Cisco Support Community

New Member

Cisco PIX 515 - PAT configuration

I would like to use 1 external IP address to connect to 2 internal machines. I'd differentiate the connections based on specifying ports.

I'm trying to configure PAT to an address for the following needs:

ip address outside 515 <--> ip address inside 515
ip address outside SSH <--> ip address inside SSH

It seems as if this is possible. However, it's not working for me. I need the assistance of experts.

My PIX configuration is as follows:

sh run
: Saved

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxxx
passwd xxxx
hostname Firewall

fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000

access-list outin permit tcp any host eq ssh
access-list outin permit tcp any host eq lpd
access-list outin permit ip any host
access-list outin permit ip any host
access-list outin permit ip any host
access-list outin permit icmp any any
access-list inout permit ip any
pager lines 24
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14600
static (inside,outside) tcp ssh ssh netmask 0 0
static (inside,outside) tcp lpd lpd netmask 0 0
static (inside,outside) tcp 8044 8044 netmask 0 0
static (inside,outside) netmask 0 0
static (inside,outside) netmask 0 0
access-group outin in interface outside
access-group inout in interface inside
route outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
no sysopt route dnat
telnet inside
telnet timeout 5
ssh timeout 5
terminal width 80
: end


Please help me understand how I can access internal SSH and LPD on two different machines with a single outside address.

Thanks in Advance.
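As an added example (not code from this thread), a small Python audit that parses PIX 6.x static and access-list lines of the kind posted above and flags the two things a single-outside-address port-forwarding setup most often gets wrong: an outside address:port claimed by more than one static, and a forwarded port with no inbound ACL permit. The configuration it parses is constructed with placeholder addresses, since the addresses in the posted config were stripped, and it assumes the access-list it sees is the one bound to the outside interface.

```python
import re
from collections import defaultdict

# Constructed sample in PIX 6.x syntax (placeholder addresses, not the poster's):
# one outside address forwarding SSH, LPD and 8044 to three inside hosts, plus a
# second LPD static that collides with the first and a port left out of the ACL.
SAMPLE_CONFIG = """
access-list outin permit tcp any host 203.0.113.10 eq ssh
access-list outin permit tcp any host 203.0.113.10 eq lpd
access-list outin permit ip any host 203.0.113.11
static (inside,outside) tcp 203.0.113.10 ssh 192.168.1.20 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 lpd 192.168.1.30 lpd netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 8044 192.168.1.40 8044 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 lpd 192.168.1.50 lpd netmask 255.255.255.255 0 0
access-group outin in interface outside
"""

# Service names the PIX accepts in place of numbers (subset relevant here).
PORT_NAMES = {"ssh": 22, "lpd": 515, "http": 80, "www": 80, "smtp": 25, "telnet": 23}

def port(tok):
    """Resolve a PIX port token (name or number) to an integer, or None if unknown."""
    return PORT_NAMES.get(tok, int(tok) if tok.isdigit() else None)

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp|ip) any host (\S+)(?: eq (\S+))?$")

def audit(config):
    """Return ({(global_ip, proto, port): [(local_ip, port), ...]}, [problem, ...])."""
    statics = defaultdict(list)   # outside socket -> inside targets it is forwarded to
    permits = set()               # (ip, proto, port) explicitly permitted inbound
    permit_all = set()            # ips with 'permit ip any host X' (every port allowed)
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            proto, gip, gport, lip, lport = m.groups()[2:]
            statics[(gip, proto, port(gport))].append((lip, port(lport)))
            continue
        a = ACL_RE.match(line)
        if a and (a.group(2) == "ip" or a.group(4) is None):
            permit_all.add(a.group(3))
        elif a:
            permits.add((a.group(3), a.group(2), port(a.group(4))))
    problems = []
    for (gip, proto, gport), targets in statics.items():
        sock = f"{gip}/{proto}:{gport}"
        if len(targets) > 1:   # same outside socket claimed twice: only one can win
            problems.append(f"{sock} mapped to {len(targets)} inside hosts")
        if gip not in permit_all and (gip, proto, gport) not in permits:
            problems.append(f"{sock} has no matching inbound ACL permit")
    return dict(statics), problems
```

Running `audit(SAMPLE_CONFIG)` reports the duplicated LPD mapping and the unpermitted port 8044 while leaving the correctly paired SSH static alone.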


Re: Cisco PIX 515 - PAT configuration

I can't see any error.

Doing "clear xlate" or "clear xlate global" to flush the existing translations on the PIX may resolve the issue.

Further, do "sh xlate" to verify whether the static statements are effective or not.

Cisco Employee

Re: Cisco PIX 515 - PAT configuration

Static and ACLs are properly configured. Please issue a clear xlate (if you can; be careful with this command) and try it again.

Check if the packets are even making it to the firewall on those ports. You can run a debug packet or capture traffic.

debug packet outside src XX dst proto tcp dport 22

If you see the packets getting to the firewall, remove the debug and place it on the inside interface, this time using the inside IP address of the machine.

If they don't pass through, please log messages and check for the error.

Hope it helps

Franco Zamora