
Help configuring Reverse NAT


I have a PIX 515E with software ver 6.3(5). I have a consultant that I'm trying to allow access to a specific machine on our internal network. I'm trying to setup reverse NAT to allow him access into our network, but I don't want him to be able to access other nodes on our network (and actually, he'll only need access to the specific address and a specific port number). From looking at the documentation, it looks like I'll need to add the following lines:

nat (outside) 1 outside (which would be his IP address)

global (inside) 1 (which would assign him an address on our network)

I think this is correct, but how would I restrict him to a single IP? Access-list?


Re: Help configuring Reverse NAT

All traffic flowing from a lower security interface to a higher security interface is always denied unless an ACL allows the traffic.

Your best bet in this setup would be to use Port Address translation and an ACL to allow the traffic. Much easier.


Maps your internal host to an external IP for the telnet port (an external IP on the PIX; it can be changed to the interface command to use the actual interface IP):

static (inside,outside) tcp telnet telnet netmask 0 0

Allow the traffic:

access-list out->in permit tcp host host eq telnet

access-group out->in in interface outside

This link should help.



Please rate if this helps.
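The static PAT plus ACL approach from the answer above, written out in full PIX 6.3 syntax as an added example (not part of the original reply). All addresses are placeholders: 203.0.113.10 is the consultant's public IP, 198.51.100.5 is a spare public IP held by the PIX on the outside, 10.1.1.20 is the internal host, and the ACL name out-in is arbitrary.

```cisco
! Added example, not from the thread. PIX 6.3 syntax, placeholder addresses:
!   203.0.113.10  = consultant's public IP (the only permitted source)
!   198.51.100.5  = spare public IP owned by the PIX on the outside
!   10.1.1.20     = internal machine the consultant needs to reach
! Only the single TCP port he needs (telnet here, as in the reply) is exposed.

! Port-level translation: outside 198.51.100.5:23 maps to inside 10.1.1.20:23.
! Replace 198.51.100.5 with the keyword "interface" to borrow the outside interface IP.
static (inside,outside) tcp 198.51.100.5 telnet 10.1.1.20 telnet netmask 255.255.255.255 0 0

! Permit only the consultant's host, only to the translated address, only on that port.
! Anything else arriving on the outside interface hits the ACL's implicit deny.
access-list out-in permit tcp host 203.0.113.10 host 198.51.100.5 eq telnet

! Apply the ACL to inbound traffic on the outside interface.
access-group out-in in interface outside
```

Because the static maps one TCP port rather than the whole host, and the ACL names a single source and destination, the consultant cannot reach other ports on 10.1.1.20 or any other internal node through the PIX.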


Re: Help configuring Reverse NAT

The problem is that they may be able to get around it if they have access to the Terminal Server/VNC type solution on the machine.


Re: Help configuring Reverse NAT

Only if he were giving TS/VNC access to that internal machine. At that point the remote user would have access to everything that internal machine did. If he is only giving access to http, ftp, or ssh, then the remote host will only be able to access that.
