NAT to specific destination

Cisco PIX Firewall Version 6.3(1)

model: 515e


Is it possible to have the PIX use PAT for outbound traffic, like FTP and HTTP to any IP address, but then have it use NAT only to a few specific destinations?

Here is the problem I have which may help explain the question:

I have client PCs that need to access a remote site to another company via Nortel VPN. This requires a 1-1 mapping with NAT, and no PAT. I have gotten this to work in a test env with the global commands and with static commands. The problem I have is that there are more client computers that need access to the VPN than I have public IPs, but not all the clients use the VPN software at the same time.

So effectively what I want is:

an access-list that uses PAT for all regular traffic


an access-list that says:

if traffic is going to destination x.x.x.x, then use the global pool of x.x.x.1-x.x.x.20.

I know this is possible with Netscreen firewalls, I just hope it is with the PIX as well.



Re: NAT to specific destination

Hi Dan,

Please check out the policy NAT feature per this document.



Re: NAT to specific destination

Thanks Nadeem,

This is exactly what I need, but the FOS will not let me set it up.

I have cleared the config and started from scratch, but this still does not help. Here is what I am doing:


pix(config)# show access-l

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)

alert-interval 300

pix(config)# access-l NET1 perm ip host 12.40.x.x

pix(config)# access-l NET2 perm ip any

pix(config)# nat (inside) 2 access-l NET1

ERROR: invalid nat ID, <2>, with access-list

Usage: [no] nat [()] [

[dns] [outside]

[ [emb_limit> []]]]

[no] nat [(if_name)] 0 [access-list [outside]]



I always get an error stating that the NAT ID is incorrect, no matter what I change it to. Any thoughts on this? I've done some searching, and it seems that only a "nat (inside) 0" command will work with an access-list. But it seems that this will limit my possibilities.


Re: NAT to specific destination

Looks like this is a feature introduced in 6.3(2).

Guess I need to figure out how to get that version now.
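
The setup asked for at the top of the thread, as an added example that is not from any poster: destination-based policy NAT from a pool, with PAT for everything else. It assumes PIX OS 6.3(2) or later (per the last post); the ACL name and all addresses are constructed placeholders.

```cisco
!--- Added example. Addresses are constructed placeholders:
!---   10.1.1.0/24    = inside client subnet (assumption)
!---   198.51.100.10  = partner VPN gateway, the "destination x.x.x.x"
!---   192.0.2.1-20   = public pool, the "x.x.x.1-x.x.x.20"

!--- The ACL needs both a source and a destination. It matches inside
!--- clients only when they are talking to the partner gateway.
access-list VPN-DEST permit ip 10.1.1.0 255.255.255.0 host 198.51.100.10

!--- Policy NAT: traffic matching VPN-DEST gets its own address from pool 2
!--- (dynamic NAT, no port translation).
nat (inside) 2 access-list VPN-DEST
global (outside) 2 192.0.2.1-192.0.2.20 netmask 255.255.255.0

!--- All other outbound traffic is PATed to the outside interface address.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
```

With a 20-address pool, a 21st concurrent VPN client gets no translation until an existing one is released; `show xlate` lists the translations currently holding pool addresses.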

