Cisco Support Community
Community Member

PIX NAT and access rules

I have a server with real IP has Natted to as follows;

static (inside,outside) netmask 0 0

If I want to allow network to access server network , what is the correct IP to be defined as destination (real or global)?

That is,

(1). access-list outside_access_in permit ip OR

(2). access-list outside_access_in permit ip ?

Community Member

Re: PIX NAT and access rules


I'm a little confused about your config. Where is your server exactly?

The static command you wrote means: host is in inside and nat this address to when it's going out. It doesn't make sense to me. If your server is inside and it has address of you have to write the static command like this:

static (inside,outside) 0 0

This command makes your server reachable from the outside (also you have to permit them with an access-list). For permitting the outside users to reach that server you have to use the real address in your ACL, because they know your server as

I assume that your network is also in inside. Actually, the traffic between this network and your server doesn't need to go through the PIX. You can keep them talking inside. If you send the config of your PIX and the topology of your network, I can help more.

Also, the links below are very useful for understanding traffic through the PIX:

I hope I didn't totally misunderstand. ;)


Community Member

Re: PIX NAT and access rules


Many thanks for the detailed reply. But my network is a little different than you explained.

Server real address is (a legacy application installed long ago). Since we cannot do any application changes, we are natting it to

The server is inside the firewall and the client network is outside the firewall (i.e. the firewall is sitting between the client and the server).

I was confused as to what address should be specified in the ACL for the server (real or natted).

I defined ACL as

access-list outside_access_in permit ip ,

but after applying it, the clients in the could not access the server. Therefore the other option is to define:

access-list outside_access_in permit ip

Any ideas?

Community Member

Re: PIX NAT and access rules

Can you elaborate on it in more detail?

In my opinion, I choose the first one, and you must configure a route which points to the network of /24.

Do you get my idea?

Community Member

Re: PIX NAT and access rules

access-list outside_access_in permit ip will permit traffic from to so for your scenario this is the correct way to do it. You need to target the translated address rather than the real one.

Community Member

Re: PIX NAT and access rules

Yes, the correct one is to use the natted one, because the outside world knows your server as Did you try this access-list? If it doesn't work, it may be because of another access-list on the inside. Do you have an ACL on the inside interface?
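
The order of operations the last two replies describe (the outside ACL is matched against the translated address, and only then does the static map it back to the real one), as an added Python model that is not part of the original thread. All addresses are constructed private/documentation ranges because the thread's own addresses are not shown, and `inbound`, `acl_permits` and `host` are hypothetical helper names.

```python
import ipaddress

# Constructed sample addresses (not the thread's, which are not shown).
REAL = ipaddress.ip_address("10.1.1.10")           # server's real inside address
GLOBAL = ipaddress.ip_address("192.0.2.10")        # translated address seen outside
CLIENTS = ipaddress.ip_network("198.51.100.0/24")  # outside client network

# Models: static (inside,outside) <global> <real> netmask 255.255.255.255 0 0
STATICS = {GLOBAL: REAL}

def host(ip):
    """Single-host network, like the 'host' keyword in an ACL entry."""
    return ipaddress.ip_network(f"{ip}/32")

def acl_permits(acl, src, dst):
    """First-match lookup; falling off the end is the implicit deny."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False

def inbound(acl, src, dst):
    """Model of a packet arriving on the outside interface.

    The ACL is evaluated against the destination as it appears on the
    wire (the global address); the static is undone only afterwards.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if not acl_permits(acl, src, dst):
        return ("denied by outside_access_in", None)
    real = STATICS.get(dst)
    if real is None:
        return ("no translation", None)  # nothing maps this destination inward
    return ("forwarded", str(real))

# Option written against the real address vs. the translated address.
acl_real = [("permit", CLIENTS, host(REAL))]
acl_global = [("permit", CLIENTS, host(GLOBAL))]

if __name__ == "__main__":
    # Outside clients can only address the server by its global address.
    for name, acl in (("real", acl_real), ("global", acl_global)):
        print(name, inbound(acl, "198.51.100.7", str(GLOBAL)))
```

This ordering applies to PIX and to ASA software before 8.3; from ASA 8.3 onward, interface ACLs reference the real address instead.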
