Cisco Support Community

New Member

Reverse NAT


I have a PIX 506E 6.3(4) set up to use Dynamic NAT for 15 addresses and the rest are set up to use STATIC NAT. At this time, I am using ALIAS statements to take care of outside requests that need access to inside machines.

Unfortunately, the PDM software won't allow us to manage the PIX if we use the ALIAS statements. I am told that I need to use Reverse NAT.

My question is how to do this if I already have NAT set up dynamically for 15 of my available addresses? What do I need to do to set up Reverse NAT for my static addresses?

My current config looks like this.

global (outside) 1 XX.XX.XX.110-XX.XX.XX.126 netmask

nat (inside) 1 0 0

Any help would be greatly appreciated.



New Member

Re: Reverse NAT

Hello Scot,

You can use the static command in combination with an access-list to set up access for inbound connections. For example, if you have a host on your inside network, which is publicly available on, and a webserver is running on it, you can use the following commands:

static (inside,outside) netmask

access-list acl_outside permit tcp any host eq 80

access-group acl_outside in int outside

The static command tells the PIX that the outside address belongs to the inside address. Optionally, you can specify the maximum number of connections allowed for that entry (see the manual for the static command).

The access-list entry tells the PIX that anybody can connect to the IP address for port 80 (http).

The access-group command tells the PIX to use access-list acl_outside on incoming traffic on the outside interface.

Check out the example of a mailserver on the inside network at

Hope this helps,

Kind regards,
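
Added example, not part of either post: a small Python check that reads PIX 6.x style configuration lines and confirms the three pieces described in the reply (static, access-list, access-group) line up, listing what is reachable from outside and what is misconfigured. The addresses, the `acl_unused` list and the function name `audit_inbound` are constructed for illustration, and only the simple `permit tcp|udp any host <ip> eq <port>` form is parsed.

```python
import re

# Constructed sample (documentation/private addresses, not from the thread).
SAMPLE_CONFIG = """\
static (inside,outside) 192.0.2.10 10.0.0.10 netmask 255.255.255.255 0 0
static (inside,outside) 192.0.2.11 10.0.0.11 netmask 255.255.255.255 0 0
access-list acl_outside permit tcp any host 192.0.2.10 eq 80
access-list acl_outside permit tcp any host 192.0.2.12 eq 25
access-list acl_unused permit tcp any host 192.0.2.11 eq 443
access-group acl_outside in interface outside
"""

# PIX 6.x order is: static (real_if,mapped_if) global_ip local_ip
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in int\S* (\w+)")

def audit_inbound(config, outside_if="outside"):
    """Return (exposed, findings) for inbound access via outside_if."""
    statics, acls, bound = {}, [], set()
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            if m.group(2) == outside_if:
                statics[m.group(3)] = m.group(4)  # global IP -> inside IP
        elif m := ACL_RE.match(line):
            acls.append(m.groups())
        elif m := GROUP_RE.match(line):
            if m.group(2) == outside_if:
                bound.add(m.group(1))
    exposed, findings = [], []
    for name, proto, dst, port in acls:
        if name not in bound:
            findings.append(f"{name}: not bound to {outside_if}, permit for {dst}:{port} is inactive")
        elif dst not in statics:
            findings.append(f"{name}: permits {dst}:{port} but no static maps {dst}")
        else:
            exposed.append((dst, statics[dst], proto, port))
    permitted = {dst for name, _, dst, _ in acls if name in bound}
    for glob, local in statics.items():
        if glob not in permitted:
            findings.append(f"static {glob} -> {local}: no active permit, unreachable from {outside_if}")
    return exposed, findings

if __name__ == "__main__":
    exposed, findings = audit_inbound(SAMPLE_CONFIG)
    for dst, local, proto, port in exposed:
        print(f"EXPOSED {proto}/{port}: {dst} -> {local}")
    for f in findings:
        print("CHECK  ", f)
```

Running it against a saved copy of the running configuration gives a quick list of which inside hosts are published and on which ports, which is worth reviewing whenever ALIAS or static entries are reworked.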

