PAT vs static

A network architecture is like this: a PIX firewall, the inside (a private static IP, and the LAN of private static IPs), and the outside (only one public IP available, i.e.,

For the LAN hosts to access the outside, such as the internet, obviously a PAT is needed. This is a many-to-one translation.

Now, for any outside host to access an inside web server such as, a permit and an IP translation have to be done. Usually the translation will say:

static (inside, outside) tcp www www netmask 0 0

1) If I understand it correctly, from inside to outside it is PAT (many to one), while from outside to inside it is a one-to-one static translation. Is this correct? How can both many-to-one and one-to-one coexist on the same PIX?

2) What do the last two 0's stand for in the static statement above (0 0)?

Thanks for your help.



Re: PAT vs static

The last two 0's expand to a form in which the first stands for any source IP address and the second stands for any source subnet mask.


Re: PAT vs static


The answer to question 1 is that they use different IP addresses.

For instance, your PAT configuration on the PIX:

nat (inside) 1 0 0

global (outside) 1 interface

ip address outside

In this example all the outbound connections (those that start on the inside) will use the source address of on the Internet. But each will use a different source port; that's the PAT part.

If you add a static translation, this maps two specific IP addresses to each other.

If you apply this static:

static (inside, outside) tcp netmask 0 0

an inside PC with the address will map to. If you start a connection from that PC, it will use the source address of.

This behaviour is modified when you include the www in the static. I think an outbound connection from will only use the address defined in the static if the source port is TCP 80; try it and see.

Any other inside address would use the outside address of the PIX as its source.
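The coexistence described in the two replies above, as an added example that is not part of the original thread and not Cisco code: a toy Python model of a firewall that checks its static entries first and falls back to the nat/global PAT pair for everything else. The addresses are assumptions chosen from documentation ranges (203.0.113.1 as the outside interface, 203.0.113.2 as the static's outside address, 192.168.1.0/24 inside with 192.168.1.10 as the web server), and so are the sequential PAT port allocator and the rule that a port-restricted static (tcp www www) only matches that one port; the second reply's "try it and see" is exactly what the model assumes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed toy model of PIX-style translation. All addresses are assumptions
# from the RFC 5737 / RFC 1918 documentation ranges, not taken from the thread.

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Static:
    """One 'static (inside,outside)' entry.

    port=None models a plain one-to-one static (all ports);
    port=80 models 'static (inside,outside) tcp <out> www <in> www'.
    """
    inside_ip: str
    outside_ip: str
    port: Optional[int] = None

    def matches_outbound(self, src: Endpoint) -> bool:
        return src[0] == self.inside_ip and (self.port is None or self.port == src[1])

    def matches_inbound(self, dst: Endpoint) -> bool:
        return dst[0] == self.outside_ip and (self.port is None or self.port == dst[1])


@dataclass
class Translator:
    """One 'global (outside) 1 interface' PAT pool plus any number of statics."""
    interface_ip: str
    statics: List[Static]
    next_pat_port: int = 1024  # assumed allocator: hand out outside ports sequentially
    # (outside ip, outside port) -> (inside ip, inside port)
    pat_table: Dict[Endpoint, Endpoint] = field(default_factory=dict)

    def outbound(self, src: Endpoint) -> Endpoint:
        """Translate a connection started on the inside; statics win over PAT."""
        for s in self.statics:
            if s.matches_outbound(src):
                return (s.outside_ip, src[1])  # one-to-one: the port is kept
        # Many-to-one: everyone else shares interface_ip, told apart by port.
        xlate = (self.interface_ip, self.next_pat_port)
        self.next_pat_port += 1
        self.pat_table[xlate] = src
        return xlate

    def inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Translate a packet arriving on the outside; None means no xlate (dropped)."""
        for s in self.statics:
            if s.matches_inbound(dst):
                return (s.inside_ip, dst[1])
        # Only return traffic for an existing PAT entry maps back inside.
        return self.pat_table.get(dst)


def demo() -> Dict[str, Optional[Endpoint]]:
    fw = Translator(
        interface_ip="203.0.113.1",  # the one public IP on the PIX
        statics=[Static("192.168.1.10", "203.0.113.2", port=80)],  # web server, tcp/80 only
    )
    return {
        "web_out_80": fw.outbound(("192.168.1.10", 80)),       # uses the static address
        "web_out_other": fw.outbound(("192.168.1.10", 40000)),  # not port 80: falls through to PAT
        "pc1_out": fw.outbound(("192.168.1.20", 40000)),        # PAT, unique outside port
        "pc2_out": fw.outbound(("192.168.1.21", 40000)),        # same inside port, different outside port
        "in_web_80": fw.inbound(("203.0.113.2", 80)),           # reaches the web server
        "in_web_22": fw.inbound(("203.0.113.2", 22)),           # static is tcp/80 only: no xlate
        "in_reply_pc1": fw.inbound(("203.0.113.1", 1025)),      # return traffic for pc1
        "in_unsolicited": fw.inbound(("203.0.113.1", 2000)),    # nothing in the PAT table
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15s} -> {value}")
```

The model only covers the translation step. On a real PIX the inbound connection to the static still needs its own permit (access-list or conduit) before it is allowed through; that check is deliberately left out here so the two translation types stand out on their own.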

