Re: Pix506e NAT question

From: Walter Roberson (
Date: 08/23/05

Date: Tue, 23 Aug 2005 18:02:38 +0000 (UTC)

In article <>,
 <> wrote:

:ip address outside 72.x.x.147
:ip address inside

:global (outside) 1 interface
:nat (inside) 0 access-list inside_outbound_nat0_acl
:nat (inside) 1 0 0
:static (inside,outside) tcp 72.x.x.148 https SERVER https netmask 0 0
:static (inside,outside) tcp 72.x.x.148 smtp SERVER smtp netmask 0 0
:static (inside,outside) tcp 72.x.x.148 pop3 SERVER pop3 netmask 0 0
:access-group outside_access_in in interface outside

:Everything works fine, except for when my SERVER goes out, it uses the
:Global PAT address of the outside interface (.147) instead of .148.

Remove the three statics you have now and add instead

static (inside,outside) 72.x.x.148 SERVER netmask 0 0

That will cause translation at the IP level, leaving the port numbers
alone, not just passing through https, smtp and pop3 to SERVER.

If, though, you do want to use PAT for SERVER for all ports other than
the three you list, then leave in those three statics and add

nat (inside) 2 SERVER
global (outside) 2 72.x.x.148

The 2 has no significance other than to be an arbitrary identifier to
match up the statements -- using 2 does NOT indicate that the nat is
higher or lower priority than the nat 1 that you have already. Regular
nat statements are processed according to "longest match" -- so because
the SERVER is more specific than
then the corresponding global will be chosen for SERVER's traffic
but all other traffic would use the other NAT... except the
traffic for those static statements. static has a higher priority
than regular nat... but be careful because regular static
has a higher priority than port static.

   Oh, to be a Blobel!
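
The selection order described in the reply above, as an added example that is not part of the original post and not Cisco code: a simplified Python model of which mapped address an outbound TCP packet gets under the poster's configuration and under each of the two suggested changes. The addresses, the `translate` function and the config dictionaries are constructed for illustration; the model assumes a port static only matches traffic sourced from the published port, and it does not model the `nat 0 access-list` exemption.

```python
import ipaddress

# Constructed addresses: the post masks the real ones (72.x.x.147 / .148).
OUTSIDE_IF, SECOND_IP, SERVER = "203.0.113.147", "203.0.113.148", "10.0.0.10"
PORTS = {"https": 443, "smtp": 25, "pop3": 110}

def translate(cfg, src_ip, src_port):
    """Pick the mapped source address for an outbound TCP packet (simplified model)."""
    # 1. Regular (IP-level) static has the highest priority of the rules modelled.
    for mapped, real in cfg.get("static", []):
        if real == src_ip:
            return mapped, "static"
    # 2. Port static applies only when the source port is the published port
    #    (assumption of this model), so new outbound connections skip it.
    for mapped, real, service in cfg.get("port_static", []):
        if real == src_ip and PORTS[service] == src_port:
            return mapped, "port static"
    # 3. Regular nat: longest match on the source; the id only pairs nat with global.
    best = None
    for nat_id, net in cfg.get("nat", []):
        network = ipaddress.ip_network(net)
        if ipaddress.ip_address(src_ip) in network and (
                best is None or network.prefixlen > best[1].prefixlen):
            best = (nat_id, network)
    if best is None:
        return None, "no translation"
    return cfg["global"][best[0]], "nat %d" % best[0]

PORT_STATICS = [(SECOND_IP, SERVER, s) for s in PORTS]
CATCH_ALL = (1, "0.0.0.0/0")  # nat (inside) 1 0 0
# The poster's config: port statics plus PAT on the outside interface address.
ORIGINAL = {"port_static": PORT_STATICS, "nat": [CATCH_ALL],
            "global": {1: OUTSIDE_IF}}
# First suggestion: replace the three port statics with one IP-level static.
FIX_STATIC = {"static": [(SECOND_IP, SERVER)], "nat": [CATCH_ALL],
              "global": {1: OUTSIDE_IF}}
# Second suggestion: keep the port statics, add nat 2 / global 2 for SERVER.
FIX_PAT = {"port_static": PORT_STATICS, "nat": [CATCH_ALL, (2, SERVER + "/32")],
           "global": {1: OUTSIDE_IF, 2: SECOND_IP}}

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("ip static", FIX_STATIC),
                      ("nat 2", FIX_PAT)):
        for host, port in ((SERVER, 40000), (SERVER, 25), ("10.0.0.55", 40000)):
            print(name, host, port, translate(cfg, host, port))
```
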
