Showing results for 
Search instead for 
Did you mean: 


Configurging PAT


I would like some configuration example for configuring PAT on PIX 515. We have 5 public IP addresses and around 20 machines that need to be published with public IP addresses, they include webservers and mail servers, and also a larger number of clients would like to be able to connect to the internet. How to configure the PIX to allow for inbound access for mail and web server and alos outbound for internet and how to configure the DNS for those published services

Cisco Employee


Please check the example below

webserver =

mailserver =

PUblic IP addresses

YOu want to grant access to those internal servers using the IP YOu need to configure a static translation with Port redirection

static (inside,outside) tcp 80 80 netmask

static (inside,outside) tcp 25 25 netmask

Now create the ACL to allow the traffic to pass through

access-list inbound permit tcp any host eq 80

access-list inbound permit tcp any host eq 25

Apply the ACL to the outside interface

access-group inbound in interface outside

Now to allow inside users to go out to the internet using the other IP address (, configure the following:

nat (inside) 1 0 0

global (outside) 1

With the rule above, all inside users will be port address translated when going to the outside interface (PAT)

Hope it helps,

Franco Zamora

Thank you very much for your input, However if we have multiple web servers and mail servers, how are we going to translate that and how are we doing the enty in the external DNS server for example we have currently

how are we going to use the external address to represent all those server in the DNS and also on the PIX ( if we have multiple web are mail servers)

Thank you very much.

Very enlighting for me, thank you Franco.

My situation is a little different, we use DSL from our ISP and only have dynamic IP address, which means here:

Public IP address ( only one, change every few weeks):


How can I still configure PAT to allow access to a Linux server(ssh) and windows server(http), please help....

>>static (inside,outside) tcp Dynamic IP 80 80 netmask

Content for Community-Ad