How do I allow inbound connections to multiple servers using only a single global address?


Core issue

Configure static Port Address Translation (PAT) on the PIX.


Starting with PIX Software version 6.0, the PIX can be configured to redirect traffic sent to different ports on a single global IP address to multiple internal servers.

This is useful when, for example, your ISP provides only a single IP address but your web server is on a different box than your mail server. Port redirection (static PAT) lets both servers be reached through that one address.


Address available from ISP:
Mail Server IP Address:
Web Server IP Address:

PIX commands are shown below.

  static (inside,outside) tcp 25 25 netmask
  static (inside,outside) tcp 80 80 netmask
     !--- Now that the port redirection is defined, we need 
     !--- to allow inbound access via an access list.
  access-list inbound permit tcp any host eq 25
  access-list inbound permit tcp any host eq 80
  access-group inbound in interface outside
     !--- Finally, if those two servers also need to initiate 
     !--- connections outbound, then we need to do PAT on
     !--- them to the static address.
  nat (inside) 1
  nat (inside) 1
  global (outside) 1

For more information and configuration examples, see Port Redirection with Statics.
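The configuration above pairs each static PAT entry with an access-list permit, and the two drift apart easily as ports are added or removed. The following check is an added example, not part of the original document or Cisco's tooling: it reads a saved configuration and lists redirected ports that have no permit on the outside interface, and permits that have no matching static. The addresses are constructed placeholders, and only the `any host <ip> eq <port>` ACL form used above is parsed.

```python
import re

# Constructed sample; addresses are documentation/private placeholders, not the page's values.
SAMPLE = """\
static (inside,outside) tcp 192.0.2.10 25 10.1.1.5 25 netmask 255.255.255.255
static (inside,outside) tcp 192.0.2.10 80 10.1.1.6 80 netmask 255.255.255.255
access-list inbound permit tcp any host 192.0.2.10 eq 25
access-list inbound permit tcp any host 192.0.2.10 eq www
access-list inbound permit tcp any host 192.0.2.10 eq 3389
access-group inbound in interface outside
"""

PORT_NAMES = {"smtp": 25, "www": 80}  # the PIX may print these ports by name

STATIC_RE = re.compile(r"static \(\w+,(\w+)\) (tcp|udp) (\S+) (\S+) \S+ \S+ netmask")
ACL_RE = re.compile(r"access-list (\S+) permit (tcp|udp) any host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"access-group (\S+) in interface (\S+)")


def port(token):
    """Convert a numeric or named port token to an int."""
    if token.isdigit():
        return int(token)
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    raise ValueError(f"unknown port name: {token}")


def audit(config, outside="outside"):
    """Return (statics with no permit, permits with no static) as
    sorted lists of (protocol, global_ip, global_port) tuples."""
    statics, permits, bound = set(), {}, set()
    for line in map(str.strip, config.splitlines()):
        if m := STATIC_RE.match(line):
            if m[1] == outside:
                statics.add((m[2], m[3], port(m[4])))
        elif m := ACL_RE.match(line):
            # Only the "any host <ip> eq <port>" form used on the page is parsed.
            permits.setdefault(m[1], set()).add((m[2], m[3], port(m[4])))
        elif m := GROUP_RE.match(line):
            if m[2] == outside:
                bound.add(m[1])
    # Only ACLs bound inbound on the outside interface count.
    allowed = set().union(*(permits.get(name, set()) for name in bound))
    return sorted(statics - allowed), sorted(allowed - statics)
```

On the sample, the permit for port 3389 is reported because no static redirects that port; such leftover permits are worth removing so that a later static does not expose a service unintentionally.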