PAT and Static NAT on a PIX 501

I have a PIX 501 6.3(4) on which I currently have PAT configured, converting all the internal addresses to the interface address upon leaving the PIX. I also have a web server that the outside world needs to be able to talk to on my second address. Everything works great when I have PAT configured, but as soon as I add a static NAT for the webserver, all traffic stops.

HELP!!!!!

Thanks...

Reply to
badtemper

interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname fw
domain-name rml-lab.com
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
names
access-list outside_cryptomap_20 permit ip host 69.51.x.x 170.232.x.x 255.255.255.0
access-list outside_in permit tcp any interface outside eq http
access-list outside_in permit tcp any interface outside eq https
access-list outside_in permit tcp any interface outside eq domain
access-list outside_in permit tcp any interface outside eq 3389
access-list outside_in permit tcp any interface outside eq pop3
access-list outside_in permit tcp any interface outside eq ftp
access-list outside_in permit tcp any interface outside eq smtp
pager lines 20
logging on
logging timestamp
logging standby
logging console debugging
logging trap notifications
logging facility 1
logging host inside 192.168.1.2
mtu outside 1500
mtu inside 1500
ip address outside 69.51.x.x 255.255.255.128
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) 69.51.132.x 192.168.1.2 netmask 255.255.255.255 0 0
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 69.51.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 170.232.x.x
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside
isakmp enable outside
isakmp key ******** address 170.232.x.x netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
console timeout 0
terminal width 80
Reply to
Chris

In article , wrote:
:I have a PIX 501 6.3(4) that I currently have PAT configured and
:converting all the internal addresses to be the interface address upon
:leaving the PIX. Although I do also have a web server that the outside
:world needs to be able to talk to on my second address. Everything
:works great when I have PAT configured, but as soon as I add a static
:nat for the webserver, all traffic stops.

Please post a sanitized configuration.

Reply to
Walter Roberson

The IPs here ("interface outside") should match the first IP in your static. Else you need port statics instead.

This IP is your outside and also your PAT IP for outbound connections from inside.

You have a NAT static, so the unique IP must be free on the outside. The second IP is the host/server that maps to this public IP, hence should have the ports stated in the ACL open.

As for what stops your traffic, it could likely be a license limit on the PIX501 (you do not mention the license). Normally there is a 10 user limit on 501's.

HTH Martin Bilgrav

Reply to
Martin Bilgrav
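To make Martin's point about the ACL and the static checkable, here is a small Python script added to this thread (not code from any poster or from Cisco). It parses the PIX 6.3 directive forms seen in the posted config and reports inbound ACL entries whose destination has neither a 1:1 static nor a port static behind it, which is exactly the "interface outside" versus separate-static mismatch above; the sample config is constructed with RFC 5737 documentation addresses, and port names are compared literally.

```python
# Constructed sample with the shape of the config posted in the thread;
# addresses are RFC 5737 documentation addresses, not the poster's real ones.
SAMPLE_CONFIG = """\
ip address outside 203.0.113.1 255.255.255.128
access-list outside_in permit tcp any interface outside eq http
access-list outside_in permit tcp any interface outside eq smtp
access-list outside_in permit tcp any host 203.0.113.2 eq https
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
static (inside,outside) 203.0.113.2 192.168.1.2 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.2 smtp netmask 255.255.255.255 0 0
access-group outside_in in interface outside
"""

def _addr(tok, i):
    """Consume one PIX address spec: any | host A | interface IF | A MASK."""
    return ("any", i + 1) if tok[i] == "any" else (tok[i] + " " + tok[i + 1], i + 2)

def parse_pix(text):
    """Pull out the pieces that decide whether inbound traffic has a translation."""
    cfg = {"ifaddr": {}, "statics": {}, "pstatics": set(), "acl": {}, "applied": {}}
    for line in text.splitlines():
        t = line.split()
        if t[:2] == ["ip", "address"]:
            cfg["ifaddr"][t[2]] = t[3]
        elif t[:1] == ["static"] and t[2] in ("tcp", "udp"):   # port static
            cfg["pstatics"].add((t[2], t[3], t[4]))           # (proto, global, port)
        elif t[:1] == ["static"]:                              # 1:1 static
            cfg["statics"][t[2]] = t[3]                        # global -> local
        elif t[:1] == ["access-list"] and t[2] == "permit":
            _, i = _addr(t, 4)                                 # skip the source
            dst, i = _addr(t, i)
            port = t[i + 1] if i < len(t) and t[i] == "eq" else None
            cfg["acl"].setdefault(t[1], []).append((t[3], dst, port))
        elif t[:1] == ["access-group"] and t[3] == "interface":
            cfg["applied"][t[4]] = t[1]                        # interface -> ACL
    return cfg

def unreachable_permits(text, outside="outside"):
    """Entries of the ACL applied inbound on `outside` whose destination has no
    1:1 or port static behind it; PAT on the interface never accepts inbound."""
    cfg = parse_pix(text)
    found = []
    for proto, dst, port in cfg["acl"].get(cfg["applied"].get(outside), []):
        ip = cfg["ifaddr"].get(outside) if dst == "interface " + outside else dst.split()[-1]
        covered = dst == "any" or ip in cfg["statics"] or any(
            (proto, g, port) in cfg["pstatics"] for g in ("interface", ip))
        if not covered:
            found.append((proto, dst, port))
    return found
```

Run against the sample it flags only the http entry, since smtp is served by a port static on the interface and https points at the address the 1:1 static owns.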

Oh, and there is something rotten in your VPN config. Do you use this? If not, remove it, as it might interfere with what you are doing.

Reply to
Martin Bilgrav

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.