Hi. I have a PIX525 ver 5.3. I'm trying to translate a private address to a public address. The first address is on DMZ4 and the second is the translation to outside. I have this instruction: NAT (dmz4) 2 0 0 and GLOBAL (outside) 2. Additionally, I have GLOBAL (outside) 1 for the other addresses (inside and other DMZs), but when an address 172.16.x.x is on the internet, it leaves with address and I don't know why. In my case, the sentence NAT (dmz4) 2 is not working. I hope to be clear about this problem. If somebody can help me, I'll appreciate it. Thanks a lot.

Francisco Velasco

pachomedellin Mon, 02/12/2007 - 13:01

Hi, Jon. Thanks for your answer. In general, these are the main settings of our PIX. Remember that the idea is for DMZ4 to access the internet by and the IP address is for the other networks:

nameif ethernet0 outside security0

nameif gb-ethernet0 dmz4 security20

ip address outside

ip address dmz4

global (outside) 1

global (dmz4) 1

global (dmz2) 1

global (dmz3) 1

nat (dmz4) 1 0 0

static (dmz4,outside) netmask 0 0

Thanks again for your help.

Francisco Velasco

Jon Marshall Mon, 02/12/2007 - 13:39

Hi Francisco

Okay your problem is this:

nat (dmz4) 0 0

global (outside) 1

This translates all your hosts on dmz4 to

You then have a static statement

static (dmz4,outside) netmask 0 0

There are a few things wrong with this statement:

1) It's the wrong way round, i.e. it should read

static (dmz4,outside) netmask 0 0

2) If someone from the outside of the PIX wants to access one of the servers with this statement, how will they know which address to go to? I.e. if a user on the outside contacts , how does the PIX know which 172.16.x.x host this is destined for?

If you want to translate just one host from DMZ4 you could use

static (dmz4,outside) netmask

(This is just an example; I have no idea what 172.16.x.x addressing your dmz4 servers are using.)

You can statically translate more up to the number of available IP addresses from the subnet.

With these static translations a user on the outside will be able to access the DMZ4 server as long as you allow it through an access-list. So from the above example, if a user from the outside sends a packet to and you have allowed it in your access-lists, then the packet will go to

If you don't need any servers to be contacted from the outside and are only interested in the servers going from the dmz4 to the outside, remove your static and change to the following:

nat (dmz4) 2

global (outside) 2

Hope all that is clear. Any queries let me know.
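As an added illustration (not part of Jon's post or the original thread), a small Python model of how a PIX resolves an outbound translation: static entries first, then the most specific nat statement on the source interface, which only translates when a global with the same id exists on the egress interface. All addresses are constructed placeholders; the tie-break between equally specific nat statements is a modelling choice, not a documented PIX rule.

```python
# Added illustration, not from the thread. Lookup order modelled here:
# 1) static entries, 2) most specific "nat (ifname) id ..." on the source
# interface, 3) a "global (egress_if) id ..." with the same id must exist.
# All addresses are constructed placeholders (172.16.x.x mirrors the DMZ4 range).
import ipaddress

class PixNatModel:
    def __init__(self):
        self.statics = []  # (in_if, out_if, global_ip, local_ip)
        self.nats = []     # (in_if, nat_id, local_network)
        self.globals = []  # (out_if, nat_id, global_ip)

    def static(self, in_if, out_if, global_ip, local_ip):
        # static (in_if,out_if) <global_ip> <local_ip> netmask 255.255.255.255
        self.statics.append((in_if, out_if, global_ip, ipaddress.ip_address(local_ip)))

    def nat(self, in_if, nat_id, local_network="0.0.0.0/0"):
        # nat (in_if) <id> <net> <mask>; "0 0" in PIX syntax means any source
        self.nats.append((in_if, nat_id, ipaddress.ip_network(local_network)))

    def global_(self, out_if, nat_id, global_ip):
        # global (out_if) <id> <global_ip>, a single address (PAT)
        self.globals.append((out_if, nat_id, global_ip))

    def translate(self, in_if, out_if, src):
        """Address a packet from src leaves out_if with, or None if untranslated."""
        src = ipaddress.ip_address(src)
        for s_in, s_out, g, local in self.statics:      # 1. statics win
            if (s_in, s_out, local) == (in_if, out_if, src):
                return g
        matches = [(net.prefixlen, nid) for n_in, nid, net in self.nats
                   if n_in == in_if and src in net]
        if not matches:
            return None                                   # no nat on this interface
        nat_id = max(matches)[1]   # 2. most specific nat; tie -> highest id (model choice)
        for g_out, gid, g in self.globals:                # 3. global with the same id
            if (g_out, gid) == (out_if, nat_id):
                return g
        return None                # nat id has no matching global on the egress interface

def thread_example():
    """Corrected layout from the thread: dmz4 on id 2, other networks on id 1."""
    pix = PixNatModel()
    pix.nat("inside", 1)                          # nat (inside) 1 0 0
    pix.global_("outside", 1, "203.0.113.1")      # global (outside) 1  (shared)
    pix.nat("dmz4", 2)                            # nat (dmz4) 2 0 0
    pix.global_("outside", 2, "203.0.113.2")      # global (outside) 2  (dmz4 only)
    pix.static("dmz4", "outside", "203.0.113.10", "172.16.4.10")  # one published host
    return pix
```

A nat statement whose id has no global on the egress interface returns None, which is the symptom of configuring `nat (dmz4) 2` without the matching `global (outside) 2`.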


pachomedellin Tue, 02/13/2007 - 08:40

Hi, Jon.

I did these instructions, but in this case any host on the DMZ4 can access the Internet. Is the line "nat (dmz4) 1 0 0" necessary or not? I appreciate your help and I await your response.


Jon Marshall Tue, 02/13/2007 - 11:47

Hi Francisco

Could you just clarify: do you want all hosts on your DMZ to be able to access the Internet, or just one of the hosts?


pachomedellin Thu, 02/15/2007 - 06:46

Hi Jon. Please excuse me, but I had a mistake in the IP address ( because that address is not available to access the internet directly; there was a restriction in the PIX with that address. I checked it and now it is working perfectly. But I appreciate your help a lot; it was very important for me. I hope that I can write to you with future questions.

You have a nice day.

Francisco Velasco
