Conflicting NAT definition and translate table entries

Unanswered Question
Jun 13th, 2007


I am facing a peculiar NAT situation on a PIX with multiple interfaces; the relevant config is below:

    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz1 security10
    nameif ethernet3 dmz2 security40

    nat (inside) 1
    nat (dmz1) 1
    nat (dmz1) 1 outside

    global (dmz1) 1
    global (outside) 1
    global (dmz2) 1

Not my config, but faced with this situation, does this config prevent communication from inside hosts to the DMZ1 server?

Thanks in advance.

hoogen_82 Wed, 06/13/2007 - 22:40

I would say this should work. By default, for higher-security to lower-security communication you only need your NAT enabled. Nothing more. Only from lower to higher do you need NAT as well as an access-list.

Why have you used the statement 'nat (dmz1) 1 outside'?

You could do without it.


mphadnis Thu, 06/14/2007 - 07:58

Hi Hoogen,

I am only analyzing the existing configuration and not designing one. Inside to DMZ1 traffic does not work with this configuration and I am trying to understand why.

The statement 'nat (dmz1) 1 outside' was inserted because DMZ2 is at a higher security level than DMZ1.

The issue I faced is that inside-to-DMZ1 communication works only when the above statement is removed. The error seen is 305006: No translation defined.

Apparently, this is because, a low-to-high global NAT definition has to be defined for all low-to-high interfaces or none at all. Am I understanding this right?

I would like to know if someone has seen this before and whether this is a bug that has been/ needs to be addressed.

Thanks and Regards,
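As an added illustration of the rule the previous post describes (this is an example written for this page, not config from the thread): on PIX 6.x, once 'nat (dmz1) 1 outside' enables outside NAT on dmz1, dmz1 hosts also need a translation on every higher-security interface they exchange traffic with, including inside. The posted config has a global pool on dmz1, dmz2 and outside but none on inside, so an inside-to-dmz1 session finds no mapping for the dmz1 host on the inside interface and is dropped with 305006. The addressing below (10.1.0.0/24 inside, 10.2.0.0/24 dmz1, 10.3.0.0/24 dmz2, 203.0.113.0/24 outside) and the pool ranges are assumed for the example; the thread posts the nat and global lines without addresses. Two ways of supplying the missing translation are shown; the identity static is usually preferable because inside hosts keep reaching DMZ1 servers by their real addresses.

```cisco
! Interfaces as posted (security levels: outside 0, dmz1 10, dmz2 40, inside 100)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz1 security10
nameif ethernet3 dmz2 security40

! Assumed addressing for this example
ip address outside 203.0.113.1 255.255.255.0
ip address inside 10.1.0.1 255.255.255.0
ip address dmz1 10.2.0.1 255.255.255.0
ip address dmz2 10.3.0.1 255.255.255.0

! Higher-to-lower translations, as posted (pool ranges assumed)
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz1) 1 0.0.0.0 0.0.0.0
global (outside) 1 203.0.113.10-203.0.113.20
global (dmz1) 1 10.2.0.100-10.2.0.120
global (dmz2) 1 10.3.0.100-10.3.0.120

! Outside NAT on dmz1: lets dmz1 (security 10) reach dmz2 (security 40)
! through global (dmz2) 1. Side effect: dmz1 hosts now also need a
! translation on every higher-security interface they talk to, inside included.
nat (dmz1) 1 0.0.0.0 0.0.0.0 outside

! Option A (what the posted config lacks): a dynamic pool for dmz1 hosts on inside.
! Works, but inside hosts then see DMZ1 servers at pool addresses, not real ones.
! global (inside) 1 10.1.0.200-10.1.0.220

! Option B (preferred): identity static from dmz1 to inside, so dmz1 addresses
! are unchanged as seen from inside and inside-to-dmz1 sessions no longer fail
! with 305006. Syntax is static (real_ifc,mapped_ifc) mapped_ip real_ip.
static (dmz1,inside) 10.2.0.0 10.2.0.0 netmask 255.255.255.0

! dmz1 -> dmz2 remains lower-to-higher, so an access-list applied to dmz1 is
! still required for that direction (omitted here; not part of the question).
```

To verify the effect, clear the translation table with 'clear xlate' after the change and check 'show xlate' while an inside host connects to a DMZ1 server: with the identity static in place an xlate for the dmz1 address appears on the inside interface and the 305006 message stops; removing the static (or the outside NAT line) reproduces the original symptom.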


hoogen_82 Thu, 06/14/2007 - 09:40

That statement is not required. For traffic flowing from DMZ1 to DMZ2 you have already configured the nat statement and the global statement, so you don't need it.

If there is anything else that is problematic, do let us know.


mphadnis Thu, 06/14/2007 - 14:30

Oh! I thought that when defining NAT on a lower-security interface (dmz1) with a matching global on a higher-security interface (dmz2), outside NAT was compulsory.

