Source and Destination NAT on PIX 506E

Answered Question
Mar 19th, 2008


I am searching for solution on how to do a source and destination NAT on PIX 506E.

I attach the drawing. Let's say I have a web server inside. I have created a destination NAT, that traffic which goes on is nat'ed on

I would like also, that any traffic from Internet, would be source NATed on PIX inside interface. So web server would see incoming transactions as sourced from PIX inside.

I was able to do a source and destination NAT, but only one to one:



Could somebody show me how to do a source NAT from any address to singe IP-Interface of PIX inside?

Thanks in advanced.


I have this problem too.
0 votes
Correct Answer by abinjola about 8 years 10 months ago

add following commands :-

nat (outside) 1 0 0 outside

global (inside) 1 interface


see if this helps !

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Correct Answer
abinjola Wed, 03/19/2008 - 05:13

add following commands :-

nat (outside) 1 0 0 outside

global (inside) 1 interface


see if this helps !

michal.grzelak Wed, 03/19/2008 - 06:42

It works, I have tested that in lab!!! I have been searching for solution for the whole day and found nothing, but now as I look at your config it is clear :)


michal.grzelak Wed, 03/19/2008 - 14:31


It seems that it works, but after applying it, the other nat global-1 that hide all local networks to the internet is not working:

nat (outside) 2 access-list source-nat outside

global (inside) 2 interface

access-list source-nat permit ip any host

nat (inside) 1 access-list nat

global (outside) 1 global-ip-address

Could somebody help me out with this one?



abinjola Thu, 03/20/2008 - 05:04

can you try internet access from a host other than the one mapped in static

wasiimcisco Thu, 03/20/2008 - 05:41

I have pix 525 with 7.2(3)8. I wanted to configre simple nat for inside and dmz.

This is my test lab. I know there are options of static and access-list. But i wanted to test this configuration.

I want my dmz user when access the inside network they use nat not static. and same i wanted to have with my inside user while they access dmz.

global (dmz) 1 interface

global (inside) 3 interface

nat (dmz) 3 outside

nat (inside) 1

access-group outside in interface outside

access-list dmz extended permit ip host host

access-list dmz extended permit ip host host

I have tried all possibilties but fail, even only first time at the start of lab, i use no-nat control but later on it was also stop working.

Now only static configuration is working i am able to use internet. But with this dmz nat and vice versa is not working.

few time ago, i was able to ping from inside to dmz but after sometime later it also stop working. I dont know why this is happening.

why nat control is not working. really strange situation.

alanajjar Tue, 03/25/2008 - 12:51


Try to use this configuration

nat (dmz) 3

global (inside) 3

nat (inside) 1

global (dmz) 1

and remove the dmz access list.



This Discussion