Inbound NAT breaking existing connections

Unanswered Question

Hi all,

I need to configure an inbound nat rule on a PIX firewall so that a network that comes in through a VPN on the outside interface translates to a dmz interface (PAT).

I have the configuration in place to set up all the translation rules without the bidirectional NAT rule in place and all is working, but when I add the bidirectional nat rules:

nat (outside) 10 outside
nat (outside) 0 0 0 outside
global (dmz) 10 interface

everything breaks, even another vpn that I have running on the inside interface.

I have searched for info on bidirectional nat but the documentation available is very slim and it doesn't clearly state exactly what changes when you use it.

Can anybody give some more insight into this?


Rodrigo Magno

smahbub Mon, 05/26/2008 - 13:13

The nat outside option lets you enable or disable outside NAT, which translates the source address of a connection coming from a lower security interface to a higher security interface. This feature is also called bidirectional NAT. If you enable outside dynamic NAT on an interface, then you must configure an explicit NAT policy for all hosts on the interface that need to initiate connections to inside networks. If you want to translate some hosts, but not others, then use identity NAT or NAT exemption (nat 0 or nat 0 access-list) to disable address translation for these additional hosts. The norandomseq and emb_limit options are not supported with outside NAT.

Use the following url to get more info about configuring outside(bidirectional) NAT on PIX:
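The following is an added illustration of the advice above, not the poster's configuration or Cisco's: outside NAT is applied only to the VPN-sourced network that should be PATed to the dmz interface, and every other outside-originated host is exempted with nat 0 access-list so it keeps reaching inside networks untranslated. All networks and the access-list name are placeholders.

```cisco
! Constructed example (PIX 6.x syntax); not the poster's configuration.
! Placeholder networks:
!   192.168.50.0/24 - network arriving over the VPN on outside, to be PATed to dmz
!   192.168.60.0/24 - other outside-originated hosts (e.g. the second VPN) that
!                     must keep initiating connections to inside without translation

! 1. Explicit outside-NAT (bidirectional) policy for the VPN network only.
!    The trailing "outside" keyword is what enables outside NAT for this rule;
!    the matching global on dmz PATs the sources to the dmz interface address.
nat (outside) 10 192.168.50.0 255.255.255.0 outside
global (dmz) 10 interface

! 2. NAT exemption for everything else that originates on outside, so that
!    enabling outside NAT does not silently require a policy for those hosts.
access-list OUTSIDE_NAT_EXEMPT permit ip 192.168.60.0 255.255.255.0 any
nat (outside) 0 access-list OUTSIDE_NAT_EXEMPT outside

! 3. Flush existing translations so the new policy is used for new connections,
!    then confirm which rule each outside source is matching.
clear xlate
show nat
show xlate
```

The order matters for the check in step 3: NAT exemption (nat 0 access-list) is evaluated before the dynamic nat 10 rule, so a host that appears in OUTSIDE_NAT_EXEMPT should never show up in show xlate with a dmz interface address.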
