No NAT in PIX 515 E



I need to configure a PIX without NAT and I don't know how to do it. Can anyone help me please?

I have:

outside interface with

inside interface with

interface2 with

I need that goes to the outside without doing NAT over it (because we have another FW in another place outside)

How can I do it?

Thanks, Regards


sachinraja Thu, 01/08/2009 - 05:42

hello eneko

You gotta use nat 0 statements to do a no-nat on the PIX.. the following commands should be in place:

nat (inside) 0 0 0

If there is more than one network, you can assign an access-list and then allow the networks which have to be no-natted.

nat (inside) 0 access-list 101

access-list 101 permit ip any

Let us know if this works fine.. all the best..


cisco24x7 Thu, 01/08/2009 - 05:58

That is not entirely correct.

Depending on the configuration. Assuming that you have no PAT/NAT configuration on the Pix and that you use version 7.x or 8.x, "no nat-control" is on by default on the Pix and the Pix will become a router. network will be able to get to the outside and return traffic can get back without any issues, with the exception of icmp stuffs.

sachinraja Thu, 01/08/2009 - 06:45

Agree with David.. If it is 6.3 and less, you can use my solution; if it is 7.x or 8.x, you can use no nat-control.. but I'm not really convinced with nat-controls.. by statically defining no-nats, the administrator always has the control of what traffic goes through the firewall, without nat, which is critical to his network.. If by default, all traffic is allowed, isn't it a security risk? And if there is no access-list on the inside network, then it will be a major mess!
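
The two approaches discussed in this thread, side by side, as an added example that is not part of any post above. The network 192.0.2.0/24 and the ACL names NONAT and INSIDE_OUT are constructed placeholders; substitute the real inside network.

```cisco
! --- PIX 6.3 and earlier: NAT exemption limited to one listed network ---
! 192.0.2.0/24 is a constructed placeholder for the inside network.
access-list NONAT permit ip 192.0.2.0 255.255.255.0 any
nat (inside) 0 access-list NONAT

! --- PIX 7.x / 8.x: no NAT rule required, so the interface ACL ---
! --- becomes the control over what may leave untranslated.      ---
no nat-control
access-list INSIDE_OUT extended permit ip 192.0.2.0 255.255.255.0 any
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT in interface inside
```

With the interface ACL applied, only the listed source network is forwarded untranslated and everything else arriving on the inside interface is dropped and logged, which addresses the concern raised in the last reply.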



