PIX access list issues

Mar 24th, 2009

Hi guys, I have a test PIX 515 here and I have just configured a logical interface as a VLAN. The switch can see the correct VLAN, and the pix can ping one host on the new VLAN, and vice versa, so the VLAN is operational.

I am sitting behind an interface called ABC and this is numbered and I am trying to access the network listed above on

I believe I need to create 2 static entries, nat entries for both and then create an access-list for traffic, applying the list via an access-group. Is this correct, or am I missing something here?

As far as the static entries go, are these something like:

static (abc,vlan166) netmask

For nat do I just add:

nat (abc) 1 0 0

nat (abc) 0 access-list nonatabc



You only have to have 1 static NAT from the source to the destination, the PIX will work out the reverse. You would need to add another static NAT if the traffic flows in the other direction.

The above config is incorrect; let me explain:

nat (abc) 1 0 0 - says all traffic from interface abc should be natted to the global NAT IP address associated with NAT id 1.

nat (abc) 0 access-list nonatabc - says any traffic from the source to the destination in access-list nonatabc should not be natted.

static (abc,vlan166) netmask - statically performs a same-IP static network NAT.
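Putting the pieces discussed in the question and the reply together, the following is an added example configuration in PIX 6.x/7.x (pre-8.3) NAT syntax; it is not the poster's configuration and not the reply's. Every address, the security-level assumption and every name other than the interfaces abc and vlan166 and the access-list nonatabc is constructed here for illustration and would be replaced with the real values.

```cisco
! Added example (not from the original post). PIX 6.x/7.x pre-8.3 NAT syntax.
! Constructed assumptions: abc is the higher-security interface and holds
! 192.168.10.0/24; vlan166 is the lower-security interface and holds
! 172.16.166.0/24. The name nonatabc comes from the post; vlan166_in is invented.

! One identity static is enough for the abc -> vlan166 flow. Hosts on abc keep
! their real addresses, and the PIX derives the reverse translation itself, so
! a second static is only needed for a flow that starts elsewhere.
static (abc,vlan166) 192.168.10.0 192.168.10.0 netmask 255.255.255.0

! Alternative to the static above: NAT exemption with the poster's access-list.
! Use one of the two for the same real addresses, not both; left commented here.
! access-list nonatabc permit ip 192.168.10.0 255.255.255.0 172.16.166.0 255.255.255.0
! nat (abc) 0 access-list nonatabc

! "nat (abc) 1 0 0" on its own translates nothing: it needs a global pool with
! the same id on the egress interface. Together they catch whatever traffic
! from abc matches neither a static nor a nat 0 rule. "0 0" is short for
! 0.0.0.0 0.0.0.0.
global (vlan166) 1 interface
nat (abc) 1 0.0.0.0 0.0.0.0

! Connections from the higher-security abc to vlan166 are permitted by default,
! and their return traffic is matched by the connection table. New connections
! from vlan166 toward abc need an explicit permit applied inbound on vlan166.
! Permit only the hosts and ports actually required, and log what is denied so
! unexpected attempts show up in the syslog.
access-list vlan166_in permit tcp host 172.16.166.20 host 192.168.10.5 eq 443
access-list vlan166_in deny ip any any log
access-group vlan166_in in interface vlan166
```

To verify the result, show xlate lists the translations the PIX has built, show access-list vlan166_in shows per-entry hit counts that confirm the permits are actually being matched, and the deny ... log entry makes blocked attempts appear in show logging.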
