Cisco Pix 515 Network translation not working low security high security

Apr 14th, 2009

Hi Experts, I have a network translation that is not working and I am hoping one of you can help me.

I need to access from the network, natted to

This server needs to be seen as

This translation works as well as any other 192.168.5.x translation:

static (dmz1,dmz3) netmask

--- This is the Only one not working --

static (dmz2,dmz3)

Is it because, instead of being "(high,low) low,high", it is "(low,high) high,low"?

I tried it the other way around as well and I can not seem to reach it.


Pix firewall with the following interfaces:

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz1 security66

nameif ethernet3 dmz2 security33

nameif ethernet4 dmz3 security40

nameif ethernet5 dmz4 security25

ip address outside

ip address inside

ip address dmz1

ip address dmz2

ip address dmz3

ip address dmz4

I tried a permit ip any any and permit icmp any any, but it seems, based on debugs, that it is not translating correctly.

Any help is appreciated.

Thank you,


sdoremus33 Tue, 04/14/2009 - 22:40

you could try this

static(dmz2,dmz3) netmask

sdoremus33 Wed, 04/15/2009 - 00:49

2585, typo should be

static(dmz2,dmz3) netmask 255.255.255.

Take care

www.itnetcr Wed, 04/15/2009 - 05:45

Hi sdoremus33,

Thanks for the help. I have one doubt,

The ip address I need to nat is on dmz2 network.

The actual ip of the box is

If I use your static, how do I bind the to the ... I'm lost... the box ip was , but maybe I'm wrong.

Thanks a lot!

sdoremus33 Thu, 04/16/2009 - 10:56

So if the src=192.168.8.x where the box is .27, and the dst is 192.168.5.x. The dst device needs to see the src as This instructs the ASA device to take the org src and nat to from the original ip src@ to the dst @192.168.5.x. Now the dest device will see the ip packet with a source @ This is one of the idiosyncrasies in Cisco ASA/Pix devices. HTH

sdoremus33 Fri, 04/17/2009 - 13:33


Was this helpful? My thinking was to take the device that needed to be natted, which was on the .8.x subnet, and present this as .5.88 on dmz3. Just curious to see if this worked out for you. Thanks and have a great day.

www.itnetcr Mon, 04/20/2009 - 09:55

Hi thanks for the help.

Hi Sdoremus33,

Thanks for all your help.

I tried it yesterday and no luck.


also tried:

static(dmz2,dmz3) didn't work.

Cl xl, clear local-h, allowed permit ip any any to test, didn't work

I even added another pc with a fresh XP install to test if it was a pc issue, couldn't get it work.

I have a big question mark on my head on why the heck it doesn't work :-).....

Eli Barb Fri, 07/17/2009 - 10:42

Did you ever figure this out? I'm hitting my head up against a similar scenario of low security-level interface to high security-level interface static NAT not working.

interface ethernet1 100full

interface ethernet2 100full

nameif ethernet1 inside security100

nameif ethernet2 mgmtdmz security90

ip address inside

ip address mgmtdmz

route outside x.x.x.x 1

route inside 1

route inside 1

route inside 1

access-list mgmtdmz-acl-in permit ip host any

access-list mgmtdmz-acl-in permit icmp any any

access-list inside_access_in line 1 permit ip any host

access-list inside_access_in line 2 permit icmp any any

access-group inside_access_in in interface inside

access-group mgmtdmz-acl-in in interface mgmtdmz

static (mgmtdmz,inside) netmask 0 0

global (outside) 10 interface

nat (inside) 10 0 0

www.itnetcr Fri, 07/17/2009 - 12:17

No buddy, couldn't figure it out. Had to do a cheesy workaround and move the server to another dmz.

Let me know if you figure it out!


I think the problem with this is your access-lists. The first line in each one is backwards. For example, the source in the one applied to the dmz is . From an interface perspective, that should be the destination. The inside one is only permitting icmp to go from inside to anywhere because of a similar issue.
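The static and access-list pieces that the replies above describe, written out as one added configuration example (this is not any poster's config from the thread). It uses the addresses sdoremus33 quotes (real host 192.168.8.27 on dmz2, presented as 192.168.5.88 on dmz3), assumes dmz3's network is 192.168.5.0/24 and that the box runs the PIX 7.x (pre-8.3) `static (real_ifc,mapped_ifc) mapped_ip real_ip` syntax, and the ACL names are invented:

```text
! Added example, not from the thread. Assumed: PIX 7.x pre-8.3 syntax,
! real host 192.168.8.27 on dmz2 (security33), mapped address 192.168.5.88
! on dmz3 (security40), dmz3 network 192.168.5.0/24.
!
! static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
static (dmz2,dmz3) 192.168.5.88 192.168.8.27 netmask 255.255.255.255
!
! dmz2 is the lower-security side, so connections that the dmz2 host starts
! toward dmz3 must be permitted by an ACL applied inbound on dmz2. On the
! interface where the ACL is applied, the source is the host's own real
! address and the destination is the dmz3 address as seen from dmz2.
access-list dmz2_access_in permit ip host 192.168.8.27 192.168.5.0 255.255.255.0
access-group dmz2_access_in in interface dmz2
!
! If an ACL is also applied inbound on dmz3, the dmz2 host must appear in
! the DESTINATION field under its mapped address, because 192.168.5.88 is
! how dmz3 sees it. Putting 192.168.5.88 in the source field of this ACL
! is the "backwards" line the last reply points at: it never matches.
access-list dmz3_access_in permit ip 192.168.5.0 255.255.255.0 host 192.168.5.88
access-group dmz3_access_in in interface dmz3
!
! After changing a static, drop the old translations and confirm the new
! one is built before testing from a host:
clear xlate
show xlate
```

The check that distinguishes a NAT problem from an ACL problem is `show xlate`: if the 192.168.5.88/192.168.8.27 entry is present but traffic still fails, the translation is fine and the access-lists (direction and which address, real or mapped, they name) are the place to look.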
