Cisco Support Community

Complex NAT and Pix version 8.0(3)

This is my HQ Pix firewall version 8.0(3):

ip address outside (security 0)
ip address inside (security 100)
ip address dmz (security 90)
ip address lease-line (security)
route inside
route dmz
route lease-line
static (inside,outside) netmask
static (dmz,outside) netmask
static (inside,outside) netmask
access-list test permit ip any any log
access-group test in interface outside
access-group test in interface inside
access-group test in interface dmz

I have requirements like this:

- There are a couple of VPNs terminating on this firewall, to remote-A and remote-B. Remote-A also has a network which overlaps with my LAN network. Double-NAT will have to be done on both sides,

- Remote-B has a network of which is overlapped with my dmz network. Double-NAT will have to be done on both sides,

- Users coming from source over the Internet hitting host and host, and the destination will be translated into and instead of and, respectively. Any other sources coming from the Internet hitting host and .200, the destination will be translated to and .0.200,

- Users coming from source hitting the outside interface on port 3389 will be translated to host on port 3389. Anyone else coming from other addresses over the internet hitting host will be translating

- network will NOT be NAT'ed to on the dmz BUT host will be NAT'ed to when accessing any hosts on the network.

- I have similar requirements on the lease-line interface as well but I will hold off on it for now.

Can anyone estimate how long it would take to come up with a workable configuration? Is it even possible? In terms of support and maintenance, is this a good idea?

Thanks in advance.


Re: Complex NAT and Pix version 8.0(3)

Almost possible, but first try it with one interface; if it worked then go ahead.

As you mentioned above, you need to make NATing based on source and destination addresses.

What I would suggest you try is extended ACL with static NAT:

access-list 100 host
static (outside,inside) access-list 100

and so on.

I reversed the static NAT to use the extended ACL.

And I really wish you good luck, and let me know.

By the way, **reload after config**.

With NATing sometimes the firewall does not take the changes directly; I mean you might do the change and it sounds OK but does not work, so after you make the changes just RELOAD it to avoid any problems.
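As an added illustration of the approach the reply suggests (an extended ACL bound to a static, i.e. policy NAT on pre-8.3 PIX/ASA software), and not part of the original thread, the fragment below shows how the question's "same host, different public address depending on who is connecting" and "port 3389 only for one source" requirements map onto that syntax. Every address is constructed from the RFC 5737 documentation ranges because the thread's own addresses were lost: 10.1.1.10 stands for the inside server, 203.0.113.10 for its public address, 203.0.113.20 for the alternate public address, 203.0.113.1 for the outside interface address, and 198.51.100.7 for the single remote source that gets special treatment. The ACL names are arbitrary.

```cisco
! Added example with constructed addresses; not from the thread.
! Policy static NAT is written from the real (inside) host's point of view:
! real source on the left, remote peer on the right. A static is
! bidirectional, so an inbound connection from 198.51.100.7 to 203.0.113.20
! is translated to the real host 10.1.1.10, while anyone else sending to
! 203.0.113.20 does not match this entry at all.
access-list WEB_FROM_PARTNER extended permit ip host 10.1.1.10 host 198.51.100.7
static (inside,outside) 203.0.113.20 access-list WEB_FROM_PARTNER

! Fallback for every other remote source: the same real host is reachable
! at 203.0.113.10. Statics are matched in the order they appear in the
! configuration, so the source-specific entry above is entered first.
access-list WEB_FROM_ANYONE extended permit ip host 10.1.1.10 any
static (inside,outside) 203.0.113.10 access-list WEB_FROM_ANYONE

! Policy static PAT: only 198.51.100.7 reaching the outside interface
! address on TCP/3389 is forwarded to the real host's RDP port. The port
! is specified on the real-host side of the ACL.
access-list RDP_FROM_ADMIN extended permit tcp host 10.1.1.10 eq 3389 host 198.51.100.7
static (inside,outside) tcp interface 3389 access-list RDP_FROM_ADMIN

! Translation alone admits nothing; the interface ACL still has to permit
! the flows. On this software version the outside ACL is written against
! the mapped (public) addresses, not the real ones.
access-list OUTSIDE_IN extended permit tcp host 198.51.100.7 host 203.0.113.20 eq www
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq www
access-list OUTSIDE_IN extended permit tcp host 198.51.100.7 host 203.0.113.1 eq 3389
access-group OUTSIDE_IN in interface outside
```

Two practical notes on this pattern. First, the overlap between the two policy statics for 10.1.1.10 is intentional and is the documented way to give one real host different public identities per peer; keep the narrow ACL ahead of the broad one or the broad one will always win. Second, existing translation slots are not rebuilt when a static is changed, which is the usual cause of the "the change looks fine but does not work" symptom; clearing the translation table with `clear xlate` forces new translations to be built under the updated rules, at the cost of dropping connections that were using the old ones.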