
Issue with NAT

I am trying to meet the following requirements:-

I need to be able to get traffic from the inside interface to route out through the network to a further secure router. Obviously I need to allow flow back from the router in the network into the inside interface.

Currently I am unable to ping any device including the interface of the network in the pix.

I do not want any NAT to take place between any of the interfaces.

My outside interface does however seem to accept traffic from the legacy1 network fine.

Any suggestions or examples would be very appreciated as I am going round and round in circles with this one!



Building configuration...

: Saved


PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

interface ethernet3 auto shutdown

interface ethernet4 auto

interface ethernet5 auto shutdown

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 legacy1 security1

nameif ethernet3 imaging security95

nameif ethernet4 Encryption security1

nameif ethernet5 intf5 security10

enable password xxx

passwd xxx

hostname pixfirewall



access-list inside_access_in permit ip any any

access-list Encryption_inbound_nat0_acl permit ip any any

access-list legacy1_outbound_nat0_acl permit ip any any

access-list outside_inbound_nat0_acl permit ip any any

access-list outside_access_in permit ip any any

access-list imaging_access_in permit ip any any

access-list inside_outbound_nat0_acl permit ip any any

access-list Encryption_access_in permit ip any any

pager lines 24

logging on

icmp permit any inside

icmp permit any legacy1

icmp permit any imaging

icmp permit any Encryption

mtu outside 1500

mtu inside 1500

mtu legacy1 1500

mtu imaging 1500

mtu Encryption 1500

mtu intf5 1500

ip address outside

ip address inside

ip address legacy1 195.210.x.x.255.0

ip address imaging

ip address Encryption

no ip address intf5

ip audit info action alarm

ip audit attack action alarm

no failover

failover timeout 0:00:00

failover poll 15

no failover ip address outside

no failover ip address inside

no failover ip address legacy1

no failover ip address imaging

no failover ip address Encryption

no failover ip address intf5

pdm location inside

pdm location inside

pdm location 0.0.0.x.x.255.0 outside

pdm location inside

pdm location 20.x.x.176 Encryption

pdm location 20.x.x.0 Encryption

pdm location 20.x.x.0 imaging

pdm location Encryption

pdm location imaging

pdm location inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 20 interface

global (inside) 20 interface

global (imaging) 20 interface

nat (outside) 0 access-list outside_inbound_nat0_acl outside

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 0 0 0

nat (inside) 20 0 0

nat (legacy1) 0 access-list legacy1_outbound_nat0_acl

nat (legacy1) 0 0 0

nat (Encryption) 0 access-list Encryption_inbound_nat0_acl outside

access-group outside_access_in in interface outside

access-group inside_access_in in interface inside

access-group imaging_access_in in interface imaging

access-group Encryption_access_in in interface Encryption

route outside 1

route inside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0


Re: Issue with NAT


Unfortunately pix 6.3 doesn't have any good way to turn off nat entirely without entering a couple of commands: there are a couple of ways to do this, but I would do the following

1) Get rid of all your nat and global statements

2) Enter the following commands:

access-list al_no_nat permit ip any any

nat (inside) 0 access-list al_no_nat

nat (legacy1) 0 access-list al_no_nat

nat (imaging) 0 access-list al_no_nat

nat (outside) 0 access-list al_no_nat

Though technically you don't really need the last one, as the nat requirements are from high to low and there's nothing lower than 0

3) do a 'clear xlate' to wipe out any existing xlates that may have been created

4) Test

Now this is where you need to understand a little bit about security on the pix - the pix will not allow you to traverse the pix to ping another interface: meaning you can't ping the outside interface from an inside IP address (and vice-versa). What you need to do is have an IP out on the Encryption interface that you can ping (possibly a router) and on that device have it route the 192.168 network back to the interface on your firewall. Then an inside host should ping that and be able to get a reply right (assuming the routing is in place to get that network back to the firewall)

Your permit ip any any ACLs should allow all the traffic return that needs to for connectivity to work.

Other than that, the config looks good, though nothing is being routed to the Encryption interface as of yet (your outside network has the default route).


Please rate this message if it helped solve some or all of your issue.
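
An added example, not part of the original thread and not Cisco tooling: a Python check that a PIX 6.3 configuration follows the steps in the reply above. It flags every `nat`/`global` line that is not a `nat (if) 0 access-list` exemption and every interface above the lowest security level that lacks one. The sample configuration is constructed, and treating the lowest-security interface as optional is an assumption taken from the reply's "high to low" remark.

```python
import re

# Constructed sample: a trimmed PIX 6.3 config in the shape of the one posted above.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 legacy1 security1
nameif ethernet4 Encryption security1
global (outside) 20 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 20 0 0
nat (legacy1) 0 access-list legacy1_outbound_nat0_acl
nat (legacy1) 0 0 0
"""

NAMEIF = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")
NAT = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(.*)$")
GLOBAL = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+")


def audit_no_nat(config_text):
    """Return (leftover, missing).

    leftover: nat/global lines that are not 'nat (if) 0 access-list' exemptions.
    missing:  interfaces above the lowest security level with no exemption.
    """
    levels, exempt, leftover = {}, set(), []
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := NAMEIF.match(line):
            levels[m.group(1)] = int(m.group(2))
        elif m := NAT.match(line):
            ifname, nat_id, rest = m.group(1), int(m.group(2)), m.group(3)
            if nat_id == 0 and rest.startswith("access-list "):
                exempt.add(ifname)       # the exemption form used in the reply
            else:
                leftover.append(line)    # any other nat line should be removed
        elif GLOBAL.match(line):
            leftover.append(line)        # step 1: no global statements remain
    lowest = min(levels.values(), default=0)
    # Assumption: the lowest-security interface needs no exemption of its own.
    missing = sorted(n for n, lvl in levels.items()
                     if lvl > lowest and n not in exempt)
    return leftover, missing


if __name__ == "__main__":
    print(audit_no_nat(SAMPLE_CONFIG))
```

Run it against the output of `write terminal` before step 3, so that `clear xlate` is only issued once both lists come back empty.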


Re: Issue with NAT


Thank you so very much. Excellent answer. The only change I made due to others utilising the pdm was to create individual access lists for the interfaces as the pdm does not allow you to utilise it more than once.

All up and working.

Thanks again.