Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Nat in Pix 515


I'm running a pix 515E for management purposes. I have several nets, one outside, and three inside. I've set up nat between them, since my inside0 has real ip addresses, and 1 & 2 has private addresses. This is working brilliantly.

My problem is a third private net.

It's located behind a 3750. I can reach it ( -> - loopback interfaces) from the 3750, (their directly connected in some of the interfaces) but not from the rest of the units (e.g. my supervisor server). I'm thinking of reaching these via nat in the pix. But no matter what I try, I just can't seem to reach the 172... addresses from my 90.x.x.x network. The mng vlan is terminated on a vlan interface in the 3750 router.

Any pointers would do me great;=)



Re: Nat in Pix 515


Do you have static routes in the PIX for the remote net poing to your internal default gateway?

someting like:-

Internal default Layer 3 router -

IP Subnet behind the 3750 -

PIX config:-

route inside


New Member

Re: Nat in Pix 515


Thanks for reply. Sorry for answering late, I'was taking a couple of days off;=)

Here's my current config regarding the matter:

interface Ethernet1

nameif mng_inside

security-level 100

ip address 90.x.x.1

global (mng_outside) 1 interface

static (mng_inside,RadioMan) 90.x.x.0 netmask // THis line works

static (mng_inside,AlliedMan) 90.x.x.0 netmask //This line works

static (mng_inside,mng_inside) 90.x.x.0 netmask //This line errors

access-group outside_access_in_1 in interface mng_outside

route mng_outside 128.x.x.1 10

route mng_outside 128.x.x.1 9

route mng_inside 1

route mng_inside 90.x.x.1 1

During a packet trace, I get this error:

Type -


Subtype -


Action -


Show rule in NAT Rules table.


static (mng_inside,mng_inside) 90.x.x.0 netmask match ip mng_inside mng_inside any static translation to 90.x.x.0 translate_hits = 0, untranslate_hits = 38

I've also tried the following line instead:

static (mng_inside,mng_inside) 90.x.x.0 netmask

This do not result in a packet trace error - the packet tracer gently confirms that the packet is allowed.

What I'm thinking - since the network is behind the 90.x.x.12 address, maybe my route in the pix should be route inside 90.x.x.12 ?


Re: Nat in Pix 515

The lines:-

static (mng_inside,mng_inside) 90.x.x.0 netmask


static (mng_inside,mng_inside) 90.x.x.0 netmask

Will just not work - what exactly are you trying to do?

New Member

Re: Nat in Pix 515

hi, no ingles solo español, check security level the interface.



CreatePlease to create content