Cisco Support Community
PIX525 - Policy NAT, problem with two outside interfaces

Hi all!

I have a PIX with two virtual outside interfaces, plus inside and dmz interfaces.

Outside 1: outside-205 -

Outside 2: outside-500 -

inside -

dmz -

My task is to translate inside hosts to and dmz hosts - to (using PAT).

Inside hosts are translated correctly, but dmz translation fails with the error

PIX-3-305006: portmap translation creation failed for icmp src dmz:192.168.4.x dst outside-205:x.x.x.x (type 8, code 0)

Here is my configuration:

=== 8< ===

PIX Version 7.2(2)

interface Ethernet0.10
 vlan 205
 nameif outside-205
 security-level 0
 ip address

interface Ethernet0.500
 vlan 500
 nameif outside-500
 security-level 0
 ip address

interface Ethernet1
 no nameif
 no security-level
 no ip address

interface Ethernet1.20
 vlan 20
 nameif inside
 security-level 100
 ip address

interface Ethernet1.30
 vlan 30
 nameif dmz
 security-level 50
 ip address

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

access-list INSIDE-TO-NAT extended permit ip any
access-list DMZ-TO-NAT extended permit ip any

global (outside-205) 1 interface
global (outside-500) 2 interface
nat (inside) 1 access-list INSIDE-TO-NAT
nat (dmz) 2 access-list DMZ-TO-NAT

route outside-205 1
route outside-500 2

=== 8< ===

What am I doing wrong?



Re: PIX525 - Policy NAT, problem with two outside interfaces

Hi .. your configuration is OK. The problem is caused because any packets to the Internet are routed via interface outside-205 .. Inside hosts go out OK because there is a nat-global pair for this access applied to the outside-205 interface; however, the hosts on the dmz don't have a global applied to the outside-205 interface, only to the outside-500 interface, which will only be used when outside-205 is down. The same issue will happen with the inside hosts when outside-500 is up and outside-205 is down.

You could add the line below to get this working:

global (outside-205) 2

I hope it helps .. please rate it if it does
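As an added example that is not part of the thread, the pairing rule Fernando describes (every nat id needs a global on each interface that can carry the traffic out) can be checked mechanically against the nat/global/route lines. The sample below is constructed: the addresses are RFC 5737 placeholders, and both routes are assumed to be default routes with metrics 1 and 2, since the forum extraction dropped the originals.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the poster's config. Addresses are
# placeholders (RFC 5737 documentation ranges), and both routes are assumed
# to be default routes with metrics 1 and 2; the thread only shows the metrics.
PIX_CONFIG = """
global (outside-205) 1 interface
global (outside-500) 2 interface
nat (inside) 1 access-list INSIDE-TO-NAT
nat (dmz) 2 access-list DMZ-TO-NAT
route outside-205 0.0.0.0 0.0.0.0 203.0.113.1 1
route outside-500 0.0.0.0 0.0.0.0 198.51.100.1 2
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+)\b")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+)\b")
ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) \S+")


def missing_globals(config):
    """Return (source_interface, nat_id, egress_interface) for every nat id
    that lacks a global on an interface carrying a default route.  Traffic
    can be routed out of such an interface but has no pool to translate to,
    which is what the PIX-3-305006 'portmap translation creation failed'
    message in the thread reports.  nat 0 (identity NAT) needs no global."""
    nat_source = {}                    # nat_id -> interface the nat applies to
    globals_by_id = defaultdict(set)   # nat_id -> interfaces with a global
    default_egress = set()             # interfaces with a 0.0.0.0/0 route
    for line in config.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            nat_source[int(m.group(2))] = m.group(1)
        elif m := GLOBAL_RE.match(line):
            globals_by_id[int(m.group(2))].add(m.group(1))
        elif m := ROUTE_RE.match(line):
            if m.group(2) == "0.0.0.0" and m.group(3) == "0.0.0.0":
                default_egress.add(m.group(1))
    findings = []
    for nat_id, src_if in sorted(nat_source.items()):
        if nat_id == 0:
            continue
        for egress in sorted(default_egress - globals_by_id[nat_id]):
            findings.append((src_if, nat_id, egress))
    return findings


if __name__ == "__main__":
    for src_if, nat_id, egress in missing_globals(PIX_CONFIG):
        print(f"nat ({src_if}) {nat_id} has no global on {egress}")
```

On the sample it reports both the dmz-to-outside-205 gap Fernando identifies and the mirror inside-to-outside-500 gap he mentions for the failover case; appending his `global (outside-205) 2` line clears the dmz finding.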


Re: PIX525 - Policy NAT, problem with two outside interfaces

Thanks, Fernando, I’ve added

"global (outside-205) 2"

to my configuration, and it really helped to get rid of the message "portmap translation failed".

But... The problem still exists.

For example, when I try to connect to some external www-server from a host in the dmz, I get the following error:

PIX-7-710005: TCP request discarded from x.x.x.x/80 to outside-500:

As I understand it, the PIX doesn't have a valid translation entry for interface outside-500 (but does for outside-205?) and so doesn't expect a reply from the remote www-server?

Here is part of my translation table from "show xlate detail":

TCP PAT from dmz:192.168.4.x/32990 to outside-205(DMZ-TO-NAT): flags ri

Do I need to add some static entries or additional access-lists?

Thanks in advance!


Re: PIX525 - Policy NAT, problem with two outside interfaces

Hmm... The problem still exists.

I've tried everything, but it doesn't help!

Someone, please, help me!
