Cisco Support Community
Community Member

Understanding outside NAT w/ NAT 0 (pix5153: 6.3(5))


I was trying to configure outside nat to allow a host on the dmz (FLSM) interface to telnet to a host on the inside interface. I gave up and called Cisco TAC. They were able to get it to work for me by combining a nat 0 command with outside nat. But I don't understand how this works. There's a good possibility that I'll have to duplicate, troubleshoot or modify the configuration and I want to know how this works before I get into a situation where I'm making changes and not understanding their impact.

The main rule that I follow when tshooting/understanding the pix is that it goes:

Into the interface>ACL>NAT>Routing>out another interface.

It looks to me like:

1. traffic hits the FLSM interface

2. traffic passes the ACL (permit ip any any)

3. traffic from the FLSM interface to the inside is not being nat'd via the nat 0 command except for traffic to

4. the line "static (inside,FLSM) netmask 0 0" lets the pix accept traffic for that ip on the FLSM interface

5. the pix forwards the traffic out the inside interface to the real host

Even that doesn't quite seem to make sense.

Why is there a nat 0 command at all?

Why is not not nat'd? (Not a typo.)

Where does the outside nat statement get applied "nat (FLSM) 2 outside 0 0"?

Here's the config:

515e# sh ru
: Saved
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 FLSM security50
enable password xxx encrypted
passwd xxx encrypted
hostname 515e
domain-name net.internal
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list FLSM permit ip any any
access-list FLSM1 deny ip any host
access-list FLSM1 permit ip any
pager lines 200
logging on
logging timestamp
logging monitor debugging
no logging message 710005
mtu outside 1500
mtu inside 1500
mtu FLSM 1500
ip address outside dhcp setroute
ip address inside
ip address FLSM
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 2 interface
nat (FLSM) 0 access-list FLSM1
nat (FLSM) 1 0 0
nat (FLSM) 2 outside 0 0
static (inside,FLSM) netmask 0 0
access-group FLSM in interface FLSM
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet timeout 5
ssh outside
ssh inside
ssh FLSM
ssh timeout 60
console timeout 0
dhcpd address FLSM
dhcpd lease 692100
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable FLSM
terminal width 80

Hall of Fame Super Blue

Re: Understanding outside NAT w/ NAT 0 (pix5153: 6.3(5))


Easy one first.

To allow traffic from a lower to a higher security interface you need an access-list and a static translation.


static (inside,FLSM) netmask 0 0

is presenting the internal server to the DMZ as It's a peculiarity of the pix that even when you don't want to change the address you still have to set up NAT. With other vendor firewalls you don't need this.

The second bit is a bit more confusing. The nat (FLSM) 0 statement says do not translate the DMZ addresses to anything else. So within your network there must be a route back to the DMZ network.

I agree that the nat FLSM 2 statement is confusing. What this is saying is translate all the DMZ addresses to the inside interface address when traffic comes from the DMZ to the inside.

I suspect the nat 0 is overriding this. Either should work as far as I can see.
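To make the order of operations concrete, here is an added Python model (not code from the thread, and not the PIX's own logic) that walks one new connection through the steps the question lists (ingress interface, ACL, NAT, then out the egress interface; routing is taken as already done, so the egress interface is an input) using the posted config. It shows the three outcomes the reply describes: a static is what lets DMZ-to-inside traffic be accepted at all, the nat 0 access-list exemption is consulted before nat/global so a permitted flow keeps its source address, and with the nat 0 line removed the "nat (FLSM) 2 outside" entry takes over and PATs the source to the inside interface address, which is why either variant works. All addresses are constructed RFC 5737 test values because the thread's addresses were stripped, and the contents of access-list FLSM1 (one denied host, one permitted network) are assumed.

```python
import ipaddress

# Constructed topology (RFC 5737 test addresses; the thread's real addresses are not
# on the page).  name -> (security level, interface address)
IFACES = {
    "outside": (0, "203.0.113.2"),
    "inside": (100, "192.0.2.1"),
    "FLSM": (50, "198.51.100.1"),
}
# Access lists as (action, destination network); only "ip any <dst>" entries are modelled.
# FLSM1's entries are assumed: the thread shows "deny ip any host" and "permit ip any"
# with the addresses stripped.
ACLS = {
    "FLSM": [("permit", "0.0.0.0/0")],
    "FLSM1": [("deny", "192.0.2.50/32"), ("permit", "192.0.2.0/24")],
}
ACCESS_GROUP = {"FLSM": "FLSM"}                  # access-group FLSM in interface FLSM
NAT0_ACL = {"FLSM": "FLSM1"}                     # nat (FLSM) 0 access-list FLSM1
NATS = [("FLSM", 1, False), ("FLSM", 2, True)]   # nat (FLSM) 1 0 0 / nat (FLSM) 2 outside 0 0
GLOBALS = {("outside", 1): "interface", ("inside", 2): "interface"}
# static (inside,FLSM) <ip> <ip> netmask 255.255.255.255, modelled as
# (real_if, mapped_if, address); two identity statics are assumed here.
STATICS = [("inside", "FLSM", "192.0.2.10"), ("inside", "FLSM", "192.0.2.50")]


def acl_permits(acl_name, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, net in ACLS[acl_name]:
        if ipaddress.ip_address(dst) in ipaddress.ip_network(net):
            return action == "permit"
    return False


def has_static(real_if, mapped_if, mapped_ip):
    return (real_if, mapped_if, mapped_ip) in STATICS


def translate(in_if, out_if, src, dst, nat0_acl=NAT0_ACL):
    """Return (verdict, source address as seen on out_if) for one new connection."""
    in_sec, _ = IFACES[in_if]
    out_sec, out_ip = IFACES[out_if]
    # 1. Inbound ACL on the ingress interface.
    grp = ACCESS_GROUP.get(in_if)
    if grp and not acl_permits(grp, dst):
        return (f"DROP: denied by access-list {grp}", None)
    # 2. Lower- to higher-security traffic needs a static that presents dst on in_if;
    #    without one the PIX drops the packet ("No translation group found", syslog 305005).
    if in_sec < out_sec and not has_static(out_if, in_if, dst):
        return (f"DROP: no translation group found (no static for {dst} on {in_if})", None)
    # 3. NAT exemption (nat 0 access-list) is consulted before any nat/global pair,
    #    so a flow it permits keeps its real source address.
    if in_if in nat0_acl and acl_permits(nat0_acl[in_if], dst):
        return ("PASS: nat 0 exemption, source unchanged", src)
    # 4. Dynamic NAT: plain nat entries apply toward lower security, entries with the
    #    "outside" keyword apply toward higher security; the global on the egress
    #    interface with the same id supplies the mapped address (here the interface IP).
    for iface, nat_id, outside in NATS:
        if iface != in_if or outside != (in_sec < out_sec):
            continue
        if GLOBALS.get((out_if, nat_id)) == "interface":
            return (f"PASS: nat {nat_id} -> global ({out_if}) {nat_id} interface, PAT", out_ip)
    return ("DROP: no translation group found (no matching nat/global)", None)


if __name__ == "__main__":
    dmz_host = "198.51.100.20"   # constructed DMZ (FLSM) host
    for dst in ("192.0.2.10", "192.0.2.50", "192.0.2.99"):
        print(dst, translate("FLSM", "inside", dmz_host, dst))
    print("without nat 0:", translate("FLSM", "inside", dmz_host, "192.0.2.10", nat0_acl={}))
    print("to outside:", translate("FLSM", "outside", dmz_host, "203.0.113.200"))
```

Running it prints one line per case: the telnet target covered by both the static and the FLSM1 permit passes with its DMZ source intact; the host FLSM1 denies still passes (it has a static) but arrives from the inside interface address via nat 2; a host with no static is dropped; removing the nat 0 line moves the first case onto nat 2 as well. The practical consequence for troubleshooting is the one the reply hints at: with the exemption in place the inside hosts must have a route back to the DMZ network, whereas under nat 2 they only ever see the inside interface address.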


