
Pix 515E and NAT


I'm currently bringing together my three management networks. Network 1 (with real IP addresses, hereby named RealNet) is already behind the firewall on the inside interface with security level 100. Working like a charm.

The two other nets are Fake2 (situated on eth2) and Fake3 (situated on eth3).

What I want to do is access Fake2 and Fake3 from RealNet. All three interfaces have security level 100, but I can't seem to contact my hosts on Fake2 & 3 at all. I've tried to set up some form of NAT, just to try that, but shouldn't my PIX recognize all its nets? I'll post my config along, without any access rules, since they only apply from the outside interface -> RealNet. Does anyone see any obvious faults?


Kind regards,


fw# sh run
: Saved

PIX Version 7.2(1)

hostname fw

interface Ethernet0
 nameif mng_outside
 security-level 0
 ip address

interface Ethernet1
 nameif RealNet
 security-level 100
 ip address

interface Ethernet2
 nameif Fake2
 security-level 100
 ip address

interface Ethernet3
 nameif Fake3
 security-level 100
 ip address

interface Ethernet4
 no nameif
 no security-level
 no ip address

interface Ethernet5
 no nameif
 no security-level
 no ip address

ftp mode passive
dns server-group DefaultDNS
 domain-name xxx.xx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging enable
logging timestamp
logging buffered debugging
logging trap warnings
logging asdm informational
mtu mng_outside 1500
mtu RealNet 1500
mtu Fake2 1500
mtu Fake3 1500
no failover
icmp deny any echo mng_outside
asdm image flash:/asdm-521.bin
no asdm history enable
arp timeout 14400
global (mng_outside) 1 interface
nat (Fake3) 1
access-group outside_access_in_1 in interface mng_outside
route mng_outside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
username RealXXX password yep, i've got one. encrypted privilege 15
aaa authorization command LOCAL
http server enable
http mng_inside
snmp-server location Hovden
snmp-server contact Noone
snmp-server community xxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 30
ssh RealNet
ssh RealNet
ssh timeout 5
console timeout 5
management-access RealNet
dhcpd address Fake2
dhcpd dns <<Some DNS Server>> interface Fake2
dhcpd domain xxx.xx interface Fake2
dhcpd enable Fake2

dhcpd address Fake3
dhcpd dns <<Some DNS Address>> interface Fake3
dhcpd domain xxxx.xx interface Fake3
dhcpd enable Fake3

ntp server source RealNet prefer
prompt hostname context
: end


Re: Pix 515E and NAT


static (RealNet,Fake2) 90.x.85.0 90.x.85.0
static (RealNet,Fake3) 90.x.85.0 90.x.85.0
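As an added worked example (not part of the thread), the full identity-NAT form of those two lines with the netmask keyword, together with the interaction with the posted nat (Fake3) 1 rule; the subnet masks, the Fake3 range (192.0.2.0/24) and the host addresses are assumed placeholders, since the post redacts its real addresses.

```cisco
! Added example, not from the thread. Masks and the Fake3 range are assumed.
!
! 1. Traffic between interfaces at the same security level is blocked until
!    this is set (already present in the posted config):
same-security-traffic permit inter-interface
!
! 2. Identity static (mapped address == real address) so RealNet is reachable
!    unchanged from Fake2 and Fake3. Without 'netmask' a static covers a
!    single host only; with it the whole subnet is exempted from translation.
static (RealNet,Fake2) 90.x.85.0 90.x.85.0 netmask 255.255.255.0   ! mask assumed
static (RealNet,Fake3) 90.x.85.0 90.x.85.0 netmask 255.255.255.0   ! mask assumed
!
! 3. Caveat: the posted 'nat (Fake3) 1' only has a matching global on
!    mng_outside. A flow from a Fake3 host towards RealNet matches NAT id 1,
!    finds no global on RealNet and is dropped (syslog 305005,
!    "No translation group found"). Give the Fake3 subnet an identity static
!    towards RealNet as well, so the hosts can reach each other either way:
nat (Fake3) 1
global (mng_outside) 1 interface
static (Fake3,RealNet) 192.0.2.0 192.0.2.0 netmask 255.255.255.0   ! Fake3 subnet assumed
!
! 4. Note that identity NAT only exempts from translation; with no access-group
!    on RealNet, Fake2 or Fake3, all three management nets become mutually
!    reachable, so add per-interface ACLs if that is not intended.
!
! 5. Verify both directions with packet-tracer (available from PIX 7.2(1)):
packet-tracer input RealNet tcp 90.x.85.10 1025 192.0.2.10 23
packet-tracer input Fake3 tcp 192.0.2.10 1025 90.x.85.10 23
```

The second packet-tracer run is the one that exposes the missing-global drop from step 3 if the Fake3 identity static is left out.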


Re: Pix 515E and NAT


Sorry for posting so late, I had to put it away for some time. Other stuff to do.

Well, now I've tried your two lines (and I've removed my other NAT rules, just to rule out other problems with them). I do a packet trace, and a telnet packet from RealNet to Fake1 works (finds no errors). But I can't connect to anything on any of those two networks...

I just replaced some of the lines with the following:

static (RealNet,Fake2) netmask
static (RealNet,Fake1) netmask

That worked, but when I do a packet trace, it fails.

But somehow telnet works here.

