Cisco Support Community
Community Member

help with NAT scenario

I have a need for a single IP host to connect through the outside interface of a PIX (6.3) to any destination host on the inside network. There are dozens of addresses they need to connect to, and I need to do some sort of no-NAT so they can translate to themselves. I cannot just NAT the whole network to itself, as it will break other static NAT statements for the subnet that are in place. I only want this single outside host to be able to connect to any inside address without having to define a static translation for every possible destination address. How do I set this up?

Community Member

Re: help with NAT scenario

Just leave the static statement for the net at the bottom of all configured statics on the PIX. The PIX processes the static statements from top to bottom. Be careful with the outside ACLs not to leave access from anyone to

Community Member

Re: help with NAT scenario

So you are saying put in:

static (inside,outside)

and it won't override any existing statics I have for hosts within that range?

Community Member

Re: help with NAT scenario

Hello Matt,

Yep! But remember to keep this translate statement at the bottom of all existing statics defined on the PIX. Also, once in a while a bit of maintenance has to be done. If you add some more statics into that range, the existing static must be removed and then re-added to the config to ensure proper 'translating'. Also a clear xlate has to be done for the newest hosts added.

You may verify proper translate configuration using the commands:

show local detail

show xlate local det


Re: help with NAT scenario

Hi .. perhaps the easiest way to do it is .. as you already suggested -- bypassing NAT.

1.- nat (outside) 0 access-list NO_NAT outside

access-list NO_NAT permit ip host x.x.x.x

where x.x.x.x is the outside host

2.- Allow that access on the access-list applied to the outside interface

3.- Make sure you also bypass NAT for traffic initiated on the inside towards the outside host

nat (inside) 0 access-list NO_NAT_Inside

access-list NO_NAT_Inside permit ip host x.x.x.x

4.- Allow that access on the access-list applied to the inside interface.

I hope it helps .. please rate it if it does !!!
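The four steps above collected into one PIX 6.3 configuration fragment. This is an added example, not the poster's own config: the outside host 203.0.113.10, the inside network 10.1.0.0/16, the two existing per-host statics and the ACL names NO_NAT, NO_NAT_Inside, OUTSIDE_IN and INSIDE_IN are all constructed sample values.

```cisco
! Existing per-host statics are left untouched (constructed sample values);
! NAT exemption does not replace or reorder them.
static (inside,outside) 198.51.100.21 10.1.1.21 netmask 255.255.255.255
static (inside,outside) 198.51.100.22 10.1.1.22 netmask 255.255.255.255

! Step 1: exempt traffic from the single outside host to any inside address
! from translation, so no per-destination static is needed.
! PIX 6.3 access-lists take a subnet mask, not a wildcard mask.
access-list NO_NAT permit ip host 203.0.113.10 10.1.0.0 255.255.0.0
nat (outside) 0 access-list NO_NAT outside

! Step 2: the exemption only bypasses NAT; the outside ACL is what authorises
! the connection. Permit only this host and only the inside network.
access-list OUTSIDE_IN permit ip host 203.0.113.10 10.1.0.0 255.255.0.0
access-group OUTSIDE_IN in interface outside

! Step 3: exempt inside-initiated traffic towards that host as well.
! Here the source is the inside network and the destination the outside host.
access-list NO_NAT_Inside permit ip 10.1.0.0 255.255.0.0 host 203.0.113.10
nat (inside) 0 access-list NO_NAT_Inside

! Step 4: only if an ACL is already applied inbound on the inside interface
! (INSIDE_IN is an assumed name for such an existing list). Appending this line
! to an existing list keeps its other entries; applying a brand-new list with
! only this entry would cut off all other outbound traffic.
access-list INSIDE_IN permit ip 10.1.0.0 255.255.0.0 host 203.0.113.10
access-group INSIDE_IN in interface inside

! Flush existing translations so the new rules apply, then verify.
clear xlate
show xlate detail
```

Two practical notes. `permit ip` on the outside ACL is as broad as the question asked for; if the outside host only needs a handful of services, narrow OUTSIDE_IN to those protocols and ports, since the nat 0 exemption itself grants nothing and the ACL is the only control on what that host can reach. After any change to `nat` or `static` lines, run `clear xlate` and confirm with `show xlate detail` that connections from 203.0.113.10 appear with the inside addresses untranslated and that the existing statics still show their expected mappings.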
