Cisco Support Community

New Member

NAT Failing to Work in the Admin Context (Ver 7)


I have a strange issue when configuring NAT in the Admin context of my PIX ver.7 FW! When applying the following configuration:

NAT (inside) 1 0 0

global (outside) 1

And tracing how the natting part works with "debug icmp trace", I see the inside addresses not being translated and the ping from inside to outside fails. However, when replacing the NAT and global commands with "stat (inside,outside) <my internal subnet> <my internal subnet> net <netmask>" the translation here works.

When applying similar NAT and Global rules on the other security context (CTX1) the translation works fine.

Does anybody have an idea on what could be the problem? I'm posting my Admin context configuration below for your review:

PIX Version 7.0(4) <context>


hostname pixfirewall



interface Ethernet1

nameif inside

security-level 100

ip address standby


interface Ethernet0

nameif outside

security-level 0

ip address standby


passwd 9ghfCrNHTpkZOynK encrypted

access-list out extended permit icmp any any

access-list in extended permit icmp any any

no pager

logging asdm informational

mtu inside 1500

icmp permit any inside

no asdm history enable

arp timeout 14400

global (outside) 1

nat (inside) 1

access-group in in interface inside

access-group out in interface outside

route inside 1

route inside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh inside

ssh timeout 5

dhcpd lease 3600



Cisco Employee

Re: NAT Failing to Work in the Admin Context (Ver 7)

Hi Haitham

Try to enable "inspect icmp error", it should fix this issue.