Cisco Support Community

Nat from outside to inside PIX 515-E - 6.3(4)


I am pretty new to PIX (version 6.3) and I am trying, from my PC on the outside ( , to ping the inside interface ( or any host on the inside.

Here is my configuration, I do not understand why it is not working.

- I authorized icmp on both interfaces

- I put an access-list on the outside interface.

- I created a static translation between outside and inside interface.

: Written by enable_15 at 10:38:55.840 UTC Tue Jul 11 2006
PIX Version 6.3(4)
interface ethernet0 100full
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname pix
domain-name goeland.intra
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol icmp error
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list permitall permit icmp
access-list 101 permit icmp host host
pager lines 24
logging on
logging trap debugging
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
nat (inside) 0 0 0
static (inside,outside) netmask 0 0
access-group permitall in interface outside
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet inside
telnet timeout 5
ssh timeout 5
console timeout 0
terminal width 80
: end

My PC gateway is and I never see a hit count on access-list permitall, but I see the icmp packet exit my PC. From the PIX, I can ping my PC (connected with the console).

Thanks for your help.

Best regards,



Re: Nat from outside to inside PIX 515-E - 6.3(4)

From your PC can you ping That is what your static translation is setup for.


Re: Nat from outside to inside PIX 515-E - 6.3(4)


I cannot ping this address.

I also tried to translate to => Not OK

With ethereal, when pinging, I see the ping exit from but nothing occurs on the PIX (I activated "debug icmp trace" and "debug packet outside"). When pinging from, the ping is OK.

I can ping the from the PIX (console connection).

Best regards,


Re: Nat from outside to inside PIX 515-E - 6.3(4)

Your static command is actually translating to I don't believe this is what you are trying to do. If you want to have your outside source appear as a different IP follow the NAT Outside documentation. Attached below.

Ultimately what you are trying to do is allow internal addresses to be accessed by an external host. What you should use is a Policy NAT 0 with an access-list. This will avoid the Xlate requirement for your outside host but still have Xlates for other apps.

Here is a sample configuration (I have something similar in production).

access-list Outside_Host permit ip host host
! next statement is more general but you could make it more subnet specific
access-list Outside_Host permit ip any host
nat (inside) 0 access-list Outside_Host

Please rate any helpful posts



Re: Nat from outside to inside PIX 515-E - 6.3(4)

Hi .. your static sentence ...

static (inside,outside) netmask 0 0

is making appear as to the outside network. So if you want to reach the inside device from the outside network, you have to ping ; the destination will be redirected (NATed) by the PIX to .. Is this what you are trying to achieve ..? Or do you want to be able to reach directly (without NATing) ..?

If you want to reach directly then you need to bypass NAT ..

nat (inside) 0 access-list NO_NAT
nat (outside) 0 access-list NO_NAT outside
access-list NO_NAT permit icmp
access-list NO_NAT permit icmp

I hope it helps .. Please rate if it does !!!
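As an added illustration, not code from this thread or from Cisco, the following Python models the two PIX 6.3 behaviours the last two replies hinge on: an outside host has to target the static's global address to reach the local one (pinging the real inside address gives no xlate and the packet is dropped), while a "nat (inside) 0 access-list" exemption lets the listed inside hosts be reached at their real addresses. The sample config, its RFC 5737 addresses and the ACL name NO_NAT are constructed placeholders, not the poster's values.

```python
"""Model how a PIX 6.3 resolves an outside-initiated packet against
'static (inside,outside) GLOBAL LOCAL netmask M' and NAT exemption via
'nat (inside) 0 access-list NAME'. Constructed model, not Cisco code."""
import ipaddress
import re
STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
NAT0_RE = re.compile(r"^nat \((\w+)\) 0 access-list (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit (\S+) (.+)$")
SAMPLE_CONFIG = """\
static (inside,outside) 203.0.113.100 192.0.2.98 netmask 255.255.255.255 0 0
access-list NO_NAT permit ip host 192.0.2.50 host 198.51.100.7
nat (inside) 0 access-list NO_NAT
"""  # constructed sample with RFC 5737 placeholder addresses, not the thread's

def _addr_spec(tok):  # consume one ACL address spec: any | host A | A MASK
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def parse(config):
    """Return ([(global_net, local_net)], {exempt ACL names}, {acl: [(src, dst)]})."""
    statics, exempt, acls = [], set(), {}
    for line in (l.strip() for l in config.splitlines()):
        if m := STATIC_RE.match(line):
            _, _, glob, local, mask = m.groups()
            statics.append((ipaddress.ip_network(f"{glob}/{mask}", strict=False),
                            ipaddress.ip_network(f"{local}/{mask}", strict=False)))
        elif m := NAT0_RE.match(line):
            exempt.add(m.group(2))
        elif m := ACL_RE.match(line):
            name, _proto, rest = m.groups()
            src, rest = _addr_spec(rest.split())
            dst, _ = _addr_spec(rest)
            acls.setdefault(name, []).append((src, dst))
    return statics, exempt, acls

def resolve_inbound(config, src, dst):
    """('exempt', real addr) | ('static', translated addr) | ('none', None):
    'none' means no xlate, so the PIX drops the packet (the thread's symptom)."""
    statics, exempt, acls = parse(config)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Exemption wins over statics; its ACL is written src=inside, dst=outside.
    for name in exempt:
        if any(d in i and s in o for i, o in acls.get(name, [])):
            return "exempt", str(d)
    for glob_net, local_net in statics:
        if d in glob_net:  # keep host offset so subnet statics also work
            return "static", str(local_net.network_address + (int(d) - int(glob_net.network_address)))
    return "none", None
```

Running resolve_inbound(SAMPLE_CONFIG, "198.51.100.7", "192.0.2.98") returns ("none", None), which is the "ping the real address from outside" case, while targeting 203.0.113.100 reaches 192.0.2.98 through the static and 192.0.2.50 is reached directly through the exemption.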

Re: Nat from outside to inside PIX 515-E - 6.3(4)

Fernando picked up on my mistake; he's right on your current NAT statement, it's doing .100 not .98. Typo on my part. They did add the outside command in 6.3, but I've found that outside-to-inside works with just the standard NAT 0 command using an access-list with the destination subnet. I have had this working in production before the outside command was released. Either configuration should work for you. Fernando's configuration would have more validity with the TAC.


