Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

NAT from outside to inside

Hi all!

It is needed to place a NAT from outside to the inside on a PIX506E with OS 6.2(2). The traffic arrives to the outside interface via IPSec tunnel. After the decryption the source address of the packets is from the subnet. A part of these packets are destined to a host with IP address and port 6004 behind the inside interface. This host needs to see a source address, so the ip addresses of the incoming packets must be translated into The other part of the incoming packets mustn't be translated. How can I manage to filter the NAT on the 506E?




Re: NAT from outside to inside

You'll need 6.2, but I think this is exactly what you are trying to achieve.


New Member

Re: NAT from outside to inside

Hi Matt, I have met with this documentation and it is very usefull if you do not prform IPSec. With the IPSec it doesn't work. The procedure should be done on the PIX like the following:

1. IPSec arrives to the outside interface and the decryption takes place

2. The source address of a part of the decrypted packets must be translated (NAT) into a specific internal IP address, in case of the rest of the packets no translation is needed

3. All the packets leave the PIX through the inside interface

Anyway in the documentation how does the access-list 101 work? It works but I cannot understand which way? The source and the destionation network are the same:

access-list 101 permit ip


Re: NAT from outside to inside

That might be the case- after decrypting packets from the outside int., the pix might then directly place them on the inside int, and not give it a chance to nat

The access-list/conduit is to allow those hosts in - in the example and .141 are globals assigned to the pix. To allow communication to them, ports must be opened as the pix is the device in the arp cache for them on that subnet - the other machines on that subnet talk to .140 and .141 as if they were on the same subnet, while they are really behind the pix.

CreatePlease to create content