Cisco Support Community
Community Member

natting on DMZ & inside interface

I have a router connecting to the internet using ISDN and a PIX with a DMZ behind it. My router will do the natting. My concern is: do I need to configure any nat command on the PIX in order to allow DMZ and inside users to access the internet, besides the nat command for inside users to access the DMZ server? All 3 of my interfaces are using private IP addresses.


Re: natting on DMZ & inside interface

If the PIX does not have to do any kind of natting, then you should use the 'nat 0' command:

'nat (inside) 0 access-list xxx'

'nat (dmz) 0 access-list yyy'

The addresses that match the access-list will not be natted.

Kind Regards,


Community Member

Re: natting on DMZ & inside interface

Hi Tom, thanks for the response.

How should the access-list?

On the PIX, I have the following:

> ip address inside

> ip address outside

> ip address dmz

> static (inside,outside) netmask

> route outside

On the router, I have something like:

> ip route dialer1

> ip route

> int fastethernet0

> ip address

> ip nat inside

> int dialer1

> ip address dhcp

> ip nat outside

> ip nat inside source list 1 interface dialer1 overload

> access-list 1 permit any

Cisco Employee

Re: natting on DMZ & inside interface

The static you have defined will do the trick for you. You would also want:

static (dmz,outside) netmask

Personally though, I would do this a little differently. By using statics you're still running each packet through the whole NAT process within the PIX; you're just NAT'ing it to the same address. You're better off simply not NAT'ing this traffic at all, which puts less load on the PIX. Instead of the statics, do the following:

nat (inside) 0

nat (dmz) 0

The "nat 0" says don't NAT this traffic specifically. It'll just be passed through the PIX and onto the router which will do the NAT'ing for you.
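
A sketch of the two `nat 0` forms suggested in the replies above, added here as an example and not taken from any poster's configuration. The subnets and access-list names are constructed, since the thread's own addresses are not shown; lines starting with `:` are comments.

```cisco
: Constructed addressing (assumption, not from the thread):
:   inside 192.168.1.0/24, dmz 192.168.2.0/24, both private and
:   translated later by the router ("ip nat inside source ... overload").

: Form 1: NAT exemption, the 'nat (if) 0 access-list' style from the
: first reply. Traffic matching the access-list crosses the PIX with its
: real address. Scope each ACL to the real subnet behind that interface;
: a "permit ip any any" here would exempt every source, including
: addresses that should never appear on that interface.
access-list nonat_inside permit ip 192.168.1.0 255.255.255.0 any
access-list nonat_dmz permit ip 192.168.2.0 255.255.255.0 any
nat (inside) 0 access-list nonat_inside
nat (dmz) 0 access-list nonat_dmz

: Form 2: identity NAT, the plain 'nat (if) 0 <network> <mask>' style
: from the last reply. Use it instead of Form 1, not together with it.
: nat (inside) 0 192.168.1.0 255.255.255.0
: nat (dmz) 0 192.168.2.0 255.255.255.0

: Difference that matters for policy:
:   Form 1 lets hosts on either side start a connection, as long as the
:   interface access-lists permit it.
:   Form 2 only lets hosts behind the nat'ed interface start connections.
: Neither form replaces interface access-lists: traffic from a lower
: security interface to a higher one still needs an explicit permit
: bound with access-group.
```

Because the router's `access-list 1 permit any` translates whatever source reaches it, the PIX exemption lists are the place where the set of forwarded source networks is actually constrained.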
