Cisco Support Community

New Member

no translation between intranet networks needed on PIX 520

We want to run a PIX 520 FW (V6.1.1) within our intranet (not to the Internet).

This way, both interfaces, inside and outside, have RFC1918 addresses which we maintain ourselves, and therefore there is no need for any address translation.

We want to be able to restrict access to and from the "outside" interface by protocols (access-lists), but we do not want any address translation (NAT, PAT) to take place, neither inbound nor outbound.

Can you show me what a sample configuration should look like which prevents any translation (no NAT or PAT; keep the original addresses)?

I tried nat (inside) 0 0 0 for outbound traffic, which works, and static entries like

static (inside,secure) RZ_FwdProxy RZ_FwdProxy netmask 0 0

static (inside,secure) int_dns_pri int_dns_pri netmask 0 0

static (inside,secure) int_dns_sec int_dns_sec netmask 0 0

static (inside,secure) NMS NMS netmask 0 0

static (inside,secure) timeSrvU310 timeSrvU310 netmask 0 0

static (inside,secure) timeSrvU320 timeSrvU320 netmask 0 0

for inbound traffic, which works as well, but for many inbound addresses this would be a very administrative way of doing it.

Is there an easier way?

How do we define the PIX in order not to have any translations inside to outside and back?

The purpose behind all this is to have a more secure "internal" LAN/subnet than the rest of our intranet.

New Member

Re: no translation between intranet networks needed on PIX 520

I am doing almost the same thing: I use the PDM to add a NAT group, but under the address pools option I use the same address. This added the following line to the PIX configuration:

nat (inside) 0 0 0

but I am trying to find out what all the "0"s in the line mean. That fixed my problem, though, allowing me to use access rules to restrict traffic from the inside to any lower-security interface.

New Member

Re: no translation between intranet networks needed on PIX 520

The first 0 is the NAT ID.

Both zeroes at the end stand for the translated IP address and mask; since you use the same, they are 0 (I suppose).

My problem is not having no translation outbound (this works with such a NAT statement; see the initial message), but how do I tell a PIX 520 NOT to do any inbound translation? Defining individual static statements is too tedious; I think there should be one statement, or even better none at all.

Who knows how?

New Member

Re: no translation between intranet networks needed on PIX 520


Assuming that you use as your internal address block, the following command allows you to set up a static without translation:

static (inside, outside)

You do need to set up an access-list for the traffic allowed in.
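A worked configuration of what this answer describes, added here as an example and not taken from the thread or from Cisco documentation: a single network-wide identity static for inbound traffic, identity NAT (NAT ID 0) for outbound traffic, and access-lists on both interfaces so that only the permitted protocols cross. The addressing (10.1.0.0/16 on "outside", 10.2.0.0/16 on "inside"), the interface names, the access-list names and the example service hosts are all assumptions; the original answer's address block was lost from the page. Lines starting with ":" are configuration comments.

```cisco
: Added example, not from the original thread. Assumed addressing:
: the less-trusted intranet is 10.1.0.0/16 on "outside",
: the protected LAN is 10.2.0.0/16 on "inside"; both RFC1918, routed as-is.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 10.1.0.1 255.255.0.0
ip address inside 10.2.0.1 255.255.0.0

: Outbound (inside -> outside): NAT ID 0 means identity translation, no
: address change. "0 0" in the posts is shorthand for 0.0.0.0 0.0.0.0,
: i.e. every inside source address.
nat (inside) 0 0.0.0.0 0.0.0.0

: Inbound (outside -> inside): one identity static for the whole inside
: block replaces one "static (inside,outside) X X netmask 255.255.255.255 0 0"
: per host. Global and local address are identical, so nothing is rewritten;
: the static only makes the block reachable from the lower-security side.
: Remove any per-host statics inside 10.2.0.0/16 first, because an
: overlapping static is rejected by the PIX.
static (inside,outside) 10.2.0.0 10.2.0.0 netmask 255.255.0.0 0 0

: Inbound policy: the static alone admits nothing; the access-list decides.
: Assumed services on the protected LAN: DNS on 10.2.0.53, NTP on 10.2.0.123.
access-list outside_in permit udp 10.1.0.0 255.255.0.0 host 10.2.0.53 eq domain
access-list outside_in permit tcp 10.1.0.0 255.255.0.0 host 10.2.0.53 eq domain
access-list outside_in permit udp 10.1.0.0 255.255.0.0 host 10.2.0.123 eq ntp
access-list outside_in deny ip any any
access-group outside_in in interface outside

: Outbound policy: without a list, inside may reach anything on outside.
: Restrict it to what the protected LAN actually needs (assumed: web and
: an upstream resolver at 10.1.0.53).
access-list inside_out permit tcp 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0 eq www
access-list inside_out permit udp 10.2.0.0 255.255.0.0 host 10.1.0.53 eq domain
access-list inside_out deny ip any any
access-group inside_out in interface inside
```

Two things to check after applying it: show xlate should list identity entries (the same address on both sides) for hosts that have passed traffic, and show access-list hit counts should increase only on the permit lines you expect. Note that a static governs both directions for the addresses it covers, so inside hosts within the static's block are identity-translated outbound by the static itself; the nat (inside) 0 line still matters for any inside address outside that block. The security separation here comes entirely from the access-lists and the interface security levels, not from the absence of translation.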

New Member

Re: no translation between intranet networks needed on PIX 520

Thanks for your answers.

Just to make sure I understand you correctly:

Does this mean that each outside address accessing any address within this range on the inside will not be translated at all and will appear on the inside as it does on the outside?

e.g. on the outside accessing on the inside would still appear as on the inside?

Side remark:

I suppose the exact statement syntax (in V6.1) should be:

static (inside, outside) netmask 0 0

shouldn't it?

Isn't there a static statement which says that any address from the outside to any address on the inside shall not be translated?

Probably something like:

static (inside, outside) netmask 0 0

Does this work?

Any answers are appreciated very much. Thank you in advance.