Cisco Support Community


Outside NAT


We have a Cisco PIX 525 running 6.3(3)

I am trying to NAT the source address of a server on a DMZ only when the server needs to talk to a specific server on the inside interface.

All other traffic from the dmz to any interface should not be NATed.

i.e. when server (dmz) talks to server (inside) its source address is NATed to

and when server (dmz) talks to any other networks on the inside, no NAT takes place (nat 0)

Could you tell me if this is possible please?

I have played around with the following:

# static (dmz, inside) access-list NAT-dmz

# access-list NAT-dmz permit ip host host

# nat (dmz) 0 access-list NoNAT-dmz

# access-list NoNAT-dmz permit ip host

# access-list NoNAT-dmz permit ip host

I could ping the NAT address from the LAN; however, I couldn't ping the server address (inside) from the server (dmz), which made me think that the NAT is not bi-directional?

This is a problem as the NAT needs to happen when the server on the DMZ ( establishes a connection to the server on the inside (

Please note that access-lists have been applied to the inside and dmz interfaces permitting traffic to flow between the two interfaces.

Thanks, Paddy

New Member

Re: Outside NAT

Unfortunately, I don't have enough time to explain the solution in detail, but you can achieve what you want. One way of doing this is:

- Configure a Global statement to inside interface with IP address of

- Configure NAT+Access List on the DMZ interface related with the global statement and where the ACL is triggered only by

Don't forget to configure ACL+ACG on the DMZ interface, since it is a lower-security interface that wishes to communicate with a higher-security interface.



New Member

Re: Outside NAT


You can try this (you can do it both with ACLs -policy NAT- or the 'old-fashioned' way, just regular NAT):

static (dmz,inside)

!-- Outside static NAT

!-- or,

static (dmz,inside) access-list NAT-dmz

access-list NAT-dmz permit ip host host

!-- Just the way that you have it.

!-- This is what you are missing perhaps:

static (inside,dmz)

Now, if you have something like this on the inside:

nat (inside) 0

This NAT 0 is not bi-directional.

If you have something like:

nat (inside) 0 access-list nonat-inside

access-list nonat-inside permit ip any

This NAT 0 is bidirectional, and you should be able to ping the server on the inside from the dmz, and the server on the dmz should be translated to

Anyway, you can do a 'show xlate debug' to see the translations created and check that both are made. The NAT0+ACL does not create an xlate.

The outside NAT is NOT BI-DIRECTIONAL so this is why you would need a translation rule between the inside and the dmz (second static).

Hope it helps,
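Putting the two replies together, here is an added example of the complete PIX 6.3 configuration for the scenario in the question (it is not configuration from the original posts or from Cisco documentation). All addresses are constructed placeholders; the ACL names NAT-dmz and NoNAT-dmz are taken from the question, and the ordering note in step 1 relies on the PIX NAT processing order, in which the nat 0 exemption list is evaluated before any static.

```cisco
! Constructed placeholder addresses (not from the original posts):
!   192.0.2.10      = server on the dmz interface
!   198.51.100.20   = the specific inside server it must reach via NAT
!   198.51.100.200  = mapped address the dmz server presents to that server
!   10.1.0.0/16, 10.2.0.0/16 = other inside networks reached without NAT
!
! 1. Exempt dmz-server traffic to the other inside networks. The nat 0
!    access-list (exemption) is checked before any static, so this ACL
!    must NOT also match the flow to 198.51.100.20, or the policy static
!    in step 2 is never reached.
access-list NoNAT-dmz permit ip host 192.0.2.10 10.1.0.0 255.255.0.0
access-list NoNAT-dmz permit ip host 192.0.2.10 10.2.0.0 255.255.0.0
nat (dmz) 0 access-list NoNAT-dmz
!
! 2. Policy static: translate the dmz server only for that one destination.
access-list NAT-dmz permit ip host 192.0.2.10 host 198.51.100.20
static (dmz,inside) 198.51.100.200 access-list NAT-dmz
!
! 3. The translation in step 2 is not bi-directional. The inside server
!    also needs a translation into the dmz so the dmz server can initiate
!    connections to it (the "second static" from the reply); an identity
!    static keeps its address unchanged.
static (inside,dmz) 198.51.100.20 198.51.100.20 netmask 255.255.255.255
!
! 4. dmz is the lower-security interface, so an ACL must permit the
!    inbound traffic. Destinations are written as seen from the dmz,
!    which the identity static keeps equal to the real addresses.
!    Everything else from the dmz server is denied explicitly.
access-list dmz_in permit ip host 192.0.2.10 host 198.51.100.20
access-list dmz_in permit ip host 192.0.2.10 10.1.0.0 255.255.0.0
access-list dmz_in permit ip host 192.0.2.10 10.2.0.0 255.255.0.0
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz
!
! 5. Verify: after the dmz server opens a connection to 198.51.100.20,
!    the xlate table shows 192.0.2.10 mapped to 198.51.100.200. Exempted
!    flows to 10.1.0.0/16 and 10.2.0.0/16 create no xlate, as the reply notes.
show xlate debug
```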

