Outside NAT

Not sure if I'm missing the obvious here (like this isn't possible) but I need to provide Internet access to users on a PIX (6.3(3)) outside interface, the PIX is on a remote network, Internet access is via our private WAN then out through a central firewall to the Internet, so the inside interface is on our private network, the DMZ is on the outside interface. I need to use outside nat to allow hosts on the DMZ to access the net but restrict them with ACL's from being able to see our Internal network.

There are many CISCO references to the new outside nat feature but I can't see any documented examples of what I'm trying to do.

Here's what I think I need to do

interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
access-list inside_access_in permit ip any any
access-list outside_access_in permit ip any any
access-list NAT-Outside-Policy permit tcp any any
access-list NAT-Outside-Policy permit udp any any
ip address outside
ip address inside
global (outside) 1 interface
global (inside) 1 interface
nat (outside) 1 access-list NAT-Outside-Policy outside 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside

My outside host address is and has as its default gateway. When I try and make a connection through the PIX from this host I can see an xlate created

305011: Built dynamic UDP translation from outside: to inside(NAT-Outside-Policy):

But then I see

305005: No translation group found for udp src outside: dst

Where xxx is an inside host.

If I take the nat (outside) command out I can communicate from inside to outside ok. If I use static nat I can create static connections from outside to an inside host, but I need to be able to connect to any inside host from the outside. A simple solution would be to connect the inside interface to my "outside" network, but this would mean connecting the inside interface to an untrusted network.

Any comments would be appreciated.
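As an added troubleshooting aid (not part of the original post and not Cisco code): the two syslog messages quoted above, 305011 "Built dynamic ... translation" and 305005 "No translation group found", are the whole diagnostic here, so a small parser that correlates them per flow shows at a glance which side of the PIX lacks a translation. The sample lines below are constructed in the PIX 6.3 message format with made-up addresses (RFC 5737 and RFC 1918 space); the ACL name NAT-Outside-Policy is the one from the post, everything else is assumed.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the PIX 6.3 305011 / 305005 format quoted in the
# thread. All addresses are made up (RFC 5737 and RFC 1918 space); none come from the post.
SAMPLE_LOG = """\
305011: Built dynamic UDP translation from outside:192.0.2.10/1025 to inside(NAT-Outside-Policy):10.1.0.1/1024
305005: No translation group found for udp src outside:192.0.2.10/1025 dst inside:10.1.5.20/53
305011: Built dynamic TCP translation from outside:192.0.2.11/40000 to inside(NAT-Outside-Policy):10.1.0.1/1025
305005: No translation group found for tcp src outside:192.0.2.11/40000 dst inside:10.1.5.21/80
305005: No translation group found for udp src outside:192.0.2.12/1026 dst inside:10.1.5.20/53
111008: User 'enable_15' executed the 'show xlate' command.
"""

# 305011: an xlate was built; the "(acl)" part names the policy NAT access-list when the
# xlate came from a "nat ... access-list" statement, as in the outside NAT config above.
BUILT_RE = re.compile(
    r"305011: Built (?P<kind>dynamic|static) (?P<proto>TCP|UDP|ICMP) translation "
    r"from (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<map_if>\w+)(?:\((?P<acl>[^)]*)\))?:(?P<mapped>[\d.]+)/(?P<mport>\d+)"
)
# 305005: the PIX found no nat/static/nat 0 entry covering this flow and dropped the packet.
NOXLATE_RE = re.compile(
    r"305005: No translation group found for (?P<proto>\w+) "
    r"src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict for a 305011 or 305005 line, or None for any other message."""
    m = BUILT_RE.search(line)
    if m:
        ev = m.groupdict()
        ev["event"] = "built"
        ev["proto"] = ev["proto"].lower()   # 305011 prints "UDP", 305005 prints "udp"
        return ev
    m = NOXLATE_RE.search(line)
    if m:
        ev = m.groupdict()
        ev["event"] = "no_xlate"
        ev["proto"] = ev["proto"].lower()
        return ev
    return None


def summarize(log_text):
    """Correlate built xlates with later 'no translation group' drops for the same flow."""
    built = {}                 # (proto, src_if, src, sport) -> the 305011 event
    missing = Counter()        # (dst_if, dst) -> number of drops toward that host
    failed_after_build = []    # flows that got a source-side xlate but were still dropped
    n_built = n_missing = 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["proto"], ev["src_if"], ev["src"], ev["sport"])
        if ev["event"] == "built":
            n_built += 1
            built[key] = ev
        else:
            n_missing += 1
            missing[(ev["dst_if"], ev["dst"])] += 1
            if key in built:
                failed_after_build.append({
                    "proto": ev["proto"],
                    "src": ev["src"],
                    "acl": built[key]["acl"],   # policy ACL that built the source-side xlate
                    "dst_if": ev["dst_if"],
                    "dst": ev["dst"],
                })
    # Most-dropped destinations first. When the source already had an xlate (see
    # failed_after_build), the drop is for the destination host on the far interface,
    # which is the side with no matching nat 0 / static in the direction attempted.
    ranked = sorted(missing.items(), key=lambda kv: (-kv[1], kv[0]))
    return {
        "built": n_built,
        "no_xlate": n_missing,
        "missing_hosts": [(dst_if, dst, count) for (dst_if, dst), count in ranked],
        "failed_after_build": failed_after_build,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(f"xlates built: {result['built']}, drops for missing translation: {result['no_xlate']}")
    for dst_if, dst, count in result["missing_hosts"]:
        print(f"  {dst_if}:{dst} - {count} drop(s)")
    for f in result["failed_after_build"]:
        print(f"  {f['proto']} {f['src']} translated via ACL {f['acl']} but dropped toward {f['dst_if']}:{f['dst']}")
```

Run it against the output of the PIX's own logging (for example the buffered log) instead of SAMPLE_LOG; a source that appears in failed_after_build has cleared the outside-side policy NAT and is being dropped for lack of a translation on the interface named after "dst", which narrows the search to that side of the configuration.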


Re: Outside NAT


I didn't go completely through your notes, but first of all, what you are trying to do is possible.

Secondly you might need to try out the nat (outside) with the "outside" keyword

nat (outside) 1 access-list NAT-Outside-Policy outside 0 0 outside




Re: Outside NAT

I am using the "outside" keyword :

nat (outside) 1 access-list NAT-Outside-Policy outside 0 0

I don't think the command line with the two "outside" keywords in it that you quoted is valid:

nat (outside) 1 access-list NAT-Outside-Policy outside 0 0 outside


