Cisco Support Community
Community Member

PIX 7.0 nat 0 not working???

I have tried just about everything to get my inside users to get traffic back through this PIX, but no go... We have no need for NAT, so we did the whole nat (inside) 0 0 0 thing, so traffic gets out. Then, to get responses back in, we applied an access-list permitting certain traffic: nat (inside) 0 access-list out_in.

Am I thinking about this wrong? Do I need to apply an access-list to the outside interface? Do I need a static translation (outside, inside)? Any suggestions? I have read everything I can find about PIX 7 without NAT.

Cisco Employee

Re: PIX 7.0 nat 0 not working???

So you configured nat (inside) 0 0 0 to allow inside hosts to go out. Please remember that nat 0 (identity NAT) is not bidirectional. You could try:

inside network:

access-list nonat permit ip any

nat (inside) 0 access-list nonat

The above will exempt inside users from being translated and is bidirectional.

Then add the ACLs:

access-list inbound permit tcp any host eq 80

The above permits TCP traffic from anyone to the host over port 80.

Then apply the ACL to the outside interface:

access-group inbound in interface outside

Or use a static instead of exemption NAT:

static (inside,outside) netmask

Also bidirectional. For more information please check:



Franco Zamora

Community Member

Re: PIX 7.0 nat 0 not working???

We have tried similar things, and it appears that going out is fine, but the PIX doesn't let traffic back in to inside hosts. What about a static (outside, inside) translation? Is that a valid option?


Re: PIX 7.0 nat 0 not working???

Are you trying to prevent NAT for internet traffic? If yes, then it will not work unless the LAN has public IP addresses.

When the requests go out they will get dropped quickly by an upstream router (the first one usually), as RFC 1918 addresses are not routable on the internet.

If this is your setup, then you have to do NAT; there is no other option unless the LAN is using public IPs.

A static from outside to inside would not be an option in my opinion. That requires an ACL, which means static holes. You wouldn't want this for regular user traffic.
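
Added example, not part of the thread or of any Cisco tooling: a small Python audit that checks a PIX-style configuration for the three conditions the replies above describe (identity NAT only, no ACL applied inbound on the outside interface, RFC 1918 addresses exempted from NAT). The finding codes, ACL names and addresses are assumptions constructed for illustration, and the RFC 1918 finding only matters when the outside interface faces the internet.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample config; ACL names and addresses are placeholders.
SAMPLE = """\
nat (inside) 0 0.0.0.0 0.0.0.0
access-list nonat extended permit ip 192.168.10.0 255.255.255.0 any
nat (inside) 0 access-list nonat
access-list inbound extended permit tcp any host 192.168.10.5 eq 80
"""

def is_rfc1918(token):
    """True if token parses as an IPv4 address inside an RFC 1918 range."""
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)

def audit(config):
    """Return a sorted list of finding codes for a PIX-style config."""
    acls, exempt, identity, outside_acl = {}, [], False, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and len(tok) > 2:
            acls.setdefault(tok[1], []).extend(tok[2:])
        elif tok[:3] == ["nat", "(inside)", "0"]:
            if tok[3:4] == ["access-list"] and len(tok) > 4:
                exempt.append(tok[4])      # NAT exemption via ACL
            else:
                identity = True            # nat (inside) 0 0 0 form
        elif tok[:1] == ["access-group"] and tok[2:] == ["in", "interface", "outside"]:
            outside_acl = tok[1]
    findings = set()
    if identity and not exempt:
        findings.add("IDENTITY_NAT_ONLY")       # outbound-initiated traffic only
    if outside_acl is None:
        findings.add("NO_OUTSIDE_ACL")          # nothing permits inbound connections
    elif outside_acl not in acls:
        findings.add("OUTSIDE_ACL_UNDEFINED")   # access-group names a missing ACL
    if any(is_rfc1918(t) for name in exempt for t in acls.get(name, [])):
        findings.add("RFC1918_NOT_TRANSLATED")  # private addresses exempted from NAT
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE))
```
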

