Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

PIX / DMZ / NAT only outside


I have a customer with following conditions:


DMZ with 172.18.x.x

LAN with 10.x.x.x

There is a Proxy in the DMZ 172.x.x.x. The proxy see's all client with the DMZ Interface Address. The guys who config the pix says it comes from NAT and they can not handle this.

So my question: can they use a kind of "NAT outside" instead of "NAT inside".

so that network 10.x and 172.x are not nated but everything by outside...

Thanks Robert

Community Member

Re: PIX / DMZ / NAT only outside

You can use a static command to create a 1-1 static address mapping with the inside address the same as the address on the DMZ. You are probably using a global command and a nat statement. You can use the static command and map 10.xx.xx.xx to 10.xx.xx.xx from inside to dmz instead.

static ( inside, dmz) netmask

you will need to remove or change the nat statement.

Here is docs on the static statement.

Re: PIX / DMZ / NAT only outside

What you can do is disable the nat translation from the inside to the dmz. The the proxy server will see the real addresses of the inside clients

access-list no_nat permit ip 10.x.x.x 255..0.0.0 172.18.x.x

nat (inside) 0 access-list no_nat

Kind Regards,


Re: PIX / DMZ / NAT only outside

This cisco document describes how to disable nating between two networks using an access-list that specifies the traffic that should not be natted:

Kind Regards,


CreatePlease to create content