Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member


I have a problem.

I have 8 ip addresses on the outside of my PIX.

I want to use the first ip address for the global statement and the 2nd for a static translation.

I want all computers to use the global address but my server should use only the 2nd ip address.

hope you can help me


Re: PIX Static, NAT & NONAT

Here's a document that might be useful to your needs:


Hope this helps --

New Member

Re: PIX Static, NAT & NONAT

Thanks but this paper tells me how to use statics but the static translation is not the problem. The problem is that the server connects a l2tp tunnel.

So the server has to listen and speak with the same ip address.



Re: PIX Static, NAT & NONAT

Here's what you should do:

nat (inside) 0 access-list nonat

nat (inside) 1

global (outside) 1

static (inside, outside) netmask

access-list nonat deny ip host any

access-list nonat permit ip any any

And ofcourse your normal access-list bound to the outside interface for the permitted protocols to your server, but I guess you have that allready.

The trick here is, as you can see, to put the normally used nat and global command on it, and also the normally used static command, but, in addition to that, you have to prevent the returning traffic from your server from being natted by the nat and global commands. That is where the nat 0 with access-list nonat kicks in, this will prevent returning traffic from being dynamicly translated (nat 0 is no translations), but since there is also a static translation in place translation does occure since there is an entrie in the xlate table for every static used.

This will do the trick. I hope this makes sence to you. Otherwise do not hesitate to ask :-)))

Kind Regards,


New Member

Re: PIX Static, NAT & NONAT

Thank's for the reply.

I've got one question, I allready have a nonat statement in the cconfig. It's for the vpn users.

## nat (inside) 0 access-list vpnusers

## access-list vpnusers permit ip .........

I called the access-list vpnusers. then I use ## access-list vpnusers deny ip host any ??

With Regards,



Re: PIX Static, NAT & NONAT

Hi Bas -

Change ACL 'vpnusers' to permit, i.e.

> access-list vpnusers permit ip host any

Basically, with the 'no nat' cmd you are saying NOT to NAT the access-list vpnusers and using the ACL vpnusers you are permiting the traffic for the vpn tunnel, which will not be nat'd.

Hope this helps --