
New Member

PIX - VPN users accessing a host which is Static NATed


I have a server connecting to the PIX DMZ interface with the IP of

This server is translated to an Inside IP and to an Outside internet routable IP.

When VPN users connect from outside, they want to access the DMZ server via the IP not the 172 IP.

They are able to connect to any host on the inside but unable to connect to the translated IP.

Has anyone encountered such an issue?

This is the static statement.

static (dmz,inside) netmask

My Networks

Inside :


VPN Pool :

PIX 7.0

New Member

Re: PIX - VPN users accessing a host which is Static NATed

It sounds to me like a basic routing or NAT issue. What are the PIX logs indicating as the error?

New Member

Re: PIX - VPN users accessing a host which is Static NATed


I have the same problem. Did you solve it?

Please help?



I have a problem like this:

I have two locations

A - central with PIX:


WAN IP Internet=

DMZ= -server IP=

B- Remote router 2600:

Localization B



VPN is working correctly. Host from network router) can ping through VPN host in inside zone ( behind PIX.

In DMZ I have a server and I want hosts (like by VPN to get access to this server in DMZ, but I can't.

show run:

PIX Version 6.3(4)

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

enable password 8Ry2YjIyt7RRXU24 encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

hostname PIX

access-list VPN permit ip

access-list ICMP permit icmp any any

pager lines 24

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside

ip address inside

ip address dmz

global (outside) 1 interface

global (inside) 22 netmask

global (dmz) 1 netmask

nat (inside) 0 access-list VPN

nat (inside) 1 0 0

nat (dmz) 2 0 0

static (dmz,inside) netmask 0 0

access-group ICMP in interface dmz

route outside 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set SET ah-md5-hmac esp-des

crypto ipsec transform-set SZYFROWANIE ah-md5-hmac esp-des

crypto map MAPA 100 ipsec-isakmp

crypto map MAPA 100 match address VPN

crypto map MAPA 100 set peer

crypto map MAPA 100 set transform-set SET

crypto map MAPA interface outside

isakmp enable outside

isakmp key ******** address netmask

isakmp policy 100 authentication pre-share

isakmp policy 100 encryption des

isakmp policy 100 hash md5

isakmp policy 100 group 2

isakmp policy 100 lifetime 10000

telnet timeout 5

ssh timeout 5

console timeout 0

terminal width 80


Re: PIX - VPN users accessing a host which is Static NATed

static (dmz,inside) netmask

As the command suggests, the translation is between the dmz and the inside interfaces. It only works when the packet originated from the inside, not the VPN client from the outside.
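
The reply above says a static (dmz,inside) only applies between those two interfaces, so tunnel traffic arriving on outside never uses it. As an added example (not from any poster in this thread), this is a common way to let a tunnel reach a DMZ host by its real DMZ address rather than the inside-mapped one: exempt DMZ-to-remote traffic from NAT and select it for encryption. All addresses and the ACL name NONAT-DMZ are assumed placeholders, because the thread's own addresses were not preserved.

```cisco
: Constructed addresses (assumptions, not from the thread):
:   inside network      10.1.0.0/24
:   DMZ network         172.16.1.0/24
:   remote VPN network  10.2.0.0/24
:
: Pattern already present in the posted config: the ACL named VPN both
: exempts inside-to-remote traffic from NAT and selects it for the tunnel.
access-list VPN permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list VPN
crypto map MAPA 100 match address VPN
:
: Added: also select DMZ-to-remote traffic for the tunnel.
access-list VPN permit ip 172.16.1.0 255.255.255.0 10.2.0.0 255.255.255.0
:
: Added: exempt DMZ-to-remote traffic from NAT so the server is seen
: with its real DMZ address. NONAT-DMZ is a hypothetical ACL name.
access-list NONAT-DMZ permit ip 172.16.1.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (dmz) 0 access-list NONAT-DMZ
```

The remote peer's crypto ACL has to mirror the added DMZ entry, otherwise the IPsec security association for that traffic will not be negotiated.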

New Member

Re: PIX - VPN users accessing a host which is Static NATed

I have just started a new post for this (sorry) - what configuration is required to enable VPN users to access the DMZ using the NATed address? (or is this impossible?)