Cisco Support Community

Static NAT

I have a Vendor router connected on DMZ of my Firewall who lets only one IP address of my server to connect to his network. I have a NAT on my Firewall to my inside address as follows;


nat (dmz1) 0

nat (inside) 1

static (inside,DMZ1)

conduit permit tcp any

route dmz1

where is vendor network address and is the gateway address of the vendor router.

The problem I am facing is

1. I am not able to ping to the gateway and am not able to see any traffic on DMZ from internal address( nor on sniffer.

although the vendor router is able to ping my firewall DMZ interface.

When I initiate the connection from inside to DMZ1 (higher to lower) I believe my internal IP address( will be PAT to global address of . How do I force the firewall to nat the address to so that I access vendor network.

Do I need to add any command on firewall?


Re: Static NAT


Since ICMP echo reply packets are not part of an established TCP session, these have to be manually permitted. This can be done with:

conduit permit icmp any any



I can't see which nat-pool your global statement is for, since you've left out the nat-pool pointer. It must be just a cut & paste goof, since the PIX would require a pointer.

It should look like this if all addresses (except from inside is to be PAT'ed to

global(dmz1) 1

which is from nat pool 1

You have actually a legal config for inside to become on dmz1

This should work.

Verify with sh xlate.

Why are you not NAT-ing addresses going from DMZ1 to lower security?

(nat (dmz1) 0

These are private addresses and should be NAT'ed.
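The layout discussed in this thread, written out as an added example that is not part of either post. It uses PIX 6.x syntax, and every address is a constructed placeholder, because the thread's real addresses are not on the page. It also shows the ICMP conduit from the reply next to a narrower form.

```cisco
: Constructed addresses (assumptions, not from the thread):
:   10.1.1.5         inside server
:   192.0.2.20       address on dmz1 that the vendor router accepts
:   192.0.2.21       PAT address for all other inside hosts
:   198.51.100.0/24  vendor network, reached via vendor router 192.0.2.1
:
: One-to-one translation for the server. A static takes precedence
: over nat/global, so the server always appears as 192.0.2.20 on dmz1.
static (inside,dmz1) 192.0.2.20 10.1.1.5 netmask 255.255.255.255
:
: Every other inside host is PAT'ed. The pool id (1) is the pointer
: that ties the nat statement to the global statement.
nat (inside) 1 0.0.0.0 0.0.0.0
global (dmz1) 1 192.0.2.21
:
route dmz1 198.51.100.0 255.255.255.0 192.0.2.1 1
:
: Broad form from the reply: any ICMP type, towards any translated host.
:   conduit permit icmp any any
: Narrower form: only echo replies, only to the server's translated address.
conduit permit icmp host 192.0.2.20 any echo-reply
```

After a ping from the server towards the vendor side, `show xlate` should list the translation between 10.1.1.5 and 192.0.2.20.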
