Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

translation question

I have a PIX firewall with a dmz interface that VPN users come into. I would like to be able to define that a range of 4 source ip addresses coming into the dmz interface be able to go anywhere on the inside interface. I know I need an acl permitting the ip range through, but I need to set the translations so that they can go to any destination on the inside via its true inside address. I can't create a blanket config like "static (dmz,inside), because that will conflict with other statics between those interfaces and I don't want any ip coming into the VPN dmz to be able to go to these inside addresses. How do I set it up so that only the 4 static ip addresses can go to any destination inside address without the normal need for creating a static statement for each destination they need to go, at the same time without this config interfering with anything else?


Re: translation question

Use NAT exemption (nat 0 access-list)

Something like

permit ip (your 4 range) to (your internal network)

It's less flexible than static statement but if you dont have any need(now and in the future) for nat between those two interface, it's a simple config and can handle two way trafic.

Work's for me, I have 6 networks in my DMZ(VPN and AS) and I use that solution. NAT toward outside and NAT exemtion to inside.

Re: translation question


I think the feature you're looking at is more or less similar to "outside NAT".

Maybe you can follow basic guide at the following url:

Maybe you can do something like this, since you mentioned it was for 4 IP Addresses:

nat (outside) 1 x.x.x.1 outside

nat (outside) 2 x.x.x.2 outside

nat (outside) 3 x.x.x.3 outside

nat (outside) 4 x.x.x.4 outside

global (inside) 1 y.y.y.1

global (inside) 2 y.y.y.2

global (inside) 3 y.y.y.3

global (inside) 4 y.y.y.4

Then use ACL to permit the 4 addresses to reach any internal IP/subnets.

Hope this helps.



New Member

Re: translation question

I'm a little confused. Doesn't doing the nat(outside) translate the source ip addresses to whatever is defined with the matching global statement? If I'm going from a dmz interface to a inside interface, I need a translation on the destination, not the source. Correct?

My internal network on the inside of the PIX is a, I want these 4 vpn users to be able to access any destination address without having to translate each destination host individually. If I wasn't worried about it conflicting with other config, I'd just do a "static (inside,dmz) netmask". However, that would be a blanket translation for anyone going to the inside network, I only want it to affect the 4 vpn users. right now, for example, if I want a specific vpn user to access the server, I have to do a "static (inside,dmz) netmask". As there are countless inside hosts that these 4 vpn users could be accessing, I don't want to have to do an individual translation for each possible destination address.

Re: translation question

So you want to allow certain IPs on a DMZ (not the outside) to get to the inside?

This is low -> high security level, therefore you need static NAT (for inside IPs) and ACL entries, along the lines of:

static (inside,dmz) inside_subnet inside_subnet netmask ...

access-list in_dmz permit specific_IPs inside_IPs

New Member

Re: translation question

If I did that:

static (inside,dmz) inside_subnet inside_subnet netmask ...

How would this lock it down to only the 4 vpn users? Wouldn't that be a global command that affected everything? Is there a way to static against an access-list?

Re: translation question

I still think you can use nat exemption

access-list no-nat permit ip

access-list no-nat permit icmp

nat (dmz) 0 access-list no-nat