Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

no nat-control and global NAT

I have a PIX with 7.2.1 code with 3 interfaces- inside sec level 100, outside sec level 0, and dmz sec level 50. I issued the no nat-control command. I configured an ACL on both outside and dmz interfaces that permits IP. Communication between interface works perfectly nothing is being blocked. I decide I'm going to hide my inside IP addresses when going out my outside interface. I issue the command:

global (outside) 1 interface

nat (inside) 1

Now when I go out the outside interface I'm PAT to the firewalls interface which is correct. But when I try to access the DMZ I get port translation fail messages in the log. I need to add this command to access the dmz:

static (inside,dmz) netmask

It looks like whatever IP address is used with the command nat(interface) x.x.x.x now works as though the nat-control command was issued. For example, if I change the nat command to use an ACL with specific IP

access-list nat permit ip host

global (outside) 1 interface

nat (inside) 1 access-list nat

static (inside,dmz) netmask

This allows to PAT to the outside interface and allows me to access the DMZ. Since wasn't included in the ACL for the nat (inside) command it follows the no nat-control policy and can access the DMZ but will not be PAT to the outside interface.

Is this a feature or bug? Why does global nat force an IP network to be nat-controlled? In this example it's not a big deal but if this was a firewall with multiple customers and alot of networks using a global nat to hide some IP addresses from one customer would break connectivity to another customer on a different interface unless you use the static nat to fix it. Is there anyway around this?


CreatePlease to create content