PIX-515 v8.0(4)28 NAT issue


I am running a PIX515 with V8.0(4)28 IOS.

I have an issue with NAT.

I would like traffic from DMZ1 to DMZ2 to have no NAT applied. I have created an access-list no-nat-DMZ1 for this. I also have a static line for DMZ1 traffic to connect to the inside.

However, running packet-tracer gives the following result:

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW

static (inside,DMZ1) netmask
  match ip inside DMZ1 any
    static translation to
    translate_hits = 0, untranslate_hits = 2
Additional Information:
NAT divert to egress interface inside
Untranslate to using netmask

This shows the static line being used to try to un-NAT the packet. The Cisco security appliance configuration guide for V8.0 gives the order in which NAT commands are matched against addresses as follows:

1. NAT exemption (nat 0 access-list)
2. Static NAT and static PAT
3. Policy dynamic NAT
4. Regular dynamic NAT

Therefore I expect the packet to be picked up by the nat 0 access-list line.

Any ideas anyone?

Config:

interface Ethernet0
 nameif inside
 security-level 100
 ip address

interface Ethernet1
 nameif outside
 security-level 0
 ip address

interface Ethernet2
 description DMZ1
 nameif DMZ1
 security-level 90
 ip address

interface Ethernet3
 nameif DMZ2
 security-level 5
 ip address

access-list inside extended permit tcp any eq www
access-list inside extended permit tcp any eq https
access-list inside extended permit tcp any eq ftp
access-list inside extended permit udp any eq domain
access-list no-nat-DMZ1 extended permit ip
access-list DMZ1 extended permit ip host host

global (outside) 1 interface
nat (inside) 1
nat (DMZ1) 0 access-list no-nat-DMZ1
static (inside,DMZ1) netmask

access-group inside in interface inside
access-group DMZ1 in interface DMZ1


Re: PIX-515 v8.0(4)28 NAT issue

When you configure identity NAT (which is similar to dynamic NAT), you do not limit translation for a host on specific interfaces; you must use identity NAT for connections through all interfaces. Therefore, you cannot choose to perform normal translation on real addresses when you access interface A, but use identity NAT when accessing interface B. Regular dynamic NAT, on the other hand, lets you specify a particular interface on which to translate the addresses. Make sure that the real addresses for which you use identity NAT are routable on all networks that are available according to your access lists.

For identity NAT, even though the mapped address is the same as the real address, you cannot initiate a connection from the outside to the inside (even if the interface access list allows it). Use static identity NAT or NAT exemption for this functionality.
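As an added example (not configuration from the original post, from the reply or from Cisco's guide), here are the three forms the reply distinguishes written out in PIX 8.0 syntax: NAT exemption of the kind used in the question's nat 0 access-list line, static identity NAT, and plain identity NAT. The 10.1.x.0/24 and 172.16.x.0/24 subnets, the ACL name and the use of three different networks are hypothetical, chosen so the three rules do not overlap; lines beginning with ! are annotations, not configuration, and should be dropped before pasting.

```cisco
! Added example, not the poster's configuration. Addresses, the ACL name
! and the subnets are hypothetical; "!" lines are annotations only.

! 1. NAT exemption (nat 0 access-list). Matched first in the 8.0 order
!    quoted in the question. Scope is set by the ACL's source and
!    destination, and the DMZ2 side may initiate connections to these
!    DMZ1 hosts, subject to the DMZ2 interface access list.
access-list NO-NAT-DMZ1 extended permit ip 172.16.1.0 255.255.255.0 172.16.2.0 255.255.255.0
nat (DMZ1) 0 access-list NO-NAT-DMZ1

! 2. Static identity NAT. Mapped address equals real address (the two
!    10.1.1.0 fields), and the translation is bidirectional, so DMZ1 can
!    reach inside hosts by their real addresses if the DMZ1 ACL allows it.
static (inside,DMZ1) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! 3. Identity NAT (nat 0 without an access-list). Addresses are unchanged
!    on the wire, but, as the reply says, it applies to all interfaces and
!    only inside hosts can initiate; DMZ1 cannot open a connection to
!    10.1.3.0/24 through this rule even if its access list permits it.
nat (inside) 0 10.1.3.0 255.255.255.0
```

When checking which of these a flow actually hit, compare the translate_hits and untranslate_hits counters in packet-tracer or show xlate output against the rule you expected; a non-zero untranslate_hits on a static, as in the question, means the destination address matched that static's mapped range.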
