Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Pix 7.2(1) Nat Control

Hi everyone,

Hope someone can help on this one. I am currently testing the installation of a Pix 535 in the core of our network to segment different areas of our organisation. I dont want to use NAT on any of the Pix Interfaces and thought the nat-control option disabled this. After reading up further it says that this is only for outbound access.

Is there an easy way to configure this then using NAT Exemption or is this the only way to go ?

Thanks in advance

Cisco Employee

Re: Pix 7.2(1) Nat Control

If you configure "no nat-control" then you don't need any nat/global or static commands in the PIX config.

The same sort of access-rules aplly though, in that you need an access-list for inbound traffic, whereas outbound traffic flows freely.

So in short, it works like this:


- Outbound traffic requires a nat/global pair or a static

- Inbound traffic requires a static and an access-list

no nat-control

- Outbound traffic flows freely, without any config changes

- Inbound traffic just requires an access-list permitting it.

Hope that helps.

New Member

Re: Pix 7.2(1) Nat Control

Thanks very much for your time in replying. I thought that this was the case but for some reason i am unable to cross through the pix interfaces, even with an access-list ALLOW-ALL extended permit ip any any on every interface.

Is it to do with the Security Levels ? In that a lower one cannot go to a higher one ? This wouldn't make sense in that you need to have statics for all your ip ranges ?



New Member

Re: Pix 7.2(1) Nat Control

Hi gfullage,

I have done some further digging on this and if i have all the Interfaces on the same security level and enabled the same-security-level command to allow inter-interface communication, it works ok.

Is this the best way to acheive this ?