Cisco Support Community
Community Member

About natting


I have Cisco PIX 515E With Cisco PIX Security Appliance Software Version 7.0(6).

We are using three interfaces: one outside, a second WEB (for the web server) and a third DB (for the database server).

We have published our web server, so it is available from the public network.

Now, I want to access my website (web server) from the inside network (servers connected to the WEB interface) with the public IP address. But it is not working.

When I try from inside of the network, the packet is handled by the default route and sent onto the outside interface. At that point, the packet disappears because the PIX does not turn the packet around and send it back inside. In fact, I'm not even sure that the NAT rules come into play in this scenario.

So, is it possible to hit the external IP of my web server internally?

If yes, then how?


Anil Oza


Re: About natting


You'll want to configure bi-directional NAT. Here's a link on how to do that.

Hope it helps.

Re: About natting

I just gave you the answer on the firewall thread for this issue.


Community Member

Re: About natting


I have followed the same steps, but I still cannot access it from my DMZ (in my case the WA interface) network.

I am getting the error below.

%PIX-3-305005: No translation group found for tcp src WA:x.x.x.x/4447 dst outside:x.x.x.x/443

Below is some part of my PIX config

There are 4 interfaces.

1 interface - outside 92.60.xx.x

2 interface - WA 10.38.33.x

3 interface - DB 10.38.35.x

4 interface - inside 10.38.37.x

object-group icmp-type TRACERT-PING-RESPONSE
icmp-object echo-reply
icmp-object time-exceeded
icmp-object unreachable

object-group network WEB-HOSTS
network-object host 92.60.xx.x

object-group network WEB-HOSTS-SSL
network-object host 92.60.xx.x

object-group service WEB-PORTS tcp
port-object eq www
port-object eq https

access-list OUTSIDE extended permit icmp any any object-group TRACERT-PING-RESPONSE
access-list OUTSIDE extended permit tcp any object-group WEB-HOSTS object-group WEB-PORTS
access-list OUTSIDE extended permit tcp any object-group WEB-HOSTS-SSL eq https
access-list WA extended permit tcp any any object-group WEB-PORTS

global (outside) 1 92.60.xx.x
global (outside) 2 92.60.xx.x
global (WA) 1
global (DB) 1
nat (inside) 0 access-list NO-NAT
nat (inside) 1
nat (WA) 0 access-list NO-NAT
nat (WA) 1
nat (DB) 0 access-list NO-NAT
nat (DB) 2
static (WA,outside) 92.60.xx.xx netmask
static (outside,WA) 92.60.xx.xx netmask
access-group OUTSIDE in interface outside
access-group WA in interface WA
access-group DB in interface DB
route outside 92.60.xx.x 1

Let me know if you need more information.


Anil Oza
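
The 305005 message quoted in the post above names the interface pair the PIX tried to translate between, which makes it a quick way to confirm that internal clients reaching a published address are being routed toward outside instead of being translated back. The following Python triage script is an added example, not part of the thread and not Cisco code; the function names, the log lines and the address 203.0.113.10 (standing in for the masked public IP) are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Layout of the TCP/UDP form of syslog 305005, as quoted in the post above.
# The ICMP form carries no ports and is deliberately skipped by this pattern.
MSG_305005 = re.compile(
    r"%PIX-3-305005: No translation group found for (?P<proto>\S+) "
    r"src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

def parse_305005(line):
    """Return the fields of one 305005 message, or None for any other line."""
    m = MSG_305005.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["src_port"], rec["dst_port"] = int(rec["src_port"]), int(rec["dst_port"])
    return rec

def hairpin_candidates(lines, published, egress_if="outside"):
    """Count flows from a non-egress interface to a published address for
    which the firewall found no translation toward egress_if."""
    published = {ip_address(p) for p in published}
    hits = Counter()
    for line in lines:
        rec = parse_305005(line)
        if rec is None or rec["dst_if"] != egress_if or rec["src_if"] == egress_if:
            continue
        if ip_address(rec["dst_ip"]) in published:
            hits[(rec["src_if"], rec["dst_ip"], rec["proto"], rec["dst_port"])] += 1
    return hits

# Constructed sample log lines (addresses are placeholders, not from the thread).
SAMPLE_LOG = [
    "Mar 01 10:00:01 pix %PIX-3-305005: No translation group found for tcp src WA:10.38.33.20/4447 dst outside:203.0.113.10/443",
    "Mar 01 10:00:04 pix %PIX-3-305005: No translation group found for tcp src WA:10.38.33.20/4448 dst outside:203.0.113.10/443",
    "Mar 01 10:00:09 pix %PIX-3-305005: No translation group found for tcp src DB:10.38.35.7/1050 dst outside:198.51.100.9/25",
    "Mar 01 10:00:12 pix %PIX-3-305005: No translation group found for icmp src WA:10.38.33.20 dst outside:203.0.113.10 (type 8, code 0)",
]

if __name__ == "__main__":
    for flow, count in hairpin_candidates(SAMPLE_LOG, ["203.0.113.10"]).items():
        print(flow, count)
```

Each reported tuple is a source interface that needs its own translation for the published address; the DB line is ignored because its destination is not in the published set.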
