Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

nat issue

Hi all. I have a pix 515 with 6.3(4) ios. The pix is connected to my office/dmz/internet networks. Due to some sql requirements, the web server on my dmz network is allowed to access my sql server on office network. My web server is using ip while my sql server is using ip I then created an accesslist "accesslist dmz_access_in permit tcp host host eq 1433". But it couldn't work. I then had to do a translation for to a dmz ip And add an accesslist "accesslist dmz_access_in permit tcp host host eq 1433". Then the thing would work. Why is this so? Why do i need nat for my sql server? Thks in advance.


Re: nat issue

Hello wenbin

for any two zones to communicate in PIX, there has to be an entry in the translation table (Xlate). Connections are basically built upon the translation (show conn). Hence if you want your sql server to communicate with your webserver, you can do two things:

1) do a no-nat for either of your servers from dmz1 to dmz2. In this case, the other server can see your server with the same IP address.

2) Do a nat for the server in dmz1 to a corresponding IP address in DMZ 2 (as you have done). this makes sure the server sees the sql server on some reachable IP address space..

Normally people prefer option 1, since the IP addresses are retained !

Hope this helps.. rate replies if found useful..


New Member

Re: nat issue

Hi Raj,

Sorry for the late response. Since both networks are connected to pix, why do i still need to do a nat? The pix should be able to route automatically. Pls advise. Thks in advance.

Re: nat issue

hello wenbin

PIX , being a security device works differently from another layer 3 device like router.. Routers are meant to do layer 3 forwarding based on the destination ip address. But since PIX is a firewall, there is an additional layer of translation check which is done, to ensure right hosts are communicating between the directly connected interfaces.. This basically increases security and makes sure any unknown hacker or unnecessary hosts do not disrupt other DMZ zones..

As said previously, you can also do a forceful no-nat and disable natting for a particular subnet to access another server in DMZ.. You can refer to CCO for the configurations of NAT and no-nat..

Hope this helps.. rate replies if found useful