Showing results for 
Search instead for 
Did you mean: 

disabling nat after the pix

Level 1
Level 1

dear sir,

I want to prevent users from connecting routers after my 525 pix firewall,through disabling nat for them or other way?

I appreciate your help in advanced.

thank you,


5 Replies 5

Level 5
Level 5

If you have a public address on the inside network, and you want the inside hosts to go out to the outside without translation, you can disable NAT. You would also need to change the static command.

nat (inside) 0

If you are using ACLs in PIX software versions 5.0.1 and later, use the following commands.

access-list 103 permit ip any

nat (inside) 0 access-list 103

This command disables NAT for the network. The static command for the web server would be changed as shown below.

static (inside, outside)

The following command defines the conduit for the web server.

conduit permit tcp host eq www any

If you are using ACLs in PIX software versions 5.0.1 and later, use the following commannds.

access-list 102 permit tcp any host eq www

access-group 102 in interface outside

Note that the difference between using nat 0 with specifying network/mask as opposed to using an ACL that uses a network/mask that permits initiation of connections from inside only. The use of ACLs permits initiation of connections by inbound or outbound traffic. The PIX interfaces should be in different subnets to avoid reachability issues.

Dear pradeepde

I know how disable the NAT on my pix, I just want to disable the NAT after the pix and keep my pix doning NATing.

My problem is that some of my inside users are using routers to establish asmall network inside my network, I want to prevent that with out affecting the other users that are using DHCP to gane their IPs and NATed through the PIX to the outside????

I appreciate your kind reply...

Thank you,


Level 1
Level 1

There are two ways of looking at this.

Where your LAN is

Where your WAN is

Where the Routers WAN is

Where the Routers LAN is

First perspective:

If you are working with simple nat configurations on the firewall such as:

nat (inside) 99

global (outside) 99 interface

In this example, users would not be able to configure a router behind your firewall as only the inside LAN addresses are NATed by the firewall. The subnet is not valid for NAT translations.

Second Perspective:

If the router has NAT configured and translates address from to 10.1.1.x and then forwards them to the firewall for a second translation (double NAT), then the connection will succeed. You can't really do much about this without somehow identifying valid source addresses or sessions.

Consider configuring all of the switch ports to only allow a single mac address? - Presumably the router would be the first and all other connections would fail.


how can I configure the switch ports to only allow a single mac address, Bythe way I have Cisco C2950 switches???

Thank you,


Hi Thaier

This article discusses port security on the 2950 switch.

Although, on second thought - All of the source MAC addresses will be the router anyway. MAC src/dst addresses are always the forwarding and receiving hosts which in your case is the unwanted router and your firewall.

You could preconfigure every port with the proper mac address, but that would quickly become far to complex and administratively intense.

Sorry - I can't think of an easy way to do this.


Review Cisco Networking for a $25 gift card