
NAT question



What is static (inside dmz) netmask 0 0 for? Is it no NAT for the network? If I remove this line, what happens?

Could I use the following lines together?

static (inside dmz) netmask 0 0

static (inside dmz) network 0 0



9 Replies



No, you have the wrong netmask. But if you change the netmask to it would mean that you can access the network from the dmz using the real addresses (if the dmz acl permits).

And yes you can use a static for the network together with a static for one ip, if you use different netmasks.


What is the difference between using the real address and the NAT address in the inside and dmz networks? Does it affect application access?


There is no difference. Normally you do not have to translate addresses between the inside and dmz networks, but you can do it either way.

If you need to initiate connections from the DMZ to the inside you must use the static command for some addresses or the entire network (but you do not have to translate the addresses).

But if you only need the inside to access the dmz, you can instead use the nat/global commands. That will only allow outbound connections from the inside.


If I use a virtual server IP address (NetScaler) in the dmz and the real server IP address is on the internal network, do I need to do a static from the dmz to internal?


Yes, you need static statements to permit access from any interface when you are going to the inside.

You also need an access-list to permit the traffic on the dmz interface.


I just tried adding one static line

static (inside,dmz) netmask 0 0,

but it fails; the message is: real-address conflict with existing static

inside: to dmz: netmask

Looks like I have to remove static (inside,dmz) netmask 0 0 from the pix.

What is the risk of removing this line? Maybe some IPs are denied access?


Sorry, you need to use policy nat.

access-list HOST1 permit ip host

static (inside,dmz) access-list HOST1

I am not sure if you have to remove the other static; try it first without removing it.

If it does not work you have to remove it, but then people will lose connectivity, and add it again with policy-nat:

access-list NET1 permit ip

static (inside,dmz) access-list NET1

If nat-control is enabled (assuming PIX/ASA OS 7.x and later), or if you're using PIX OS 6.x or earlier, you need to enable nat between any higher security level interface and any lower security level interface.

You can use any type of nat except identity nat if hosts on the lower security interface need to initiate connections back to the higher level security interface.

This means you can use any type of nat except the following:

nat (inside) 0


nat (inside) 0

...just for example.

nat exemption allows connections to be initiated both ways and looks like the following:

nat (inside) 0 access-list 101

Any nat involving the static command also allows connections to be initiated from either side.
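The NAT forms contrasted in the two replies above (identity NAT, NAT exemption, a network-wide static, and the policy static suggested as the fix for the "real-address conflict" error), written out as an added configuration example. This is not configuration from the thread, the poster's PIX or Cisco documentation; every address, access-list name (NONAT, HOST1, DMZ_IN) and the mapped address 10.2.2.250 are constructed, and the syntax is the pre-8.3 PIX/ASA form the thread uses. Sections 1 to 3 are alternatives, not a combined configuration; the note on NAT exemption taking precedence over statics reflects the pre-8.3 NAT order as I understand it.

```text
! Added example, not from the thread. All addresses and names are constructed.
! Inside network 10.1.1.0/24, DMZ network 10.2.2.0/24, one inside server 10.1.1.10.
! Pick ONE of sections 1-3 for the inside->dmz pair; they are shown together only for contrast.

! 1. Identity NAT: inside hosts reach the dmz with their real addresses, but the
!    dmz cannot initiate connections to the inside (no static exists to match).
nat (inside) 0 10.1.1.0 255.255.255.0

! 2. NAT exemption: real addresses in both directions, and connections may be
!    initiated from either side (still subject to the dmz interface ACL).
!    Note: exemption is evaluated before statics, so a host covered here would
!    not be translated by section 4 below.
access-list NONAT permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 3. Identity static for the whole network: the "netmask" is the real subnet
!    mask (a host mask here is the "wrong netmask" from the first reply);
!    the trailing "0 0" are the max-connection and embryonic limits, 0 = unlimited.
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0

! 4. A plain static for a single host inside that /24 collides with section 3
!    ("real-address conflict with existing static"). The reply's workaround is
!    policy NAT: 10.1.1.10 is translated to 10.2.2.250 only for traffic to the
!    dmz subnet, and this static coexists with the network-wide identity static.
access-list HOST1 permit ip host 10.1.1.10 10.2.2.0 255.255.255.0
static (inside,dmz) 10.2.2.250 access-list HOST1

! 5. Least-privilege ACL on the dmz interface, required for any dmz-initiated
!    connection. Pre-8.3 interface ACLs match the address as seen on that
!    interface, so the rule names the mapped address 10.2.2.250, not 10.1.1.10.
access-list DMZ_IN permit tcp 10.2.2.0 255.255.255.0 host 10.2.2.250 eq 443
access-list DMZ_IN deny ip any any
access-group DMZ_IN in interface dmz
```

To see which translation a given flow would use before committing to it, `show xlate` and `show nat` on the PIX list the active translations and NAT statements; a dmz host that can reach the inside under section 3 but not under section 1 is the behavioural difference the last reply describes.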


