PIX 515E 6.3 NAT Question



I'm having some issues trying to get connectivity from the inside to the DMZ on a PIX515 (6.3).

Here's the scenario (diagram attached).

Inside interface IP:

DMZ interface IP:

There is a server in the DMZ with an IP of

The DMZ network routes are not to be published. To access the server, clients on the inside network must target an IP on the local subnet, which has been provided as, so a static NAT is required.

The internal networks must remain hidden from the server in the DMZ.

I think I'm approaching the NAT all wrong, but not sure what's the correct way to configure it.

Config below:

PIX Version 6.3(5)
interface ethernet0 auto shutdown
interface ethernet1 auto
interface ethernet2 auto
interface ethernet3 auto shutdown
interface ethernet4 auto shutdown
interface ethernet5 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security6
nameif ethernet4 intf4 security8
nameif ethernet5 intf5 security10
hostname PIX01
access-list acl_dmz_in permit ip any any
access-list acl_dmz_in permit icmp any any
access-list acl_inside_in permit icmp any any
access-list acl_inside_in permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu intf3 1500
mtu intf4 1500
mtu intf5 1500
no ip address outside
ip address inside
ip address dmz
no ip address intf3
no ip address intf4
no ip address intf5
ip audit info action alarm
ip audit attack action alarm
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address intf3
no failover ip address intf4
no failover ip address intf5
pdm history enable
arp timeout 14400
static (dmz,inside) netmask 0 0
access-group acl_inside_in in interface inside
access-group acl_dmz_in in interface dmz
route inside 1




HTH Paul ****Please rate useful posts****
9 Replies

Jouni Forss


The attachments aren't currently working on the forums for some reason. I wonder if you can just simply take a screen capture of the picture and copy/paste it directly into the post/reply.

I guess if you are looking for an option to the above NAT you could consider Policy NAT

access-list DMZ-SERVER-POLICYNAT permit ip host
access-list DMZ-SERVER-POLICYNAT permit ip host any
static (dmz,inside) access-list DMZ-SERVER-POLICYNAT

I'm not 100% sure if it will work. Don't remember if the old software had its own limitations. I use them very rarely nowadays.

- Jouni

Hi Jouni,

Thanks for your feedback, the diagram was really just to illustrate what I wrote in the post.

I got the nat working from inside to dmz, by using:

global (dmz) 1 interface
nat (inside) 1 0 0
static (dmz,inside) netmask 0 0

I can ping and it replies with, and I can also ping

I haven't managed to get traffic that's initiated from the dmz to the inside to work yet.



HTH Paul ****Please rate useful posts****


The configuration above that you bolded will only create a PAT translation for traffic entering from "inside" to "dmz". Traffic to the "dmz" server will be using the "dmz" interface IP address as the PAT address.

To my understanding the Policy NAT configuration I pasted above should work for both directions.

What it should do is:

  • When a "dmz" host initiates connections to the network it will translate to the specified IP address of
  • In the same way, if a host on the "inside" network initiates connections towards the host address it should forward the traffic to the "dmz" host.
  • So it should make it possible to initiate connections from either side. The ACL version (destination address/network(s) used) will specify for what traffic the Policy NAT applies.

At least that is how it should work to my understanding. If you happen to try the Policy NAT I would suggest removing the existing NAT.

If it doesn't work, possibly check "show xlate" to see if there is some old xlate still in use that needs to be cleared.

- Jouni
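Below is a worked PIX 6.3 configuration that puts the two parts of the thread together: the original requirement (inside clients reach the DMZ server through an address on their own subnet, and the inside networks stay hidden from the server) and Jouni's policy static NAT suggestion. It is an added example, not the poster's configuration and not Jouni's. Every address in it is a placeholder I chose for illustration, since the thread's addresses did not survive: inside 192.168.10.0/24 on ethernet1, dmz 172.16.20.0/24 on ethernet2, the DMZ server's real address 172.16.20.50, and 192.168.10.250 as the free inside-subnet address used as its mapped address. The ACL and static names are also mine.

```cisco
! Added example (placeholder addresses, see lead-in); PIX 6.3 syntax.
ip address inside 192.168.10.1 255.255.255.0
ip address dmz 172.16.20.1 255.255.255.0
!
! --- Policy ACL: which traffic of the DMZ server the static applies to ---
! Source is the server's REAL address, destination the inside network
! (the addresses as seen on the inside side of the static).
access-list DMZ-SERVER-POLICYNAT permit ip host 172.16.20.50 192.168.10.0 255.255.255.0
!
! --- Policy static NAT: real interface dmz, mapped interface inside ---
! Maps 172.16.20.50 <-> 192.168.10.250 for traffic matching the ACL:
!   inside host -> 192.168.10.250 is forwarded to 172.16.20.50 in the dmz;
!   172.16.20.50 -> 192.168.10.0/24 is seen on the inside as 192.168.10.250.
! The PIX answers ARP for 192.168.10.250 on the inside interface (proxy ARP
! for statics), so that address must not be in use by any inside host.
static (dmz,inside) 192.168.10.250 access-list DMZ-SERVER-POLICYNAT
!
! --- Hiding the inside networks from the DMZ server ---
! The static above rewrites only the SERVER's address. Inside source
! addresses are handled by a separate nat/global pair: every inside host
! talking to the dmz is PATed behind the dmz interface address, so the
! server only ever sees 172.16.20.1 as the client. These xlates are
! dynamic, i.e. created by inside-initiated connections; they give the
! DMZ server nothing it can initiate connections to.
nat (inside) 1 0 0
global (dmz) 1 interface
!
! --- Interface ACLs (permit-any, as in the poster's config) ---
access-list acl_inside_in permit ip any any
access-list acl_dmz_in permit ip any any
access-group acl_inside_in in interface inside
access-group acl_dmz_in in interface dmz
!
! --- After changing NAT, from exec mode: drop stale translations, then verify ---
! clear xlate
! show xlate
```

Two things worth checking with this layout: "show xlate" should show the static entry for 172.16.20.50 before any test, and a PAT entry for the inside client only while a connection to the server is open. The second comment block is also where the tension in the original requirements sits: dynamic PAT is what keeps the inside addresses hidden from the server, and dynamic translations are by nature not something the DMZ side can address, so any DMZ-initiated access to an inside host needs that host to have a translation of its own on the dmz side.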