Scenario 1:

This is the sequence in which the translation commands are prioritized by the PIX Firewall:

  1. nat 0 access-list (nat-exempt)
  2. match against existing xlates
  3. static statements
     1. static nat with and without access-list (first match)
     2. static pat with and without access-list (first match)
  4. nat
     1. nat access-list (first match)
        Note: The nat 0 access-list command is not part of this step.
     2. nat (best match)
        Note: When choosing a global address from multiple pools with the same NAT ID, this order is attempted:
        1. If the ID is 0, create an identity xlate.
        2. Use the global pool for the dynamic NAT.
        3. Use the global pool for the dynamic PAT.
  5. Error

nat (inside_interface_name) 0

NAT 0 has two effects:

  1. nat (inside_interface_name) 0 access-list 101

     This works exactly the same way as static, except it bypasses NAT. It does not require the connection to be initiated from the higher security interface before the host on the lower security interface can create a connection to the host on the higher security level interface.

  2. nat (inside_interface_name) 0

     This bypasses NAT, but requires the host on the higher security interface to first initiate a connection to the host on the lower security interface before the host on the lower security interface can initiate a connection.
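To make the priority order above concrete, here is an added Python model (not Cisco code; the Rule class and its "kind" values are hypothetical simplifications of PIX translation statements) that walks a packet through the five steps and reports which one claims it:

```python
import ipaddress
from dataclasses import dataclass
# Hypothetical rule model: kind is "nat0-acl", "static-nat", "static-pat", "nat-acl" or "nat".
@dataclass
class Rule:
    kind: str
    src: str                   # source network the rule covers
    dst: str = "0.0.0.0/0"     # destination network (access-list forms only)
    nat_id: int = 1            # nat id; 0 means identity xlate (bypass NAT)
def matches(rule, src_ip, dst_ip):
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst))
def select_translation(src_ip, dst_ip, xlates, rules):
    # 1. nat 0 access-list (nat-exempt) wins before anything else
    for r in rules:
        if r.kind == "nat0-acl" and matches(r, src_ip, dst_ip):
            return ("nat0-acl", r)
    # 2. an existing xlate for this source is reused
    if src_ip in xlates:
        return ("xlate", xlates[src_ip])
    # 3. static nat, then static pat: first match in configured order
    for kind in ("static-nat", "static-pat"):
        for r in rules:
            if r.kind == kind and matches(r, src_ip, dst_ip):
                return (kind, r)
    # 4a. nat with access-list: first match
    for r in rules:
        if r.kind == "nat-acl" and matches(r, src_ip, dst_ip):
            return ("nat-acl", r)
    # 4b. plain nat: best (longest-prefix) match; id 0 gives an identity xlate
    best = None
    for r in rules:
        if r.kind == "nat" and matches(r, src_ip, dst_ip):
            if best is None or (ipaddress.ip_network(r.src).prefixlen
                                > ipaddress.ip_network(best.src).prefixlen):
                best = r
    if best is not None:
        return ("nat-identity" if best.nat_id == 0 else "nat", best)
    # 5. nothing claims the packet: the PIX logs an error and drops it
    return ("error", None)
# Constructed sample configuration (addresses are made up for the demo).
SAMPLE_RULES = [
    Rule("nat0-acl", "10.1.0.0/16", "192.168.0.0/16", 0),  # VPN exemption
    Rule("static-nat", "10.1.1.0/24"),                      # published hosts
    Rule("nat", "10.0.0.0/8", nat_id=1),                    # catch-all pool
    Rule("nat", "10.1.0.0/16", nat_id=2),                   # more specific pool
]
```

Feeding the same source through with and without an entry in `xlates` shows why an existing translation can override a static you expect to win: step 2 runs before step 3.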

Scenario 2:


The user wants a router (887) behind an ASA, with a public address, to reach the Internet without being NATed by the ASA. Everything else is working.

   |          |
    border router(877W) ---79.x.x.112/29----> Asa firewall ----79.x.x.120/29-----> router(887) ---------->client

The NAT rules already applied are listed below:

nat (inside,outside) source static inside-network inside-network destination static ALL ALL  (not working)

nat (inside,outside) source static DEFAULT-PAT-SOURCE DEFAULT-PAT-SOURCE destination static DEFAULT-PAT-SOURCE DEFAULT-PAT-SOURCE  (working)

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface destination static ALL ALL  (working)

object-group network ALL
 network-object object ANY-
 network-object object ANY-
object network ANY-
object network ANY-
object-group network DEFAULT-PAT-SOURCE
 network-object object 172ari
 network-object object 192ari
 network-object object dekari
object network 172ari
object network 192ari
object network dekari
object network inside-network
 subnet 79.x.x.120



The border router also needs a route back to the 179.x.x.120/29 network. As the user can see, traffic is going through the firewall, but the ISP is not routing the return traffic back.

Make sure the border router (877W) has a route to the internal public subnet.

The user should apply the capture commands below on the ASA and then check the output:

cap capout interface outside match icmp host x.x.x.x (Internal router IP address) host
cap capin interface inside match icmp host x.x.x.x (Internal router IP address) host

Then ping from the router.

Commands used to check the output:
show cap capin
show cap capout


Refer to these documents for more information on these commands:
