Pix Multi Interface Interface PAT question

Posted on 2006-05-03
Last Modified: 2010-04-11
If we have a PIX with multiple interfaces, let's say inside / DMZ / outside and we use an interface PAT from the inside to the outside and this is working fine and we would like to do the same thing from the DMZ to the outside, it looks like we can't have two "sources" for an interface PAT to the outside.  So does this mean that we will have to use two outside interface IP addresses to allow the inside and the DMZ to get to the outside and overload an outside IP?

Thanks in advance.
Question by:ort11
    LVL 4

    Expert Comment

    I don't have a pix handy but did you try this?
    global (outside) 0 netmask
    global (outside) 1 netmask
    nat (dmz) 0 0 0
    nat (inside) 1 0 0

    This doc will most likely have the answer:

    LVL 20

    Accepted Solution

    >it looks like we can't have two "sources" for an interface PAT to the outside
      Yes, you can have 2 sources, such as the following:
    global (outside) 1 interface
    nat (inside) 1 0 0
    nat (dmz) 1 0 0

    Both the dmz & inside subnets would be PAT'd via the outside interface's IP.

    Sorry neoponder, '0' isn't a valid NAT ID for global statements, & you normally don't want to use "nat (inside) 0..." in this case, since a 'nat 0' statement disables NAT.  In your post above, "nat (dmz) 0 0 0" would make the PIX send outbound traffic from the dmz unchanged: ie, if the dmz subnet is 192.168.1.x, then outbound traffic from the dmz would be sent out as 192.168.1.x addresses.
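
As an added example (not part of the original thread and not any poster's code), a small Python check that applies the NAT ID rules from the accepted solution to PIX `nat`/`global` statements: it flags `global` with ID 0, `nat 0` (traffic leaves untranslated), and a `nat` ID with no matching `global`. The function name `audit_pix_nat` and both sample configurations are constructed for illustration, and the check does not track which egress interface each `global` applies to.

```python
import re

# PIX 6.x style statements as used in this thread, e.g.
#   global (outside) 1 interface
#   nat (inside) 1 0 0
STMT = re.compile(r"^\s*(global|nat)\s+\(([^)]+)\)\s+(\d+)\b")

def audit_pix_nat(config):
    """Return a list of findings for nat/global NAT ID pairing (hypothetical helper)."""
    findings = []
    global_ids = set()   # NAT IDs that have a translation pool or interface PAT
    nats = []            # (source interface, NAT ID) in config order
    for line in config.splitlines():
        m = STMT.match(line)
        if not m:
            continue
        kind, ifname, nat_id = m.group(1), m.group(2), int(m.group(3))
        if kind == "global":
            if nat_id == 0:
                findings.append(f"global ({ifname}) 0: 0 is not a valid NAT ID for global")
            else:
                global_ids.add(nat_id)
        else:
            nats.append((ifname, nat_id))
    for ifname, nat_id in nats:
        if nat_id == 0:
            # nat 0 disables translation: internal addresses leave unchanged
            findings.append(f"nat ({ifname}) 0: NAT disabled, source addresses sent unchanged")
        elif nat_id not in global_ids:
            findings.append(f"nat ({ifname}) {nat_id}: no global with NAT ID {nat_id}")
    return findings

# Constructed sample configs (not taken from a real device)
ACCEPTED = """
global (outside) 1 interface
nat (inside) 1 0 0
nat (dmz) 1 0 0
"""
FLAWED = """
global (outside) 0 interface
global (outside) 1 interface
nat (dmz) 0 0 0
nat (inside) 1 0 0
nat (dmz2) 2 0 0
"""

if __name__ == "__main__":
    for name, cfg in (("ACCEPTED", ACCEPTED), ("FLAWED", FLAWED)):
        print(name, audit_pix_nat(cfg) or "no findings")
```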

    LVL 1

    Author Comment

    Hi:  have not forgotten about this.  Have to check it out soon and get back.
