PIX NONAT Questions

Posted on 2006-05-05
Last Modified: 2013-11-16

I am a bit fuzzy on a few different topics regarding the management of our PIX.  Originally it was setup by a contractor and I am just hoping to better understand the logic behind the config.

We have three interfaces:  Inside, Outside, and DMZ
We have a Client VPN.
VPN Group IP Pool: –
DMZ network: 172.16.4.0 (addresses have been changed for this example)
VPN network:
Internal network:


1. access-list NONAT permit ip
2. access-list NONAT permit ip host
3. access-list NONAT-DMZ permit ip
4. access-list NONAT-DMZ permit ip
5. global (outside) 1 interface
6. nat (inside) 0 access-list NONAT
7. nat (inside) 1 0 0
8. nat (DMZ) 0 access-list NONAT-DMZ
9. nat (DMZ) 1 0 0


1. My understanding is that 6. above tells all inside addresses to use PAT to go outside using the global address "interface"?
2. Then 8. would indicate that all DMZ traffic is to use PAT as well?
3. What is the importance of 7. and 9.?
4. I am also fuzzy on the access-lists: what are they doing? It would appear that NONAT lets DMZ and VPN traffic access the inside addresses.
5. NONAT-DMZ seems the same?
6. I was also trying to set up the VPN client to only access on the internal network, and line 2. seems to have achieved this, but I am not sure it is the best method. I see that line 3. allows the VPN network to the entire internal network, but I access anything other than the single address, which is good.

Any assistance is greatly appreciated.

Question by:strangej
    LVL 25

    Accepted Solution

    1) Line 6 says that any traffic from inside to network or from host to VPN network should skip any NAT translations.
    2) Line 8 says to skip NAT translations on traffic from the inside to the VPN and DMZ networks.
    3) Lines 7 and 9 work in conjunction with line 5. Basically, any IP on the inside interface will be PAT'd to the outside interface address. Same for the DMZ hosts.
    4) The NONAT ACL is applied with the nat (<interface>) 0 command, which means skip any translations and don't change the source IP on the packet.
    5) Look at 4.
    6) You are right for the NONAT ACL, but NONAT-DMZ is a different ACL. Did you add those ACLs, or did someone else?

    Author Comment

    NONAT-DMZ was added by someone else. There are a few things in the config like that, where I wonder whether they should really be there.


    LVL 25

    Expert Comment

    Depends on the rest of the config and what that looks like.

    Author Comment

    Going back to your answer 4):

    If I am understanding correctly, this is stating: don't change the source IP for anything going from the inside to the network (I typed this wrong; it should have said network DMZ), and if I had different networks inside, such as , those would be PAT'd and the source IP changed to the global (outside) 1 interface? I would imagine this is done for the inside network so that ACLs can be created in the DMZ access-list for granularity?

    Thanks again!

    LVL 25

    Expert Comment

    > if I had different networks inside such as then those would be PAT'd and the source IP changed to the global (outside) 1 interface?

    Yes, but not necessarily to the outside interface; going from inside to DMZ could PAT the source IP/port combo to the DMZ interface of the firewall as well.

    Normally I would say you shouldn't NAT/PAT between non-public interfaces. It gives you more control over your network and better logging ability. For instance, your email server is in your DMZ and you want to see what IP a certain user is checking his/her email from (why? who knows, just an example). However, if there is a PAT going on, then you'll only ever see the DMZ interface IP of the firewall instead of the IP of the host on the inside.

    My firewall at work is configured to PAT my hosts from inside to DMZ because I had someone configure the firewall before I was able to learn the PIX OS myself. So when I SSH into my servers on my DMZ, all I see is my DMZ interface IP, so if someone else is trying to SSH into the servers, I won't know who (obviously I'm going to change this, but it's working for now so I'm not touching it).

    Normally you'd want something like this in your config:
    static (inside, dmz)
    static (dmz, inside)

    The first one makes it so any client on the inside going to a host on the DMZ will essentially keep its IP through the firewall, and line 2 does the same for DMZ-to-inside host traffic. This way you know the true IP of the host.
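To make the order of operations discussed in this thread concrete (nat 0 exemption first, then static identity translation, then the dynamic nat 1 / global PAT), here is an added Python model of the decision; it is not from the thread or from Cisco. All addresses, the 10.1.1.0/24 subnet listed in NONAT, the inside-wide identity static and a "global (dmz) 1 interface" are assumptions made for the example.

```python
import ipaddress

# Constructed lab addressing (assumed; the thread's real addresses were removed).
INSIDE_LAN = ipaddress.ip_network("10.1.1.0/24")   # the inside subnet listed in NONAT
INSIDE_ALL = ipaddress.ip_network("10.1.0.0/16")   # every inside network
DMZ        = ipaddress.ip_network("172.16.4.0/24")
VPN_POOL   = ipaddress.ip_network("10.9.0.0/24")
IF_ADDR    = {"outside": "203.0.113.2", "dmz": "172.16.4.1"}   # firewall interface IPs

# access-list NONAT, bound by "nat (inside) 0 access-list NONAT":
# (source, destination) pairs that skip translation entirely.
NONAT = [(INSIDE_LAN, DMZ), (INSIDE_LAN, VPN_POOL)]

# Identity statics the expert recommends, keyed by (ingress, egress) interface,
# modelling e.g. "static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.0.0" (assumed).
IDENTITY_STATICS = {("inside", "dmz"): INSIDE_ALL}

def egress_interface(dst):
    """Routing model: the DMZ subnet leaves via the dmz interface, all else via outside."""
    return "dmz" if dst in DMZ else "outside"

def translate(src, dst, statics=None, ingress="inside"):
    """Return (matching rule, source address the destination host will see).
    PIX order of operations: nat 0 exemption, then static, then the dynamic
    "nat (inside) 1 0 0" paired with "global (<egress>) 1 interface" (PAT)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    out_if = egress_interface(dst)
    # 1. NAT exemption wins over every other translation rule.
    for s_net, d_net in NONAT:
        if src in s_net and dst in d_net:
            return ("nat 0 exempt", str(src))
    # 2. A static for this interface pair keeps the real address (identity NAT).
    net = (statics or {}).get((ingress, out_if))
    if net is not None and src in net:
        return ("static identity", str(src))
    # 3. Otherwise "nat 1 0 0" PATs the host to the egress interface address
    #    (assumes a "global (dmz) 1 interface" exists alongside the outside one).
    return ("nat 1 PAT", IF_ADDR[out_if])

if __name__ == "__main__":
    for host in ("10.1.1.20", "10.1.5.7"):
        print(host, "-> DMZ, no statics:  ", translate(host, "172.16.4.10"))
        print(host, "-> DMZ, with statics:", translate(host, "172.16.4.10", IDENTITY_STATICS))
        print(host, "-> Internet:         ", translate(host, "198.51.100.9"))
```

The second host illustrates the logging problem the expert describes: without the identity static, a DMZ server only ever sees the firewall's DMZ interface address for that host.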
