

PIX NONAT Questions

Posted on 2006-05-05
Medium Priority
Last Modified: 2013-11-16

I am a bit fuzzy on a few different topics regarding the management of our PIX.  Originally it was set up by a contractor and I am just hoping to better understand the logic behind the config.

We have three interfaces:  Inside, Outside, and DMZ
We have a Client VPN.
VPN Group IP Pool: –
DMZ network: 172.16.4.0 “addresses have been changed for example”
VPN network:
Internal network:


1. access-list NONAT permit ip
2. access-list NONAT permit ip host
3. access-list NONAT-DMZ permit ip
4. access-list NONAT-DMZ permit ip
5. global (outside) 1 interface
6. nat (inside) 0 access-list NONAT
7. nat (inside) 1 0 0
8. nat (DMZ) 0 access-list NONAT-DMZ
9. nat (DMZ) 1 0 0


1.      My understanding is that 6. above tells all inside addresses to use PAT to go outside using the global address “interface”?
2.      Then 8. would indicate all DMZ traffic as well to use PAT?
3.      What is the importance of 7. and 9. ?
4.      I also am fuzzy on the access-list what are they doing?  It would appear that NONAT lets DMZ and VPN traffic access the inside addresses.
5.      NONAT-DMZ seems the same?
6.      I was also trying to set up the VPN client to only access on the internal network and line 2. seems to have achieved this, but I am not sure it is the best method?  I see that line 3. allows the VPN network to the entire internal network, but I access anything other than the single address which is good.

Any assistance is greatly appreciated.

Question by:strangej

Accepted Solution

Cyclops3590 earned 500 total points
ID: 16615893
1) line 6 says that any traffic from inside to network or from host to VPN network should skip any NAT translations
2) line 8 is saying to skip NAT translations on traffic from the inside to the VPN and DMZ networks
3) line 7 and 9 work in conjunction with line 5.  basically any IP on the inside interface will be PAT'd to the outside interface address.  same for the dmz hosts
4) the nonat is applied to nat (<interface>) 0 command which means skip any translations and don't change the source ip on the packet
5) look at 4
6) you are right for the NONAT acl, but the NONAT-DMZ is a different acl, did you add those acls or someone else?

Author Comment

ID: 16616002
NONAT-DMZ was added by someone else.  There are a few things in the config like that, that I wonder should it really be there.



Expert Comment

ID: 16616212
depends on the rest of the config, what that looks like

Author Comment

ID: 16616525
Going back to your answer 4):

If I am understanding correctly, this is stating don't change the source IP from anything on the inside to the network (I typed this wrong it should have said network DMZ), and if I had different networks inside such as then those would be pat'd and the source IP changed to the global (outside) 1 interface?   I would imagine this is done for the inside network to create ACLs in the DMZ access-list for granularity?

Thanks again!


Expert Comment

ID: 16616616
>if I had different networks inside such as then those would be pat'd and the source IP changed to the global (outside) 1 interface?
yes, but not necessarily to the outside interface, going from inside to dmz could PAT the source IP/port combo to the DMZ interface of the firewall as well.

normally i would say you shouldn't NAT/PAT between non-public interfaces.  gives you more control over your network and logging ability.  for instance, your email server is in your dmz, you want to see what IP a certain user is checking his/her email from (why? who knows, just an example) however if there is a PAT going on, then you'll only ever see the dmz interface IP of the firewall instead of the IP of the host on the inside.

my firewall at work is configured to PAT my hosts from inside to DMZ because I had someone configure the firewall before I was able to learn the PIX OS myself.  so when I ssh into my servers on my dmz, all i see is my dmz interface ip so if someone else is trying to ssh into the servers, I won't know who (obviously I'm going to change this, but it's working for now so I'm not touching it)

normally you'd want something like this in your config
static (inside, dmz)
static (dmz, inside)

the first one makes it so any client on the inside going to a host on the dmz will essentially keep its IP thru the firewall, and line 2 does the same for dmz to inside host traffic.  this way you know the true IP of the host
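
Added example, not part of the original thread: a simplified Python model of the lookup the answers describe (the `nat 0 access-list` exemption is checked first, then the `nat` id is matched to a `global` on the egress interface), showing which source address a DMZ server would log. Every address except the DMZ network is constructed, the /24 masks are assumed, and statics and policy NAT are not modelled.

```python
import ipaddress as ip

# Constructed addressing: the thread's real addresses are elided.
INSIDE = ip.ip_network("10.1.0.0/24")   # assumed inside network
DMZ = ip.ip_network("172.16.4.0/24")    # DMZ from the question, /24 assumed
VPN = ip.ip_network("10.9.9.0/24")      # assumed VPN client pool
IFACE_IP = {"outside": "203.0.113.1", "dmz": "172.16.4.1"}

# nat (inside) 0 access-list NONAT: (source, destination) pairs exempt from NAT
NAT0 = {"inside": [(INSIDE, DMZ), (INSIDE, VPN)]}
# nat (inside) 1 0 0 / nat (DMZ) 1 0 0: any source on the interface is in NAT id 1
NAT_ID = {"inside": 1, "dmz": 1}


def translate(src, dst, in_if, out_if, globals_):
    """Return (source address the destination sees, reason).

    globals_ maps (egress interface, nat id) -> "interface",
    modelling lines such as 'global (outside) 1 interface'.
    """
    s, d = ip.ip_address(src), ip.ip_address(dst)
    # 1. The exemption wins: the packet keeps its real source address.
    for s_net, d_net in NAT0.get(in_if, []):
        if s in s_net and d in d_net:
            return src, "nat 0 exemption"
    # 2. Otherwise the nat id needs a global with the same id on the egress side.
    nat_id = NAT_ID.get(in_if)
    if nat_id is not None and globals_.get((out_if, nat_id)) == "interface":
        return IFACE_IP[out_if], "PAT"
    # 3. No matching global: the firewall has nothing to translate to.
    return None, "no translation group"


def scenarios():
    """Walk the cases discussed in the thread and collect the results."""
    as_posted = {("outside", 1): "interface"}           # config in the question
    with_dmz_pat = {**as_posted, ("dmz", 1): "interface"}  # the expert's work firewall
    return {
        "inside -> internet": translate("10.1.0.25", "198.51.100.7", "inside", "outside", as_posted),
        "inside -> dmz (in NONAT)": translate("10.1.0.25", "172.16.4.10", "inside", "dmz", as_posted),
        "other inside net -> dmz": translate("10.2.0.25", "172.16.4.10", "inside", "dmz", as_posted),
        "other inside net -> dmz, dmz PAT": translate("10.2.0.25", "172.16.4.10", "inside", "dmz", with_dmz_pat),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:35} {result}")
```

The last scenario is the logging problem described above: the DMZ server records the firewall's DMZ interface address instead of the inside host's.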
