Basic NO NAT setups and concepts on a PIX.

I'm going to use an example from a book that I'm having trouble understanding because if someone can explain this example to me, I think I'll have a grasp on what I need to know.

This is a PIX with three interfaces. is attached to the outside interface. is attached to the DMZ interface.
192.168.2-4.0/24 are all behind the inside interface.

The snippet of the configuration provided is this:

pixfirewall(config)# global (outside) 1 netmask
pixfirewall(config)# nat (inside) 1 0 0
pixfirewall(config)# nat (dmz) 1 0 0
pixfirewall(config)# static (dmz, outside)
pixfirewall(config)# static (dmz, outside)
pixfirewall(config)# static (inside, dmz) netmask
pixfirewall(config)# access-list NO_NAT permit ip
pixfirewall(config)# access-list NO_NAT permit ip
pixfirewall(config)# access-list NO_NAT permit ip
pixfirewall(config)# nat (inside) 0 access-list NO_NAT

Now, I understand all of this config and most other configs, but for some reason I've just never gotten how no nat works exactly.  I'd like to understand it well.

The book says "If a device from the inside interface tries to access a device on the dmz interface, it will not have its address translated -- this is based on the very last static command in the configuration." Fine and dandy.  So, the static entry in question keeps things going from the inside -> dmz from being translated.  What does the NO_NAT ACL do?  

Originally, I thought it was some kind of similar thing, but in reverse (i.e., telling things going out from the DMZ not to try to NAT to the addresses in question, the 192.168.2-4.0/24 networks), but that makes no sense because it's applied to the inside interface.  Is that ACL applied with the "nat (inside)" statement just a redundancy of the static statement?

Also, what are the security implications of disabling NAT?  Do the security-level implications still apply (i.e., things on the security 100 inside can still reach things on the security 50 DMZ interface but not vice versa, assuming there is no other ACL involvement), or does disabling NAT remove that difference in security level?

Someone please help me.  I feel like I'm frustrated enough and asking such a hugely broad question that I'm going to go ahead and assign a high point value to hopefully make it worth someone's while.

Thanks very much.
prueconsulting Commented:
In that example it's basically used to create a translation that keeps the from field the same, because as packets traverse the interfaces they will undergo a translation.

So, for example, let's use this:

Exchange Server on LAN with an address of connecting to a DMZ mail server with an address of

DMZ interface is

When the Exchange server connects to the DMZ host, the DMZ host will see the packet as coming from 5.245 due to the static translation.

But if a workstation, say on another subnet, was to connect to the DMZ host, the mail server would see its IP as the DMZ interface IP address.

Basically, in a nutshell:

When NAT is applied, as a packet travels in one interface and out another, its source address will appear to be the address of the interface it is exiting on.


If a packet travels from inside to out, it will appear to be coming from

Now if you apply a no nat statement, anything that is hit by this no nat ACL will not be NATted, and its src address will be where the packet initiates from originally. This is mostly utilized in VPN tunnels to push a packet as interesting traffic across the tunnel.

Now, the static translations.

Based on the above static, if a packet coming from a src of attempts to hit a host in the DMZ, the address is actually "translated" but in reality keeps the same address, since the static translation is the same. But if a host say from was to hit the DMZ, it would appear to have come from since it doesn't match the translation.

Did this make sense?
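To make the order of evaluation concrete, here is a small Python model, added here as an example and not code from the original post, the book, or Cisco. It checks a packet's source against the three kinds of rule in the config quoted in the question, in the order a PIX 6.x applies them (nat 0 access-list, then static, then nat/global), and reports which rule won and what source address the far side sees. The book's addresses were not present in the page, so the DMZ and outside addresses used below (192.0.2.0/24, 198.51.100.x, 203.0.113.x) are constructed placeholders from the RFC 5737 documentation ranges; only the 192.168.2-4.0/24 inside networks come from the question, and the single inside-to-DMZ static is modelled as one identity static per inside subnet. The security-level and access-list permit decisions are a separate step and are not modelled.

```python
"""Toy model of PIX 6.x translation-rule precedence (added example).

Not code from the original post or from Cisco. It models only which rule
decides a packet's source address when a connection is initiated from the
"real" side of a rule, in the order a PIX evaluates them:
    1. nat (if) 0 access-list        - NAT exemption, address kept as-is
    2. static (real_if, mapped_if)   - fixed one-to-one mapping
    3. nat (if) id / global (if) id  - dynamic NAT/PAT
All addresses except the 192.168.2-4.0/24 inside networks are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Static:          # static (real_if, mapped_if) mapped real netmask ...
    real_if: str
    mapped_if: str
    real: IPv4Network
    mapped: IPv4Network


@dataclass(frozen=True)
class Exempt:          # nat (real_if) 0 access-list ACL; ACL = permit ip src dst
    real_if: str
    acl: Tuple[Tuple[IPv4Network, IPv4Network], ...]


@dataclass(frozen=True)
class Dynamic:         # nat (real_if) nat_id real   ("0 0" is 0.0.0.0/0)
    real_if: str
    nat_id: int
    real: IPv4Network


@dataclass(frozen=True)
class Global:          # global (mapped_if) nat_id address
    mapped_if: str
    nat_id: int
    address: IPv4Address


@dataclass(frozen=True)
class PixNat:
    exempts: Tuple[Exempt, ...]
    statics: Tuple[Static, ...]
    dynamics: Tuple[Dynamic, ...]
    globals_: Tuple[Global, ...]

    def translate(self, src_if: str, dst_if: str, src: str, dst: str) -> Tuple[str, Optional[str]]:
        """Return (rule that matched, source address the dst_if side sees)."""
        s, d = ip_address(src), ip_address(dst)
        # 1. NAT exemption is checked first and keeps the real source address.
        for ex in self.exempts:
            if ex.real_if == src_if and any(s in a and d in b for a, b in ex.acl):
                return ("nat 0 access-list", str(s))
        # 2. static: same offset into the mapped range, so an identity static
        #    (mapped == real) "translates" an address to itself.
        for st in self.statics:
            if st.real_if == src_if and st.mapped_if == dst_if and s in st.real:
                offset = int(s) - int(st.real.network_address)
                return ("static", str(st.mapped.network_address + offset))
        # 3. nat/global: needs a nat on src_if and a global with the same id on dst_if.
        for dn in self.dynamics:
            if dn.real_if == src_if and s in dn.real:
                for g in self.globals_:
                    if g.nat_id == dn.nat_id and g.mapped_if == dst_if:
                        return ("nat/global", str(g.address))
        # Nothing matched: PIX 6.x logs "No translation group found" and drops
        # the packet, whatever the security levels of the two interfaces.
        return ("dropped: no translation group", None)


# Constructed configuration shaped like the book snippet in the question.
INSIDE_NETS = tuple(ip_network(n) for n in ("192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24"))
DMZ_NET = ip_network("192.0.2.0/24")        # placeholder DMZ range
OUTSIDE_PAT = ip_address("198.51.100.1")    # placeholder "global (outside) 1" address

BOOK_LIKE = PixNat(
    exempts=(Exempt("inside", tuple((n, DMZ_NET) for n in INSIDE_NETS)),),
    statics=(
        Static("dmz", "outside", ip_network("192.0.2.10/32"), ip_network("198.51.100.10/32")),
        Static("dmz", "outside", ip_network("192.0.2.11/32"), ip_network("198.51.100.11/32")),
        # identity static (inside, dmz), one per inside subnet: mapped == real
        *(Static("inside", "dmz", n, n) for n in INSIDE_NETS),
    ),
    dynamics=(Dynamic("inside", 1, ip_network("0.0.0.0/0")), Dynamic("dmz", 1, ip_network("0.0.0.0/0"))),
    globals_=(Global("outside", 1, OUTSIDE_PAT),),
)

# Same box with "nat (inside) 0 access-list NO_NAT" removed, to see what the
# identity static does on its own.
WITHOUT_EXEMPT = PixNat((), BOOK_LIKE.statics, BOOK_LIKE.dynamics, BOOK_LIKE.globals_)

if __name__ == "__main__":
    print("with NO_NAT   ", BOOK_LIKE.translate("inside", "dmz", "192.168.2.10", "192.0.2.10"))
    print("without NO_NAT", WITHOUT_EXEMPT.translate("inside", "dmz", "192.168.2.10", "192.0.2.10"))
    print("inside->outside", BOOK_LIKE.translate("inside", "outside", "192.168.3.7", "203.0.113.5"))
    print("dmz->outside   ", BOOK_LIKE.translate("dmz", "outside", "192.0.2.10", "203.0.113.5"))
    print("unlisted inside host->dmz", BOOK_LIKE.translate("inside", "dmz", "192.168.9.9", "192.0.2.10"))
```

Compare the first two lines of output: for inside-to-DMZ traffic the exemption and the identity static both leave the source address untouched, which is why the two lines look redundant in this particular config; the exemption still matters because it is evaluated before any static and, as the reply above notes, is the usual way to keep VPN traffic untranslated. The last line shows an inside host that matches none of the three rules: even though inside is the higher security level, a PIX 6.x drops it for lack of a translation group, because the only global for nat id 1 sits on the outside interface.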
titan6400 (Author) Commented:
I get that the NO_NAT access-list, or generally using a "nat (interface) 0 <address>" command, means that the "from" header in an applicable packet won't get rewritten as having come from an address in the global pool -- it just stays the same.

What is the use of the "pixfirewall(config)# static (inside, dmz) netmask" in the example above?