topic Re: PIX 6.3.3 policy NAT problems in Network Security

PIX 6.3.3 policy NAT problems

chrismoore63 — Fri, 21 Feb 2020 09:04:24 GMT

I'm curious to see if anyone can help with my situation. I currently do not NAT on my inside interface:

NAT 0 0.0.0.0 0.0.0.0

I need to start doing policy NAT for some internal hosts going from inside private IPs to certain sites off of one of my DMZ interfaces. My problem is that this:

Global (DMZ4) 5 199.19.19.2

NAT (inside) 5 access-list DMZ-NAT

NAT (inside) 0 0.0.0.0 0.0.0.0

I need to only NAT inside traffic that matches the access list. If it doesn't match the access-list I don't want to NAT it all. When I try to test this out I see the inside traffic matching the inside access-list and being routed to the DMZ4 interface. However the traffic is never NAT'd. I never see the source IP getting translated to 199.19.19.2 Any suggestions???

Re: PIX 6.3.3 policy NAT problems

Fernando_Meza — Thu, 27 Jul 2006 05:07:08 GMT

Hi .. I suggest to use Policy NAT for nat 0 as well .. instead of nat exemption for the whole inside segment. ..

nat (inside) 0 access-list NO_NAT

access-list NO_NAT permit ... etc

I hope it helps ... please rate if it does !!!

Re: PIX 6.3.3 policy NAT problems

chrismoore63 — Mon, 31 Jul 2006 02:26:11 GMT

My problem is I only need to NAT one IP on the inside interface when it goes to a specific server. I'll NAT it and dump it into my VPN tunnel. The problem is it's going to a Web server (port 80). The IP is the NAT address of my internal firewall. If the traffic doesn't match the ACL then it should go out to the Internet as is. How can I do policy NAT for nat 0 and tell it to NAT to one location, but don't NAT for the rest of the Internet???

Re: PIX 6.3.3 policy NAT problems

todd.kelly — Mon, 14 Aug 2006 15:48:24 GMT

If you are going to implement policy nat, pdm will not function properly. You will only be able to use the home and monitor tab. I am using PDM version 3.04.

Re: PIX 6.3.3 policy NAT problems

cpembleton — Mon, 14 Aug 2006 19:06:11 GMT

This allow you to nat an address to a specific address going to a specific server on port 80.

access-list WEB permit tcp 10.1.2.0 255.255.255.0 65.x.x.1 255.255.255.255 eq 80

nat (inside) 1 access-list WEB

global (outside) 1 209.x.x.1 255.255.255.255

Re: PIX 6.3.3 policy NAT problems

aporcaro01 — Tue, 15 Aug 2006 13:01:57 GMT

Hi!

I have the same topology.

In my case I use:

static (inside,DMZ_Client) 192.168.162.201 access-list inside_client

access-list inside_client extended permit ip host 10.10.1.1 10.250.0.0 255.255.192.0

Regards,

Adriano Porcaro