PIX 535 NAT problem

chrismoore63
Level 1

Hello,

Sorry but I'm having a problem with my PIX 535. I have a PIX 535 with 4 interfaces... inside, DMZ1, DMZ2, and outside.

inside 140.32.1.x

dmz 192.168.1.0

outside 140.32.1.x

I have this is in my config and everything works fine:

nat (inside) 0 0.0.0.0 0.0.0.0

My problem is this. I need to NAT some traffic from my inside interface and then dump it into my VPN tunnel. The rest of the inside traffic should not be NAT'd and go out to the Internet. I could do this:

access-list JPS-Web permit ip host 140.32.x.10 152.10.32.4 255.255.255.254

global (outside) 5 140.32.x.30

nat (inside) 5 access-list JPS-Web

My question is... won't the NAT 0 override everything I'm trying to do??? I just need the one IP NAT'd when it tries to go to the two Web servers. It then would go into an IPSEC tunnel and come out at a remote site. The rest of my inside traffic needs to go out un-NAT'd. I don't want to break all my users' Internet access just so a couple of users can get to the remote Web servers.

Help!!!

2 Replies

granberg
Level 1

I have never actually tried such a setup, but I believe you could solve your problem by using an acl with your NAT 0 (NAT exemption vs current identity NAT).

access-list nonat deny ip host 140.32.x.10 152.10.32.4 255.255.255.254

access-list nonat permit ip any any

no nat (inside) 0 0.0.0.0 0.0.0.0

nat (inside) 0 access-list nonat

Hope that helps you.
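The two posts above combined into one inside-to-outside NAT policy, shown as an added example rather than any configuration from the thread. It keeps the poster's redacted "x" octet as a placeholder and assumes the classic PIX `nat`/`global`/`access-list` syntax used in both posts; the `!` lines are comments.

```text
! Added example, not taken from the thread. "x" stands for the third octet the
! poster redacted; 152.10.32.4 255.255.255.254 covers the two remote web servers.

! --- Before: blanket identity NAT. Nothing leaving "inside" is ever translated,
! so there is no hook to rewrite one host's source address for the tunnel.
nat (inside) 0 0.0.0.0 0.0.0.0

! --- After: NAT exemption ACL plus policy NAT
! 1. The one flow that MUST be translated (one host -> the two web servers).
access-list JPS-Web permit ip host 140.32.x.10 152.10.32.4 255.255.255.254

! 2. Exempt all other inside traffic from NAT, but carve the web-server flow
!    out of the exemption so it falls through to the policy NAT rule below.
access-list nonat deny ip host 140.32.x.10 152.10.32.4 255.255.255.254
access-list nonat permit ip any any

! 3. Swap identity NAT for ACL-based NAT exemption.
no nat (inside) 0 0.0.0.0 0.0.0.0
nat (inside) 0 access-list nonat

! 4. Policy NAT for the carved-out flow: its source becomes 140.32.x.30.
global (outside) 5 140.32.x.30
nat (inside) 5 access-list JPS-Web
```

After a test connection from 140.32.x.10 to one of the web servers, `show xlate` should list a single translation to 140.32.x.30 and nothing for the rest of the inside network. One caveat for the tunnel itself: the PIX applies outbound NAT before it evaluates the crypto map, so the crypto ACL for the remote site has to match the translated source (140.32.x.30), not the original 140.32.x.10, or the traffic will be translated but never encrypted.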

bfele
Level 1

Here is a link to explain NAT/STATIC order of operation. Hope it helps...

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_guide_chapter09186a008063b1fa.html#wp1042696

Regards,

Bostjan
