Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
236
Views
0
Helpful
1
Replies

PIX - NAT & PAT

joeldc
Level 1
Level 1

‎01-25-2005 10:59 PM - edited ‎02-20-2020 11:53 PM

We have a PIX that we are using for NATting to an external address. We currently have 12 valid addresses for NAT and when the 13th user connects he would use PAT.

We'd like to have everybody use PAT except particular users who we'd like to use NAT. Is there a way to force a particular user to use NAT? Maybe through a login id (in conjunction with AAA) or subnet IP?

0 Helpful
1 Reply 1

paddyxdoyle
Level 6
Level 6

‎01-26-2005 12:23 AM

Hi,

I believe you can do this using the following example.

Internal net to be PATed: 10.10.10.0 /24

Internat host to be NATed: 10.10.10.1 /32

nat inside (1) 10.10.10.1 255.255.255.255

nat insude (2) 10.10.10.0 255.255.255.0

global (outside) 1

global (outside) 2

So your specific host will always use your global NAT address, and the remaining hosts on this network will use your global PAT address.

The documentation states that the order of your NAT statements doesn't matter as the PIX will use the NAT statememt that best matches the source address.

"nat (regular NAT)—Best match. The order of the NAT commands does not matter. The nat statement that best matches the local traffic is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you also create a statement to translate only 10.1.1.1, when 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the local traffic best"

HTH

Paddy

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card