08-05-2002 04:51 PM - edited 02-20-2020 10:11 PM
I have not been able to find anything allowing me to perform the following.
I need to PAT a subnet residing on the outside interface when making a connection to a specific host (host A) reachable via the inside interface. I don't want the outside addresses translated when connecting to anything else. My default gateway is via the inside interface.
I have tried using the nat (outside) command along with a global command on a specific interface (interface mins). I have added a route to HostA via a separate interface. My thoughts were that traffic would pass this interface to reach the particular host and be NAT'd. All other traffic would use the inside interface and not be NAT'd. The location of this interface and the routing in place would cause the response to go via this separate interface.
I received the following error via syslog:
%PIX-3-305006: Regular translation creation failed for protocol src int_name:IP_addr/port dst int_name:IP_addr/port
Thanks in advance,
Clayton
08-05-2002 06:01 PM
The following should do the trick for you (you don't need a specific route to another interface just for this host; you can leave it on the inside):
> name 10.1.1.1 hostA
> name 200.200.200.0 OutsideNetwork
> access-list 150 deny ip OutsideNetwork 255.255.255.0 host hostA
> access-list 150 permit ip any any
> global (inside) 2 interface
> nat (outside) 0 access-list 150 outside
> nat (outside) 2 OutsideNetwork 255.255.255.0 outside 0 0
You'll also need the normal:
> global (outside) 1 interface
> nat (inside) 1 0 0 0
to allow your internal users to go out.
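As an added illustration (not part of the original thread), a small Python model of the order in which the PIX evaluates the rules posted above for a flow arriving on the outside interface: the nat 0 access-list exempts permitted flows, denied flows fall through to nat (outside) 2, which PATs the /24 to the inside interface address. The inside interface address 10.1.1.254 is an assumption.

```python
import ipaddress

# 'name' aliases from the posted config.
NAMES = {"hostA": "10.1.1.1", "OutsideNetwork": "200.200.200.0"}
# Assumed inside interface address; 'global (inside) 2 interface' PATs to it.
INSIDE_IF_ADDR = "10.1.1.254"

# access-list 150 as (action, src, src_mask, dst, dst_mask); first match wins.
ACL_150 = [
    ("deny", "OutsideNetwork", "255.255.255.0", "hostA", None),
    ("permit", "any", None, "any", None),
]


def _matches(addr, spec, mask=None):
    """Match an address against 'any', 'host X' (mask None) or network/mask."""
    if spec == "any":
        return True
    spec = NAMES.get(spec, spec)  # resolve 'name' aliases
    if mask is None:
        return ipaddress.ip_address(addr) == ipaddress.ip_address(spec)
    net = ipaddress.ip_network(f"{spec}/{mask}", strict=False)
    return ipaddress.ip_address(addr) in net


def acl_150_permits(src, dst):
    """Evaluate access-list 150 in order; implicit deny at the end."""
    for action, s, smask, d, dmask in ACL_150:
        if _matches(src, s, smask) and _matches(dst, d, dmask):
            return action == "permit"
    return False


def outside_nat(src, dst):
    """Return ('identity', src), ('pat', mapped_addr) or None for an outside-to-inside flow."""
    # nat (outside) 0 access-list 150 outside: permitted flows are exempt from translation.
    if acl_150_permits(src, dst):
        return ("identity", src)
    # nat (outside) 2 OutsideNetwork 255.255.255.0 outside + global (inside) 2 interface:
    # everything else sourced from the /24 is PAT'd to the inside interface address.
    if _matches(src, "OutsideNetwork", "255.255.255.0"):
        return ("pat", INSIDE_IF_ADDR)
    return None  # no nat/global pair covers the flow; unreachable with 'permit ip any any'


if __name__ == "__main__":
    for flow in [("200.200.200.5", "10.1.1.1"), ("200.200.200.5", "10.1.1.50"), ("200.200.201.5", "10.1.1.1")]:
        print(flow, "->", outside_nat(*flow))
```

Only the first flow (OutsideNetwork to hostA) is PAT'd; the same source talking to any other inside host, and any address outside the /24, keeps its real address.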
08-05-2002 06:44 PM
Thank you very much, I'll certainly give this a try. That is very clever!
The nat (outside) 0 access-list 150 outside will still allow both hosts outside and inside to initiate connections to each other via their actual IPs, right? I will need to statically NAT the inside hosts to their own addresses on the outside. Assuming my ACLs are correct, it seems like I should be OK.
I'm using PIXs in somewhat of an odd fashion. My Internet-facing firewalls are Checkpoint. I then use PIXs between the DMZ and the corporate network. There is one host on the inside that charges fees per connecting IP address, hence the need for the PAT. :)
I'm fairly new to PIXs; I've been a long-time user of that other firewall. :)
Thanks,
Clayton
08-06-2002 07:16 PM
That worked great!
Thanks for your help!