I'm looking for a way to let our PIX 525s (running OS 6.2(1)) use a select global range of addresses when the users in our network are trying to reach select external sites.

Situation:

On the inside interface we're using 10.194.134.0/23

- When trying to reach 1.1.1.0/24 (inside-2) the pix should not nat

- When trying to reach 2.2.2.0/24 (inside-3) the pix should not nat

- When trying to reach 10.234.0.0/16 (external partner network) the pix should nat to 10.234.3.0/28

- When trying to reach anything else (internet) the pix should nat to 3.3.3.0/27

I was hoping to get this to work using the following config snippet

!

access-list from-inside-to-local-lan permit ip 10.194.134.0 255.255.254.0 1.1.1.0 255.255.255.0

access-list from-inside-to-local-lan permit ip 10.194.134.0 255.255.254.0 2.2.2.0 255.255.255.0

!

access-list from-inside-to-partner-lan permit ip 10.194.134.0 255.255.254.0 10.234.0.0 255.255.0.0

!

! 1st global range

global (outside) 1 10.234.3.1-10.234.3.14 netmask 255.255.255.240

!

! overload 1st range

global (outside) 1 10.234.3.15

!

! 2nd global range

global (outside) 2 3.3.3.1-3.3.3.29 netmask 255.255.255.224

!

! overload 2nd range

global (outside) 2 3.3.3.30

!

!

nat (inside) 0 access-list from-inside-to-local-lan

!

! use 1st global range for partner traffic

nat (inside) 1 access-list from-inside-to-partner-lan

!

! use 2nd global range for all other traffic

nat (inside) 2 0.0.0.0 0.0.0.0 0 0

!

end

Consider the nat statements sort-of equivalent to a route-map on an IOS device, in this case the nat statement is meant to fall through to the 2nd option if the first doesn't match and to fall through to the 3rd option if the 2nd doesn't match (and so on...)

Unfortunately it seems that access-lists can only be combined with the "nat 0" statement.

If there is somebody out there that has ever faced a similar challenge and who has found a solution, I'd be very interested to hear it. If not, I'd like to to file a feature request ;-)

Many thanks!

Frans