07-15-2002 10:50 AM - edited 02-20-2020 10:09 PM
I'm looking for a way to let our PIX 525s (running OS 6.2(1)) use a select global range of addresses when the users in our network are trying to reach select external sites.
Situation:
On the inside interface we're using 10.194.134.0/23
- When trying to reach 1.1.1.0/24 (inside-2) the pix should not nat
- When trying to reach 2.2.2.0/24 (inside-3) the pix should not nat
- When trying to reach 10.234.0.0/16 (external partner network) the pix should nat to 10.234.3.0/28
- When trying to reach anything else (internet) the pix should nat to 3.3.3.0/27
I was hoping to get this to work using the following config snippet
!
access-list from-inside-to-local-lan permit ip 10.194.134.0 255.255.254.0 1.1.1.0 255.255.255.0
access-list from-inside-to-local-lan permit ip 10.194.134.0 255.255.254.0 2.2.2.0 255.255.255.0
!
access-list from-inside-to-partner-lan permit ip 10.194.134.0 255.255.254.0 10.234.0.0 255.255.0.0
!
! 1st global range
global (outside) 1 10.234.3.1-10.234.3.14 netmask 255.255.255.240
!
! overload 1st range
global (outside) 1 10.234.3.15
!
! 2nd global range
global (outside) 2 3.3.3.1-3.3.3.29 netmask 255.255.255.224
!
! overload 2nd range
global (outside) 2 3.3.3.30
!
!
nat (inside) 0 access-list from-inside-to-local-lan
!
! use 1st global range for partner traffic
nat (inside) 1 access-list from-inside-to-partner-lan
!
! use 2nd global range for all other traffic
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
!
end
Consider the nat statements sort of equivalent to a route-map on an IOS device: in this case the nat statement is meant to fall through to the 2nd option if the first doesn't match, and to fall through to the 3rd option if the 2nd doesn't match (and so on...).
Unfortunately it seems that access-lists can only be combined with the "nat 0" statement.
If there is somebody out there who has ever faced a similar challenge and who has found a solution, I'd be very interested to hear it. If not, I'd like to file a feature request ;-)
Many thanks!
Frans
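As an added illustration that is not part of the original post or of Cisco's PIX code: a small Python model of the fall-through semantics Frans describes, using the placeholder networks and global pools from his snippet, so the intended policy can be checked for a handful of flows (first matching nat entry wins, nat 0 means no translation, each nat ID draws from its own range and falls back to the single PAT address once the range is exhausted). The class and function names are this example's own, and it makes no claim about how PIX 6.2 actually orders its nat statements.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Hypothetical model of the fall-through the post asks for.  The address
# ranges below are the placeholders used in the post; all names here are
# this example's own, not PIX or Cisco identifiers.


@dataclass
class GlobalPool:
    """One 'global (outside) <id>' pool: a dynamic range plus an optional
    single PAT (overload) address used once the range is exhausted."""
    addresses: List[str]
    overload: Optional[str] = None
    in_use: Dict[str, str] = field(default_factory=dict)  # inside host -> global

    def allocate(self, inside_ip: str) -> str:
        if inside_ip in self.in_use:
            return self.in_use[inside_ip]          # existing xlate is reused
        taken = set(self.in_use.values())
        for addr in self.addresses:
            if addr not in taken:
                self.in_use[inside_ip] = addr
                return addr
        if self.overload is None:
            raise RuntimeError("global pool exhausted and no PAT address configured")
        return self.overload                       # many-to-one; ports tell flows apart


def expand_range(first: str, last: str) -> List[str]:
    """Expand a 'first-last' global range into individual addresses."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


Acl = List[Tuple[str, str]]  # each entry: permit ip <src net> <dst net>, in CIDR


def acl_permits(acl: Acl, src: str, dst: str) -> bool:
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    return any(s in ipaddress.IPv4Network(sn) and d in ipaddress.IPv4Network(dn)
               for sn, dn in acl)


# nat rules in evaluation order: (nat_id, acl).  acl=None is a catch-all
# like 'nat (inside) 2 0.0.0.0 0.0.0.0'; nat_id 0 means no translation.
NatRules = List[Tuple[int, Optional[Acl]]]


def build_policy() -> Tuple[NatRules, Dict[int, GlobalPool]]:
    """The policy from the post, expressed in this model."""
    inside = "10.194.134.0/23"
    local_lan = [(inside, "1.1.1.0/24"), (inside, "2.2.2.0/24")]
    partner_lan = [(inside, "10.234.0.0/16")]
    rules: NatRules = [(0, local_lan), (1, partner_lan), (2, None)]
    pools = {
        1: GlobalPool(expand_range("10.234.3.1", "10.234.3.14"), overload="10.234.3.15"),
        2: GlobalPool(expand_range("3.3.3.1", "3.3.3.29"), overload="3.3.3.30"),
    }
    return rules, pools


def translate(rules: NatRules, pools: Dict[int, GlobalPool],
              src: str, dst: str) -> Tuple[int, str]:
    """Return (nat id that matched, source address as seen on the outside)."""
    for nat_id, acl in rules:
        if acl is None or acl_permits(acl, src, dst):
            if nat_id == 0:
                return 0, src                      # identity: bypass NAT
            return nat_id, pools[nat_id].allocate(src)
    raise LookupError("no nat rule matched")       # unreachable with a catch-all


if __name__ == "__main__":
    rules, pools = build_policy()
    host = "10.194.134.10"
    for dst in ("1.1.1.5", "10.234.7.7", "198.51.100.9"):
        print(dst, "->", translate(rules, pools, host, dst))
```

Running it walks one inside host to a local LAN, the partner network and an Internet address and prints which nat ID matched and which global address was picked; pushing more than 14 inside hosts towards 10.234.0.0/16 shows the fall-back to the single overload address.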
07-15-2002 08:40 PM
- When trying to reach 1.1.1.0/24 (inside-2) the pix should not nat
- When trying to reach 2.2.2.0/24 (inside-3) the pix should not nat
"Bypassing nat":
nat (inside) 0 access-list
- When trying to reach 10.234.0.0/16 (external partner network) the pix should nat to 10.234.3.0/28
- When trying to reach anything else (internet) the pix should nat to 3.3.3.0/27
"policy natting":
It is very easy to do it in a router with the "route-map" command, but in a PIX we do not support it at this moment.
If you really need this feature, please go ahead and file a feature request.
Best Regards,