Solved: Policy NAT from level low to level high on PIX 525 v.6.3

rajko.bogdanovic · ‎09-12-2007

I am trying to do policy NAT from Level 20 to Level 40 for certain Server inside Level 20

From level 40 one side should see it for example as 10.10.10.10 and other 10.10.20.10.

access-list type permit ip x.x.x.x sm y.y.y.y xm - connected to static nat

Is this possible?

Did anyone did this?

And ofcourse example woould be gold worth.

All of you who even think about my problem I thank you.

:-)

mattiaseriksson · ‎09-12-2007

Don't forget that you need a 'normal' inside higher-to-lower source NAT defined as well for the L40 addresses using NAT, PAT or static. For example add 'nat (L40) 1 0 0' and 'global (L20) 1 interface'

And check the logfile.

View solution in original post

mattiaseriksson · ‎09-12-2007

Yes, it is possible.

Try this:

access-list PNAT1 permit ip host

access-list PNAT2 permit ip host

static (outside,inside) 10.10.10.10 access-list PNAT1

static (outside,inside) 10.10.20.10 access-list PNAT2

The interface names need to match your configuration obviously.

Regards,

/Mattias

rajko.bogdanovic · ‎09-12-2007

I've tried this but doesn't work.

I used the same type of conf, packet enters L40 interface but doesn't leave L20 interface.

There in no nonat assigned to interface but it doesn't work, and it has matches in L40 interface access-list.

I am just checking Alias, where it is possible to use Alias for destination NAT

Thank you for suggestion.

mattiaseriksson · ‎09-12-2007

Don't forget that you need a 'normal' inside higher-to-lower source NAT defined as well for the L40 addresses using NAT, PAT or static. For example add 'nat (L40) 1 0 0' and 'global (L20) 1 interface'

And check the logfile.