09-11-2008 09:47 AM - edited 03-11-2019 06:43 AM
I do not have a Pix firewall to test at the moment, so I am going
to ask the experts in the forum if this is possible:
I have a host on the "inside" interface with an ip address of 192.168.3.10
Pix firewall "inside" ip address is 192.168.3.1/28
Pix firewall "outside" ip address 1.1.1.1/28
Pix firewall default gateway is 1.1.1.14
I have the following in the configuration:
static (inside,outside) 1.1.1.10 192.168.3.10 netmask 255.255.255.255 dns
access-list External permit ip any any log
access-list Internal permit ip any any log
access-group External in interface outside
access-group Internal in interface inside
Now here are my requirements:
1- Internet users will get to this host via 1.1.1.10,
2- telnet, ssh and smtp traffic originating from host 192.168.3.10 going to
64.100.1.0/24 and 192.95.25.0/24 will be NATed to 1.1.1.10,
3- telnet, ssh and smtp traffic originating from host 192.168.3.10 going
to ANY will be NATed to the Pix firewall's external interface (1.1.1.1),
4- http and https traffic originating from host 192.168.3.10 going to
72.1.100.0/24 will be NATed to 1.1.1.10,
5- http and https traffic originating from host 192.168.3.10 going to ANY
will be NATed to the firewall's external interface (1.1.1.1).
Is this possible? If so, how?
Thanks.
09-14-2008 10:28 AM
"As long as you want any traffic coming to 1.1.1.10 to go to 192.168.3.10,
create an ACL, let's say ACL 103:
deny all traffic permitted in ACL 101 and 102, then permit any,
and make it like
static (inside, outside) 1.1.1.10 access-list 103"
I think you're wrong with this one. I remember from my previous experience that
you can NOT have a deny statement in a policy NAT ACL. If my memory serves me
correctly, it will not work.
09-14-2008 05:51 PM
As you like,
but I think you need to try it first.
There is no other way to do it,
only NAT with ACLs.
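The following is an added example, not configuration posted in this thread, showing how the "static ... access-list" (policy static NAT) approach suggested above would be written for requirements 2 and 4, with the remaining outbound traffic (requirements 3 and 5) sent to the outside interface address by a normal nat/global pair. It assumes PIX 7.x / ASA pre-8.3 syntax (the `extended` keyword on access-list entries) and the addresses from the original post; the ACL name NAT_TO_1110 and the NAT ID 1 are made up for the example. The policy ACL contains only permit entries, so the question of whether deny entries are allowed in a policy NAT ACL does not arise.

```cisco
! Added example, PIX 7.x / ASA pre-8.3 syntax assumed; not from the thread.
! Requirements 2 and 4: telnet/ssh/smtp to the two /24s and http/https to
! 72.1.100.0/24 from 192.168.3.10 are translated to 1.1.1.10 (policy static NAT).
access-list NAT_TO_1110 extended permit tcp host 192.168.3.10 64.100.1.0 255.255.255.0 eq telnet
access-list NAT_TO_1110 extended permit tcp host 192.168.3.10 64.100.1.0 255.255.255.0 eq ssh
access-list NAT_TO_1110 extended permit tcp host 192.168.3.10 64.100.1.0 255.255.255.0 eq smtp
access-list NAT_TO_1110 extended permit tcp host 192.168.3.10 192.95.25.0 255.255.255.0 eq telnet
access-list NAT_TO_1110 extended permit tcp host 192.168.3.10 192.95.25.0 255.255.255.0 eq ssh
access-list NAT_TO_1110 extended permit tcp host 192.168.3.10 192.95.25.0 255.255.255.0 eq smtp
access-list NAT_TO_1110 extended permit tcp host 192.168.3.10 72.1.100.0 255.255.255.0 eq www
access-list NAT_TO_1110 extended permit tcp host 192.168.3.10 72.1.100.0 255.255.255.0 eq https
static (inside,outside) 1.1.1.10 access-list NAT_TO_1110

! Requirements 3 and 5: everything else from the host is PATed to the
! outside interface address (1.1.1.1). Static translations are evaluated
! before nat/global, so the policy static above wins for its destinations.
nat (inside) 1 192.168.3.10 255.255.255.255
global (outside) 1 interface
```

Two caveats a practitioner would check before relying on this. First, a policy static is bidirectional but only for the addresses in its ACL, so with this configuration alone Internet hosts outside the three listed /24s cannot reach 1.1.1.10 (requirement 1). Second, the plain `static (inside,outside) 1.1.1.10 192.168.3.10` from the original post would satisfy requirement 1, but on this NAT model a static is also matched ahead of nat/global for outbound connections, so it would translate all of the host's remaining outbound traffic to 1.1.1.10 instead of to the interface address, contradicting requirements 3 and 5. Whatever combination is tried, `show xlate` after a test connection confirms which translation actually fired.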