Solved: Reg: Pix Nat Question

kuldeep.kaur · ‎09-08-2011

Hi there,

I have a question on Nat. All my inside hosts currently are natted to the pix outside interface. Now I would like to nat two inside ip addresses to one different global address. How should I configure this.

Tks

Jennifer Halim · ‎09-08-2011

The general NAT statement that you already have does not matter.

It will look for the more specific NAT and match it on that specific one. So the preference is based on the more specific subnet/host, not base on the NAT ID.

View solution in original post

Jennifer Halim · ‎09-08-2011

You can use static NAT to NAT an inside IP to a different global address.

Eg:

Inside host: 10.1.1.1, global address: 200.1.1.1:

static (inside,outside) 200.1.1.1 10.1.1.1 netmask 255.255.255.255

If you have a different inside host, for eg: 10.1.1.2, to be NATed to global address: 200.1.1.2:

static (inside,outside) 200.1.1.2 10.1.1.2 netmask 255.255.255.255

Hope this helps.

kuldeep.kaur · ‎09-08-2011

Hi Jennifer,

Thanks for the reply.

In my case I want two internal hosts to be natted to one global ip address. (Rest of the hosts on the inside are getting natted via the pix outside interface). Is there a way to achieve this?

I tried static but the pix is not accepting the command.

Tks

kuldeep.kaur · ‎09-08-2011

what I mean about static is static with one global ip address and two local addresses. Tks

Jennifer Halim · ‎09-08-2011

You can't NAT 2 different internal hosts to 1 global IP with static NAT.

Is this going to be used for both inbound and outbound traffic? or just outbound traffic?

kuldeep.kaur · ‎09-08-2011

Hi Jennifer,

Is there a option available to do both? If not please let me know how to configure this for only outbound traffic.

Thank you very much for the help Jennifer.

Jennifer Halim · ‎09-08-2011

If you need both, the answer is NO, not supported.

If you only need outbound, then you can configure the following:

nat (inside) 5 10.1.1.1 255.255.255.255

nat (inside) 5 10.1.1.2 255.255.255.255

global (outside) 5 200.1.1.1

kuldeep.kaur · ‎09-08-2011

Hi Jennifer,

Thanks for the above. In my case all the inside hosts are already natted using

nat (inside) 1 0.0.0.0 0.0.0.0

Can I still use the above commands for the hosts which are already natted. I mean for example 10.1.1.1 and 10.1.1.2 is

already natted by the above command 0.0.0.0 0.0.0.0

Also if I do the this, will nat with ID 1 or nat with ID 5 will take preference ?

Tks

Jennifer Halim · ‎09-08-2011

The general NAT statement that you already have does not matter.

It will look for the more specific NAT and match it on that specific one. So the preference is based on the more specific subnet/host, not base on the NAT ID.

prashantrecon · ‎09-09-2011

Hi jennifer ,

can we use object group to bundle list of private ip.

Jennifer Halim · ‎09-09-2011

yes, you can, with access-list.

object-group network servers-group

network-object host 10.1.1.1

network-object host 10.1.1.2

access-list nat-servers permit ip object-group servers-group any

nat (inside) 5 access-list nat-servers

global (outside) 5 200.1.1.1

kuldeep.kaur · ‎09-09-2011

Hi Jen,

Thank you very much for your help. Really appreciate it. Tks again for clearing up things.