
FWSM nat question

pokwan
Level 1

Hi,

If I have the configuration below, where I NAT a range of IPs to another IP range going to 2 different sites, will it cause any problem?

access-list acl_test permit ip 99.99.1.0 255.255.255.0 203.203.203.0 255.255.255.0

access-list acl_test permit ip 99.99.1.0 255.255.255.0 204.204.204.0 255.255.255.0

nat (inside) 1 access-list acl_test

global (site1) 1 99.99.10.0-99.99.10.254 netmask 255.255.255.0

global (site2) 1 99.99.10.0-99.99.10.254 netmask 255.255.255.0

TIA.

PF

2 Replies

paddyxdoyle
Level 6

Hi,

This should be possible using policy NAT on the PIX.

You have almost got this correct; you don't need the second global (site2) statement, as they both have the same addressing. See below :)

# access-list acl_test permit ip 99.99.1.0 255.255.255.0 203.203.203.0 255.255.255.0

# access-list acl_test permit ip 99.99.1.0 255.255.255.0 204.204.204.0 255.255.255.0

# nat (inside) 1 access-list acl_test

# global (outside) 1 99.99.10.0-99.99.10.254 netmask 255.255.255.0

If you want to read up on policy NAT have a look at the following link:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html#wp1113601

Rgds

PJD

PJD,

Thanks for the reply. I will read up on the link attached. Don't you need 2 global statements if site1 and site2 are on different interfaces? I.e., site1 on interface dmz1 and site2 on interface dmz2?

Thanks.

PF
