NAT Exclusions

cyberlinx2000
Level 1

Could anyone tell me what the command would look like for a FWSM PIX to exclude an IP and/or Subnet from natting?

For example:

If I have all of my internal network traffic NATed via the external interface IP, how could I tell the firewall, if I send packets to the subnet 10.3.0.0, do NOT NAT my IP?

Thanks...

4 Replies

mlowery
Level 1

You could use the nat 0 command (NAT exemption).

Let's say I have this scheme:

Internal network: 192.168.1.0/24

If there was a network 10.3.0.0/16 on the outside interface that I did not want to translate my internal IPs to, I could do this:

access-list nonat permit ip 192.168.1.0 255.255.255.0 10.3.0.0 255.255.0.0

nat (inside) 0 access-list nonat

This will also let traffic from the 10.3.0.0/16 network reach the 192.168.1.0/24 network without NAT, as long as the access-list bound to the outside interface permits it.

If I wanted the users on 10.3.0.0/16 to access an smtp server at 192.168.1.5, I could have:

access-list outside_in permit tcp 10.3.0.0 255.255.0.0 host 192.168.1.5 eq smtp

access-group outside_in in interface outside

Hope that helps.

So if I wanted the internal traffic to be NATed to anything other than the 10.3 I can add the nat (inside) 1 0.0.0.0 0.0.0.0 and it will work, right? Also, if I wanted to add another segment to be excluded like the 10.3, can I still use the nat 0 command?

Yes to the first question, and for the second question just add a line to the nonat access-list.

The PIX will process the nat 0 command first on all traffic matching the access-list nonat. If there is no match it will then process the nat 1 command.
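The lookup order described in the replies above (nat 0 access-list first, then the numbered nat statement), as an added example that is not part of the original thread and not Cisco code: a small Python model that parses the thread's PIX commands and decides, for an inside-to-outside flow, whether the source address leaves untranslated or is PATed to the outside interface. The second nonat line (10.4.0.0/16), the global (outside) 1 interface command and the outside interface address 203.0.113.1 are assumptions added to round out the configuration; the model only handles the single catch-all nat 1 the thread uses and ignores ports.

```python
"""Model of PIX/FWSM NAT rule selection for the nat 0 / nat 1 scheme in the thread.

Added example, not from the original post or from Cisco. The config lines marked
'assumed' were not in the thread and are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed outside interface address (RFC 5737 documentation range).
OUTSIDE_IF_IP = ipaddress.IPv4Address("203.0.113.1")

# Commands from the thread, plus a second exempt segment and the global/PAT line
# that a 'NAT everything to the outside interface' setup needs (both assumed).
PIX_CONFIG = """
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.3.0.0 255.255.0.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.4.0.0 255.255.0.0
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
"""


@dataclass
class NatConfig:
    acls: Dict[str, List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]]] = field(default_factory=dict)
    exempt_acl: Optional[str] = None          # nat (inside) 0 access-list NAME
    nat_rules: List[Tuple[int, ipaddress.IPv4Network]] = field(default_factory=list)
    globals: Dict[int, str] = field(default_factory=dict)   # nat id -> "interface"


def _addr(tokens: List[str]) -> ipaddress.IPv4Network:
    """Consume one PIX address spec: 'any', 'host A.B.C.D' or 'A.B.C.D NETMASK'.

    PIX ACLs use real netmasks (255.255.0.0), not the IOS wildcard masks.
    """
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(f"{tokens.pop(0)}/32")
    return ipaddress.IPv4Network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_config(text: str) -> NatConfig:
    """Parse the subset of PIX syntax used in the thread; reject anything else."""
    cfg = NatConfig()
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list" and t[2] == "permit" and t[3] == "ip":
            rest = t[4:]
            cfg.acls.setdefault(t[1], []).append((_addr(rest), _addr(rest)))
        elif t[0] == "nat" and t[1] == "(inside)" and t[2] == "0" and t[3] == "access-list":
            cfg.exempt_acl = t[4]
        elif t[0] == "nat" and t[1] == "(inside)":
            cfg.nat_rules.append((int(t[2]), ipaddress.IPv4Network(f"{t[3]}/{t[4]}", strict=False)))
        elif t[0] == "global" and t[1] == "(outside)":
            cfg.globals[int(t[2])] = t[3]
        else:
            raise ValueError(f"unsupported line in this model: {raw!r}")
    return cfg


def outside_source(cfg: NatConfig, src: str, dst: str) -> Tuple[str, str]:
    """Return (rule that fired, source address the outside peer sees)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    # Step 1: NAT exemption. The nat 0 access-list is consulted first, and a
    # permit match means the packet keeps its real inside address.
    if cfg.exempt_acl:
        for src_net, dst_net in cfg.acls.get(cfg.exempt_acl, []):
            if s in src_net and d in dst_net:
                return "nat 0", str(s)
    # Step 2: no exemption matched, so fall through to the numbered nat statement.
    # Simplification: rules are tried in config order, which is enough for the
    # single catch-all nat (inside) 1 0.0.0.0 0.0.0.0 used in the thread.
    for nat_id, src_net in cfg.nat_rules:
        if s in src_net:
            if cfg.globals.get(nat_id) == "interface":
                return f"nat {nat_id}", str(OUTSIDE_IF_IP)   # PAT to outside interface
            raise ValueError(f"nat id {nat_id} has no matching global pool")
    raise ValueError(f"no nat statement covers {src}; the PIX would not pass this flow")


def exempt_inbound(cfg: NatConfig, outside_src: str, inside_dst: str) -> bool:
    """NAT exemption is symmetric: an outside host in the nonat ACL may reach the
    real inside address. The outside interface ACL still has to permit it
    (access-group outside_in), which this model does not evaluate."""
    s, d = ipaddress.IPv4Address(outside_src), ipaddress.IPv4Address(inside_dst)
    entries = cfg.acls.get(cfg.exempt_acl or "", [])
    return any(d in src_net and s in dst_net for src_net, dst_net in entries)


if __name__ == "__main__":
    cfg = parse_config(PIX_CONFIG)
    for flow in [("192.168.1.20", "10.3.7.7"), ("192.168.1.20", "10.4.0.9"), ("192.168.1.20", "198.51.100.9")]:
        print(flow, "->", outside_source(cfg, *flow))
    print("10.3.1.1 -> 192.168.1.5 exempt:", exempt_inbound(cfg, "10.3.1.1", "192.168.1.5"))
```

Running the block shows the three cases the thread walks through: a destination in 10.3.0.0/16 or in the added 10.4.0.0/16 leaves with the real 192.168.1.x address via nat 0, while any other destination falls through to nat 1 and appears as the outside interface address. Removing the global line makes the nat 1 fall-through raise, which mirrors the real box's behaviour of needing a matching global pool for every nat id.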

Thanks. I'll try it this weekend.