06-03-2005 11:23 AM - edited 03-09-2019 11:28 AM
Could anyone tell me what the command would look like for a FWSM/PIX to exclude an IP and/or subnet from NATting?
For example:
If I have all of my internal network traffic NATed via the external interface IP, how could I tell the firewall, if I send packets to the subnet 10.3.0.0, do NOT NAT my IP?
Thanks...
06-04-2005 10:17 AM
You could use the nat 0 command (NAT exemption).
Let's say I have this scheme:
Internal network: 192.168.1.0/24
If there was a network 10.3.0.0/16 on the outside interface that I did not want to translate my internal IPs to, I could do this:
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.3.0.0 255.255.0.0
nat (inside) 0 access-list nonat
This will also let traffic from the 10.3.0.0/16 network reach the 192.168.1.0/24 network without NAT, as long as the access-list bound to the outside interface permits it.
If I wanted the users on 10.3.0.0/16 to access an smtp server at 192.168.1.5, I could have:
access-list outside_in permit tcp 10.3.0.0 255.255.0.0 host 192.168.1.5 eq smtp
access-group outside_in in interface outside
Hope that helps.
06-07-2005 06:37 AM
So if I wanted the internal traffic to be NATed to anything other than the 10.3 I can add the nat (inside) 1 0.0.0.0 0.0.0.0 and it will work, right? Also, if I wanted to add another segment to be excluded like the 10.3, can I still use the nat 0 command?
06-07-2005 11:30 AM
Yes to the first question, and for the second question just add a line to the nonat access-list.
The PIX will process the nat 0 command first on all traffic matching the access-list nonat. If there is no match it will then process the nat 1 command.
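The order of evaluation described in the two answers above (nat 0 exemption checked first against the nonat ACL, then the catch-all nat 1 PAT) can be modelled to confirm which packets leave untranslated. The following is an added example, not Cisco code and not from the original posts; it parses the thread's nonat access-list plus a constructed second exempt segment (10.4.0.0/16), and assumes a constructed outside interface address of 203.0.113.1 for the nat 1 / global (outside) 1 interface translation.

```python
"""Toy model of PIX/FWSM outbound NAT selection (added illustration, not Cisco code).

Assumptions:
- nat (inside) 0 access-list <name> is evaluated first; a packet matching a
  permit line in that ACL leaves with its source untranslated.
- Otherwise nat (inside) 1 0.0.0.0 0.0.0.0 with global (outside) 1 interface
  applies, and the source is PATed to the outside interface address.
"""
import ipaddress
import re

# Constructed outside interface address for the nat 1 translation.
OUTSIDE_IF_IP = "203.0.113.1"

# Constructed configuration: the thread's nonat line plus one more exempt
# segment (10.4.0.0/16), as the second reply suggests. The outside_in line is
# deliberately included to show that unrelated ACL lines are ignored here.
CONFIG = [
    "access-list nonat permit ip 192.168.1.0 255.255.255.0 10.3.0.0 255.255.0.0",
    "access-list nonat permit ip 192.168.1.0 255.255.255.0 10.4.0.0 255.255.0.0",
    "access-list outside_in permit tcp 10.3.0.0 255.255.0.0 host 192.168.1.5 eq smtp",
    "nat (inside) 0 access-list nonat",
    "nat (inside) 1 0.0.0.0 0.0.0.0",
    "global (outside) 1 interface",
]

# Only 'permit ip <src> <mask> <dst> <mask>' lines are understood, which is
# all the nonat ACL in the thread uses; other ACL lines are skipped.
ACL_RE = re.compile(
    r"^access-list\s+(\S+)\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)


def parse_acl(lines):
    """Return {acl_name: [(src_net, dst_net), ...]} from access-list lines."""
    acls = {}
    for line in lines:
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        name, src, smask, dst, dmask = m.groups()
        # ipaddress accepts dotted netmask notation, as used in PIX ACLs.
        src_net = ipaddress.ip_network(f"{src}/{smask}", strict=False)
        dst_net = ipaddress.ip_network(f"{dst}/{dmask}", strict=False)
        acls.setdefault(name, []).append((src_net, dst_net))
    return acls


def outbound_nat(src_ip, dst_ip, nonat_rules):
    """Decide how an inside->outside packet is translated.

    Returns ("exempt", original_src) when a nonat rule matches (nat 0),
    otherwise ("pat", OUTSIDE_IF_IP) for the catch-all nat 1.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    # nat 0: NAT exemption is checked first, in ACL line order.
    for src_net, dst_net in nonat_rules:
        if src in src_net and dst in dst_net:
            return ("exempt", src_ip)
    # No exemption matched: nat 1 0.0.0.0 0.0.0.0 PATs to the outside interface.
    return ("pat", OUTSIDE_IF_IP)


NONAT = parse_acl(CONFIG)["nonat"]


def demo():
    """Constructed packets covering the cases discussed in the thread."""
    packets = [
        ("192.168.1.10", "10.3.5.5"),   # to the original exempt subnet
        ("192.168.1.10", "10.4.1.1"),   # to the added exempt subnet
        ("192.168.1.10", "198.51.100.7"),  # anywhere else: PATed
        ("192.168.2.10", "10.3.5.5"),   # source outside 192.168.1.0/24: PATed
    ]
    return {p: outbound_nat(p[0], p[1], NONAT) for p in packets}


if __name__ == "__main__":
    for (src, dst), (action, new_src) in demo().items():
        print(f"{src} -> {dst}: {action}, source seen on outside = {new_src}")
```

Note the last case: the nonat line is matched on both source and destination, so an inside host outside 192.168.1.0/24 talking to 10.3.0.0/16 still falls through to nat 1. A new exempt segment therefore needs its own access-list line covering both ends.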
06-08-2005 05:15 AM
Thanks. I'll try it this weekend.