
NAT - inside interface behavior

Is it possible to configure internal interface (on which is the NAT inside command) to pass the traffic from the inside other than that was defined for translation?

I mean, if I have NAT and a pool of addresses bound to ACL which permits internal users to pass, can I at the same time let go some other traffic which I don't want to be translated, just to be allowed to pass to the outside?

3 Replies

l.mourits
Level 5

Yes, this is possible

You should use the following:

nat (inside) 0 access-list nonat

access-list nonat permit ip any

access-list nonat deny ip any any

This is how it works: all permitted items in access-list nonat are not translated, because when traffic arrives at the inside interface, the first rule that is inspected is the nat (inside) 0 rule (nat 0 stands for "no translation occurs")... Since the nat 0 is bound to the access-list, the access-list is used to determine which packets do not have to be translated, so all permit statements in this list are not translated, but an xlate entry will be created (saying that it is translated to the same address, simply said :-))

If there is no permitted match on the ACL bound to nat 0, the PIX continues with the other nat statements (if there are any) and creates the xlate entries if needed.

If no other nat commands are in place the PIX simply drops the packet because no translated slot could be created.

After re-configuring your PIX you might have to use the clear xlate command, because there is probably already an xlate table entry created right now for this connection. Since the PIX first checks existing xlate entries, you have to get rid of the already existing entry.

Hope this helps.

Leo

Hey, thanks. But I am not sure if it can be applied to my case. I have a plain old 2610 router on my hands, not the PIX. I am waiting for the IP firewall image to arrive, but still it is not the PIX.

Maybe I posted to the wrong group? Is there a better group for NAT questions?

Hi Bojan -

You are trying to implement NAT on 2610, am I correct? If so, try the following:

Here is an example -

Internal addrs space = 10.10.1.0/24

External addrs space = 172.168.1.0/24

We are going to NAT our internal addrs to external addrs.

Using Dynamic NAT,

>Define the IP addrs pool, remember to leave out 172.168.1.1 as this is the serial 0 interface.

>ip nat pool poolone 172.168.1.2 172.168.1.254 netmask 255.255.255.0

>ip nat inside source list 20 pool poolone

>interface ethernet0

>ip address 10.10.1.1 255.255.255.0

>ip nat inside

>interface serial0

>ip address 172.168.1.1 255.255.255.0

>ip nat outside

Now we need to use an access-list for our pool above, which is used to select which IP addresses can be translated

>access-list 20 permit 10.10.0.0 0.0.255.255

PS. This question should have been posted on the Network Infrastructure forum.

Hope this helps --
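Added example (not from this thread, and not Cisco PIX or IOS code): a small Python model of the lookup order both answers describe. A packet is first checked against the existing xlate table, then against the rules in order: an exemption rule (the PIX "nat (inside) 0 access-list" idea, translating to itself) followed by a dynamic pool rule bound to an ACL (the IOS "ip nat inside source list 20 pool poolone" idea); a packet that matches no rule, or for which the pool is exhausted, gets no translation slot and is dropped. ACL matching uses IOS-style wildcard masks. The inside network 10.10.1.0/24, the pool addresses and ACL 20 follow the last reply; the exempt network 10.10.9.0/24, the exempt destination 192.168.100.0/24, the outside host 203.0.113.9 and the rule names nat0 and poolone are constructed for the example.

```python
"""Model of the NAT lookup order discussed in the thread (added example,
not Cisco code). Networks, pool size and rule names are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS-style ACL match: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    keep = ~w & 0xFFFFFFFF
    return (a & keep) == (n & keep)


@dataclass
class AclEntry:
    action: str                        # "permit" or "deny"
    src_net: str
    src_wild: str
    dst_net: str = "0.0.0.0"           # default destination: any
    dst_wild: str = "255.255.255.255"

    def matches(self, src: str, dst: str) -> bool:
        return (wildcard_match(src, self.src_net, self.src_wild)
                and wildcard_match(dst, self.dst_net, self.dst_wild))


def acl_permits(acl: list, src: str, dst: str) -> bool:
    """First matching entry decides; an ACL ends with an implicit deny."""
    for entry in acl:
        if entry.matches(src, dst):
            return entry.action == "permit"
    return False


@dataclass
class NatRule:
    name: str
    acl: list
    pool: Optional[list] = None        # None = exemption (nat 0): keep own address


class NatDevice:
    def __init__(self, rules):
        self.rules = rules             # consulted in order, exemption rule first
        self.xlate = {}                # inside addr -> (mapped addr, rule name)
        self.free = {r.name: list(r.pool) for r in rules if r.pool is not None}

    def translate(self, src: str, dst: str):
        """Address the packet leaves with, or None if no slot exists (dropped).
        The table is keyed on the inside address, a simplification of the
        real per-connection xlate table."""
        if src in self.xlate:                  # 1. existing entry wins
            return self.xlate[src][0]
        for rule in self.rules:                # 2. walk the NAT rules in order
            if not acl_permits(rule.acl, src, dst):
                continue
            if rule.pool is None:              # exemption: identity xlate entry
                self.xlate[src] = (src, rule.name)
                return src
            if not self.free[rule.name]:       # pool exhausted: no slot, drop
                return None
            mapped = self.free[rule.name].pop(0)
            self.xlate[src] = (mapped, rule.name)
            return mapped
        return None                            # 3. no rule matched: drop

    def clear_xlate(self):
        """Equivalent of 'clear xlate': forget entries, return pool addresses."""
        for src, (mapped, rule) in self.xlate.items():
            if src != mapped:
                self.free[rule].append(mapped)
        self.xlate.clear()


def build_example() -> NatDevice:
    # Constructed policy: 10.10.9.0/24 is exempt only when talking to
    # 192.168.100.0/24; everything in 10.10.0.0/16 is otherwise pooled.
    nonat = [AclEntry("permit", "10.10.9.0", "0.0.0.255",
                      "192.168.100.0", "0.0.0.255")]
    acl20 = [AclEntry("permit", "10.10.0.0", "0.0.255.255")]
    return NatDevice([
        NatRule("nat0", nonat),
        NatRule("poolone", acl20, pool=["172.168.1.2", "172.168.1.3"]),
    ])


if __name__ == "__main__":
    dev = build_example()
    print(dev.translate("10.10.9.5", "192.168.100.7"))   # exempt, keeps 10.10.9.5
    print(dev.translate("10.10.1.20", "203.0.113.9"))    # first pool address
    print(dev.translate("10.10.1.21", "203.0.113.9"))    # second pool address
    print(dev.translate("10.10.1.22", "203.0.113.9"))    # None: pool exhausted
    print(dev.translate("192.168.5.1", "203.0.113.9"))   # None: no rule matches
    dev.clear_xlate()
    print(dev.translate("10.10.1.22", "203.0.113.9"))    # gets a slot after clear
```

The order of the rule list is the whole point: the exemption rule has to be consulted before the pool rule, and an entry already in the table short-circuits both, which is why the first answer tells you to clear the table after changing the configuration.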