NAT rules

nfox
Level 1

Hi, I wonder if someone can help with this? I am trying to set NAT rules on PIX v7.0(2) that will allow a server to have static PAT for inbound TCP port 80 and port 443 on one external IP address, but will allow outbound access using a different external IP address. The reason for this is that a customer uses an external ScanSafe proxy (port 8080) that will only accept connections from two particular external IPs, but the internal server is also a webserver that is accessed on an external IP that is different from the allowed ScanSafe addresses. Apparently the previous Nokia Checkpoint firewall allowed this, but I cannot seem to replicate this on a PIX. I have tried various combinations of static NAT/PAT, policy NAT/PAT, etc., but I always seem to get caught up in the Cisco 'order of NAT commands': http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/nat.htm#wp1042696

The static rules always take precedence, and my outbound connections use the 'wrong' external IP. Any ideas, or is this impossible on a PIX?

BTW - not sure if I made this clear above, but this problem is just with the servers with static PATs that need to access the ScanSafe proxy. All dynamic clients are fine.

1 Reply

shijogeorge
Level 1

Hi,

From what I understood, the below config should meet your requirement.

For web access,

! Static PAT for the two published ports. In PIX 7.x the syntax is
! static (real_ifc,mapped_ifc) tcp <mapped_ip> <mapped_port> <real_ip> <real_port>,
! so the outside address x.x.x.x comes first and the inside server 10.1.1.1 second.
static (inside,outside) tcp x.x.x.x 80 10.1.1.1 80 netmask 255.255.255.255
static (inside,outside) tcp x.x.x.x 443 10.1.1.1 443 netmask 255.255.255.255

Now for the ScanSafe proxy access

! Dynamic NAT for the server's own outbound connections (host mask made explicit);
! these use the global address y.y.y.y, which is the one the proxy allows.
nat (inside) 1 10.1.1.1 255.255.255.255
global (outside) 1 y.y.y.y

Regards,

Shijo George.
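To make the precedence question in the thread concrete, here is an added simulation (written for this thread, not Cisco code) of the outbound NAT lookup order: statics are consulted before dynamic nat/global pairs, and a port-restricted static PAT only claims flows on that real port, whereas a whole-host static claims every flow from the host. The rule classes, the Flow record and the sample addresses are constructed for the example.

```python
"""Simulation of PIX 7.0 outbound NAT lookup order for the thread's scenario.
Hypothetical model, not Cisco code: statics are tried before dynamic
nat/global, and a static PAT only claims flows on its real port."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Static:  # static (inside,outside) [tcp mapped mport real rport]
    real_ip: str
    mapped_ip: str
    real_port: Optional[int] = None  # None = whole-host static (all ports)


@dataclass(frozen=True)
class Dynamic:  # nat (inside) <id> <real_ip> + global (outside) <id> <mapped_ip>
    real_ip: str
    mapped_ip: str


def translate(flow: Flow, statics: List[Static], dynamics: List[Dynamic]) -> Optional[str]:
    """Return the mapped source IP for an outbound flow, or None if no rule matches."""
    # 1. Statics win. A whole-host static claims every flow from the host;
    #    a static PAT claims only flows whose real source port matches.
    for s in statics:
        if s.real_ip == flow.src_ip and s.real_port in (None, flow.src_port):
            return s.mapped_ip
    # 2. Dynamic nat/global pairs are consulted only when no static matched.
    for d in dynamics:
        if d.real_ip == flow.src_ip:
            return d.mapped_ip
    return None


# Constructed sample: the reply's config with placeholder addresses.
STATIC_PAT = [Static("10.1.1.1", "x.x.x.x", 80), Static("10.1.1.1", "x.x.x.x", 443)]
WHOLE_HOST = [Static("10.1.1.1", "x.x.x.x")]  # port-less static, all traffic claimed
DYNAMICS = [Dynamic("10.1.1.1", "y.y.y.y")]


def demo() -> dict:
    web_reply = Flow("10.1.1.1", 80, "203.0.113.5", 51000)     # server answering a web client
    to_proxy = Flow("10.1.1.1", 40000, "198.51.100.9", 8080)   # server connecting to ScanSafe
    return {"pat_web": translate(web_reply, STATIC_PAT, DYNAMICS),
            "pat_proxy": translate(to_proxy, STATIC_PAT, DYNAMICS),
            "host_proxy": translate(to_proxy, WHOLE_HOST, DYNAMICS)}
```

With the port-restricted statics the proxy connection falls through to y.y.y.y; with a whole-host static it is pinned to x.x.x.x, which is the 'wrong' address the question describes.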