12-03-2002 08:46 AM - edited 03-09-2019 01:16 AM
Hello all,
Is there any way on a PIX to perform NAT based on source AND destination?
For example, my internal network is 10.1.1.0/24 and I PAT all clients leaving the internal network using the external interface IP address. However, when an internal client wants to connect to a specific internet host x.x.x.x I want to NAT to a different IP in my public address space.
I am aware of associating a nat rule with an access-list, but this is only possible if you don't want to NAT for VPNs etc. (i.e. nat (inside) 0).
I've looked around and cant find any examples of how to do this, although I have seen it done on other firewall implementations, using Checkpoint for example or using route maps on a router.
Any help or workarounds are greatly appreciated.
FYI, I am using software version 6.1(4) and don't have any other devices to perform further NATing above or below the firewall.
Thanks in advance, Brian
12-03-2002 09:40 AM
Yes, you can. Something like this:
global (outside) 1 209.165.201.1-209.165.201.10 netmask 255.255.255.224
nat (inside) 1 192.168.1.0 255.255.255.0 198.133.219.25 255.255.255.255
So what that says is: anyone coming from the 192.168.1.x/24 network going to 198.133.219.25 uses global group 1 and is allowed to be NATted.
Kurtis Durrett
12-04-2002 07:26 AM
Thanks for your reply, but the nat (if_name) command does not allow you to enter a destination address, so this does not work.
The syntax for this command is
nat [(if_name)] id address [netmask [outside] [dns] [norandomseq] [timeout hh:mm:ss] [conn_limit [em_limit]]]
For more info go to
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/mr.htm#xtocid6
Regards, Brian
12-04-2002 07:00 AM
Hi,
You could create an access-list which includes all the traffic you want to be NATted:
access-list 101 permit ip source_ip1 source_mask1 dest_ip1 dest_mask1
access-list 101 permit ip source_ip2 source_mask2 dest_ip2 dest_mask2
....
Afterwards you can use this access-list in the nat command:
nat (inside) 1 access-list 101
global (outside) 1 public_ip
Kind Regards,
Tom
12-04-2002 07:21 AM
Thanks for your reply, but you can only associate an access-list with nat (inside) 0, so this would not work.
12-06-2002 04:54 AM
nat (inside) 1 access-list 101
This is NOT possible. Only NAT 0 works with an access-list
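Added example, not part of the thread and not Cisco code: a small Python model of the rule selection the original question asks for (choosing the global pool from source AND destination), driven by config lines in the same form as those posted above. It assumes PIX policy NAT semantics, where an access-list attached to a non-zero nat id is matched on source and destination before the ordinary source-only nat statements are consulted, and the nat id selects the global pool on the outside interface (the posters state this is not available on 6.1(4); Cisco added policy NAT in PIX 6.3). 198.51.100.10 stands in for the poster's x.x.x.x, 203.0.113.50 is the alternate public address, access-list 90 plays the role of the VPN exemption Brian mentions, and the interface names are assumed. The regular nat form with a destination tacked on, as in the second post, is rejected by the parser to mirror the syntax Brian quotes.

```python
"""Toy model of how a PIX picks a nat rule and global pool for a flow.

Constructed example for this thread, not PIX code. Config syntax follows the
forms posted above (netmasks, not wildcard masks):

  access-list <id> permit ip <src> <smask> <dst> <dmask>
  nat (<if>) <id> access-list <acl>      policy NAT: match on src AND dst
  nat (<if>) <id> <address> <netmask>    regular NAT: match on src only
  global (<if>) <id> <ip> | <lo>-<hi> [netmask <m>] | interface

Assumed rules: policy NAT entries are checked first, in config order; among
regular entries the most specific source network wins; the nat id selects
the global pool on the outside interface; nat 0 means identity (no NAT).
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


def _net(addr: str, mask: str) -> Net:
    """Build a network from PIX-style 'address netmask' notation."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


class PixNatModel:
    def __init__(self) -> None:
        self.acls: Dict[str, List[Tuple[Net, Net]]] = {}
        # (nat_id, inside_if, acl_name, src_net): exactly one of acl/src_net is set
        self.nat_rules: List[Tuple[int, str, Optional[str], Optional[Net]]] = []
        self.globals: Dict[Tuple[str, int], str] = {}

    def load(self, config: str) -> None:
        for raw in config.splitlines():
            tok = raw.split("!")[0].split()
            if not tok:
                continue
            if tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
                self.acls.setdefault(tok[1], []).append(
                    (_net(tok[4], tok[5]), _net(tok[6], tok[7])))
            elif tok[0] == "nat":
                ifname, nat_id = tok[1].strip("()"), int(tok[2])
                if tok[3] == "access-list":
                    self.nat_rules.append((nat_id, ifname, tok[4], None))
                elif len(tok) == 5:
                    self.nat_rules.append((nat_id, ifname, None, _net(tok[3], tok[4])))
                else:
                    # The regular form has no destination field, so a trailing
                    # 'dest mask' pair is a syntax error in this model.
                    raise ValueError(f"regular nat takes only address+netmask: {raw.strip()}")
            elif tok[0] == "global":
                self.globals[(tok[1].strip("()"), int(tok[2]))] = " ".join(tok[3:])
            else:
                raise ValueError(f"unsupported line: {raw.strip()}")

    def translate(self, inside_if: str, outside_if: str, src: str, dst: str) -> Optional[str]:
        """Global pool spec used for src->dst, 'identity' for nat 0, or None
        when no nat rule (or no global for the chosen id) applies."""
        s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        for nat_id, ifname, acl, _ in self.nat_rules:            # 1. policy NAT
            if ifname == inside_if and acl is not None and any(
                    s in sn and d in dn for sn, dn in self.acls.get(acl, [])):
                return self._pool(outside_if, nat_id)
        best: Optional[Tuple[int, Net]] = None                     # 2. regular NAT
        for nat_id, ifname, acl, net in self.nat_rules:
            if ifname == inside_if and net is not None and s in net:
                if best is None or net.prefixlen > best[1].prefixlen:
                    best = (nat_id, net)
        return self._pool(outside_if, best[0]) if best else None

    def _pool(self, outside_if: str, nat_id: int) -> Optional[str]:
        if nat_id == 0:
            return "identity"
        return self.globals.get((outside_if, nat_id))


def accepts(config_line: str) -> bool:
    """True if the model parses the line, False if it rejects it as a syntax error."""
    try:
        PixNatModel().load(config_line)
    except ValueError:
        return False
    return True


# Constructed config for the scenario in the first post (all values assumed):
# 198.51.100.10 stands in for x.x.x.x, 203.0.113.50 is the alternate public
# address, access-list 90 is the VPN exemption, everything else PATs to the
# outside interface address.
EXAMPLE_CONFIG = """
access-list 90 permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list 101 permit ip 10.1.1.0 255.255.255.0 198.51.100.10 255.255.255.255
nat (inside) 0 access-list 90
nat (inside) 2 access-list 101
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
global (outside) 2 203.0.113.50
"""


def build_example() -> PixNatModel:
    m = PixNatModel()
    m.load(EXAMPLE_CONFIG)
    return m


if __name__ == "__main__":
    m = build_example()
    for dst in ("198.51.100.10", "192.0.2.7", "10.2.2.9"):
        print(f"10.1.1.20 -> {dst}: {m.translate('inside', 'outside', '10.1.1.20', dst)}")
```

Running it shows the three outcomes the thread is circling around: the flow to the specific host uses the alternate public address, the VPN-exempted flow is left untranslated, and everything else falls through to the interface PAT. Feeding the second post's line (a destination appended to the regular nat form) to `accepts()` returns False, for the same reason Brian gives when quoting the command syntax.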