NATing based on source AND destination

ritchieb
Level 1

Hello all,

Is there any way on a PIX to perform NAT based on source AND destination?

For example, my internal network is 10.1.1.0/24 and I PAT all clients leaving the internal network using the external interface IP address. However, when an internal client wants to connect to a specific internet host x.x.x.x I want to NAT to a different IP in my public address space.

I am aware of associating a nat rule with an access-list, but this is only possible if you don't want to NAT for VPNs etc. (i.e. nat (inside) 0).

I've looked around and can't find any examples of how to do this, although I have seen it done on other firewall implementations, using Checkpoint for example, or using route maps on a router.

Any help or workarounds are greatly appreciated.

FYI... I am using software version 6.1(4) and don't have any other devices to perform further NATing above or below the firewall.

Thanks in advance, Brian

5 Replies

kdurrett
Level 3

Yes you can. Something like this here.

global (outside) 1 209.165.201.1-209.165.201.10 netmask 255.255.255.224

nat (inside) 1 192.168.1.0 255.255.255.0 198.133.219.25 255.255.255.255

So what that says is: anyone coming from the 192.168.1.x/24 network going to 198.133.219.25 uses global group 1 and is allowed to be NATed.

Kurtis Durrett

Thanks for your reply, but the nat (if_name) command does not allow you to enter a destination address, so this does not work.

The syntax for this command is:

nat [(if_name)] id address [netmask [outside] [dns] [norandomseq] [timeout hh:mm:ss] [conn_limit [em_limit]]]

For more info go to:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/mr.htm#xtocid6

Regards, Brian

tvanginneken
Level 4

Hi,

You could create an access-list which includes all the traffic you want to be NATed:

access-list 101 permit ip source_ip1 source_mask1 dest_ip1 dest_mask1

access-list 101 permit ip source_ip2 source_mask2 dest_ip2 dest_mask2

....

Afterwards you can use this access-list in the nat command:

nat (inside) 1 access-list 101

global (outside) 1 public_ip

Kind Regards,

Tom

Thanks for your reply, but you can only associate an access-list with nat (inside) 0, so this would not work.

nat (inside) 1 access-list 101

This is NOT possible. Only NAT 0 works with an access-list.
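Tom's policy-NAT suggestion worked through with the addressing from Brian's question, as an added example that was not posted in the thread. It assumes a PIX release that accepts an access-list on a non-zero nat id (policy NAT, introduced in PIX 6.3; it is not available on the 6.1(4) code Brian is running, which is why only nat 0 takes an access-list there), and the outside interface address, spare public address and remote host address are constructed placeholders.

```cisco
! Constructed addresses: inside network 10.1.1.0/24 (from the question),
! outside interface 203.0.113.2, spare public address 203.0.113.10, and
! 198.51.100.50 standing in for the remote host the question calls x.x.x.x.

! Match only the flows that need the special translation:
! source 10.1.1.0/24 AND destination host 198.51.100.50
access-list POLICY_NAT permit ip 10.1.1.0 255.255.255.0 host 198.51.100.50

! Policy NAT: nat id 2 is keyed on the access-list, so the source is
! translated to 203.0.113.10 only when the destination is 198.51.100.50.
! Policy NAT entries are evaluated before regular dynamic NAT entries.
nat (inside) 2 access-list POLICY_NAT
global (outside) 2 203.0.113.10 netmask 255.255.255.255

! Everything else leaving the inside keeps the existing PAT to the
! outside interface address
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface

! Check which translation a flow actually received
show xlate
```

Note that an access-list used by nat is a translation selector only; the outbound traffic itself still has to be permitted by whatever access-list is applied to the inside interface.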
