I'm trying to get my head around NAT etc.
I am writing new code onto a new PIX. In the original PIX 6.3 I used access-lists and bound them to interface cards for all traffic flow.
On the new PIX 7.2 I have Policy NAT on dynamic NAT traffic, under the impression it's a better way of doing it and easier to admin? However I have read I still need to bind an access-list to each interface for them to work? So should I policy NAT dynamic NAT traffic and use access-lists on the interface for the static NAT info? Or should I use access-lists, binding them to all static and dynamic NAT pools, and have a blank access-list for the interfaces?
Or should I just do it the way I used to?
What's the difference? Are some ways slower than others for processing?
The ports that clients open to source traffic from are typically called ephemeral ports, which range from 1024 to 5000. When writing your access-list entries you should leave the source port out of the equation and only define the destination port.
Policy NAT is usually used when you want to change the source IP address based on where it is going to, e.g.:
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
access-list pnat permit ip host 192.168.5.1 host 184.108.40.206
nat (inside) 2 access-list pnat
global (outside) 2 220.127.116.11
The above says for all outbound traffic translate the source IP addresses to the outside interface IP address. So if host 192.168.5.1 sends traffic to any outside host, translate it to the outside IP of your PIX
the source is 192.168.5.1 and the destination is 18.104.22.168, in which case translate 192.168.5.1 to 22.214.171.124.
A more common occurrence of policy NAT is when you want to do a NAT exemption for traffic going down a VPN tunnel.
Personally I would always use the access-lists on the interfaces to restrict and allow traffic and use policy NAT purely for address translation.
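To make the precedence concrete, here is an added Python model (not from the post above and not Cisco code) of how PIX 7.x picks a dynamic translation for an inside-to-outside flow: NAT exemption (nat 0 access-list) first, then policy NAT (nat with an access-list), then regular dynamic NAT, with each nat id paired to its global. All addresses are constructed from the documentation ranges; the "global (outside) 1 interface" address is assumed to be 198.51.100.1.

```python
import ipaddress

# Constructed values, not from the original post.
OUTSIDE_IF_IP = "198.51.100.1"      # what "global (outside) 1 interface" resolves to
POLICY_GLOBAL_IP = "198.51.100.50"  # the address in "global (outside) 2 <ip>"

def net(s):
    return ipaddress.ip_network(s, strict=False)

# Models this (constructed) PIX 7.x config:
#   access-list novpn permit ip 192.168.5.0 255.255.255.0 10.20.0.0 255.255.0.0
#   nat (inside) 0 access-list novpn                 (NAT exemption for the tunnel)
#   access-list pnat permit ip host 192.168.5.1 host 203.0.113.200
#   nat (inside) 2 access-list pnat                  (policy NAT)
#   global (outside) 2 198.51.100.50
#   nat (inside) 1 0.0.0.0 0.0.0.0                   (regular dynamic NAT)
#   global (outside) 1 interface
NAT_RULES = [
    {"nat_id": 0, "acl": [(net("192.168.5.0/24"), net("10.20.0.0/16"))]},
    {"nat_id": 2, "acl": [(net("192.168.5.1/32"), net("203.0.113.200/32"))]},
    {"nat_id": 1, "src": net("0.0.0.0/0")},
]
GLOBALS = {2: POLICY_GLOBAL_IP, 1: OUTSIDE_IF_IP}

def rank(rule):
    """Evaluation order: exemption, then policy NAT, then regular dynamic NAT."""
    if rule["nat_id"] == 0:
        return 0
    return 1 if "acl" in rule else 2

def matches(rule, src, dst):
    # Policy rules match on source AND destination; regular NAT on source only.
    if "acl" in rule:
        return any(src in s and dst in d for s, d in rule["acl"])
    return src in rule["src"]

def translate_source(src_ip, dst_ip):
    """Return (translated source, reason) for an inside->outside flow, or
    (None, reason) when no nat statement covers it."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in sorted(NAT_RULES, key=rank):
        if not matches(rule, src, dst):
            continue
        if rule["nat_id"] == 0:
            return src_ip, "nat 0 exemption: untranslated"
        return GLOBALS[rule["nat_id"]], f"nat id {rule['nat_id']}"
    return None, "no matching nat statement"

if __name__ == "__main__":
    for flow in [("192.168.5.1", "10.20.0.5"), ("192.168.5.1", "203.0.113.200"),
                 ("192.168.5.1", "203.0.113.9"), ("192.168.5.7", "203.0.113.200")]:
        print(flow, "->", translate_source(*flow))
```

Note that the host-specific policy rule only fires for 192.168.5.1 going to 203.0.113.200; every other outbound flow falls through to the interface PAT, and tunnel traffic is left untranslated regardless of the order the lines were typed.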