PIX 515 Version 6.3 nat'ing question

Jul 23rd, 2007

Is the following OK? I am unsure if I can NAT my 47.15 address to 3.21 when the interface already has a NAT that appears to be for all traffic going over the interface. Any guidance on this would be great.

global (outside_datae) 1 192.168.1.25
global (outside_datap) 2 192.168.3.25
global (outside_datap) 3 192.168.3.21
nat (inside) 1 access-list datae
nat (inside) 2 access-list datap
nat (inside) 3 192.168.47.15
access-group data_e in interface outside_datae
access-group data_p in interface outside_datap

srue Mon, 07/23/2007 - 07:09

Assuming 192.168.47.15 is a single host address and not a network address, it's better to use the static command.

static (inside,outside_datap) 192.168.3.21 192.168.47.15

This also depends on what you're trying to accomplish. The way you have it, it's actually set up for PAT (aka NAT overloading) and not a true 1:1 static NAT. If you want inbound connections to be allowed to 192.168.47.15, you should use the static command.

Depending on what the ACLs datae and datap look like, the nat 3 statement may never take effect.
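The two caveats in the reply above (a regular `nat` statement is only consulted after the policy `nat ... access-list` statements, and a `static` outranks both) can be checked against the posted configuration with a small model. The script below is an added example, not code from the thread or from Cisco; it encodes the PIX 6.3 NAT order of operations (static, then policy NAT in configured order, then regular NAT by most specific network; `nat 0` exemption is left out). The contents of the datae and datap access-lists and the 172.16.x.0/24 destination networks are constructed assumptions, since the post does not show them.

```python
"""Model of PIX 6.3 outbound NAT rule selection (added example, not Cisco code).

Precedence as documented for PIX 6.3 (nat 0 exemption omitted):
  1. static (regular or policy)                 highest precedence
  2. policy NAT  (nat <id> access-list <acl>)   configured order, first match
  3. regular NAT (nat <id> <network>)           most specific network wins
"""
import ipaddress
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass
class PixNat:
    # static (inside,<out_if>) <mapped> <real>   -> (out_if, real, mapped)
    statics: list = field(default_factory=list)
    # nat (inside) <id> access-list <name>       -> (id, acl name), in order
    policy_nats: list = field(default_factory=list)
    # nat (inside) <id> <network>                -> (id, network)
    regular_nats: list = field(default_factory=list)
    # access-list <name> permit ip <src> <dst>   -> name -> [(src, dst), ...]
    acls: dict = field(default_factory=dict)
    # global (<out_if>) <id> <address>           -> (out_if, id) -> address
    global_pools: dict = field(default_factory=dict)


def acl_permits(aces, src, dst):
    return any(src in s and dst in d for s, d in aces)


def translate(cfg, src, dst, egress_if):
    """Return (rule, mapped address) for a packet src -> dst leaving egress_if."""
    src, dst = Addr(src), Addr(dst)
    # 1. a static for this host on the egress interface beats every nat statement
    for out_if, real, mapped in cfg.statics:
        if out_if == egress_if and src == real:
            return "static", mapped
    # 2. policy NAT: the first access-list that permits the flow claims it;
    #    a regular nat statement is never reached for that flow
    for nat_id, acl in cfg.policy_nats:
        if acl_permits(cfg.acls[acl], src, dst):
            pool = cfg.global_pools.get((egress_if, nat_id))
            if pool is None:
                return f"nat {nat_id} (policy), no global on {egress_if}", None
            return f"nat {nat_id} (policy)", pool
    # 3. regular NAT: most specific matching network
    best = None
    for nat_id, net in cfg.regular_nats:
        if src in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (nat_id, net)
    if best is not None:
        pool = cfg.global_pools.get((egress_if, best[0]))
        if pool is None:
            return f"nat {best[0]} (regular), no global on {egress_if}", None
        return f"nat {best[0]} (regular)", pool
    return "no nat rule", None


def thread_config(add_static=False):
    """The poster's nat/global lines plus constructed ACL bodies (assumption)."""
    cfg = PixNat()
    cfg.global_pools = {
        ("outside_datae", 1): "192.168.1.25",
        ("outside_datap", 2): "192.168.3.25",
        ("outside_datap", 3): "192.168.3.21",
    }
    cfg.policy_nats = [(1, "datae"), (2, "datap")]
    cfg.regular_nats = [(3, Net("192.168.47.15/32"))]
    # Assumed ACL bodies: each permits the inside LAN to one destination
    # network reached through the matching outside interface.
    cfg.acls = {
        "datae": [(Net("192.168.47.0/24"), Net("172.16.1.0/24"))],
        "datap": [(Net("192.168.47.0/24"), Net("172.16.3.0/24"))],
    }
    if add_static:
        # static (inside,outside_datap) 192.168.3.21 192.168.47.15
        cfg.statics = [("outside_datap", Addr("192.168.47.15"), "192.168.3.21")]
    return cfg


if __name__ == "__main__":
    flows = [("192.168.47.15", "172.16.3.5"),   # destination covered by datap
             ("192.168.47.15", "172.16.99.5"),  # new location, not in datap
             ("192.168.47.20", "172.16.3.5")]   # another inside host
    for add_static in (False, True):
        print("with static:" if add_static else "as posted:")
        for src, dst in flows:
            print("  %s -> %s: %s" % (src, dst, translate(thread_config(add_static), src, dst, "outside_datap")))
```

With the assumed ACLs, 47.15 to a destination that datap permits is translated to 192.168.3.25 by nat 2, and nat 3 only fires for destinations the ACL does not cover; if datap were `permit ip 192.168.47.0/24 any`, nat 3 would never be consulted. Adding the static sends all of 47.15's traffic out outside_datap as 192.168.3.21, including flows that datap used to translate to 192.168.3.25, while other inside hosts and traffic leaving outside_datae are unaffected. Whether that side effect is acceptable is the question to answer before applying it.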

ericluoma Mon, 07/23/2007 - 07:39

I am trying to make it so that only the data going from my internal 47.15 gets NAT'd to 3.21, and data going to all other locations continues as was stated before. The firewall is currently working in the environment as:

global (outside_datae) 1 192.168.1.25
global (outside_datap) 2 192.168.3.25
nat (inside) 1 access-list datae
nat (inside) 2 access-list datap
access-group data_e in interface outside_datae
access-group data_p in interface outside_datap

I have added the entries in my first post to get access to a different location on the outside, but with a specific translation on that address. The first post I made has the changes I added, and I was just wondering about the implications of my changes. Hopefully they don't break what was already there.

ggilbert Thu, 07/26/2007 - 07:38

According to your configuration, you have access-lists called "datae" and "data_e", and "datap" and "data_p".

The access-lists with "_" are applied to the interfaces.

The access-lists without "_" are applied to the nat statements.

Let me know if there is anything you would need help with in this issue.
