For Cisco Engineers: Policy NAT support on PDM

rsommer
Level 1

We upgraded to 6.3(3) for policy NAT. Needed for single inside addresses on multiple IPSec VPNs - where addresses must be NAT'd.

Anyway, current PDM 3.0(1) does not support policy NAT - and can not be used to configure unless those policy NAT statements are removed. Most engineers around here prefer to use PDM.

I don't see a new PDM out there...is one available?

If not, I'd have to ask - why make a release without a PDM that can support it?


scoclayton
Level 7

Hi,

You are correct that we do not have a version of PDM that supports the new features introduced in 6.3(2) such as policy NAT, EDNS0, etc. We do plan to support these features in an upcoming release of PDM but the next release is not planned for anytime soon. Best guess at this time is sometime next year when the next major release of PIX code becomes available. If this is something you guys really need, I strongly urge you to contact your account team and have them lobby the development team to release a new version of PDM with support for these features. I think the decision was made because the development team felt there would be very few people wanting to use these features in conjunction with PDM. Word from the account team is how we find out whether these decisions were incorrect.

Sorry, as I am sure this is not what you wanted to hear but I hope this helps.

Scott

What is EDNS0? I searched Cisco's site and the result was empty

Sorry for the unclear response. EDNS0 is what we call the DNS extensions that were added via RFC 2671. In the past, the PIX enforced a 512 byte limit to DNS queries but as of this RFC, it is now valid to have DNS queries that exceed this limit. So, we added a new fixup to the PIX to support this change. See the following from the release notes:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnotes/pixrn632.htm#110415

Scott

Appreciate the reply.

But maybe there is another way to accomplish what we think we need policy NAT for.

The issue is a single inside device on multiple VPN's - which require that inside address to be NAT'd. If I did a single static on there - that was it - only one VPN to that device then. Policy NAT also takes into account destination, and therefore provides the flexibility needed.

Is there some other way to accomplish this...which would then allow use of PDM?

Thanks.
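As an illustration of the scenario described above, here is a constructed PIX 6.3 policy NAT configuration; it is added here and is not taken from the thread or from any poster. All addresses, ACL names, peer IPs and the transform-set name are assumed.

```cisco
! Constructed example (not from the thread). Assumed addresses:
!   inside host            10.1.1.5
!   VPN partner A network  192.168.10.0/24, must see the host as 172.16.1.5
!   VPN partner B network  192.168.20.0/24, must see the host as 172.16.2.5
! Policy NAT selects the translation on source AND destination, so one
! inside host can carry a different mapped address per VPN.
access-list NAT_PARTNER_A permit ip host 10.1.1.5 192.168.10.0 255.255.255.0
access-list NAT_PARTNER_B permit ip host 10.1.1.5 192.168.20.0 255.255.255.0
static (inside,outside) 172.16.1.5 access-list NAT_PARTNER_A
static (inside,outside) 172.16.2.5 access-list NAT_PARTNER_B
!
! NAT is applied before the crypto map on outbound traffic, so the crypto
! ACLs must match the mapped (translated) address, not the real 10.1.1.5.
access-list VPN_PARTNER_A permit ip host 172.16.1.5 192.168.10.0 255.255.255.0
access-list VPN_PARTNER_B permit ip host 172.16.2.5 192.168.20.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE_MAP 10 ipsec-isakmp
crypto map OUTSIDE_MAP 10 match address VPN_PARTNER_A
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP 20 ipsec-isakmp
crypto map OUTSIDE_MAP 20 match address VPN_PARTNER_B
crypto map OUTSIDE_MAP 20 set peer 203.0.113.20
crypto map OUTSIDE_MAP 20 set transform-set ESP-3DES-SHA
crypto map OUTSIDE_MAP interface outside
! Check: "show static" lists both policy statics for 10.1.1.5, and
! "show xlate" shows whichever mapped address is in use per destination.
```

Note that a plain `static (inside,outside) 172.16.1.5 10.1.1.5` (the single static mentioned in the post) would pin the host to one mapped address for every destination, which is exactly the limitation policy NAT removes.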

Hi,

Using PDM, there is no other way; you have to disable policy NAT. Otherwise use epilog/prologue in CSPM or, if using VMS, then use the beginning / ending command portion.

Thanks

Nadeem