
New Member

For Cisco Engineers: Policy NAT support on PDM

We upgraded to 6.3(3) for policy NAT. Needed for single inside addresses on multiple IPSec VPNs - where addresses must be NAT'd.

Anyway, current PDM 3.0(1) does not support policy NAT - and cannot be used to configure unless those policy NAT statements are removed. Most engineers around here prefer to use PDM.

I don't see a new PDM out there...is one available?

If not, I'd have to ask - why make a release without a PDM that can support it?

5 REPLIES

Re: For Cisco Engineers: Policy NAT support on PDM

Hi,

You are correct that we do not have a version of PDM that supports the new features introduced in 6.3(2) such as policy NAT, EDNS0, etc... We do plan to support these features in an upcoming release of PDM but the next release is not planned for anytime soon. Best guess at this time is sometime next year when the next major release of PIX code becomes available. If this is something you guys really need, I strongly urge you to contact your account team and have them lobby the development team to release a new version of PDM with support for these features. I think the decision was made because the development team felt there would be very few people wanting to use these features in conjunction with PDM. Word from the account team is how we find out whether these decisions were incorrect.

Sorry, as I am sure this is not what you wanted to hear but I hope this helps.

Scott

New Member

Re: For Cisco Engineers: Policy NAT support on PDM

What is EDNS0? I searched Cisco's site and the result was empty.

Re: For Cisco Engineers: Policy NAT support on PDM

Sorry for the unclear response. EDNS0 is what we call the DNS extensions that were added via RFC 2671. In the past, the PIX enforced a 512 byte limit to DNS queries but as of this RFC, it is now valid to have DNS queries that exceed this limit. So, we added a new fixup to the PIX to support this change. See the following from the release notes:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63rnotes/pixrn632.htm#110415

Scott

New Member

Re: For Cisco Engineers: Policy NAT support on PDM

Appreciate the reply.

But maybe there is another way to accomplish what we think we need policy NAT for.

The issue is a single inside device on multiple VPNs - which require that inside address to be NAT'd. If I did a single static on there - that was it - only one VPN to that device then. Policy NAT also takes into account destination, and therefore provides the flexibility needed.

Is there some other way to accomplish this...which would then allow use of PDM?

Thanks.
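For readers following the thread, here is what the destination-aware NAT described above looks like in PIX 6.3 CLI. This is an added illustration, not configuration posted by anyone in the thread; the host, peer-network and mapped addresses are constructed placeholders.

```text
! One inside host (10.1.1.10, constructed) must appear as a different
! mapped address on each of two IPSec VPNs. A plain "static" can map
! it only once; policy NAT keys the translation on the destination.

! Traffic from the host toward VPN peer A's network (constructed)
access-list NAT_VPN_A permit ip host 10.1.1.10 192.168.10.0 255.255.255.0
! Traffic from the same host toward VPN peer B's network (constructed)
access-list NAT_VPN_B permit ip host 10.1.1.10 192.168.20.0 255.255.255.0

! Policy static: the mapped address chosen depends on which ACL matches.
! These are the statements PDM 3.0(1) cannot parse, per the replies above.
static (inside,outside) 172.16.1.10 access-list NAT_VPN_A
static (inside,outside) 172.16.2.10 access-list NAT_VPN_B

! Verify which translation is built for each destination
show xlate
```

Keep the policy ACLs narrow (host and specific peer network) so each translation only applies to the tunnel it is meant for, and check `show xlate` after bringing up each tunnel to confirm the expected mapped address.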

Cisco Employee

Re: For Cisco Engineers: Policy NAT support on PDM

Hi,

Using PDM, there is no other way, you have to disable policy NAT. Otherwise use epilog/prologue in CSPM or if using VMS then use beginning / ending command portion.

Thanks

Nadeem
