Cisco Support Community
New Member

NAT by protocol

We have both Internet-routable addresses and RFC1918 addresses throughout our network. Currently we are using WCCP and Cisco CE550s to proxy HTTP/HTTPS/FTP access to the Internet. Our CEs are at EOL and have become temperamental. What I would like to do on the PIX is to NAT only HTTP/HTTPS traffic to the Internet. I want to leave all of the other traffic alone, since we have apps, such as VPN tunnels, that cannot be NAT'ed. It is my understanding that NAT exemptions are processed first, followed by NAT rules. Since I only want to NAT HTTP, and deny statements do not appear to be valid in NAT access-lists, what options do I have?

1 REPLY
Cisco Employee

Re: NAT by protocol

With 6.3(2) code you should be able to use policy NAT to do something like the following (haven't tested this):

access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 443
nat (inside) 20 access-list 100
global (outside) 20 interface

This (policy NAT) has a higher priority than standard NAT (not including "nat 0"), so this will take precedence over other nat/global pairs you have configured.

See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#1032129 for details.
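The reply's answer rests on the order in which a PIX 6.3 evaluates translation rules: "nat 0 access-list" exemptions first, then policy NAT ("nat <id> access-list"), then the ordinary nat/global pairs. The following Python model is an added example, not code from the original post or from Cisco; it encodes only that ordering, omits static translations and identity NAT, and uses constructed addresses, ACL entries and flows. The outside interface address, the pre-existing "nat (inside) 1" pair and the "nat 0 access-list 101" VPN exemption are assumptions made so the model has something for the reply's policy NAT to take precedence over. What a real PIX does with a flow that matches no rule at all is not covered by the reply; the model just reports "none" for it.

```python
"""Model of how PIX 6.3 picks a NAT rule for an outbound (inside -> outside) flow.

Added example, not the original post's or Cisco's code. Order modelled:
  1. nat (inside) 0 access-list <n>      NAT exemption
  2. nat (inside) <id> access-list <n>   policy NAT
  3. nat (inside) <id> <net> <mask>      regular NAT via global <id>
Static translations and identity NAT are not modelled. All data is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    proto: str                 # "tcp", "udp", "esp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One 'access-list <n> permit <proto> <src> <dst> [eq <port>]' line."""
    proto: str                 # "ip" matches every protocol
    src: str                   # CIDR or "any"
    dst: str
    dport: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        if self.proto != "ip" and self.proto != flow.proto:
            return False
        if self.dport is not None and self.dport != flow.dport:
            return False
        return _covers(self.src, flow.src) and _covers(self.dst, flow.dst)


def _covers(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


class PixNat:
    """Minimal inside->outside translation lookup for a single PIX."""

    def __init__(self, outside_ip: str):
        self.outside_ip = outside_ip              # 'global (outside) N interface'
        self.acls: dict[int, list[Ace]] = {}
        self.acl_nats: list[tuple[int, int]] = []  # (nat_id, acl number), nat 0 included
        self.regular: list[tuple[int, str]] = []   # (nat_id, inside network)
        self.globals: dict[int, str] = {}          # nat_id -> address or "interface"

    def access_list(self, number: int, ace: Ace) -> None:
        self.acls.setdefault(number, []).append(ace)

    def nat(self, nat_id: int, *, access_list: Optional[int] = None,
            network: str = "any") -> None:
        if access_list is not None:
            self.acl_nats.append((nat_id, access_list))
        else:
            self.regular.append((nat_id, network))

    def global_(self, nat_id: int, pool: str) -> None:
        self.globals[nat_id] = pool

    def _pool_addr(self, nat_id: int) -> str:
        pool = self.globals[nat_id]
        return self.outside_ip if pool == "interface" else pool

    def _acl_hit(self, acl: int, flow: Flow) -> bool:
        return any(ace.matches(flow) for ace in self.acls.get(acl, []))

    def lookup(self, flow: Flow) -> tuple[str, Optional[str]]:
        """Return (rule kind, source address seen on the outside) for a flow."""
        for nat_id, acl in self.acl_nats:             # 1. exemption wins outright
            if nat_id == 0 and self._acl_hit(acl, flow):
                return ("exempt", flow.src)
        for nat_id, acl in self.acl_nats:             # 2. policy NAT beats regular NAT
            if nat_id != 0 and self._acl_hit(acl, flow):
                return ("policy", self._pool_addr(nat_id))
        for nat_id, network in self.regular:          # 3. regular nat/global pairs
            if _covers(network, flow.src):
                return ("regular", self._pool_addr(nat_id))
        return ("none", None)                         # no rule matched (see lead-in)


def thread_config() -> PixNat:
    """The reply's snippet plus two assumed, constructed pre-existing rules."""
    pix = PixNat(outside_ip="203.0.113.1")            # assumed outside address
    pix.access_list(100, Ace("tcp", "any", "any", 80))   # from the reply
    pix.access_list(100, Ace("tcp", "any", "any", 443))
    pix.nat(20, access_list=100)
    pix.global_(20, "interface")
    pix.nat(1, network="10.0.0.0/8")                  # assumed existing regular pair
    pix.global_(1, "203.0.113.2")
    pix.access_list(101, Ace("ip", "10.1.0.0/16", "172.16.0.0/16"))  # assumed VPN subnets
    pix.nat(0, access_list=101)                       # exemption for the tunnel traffic
    return pix


if __name__ == "__main__":
    pix = thread_config()
    for f in (Flow("tcp", "10.2.3.4", "198.51.100.7", 80),
              Flow("tcp", "10.2.3.4", "198.51.100.7", 22),
              Flow("tcp", "10.1.5.5", "172.16.9.9", 443),
              Flow("tcp", "192.0.2.10", "198.51.100.7", 22)):
        print(f, "->", pix.lookup(f))
```

Running it shows the point of the reply: web traffic from 10.2.3.4 is translated to the outside interface address by the policy rule even though "nat (inside) 1" also covers that host, SSH from the same host falls through to the regular pair, HTTPS between the two VPN subnets is left alone because the exemption is checked before ACL 100, and non-web traffic from a routable host that no regular pair covers matches nothing. Static translations also take part in the real ordering; check the 6.3 command reference linked in the reply before relying on this model for a configuration that uses them.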
