NAT by protocol

caspiers
Level 1

We have both Internet routable addresses and RFC1918 addresses throughout our network. Currently we are using WCCP and Cisco CE550s to proxy http/https/ftp access to the Internet. Our CEs are at EOL and have become temperamental. What I would like to do on the PIX is to NAT only HTTP/HTTPS traffic to the Internet. I want to leave all of the other traffic alone since we have apps, such as VPN tunnels, that cannot be NATed. It is my understanding that NAT exemptions are processed first, followed by NAT rules. Since I only want to NAT http, and deny statements do not appear to be valid in NAT access-lists, what options do I have?

1 Reply

gfullage
Cisco Employee

With 6.3(2) code you should be able to use policy NAT to do something like the following (haven't tested this):

access-list 100 permit tcp any any eq 80
access-list 100 permit tcp any any eq 443
nat (inside) 20 access-list 100
global (outside) 20 interface

This (policy NAT) has a higher priority over standard NAT (not including "nat 0"), so this will take precedence over other nat/global pairs you have configured.

See http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/mr.htm#1032129 for details.
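The following is an added worked example of the approach described in the reply above; it is not from the original thread, from Cisco documentation, or from the poster's configuration. It assumes a PIX running 6.3 with interfaces named inside and outside, an inside network of 10.0.0.0/8 and a remote VPN site 192.168.50.0/24 (both addresses are made up). It extends the reply with one further piece the original question needs: on 6.3 a packet leaving a higher-security interface must still match some nat statement, so the "leave everything else alone" traffic is covered with identity NAT (nat 0 without an access-list). Identity NAT is evaluated with the regular dynamic NAT rules, after policy NAT, so it does not pre-empt the web rule the way a nat 0 access-list exemption (which is evaluated first) would.

```cisco
! Constructed example config (not the poster's or Cisco's); addresses are assumed.
!
! 1. Policy NAT for web traffic only. A nat statement with an access-list is
!    matched before the regular nat/global pairs (but after nat 0 access-list
!    exemptions), so only TCP/80 and TCP/443 from inside are PATed to the
!    outside interface address.
access-list WEBNAT permit tcp any any eq 80
access-list WEBNAT permit tcp any any eq 443
nat (inside) 20 access-list WEBNAT
global (outside) 20 interface
!
! 2. Identity NAT for everything else leaving inside. The source address is
!    kept as-is, which is what the VPN tunnels to 192.168.50.0/24 need, and
!    because this is a regular dynamic NAT rule it is only consulted for
!    traffic that did not already match the policy NAT rule above.
!    (Using "nat (inside) 0 access-list" with a permit-any entry instead would
!    be evaluated first and would exempt the web traffic as well, which is the
!    problem the original question describes.)
nat (inside) 0 0.0.0.0 0.0.0.0
```

To verify, open an HTTP connection from an inside host and then run `show xlate`: the web connection should show a PAT translation to the outside interface address, while a connection on any other port from the same host should show an identity translation (same real and mapped address) or, for the VPN traffic, pass through with its original source address intact.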
