Cisco Support Community
NAT Help

Hi All,

I am kind of new to the PIX/FWSM. I am trying to modify our NAT/PAT statements for inside so that any internet traffic bound for port 80 or 443 uses a PAT and all other traffic uses dynamic NAT.

I read some docs and it looks like I can use policy NAT, but I still do not know all the configuration steps.

Currently all 10.x.x.x traffic from inside gets a dynamic NAT range of x.x.116.31-x.x.116.251 and a PAT address of x.x.117.251. But I would like the PAT address x.x.117.251 to be used for port 80/443 traffic and other traffic to use dynamic NAT.

Is this possible using policy NAT?

thanks

Accepted Solution

Re: NAT Help

Hi .. yes, you can definitely do it ...

For web access:

access-list Web_Outbound permit tcp any any eq 443
access-list Web_Outbound permit tcp any any eq 80
nat (inside) 1 access-list Web_Outbound
global (outside) 1 x.x.117.251 netmask 255.255.255.255

For everything else:

access-list All_Outbound permit ip any any
nat (inside) 10 access-list All_Outbound
global (outside) 10 x.x.116.31-x.x.116.251 netmask 255.255.255.255

NOTE: the nat ID you used for dynamic PAT (i.e. 10) has to be greater than the one used for PAT (i.e. 1). In that way the NAT precedence will work as you need.

I hope it helps ... please rate it if it does !!
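Added worked example (not from the thread and not Cisco code): a small Python model of how the two policy NAT rules in the accepted answer classify outbound flows and hand out translations. It parses the access-list / nat / global lines as posted, with the masked x.x addresses replaced by RFC 5737 documentation addresses (203.0.113.251 stands in for the PAT address x.x.117.251, 198.51.100.31-198.51.100.251 for the dynamic range; both are constructed), and it assumes the policy nat statements are evaluated first-match in configuration order with the port-specific rule listed before the catch-all. The sample flows and inside hosts are constructed too.

```python
"""Model of the policy NAT config from the accepted answer (added example, not Cisco code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed copy of the posted config. The thread masks the real addresses as
# x.x.116.x / x.x.117.251; RFC 5737 documentation ranges are substituted here.
PIX_CONFIG = """
access-list Web_Outbound permit tcp any any eq 443
access-list Web_Outbound permit tcp any any eq 80
access-list All_Outbound permit ip any any
nat (inside) 1 access-list Web_Outbound
global (outside) 1 203.0.113.251 netmask 255.255.255.255
nat (inside) 10 access-list All_Outbound
global (outside) 10 198.51.100.31-198.51.100.251 netmask 255.255.255.0
"""


@dataclass
class Ace:
    """One access-list entry: protocol, source, destination and optional 'eq' port."""
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]

    def matches(self, src_ip, dst_ip, proto, dport):
        return (self.proto in ("ip", proto) and src_ip in self.src
                and dst_ip in self.dst and self.dport in (None, dport))


@dataclass
class GlobalPool:
    """A 'global' statement: one PAT address (first == last) or a dynamic NAT range."""
    first: ipaddress.IPv4Address
    last: ipaddress.IPv4Address
    xlates: dict = field(default_factory=dict)  # inside host -> outside address

    def translate(self, inside_ip):
        """Outside address for inside_ip, or None when the dynamic range is exhausted."""
        if self.first == self.last:
            return self.first  # PAT: all hosts share the address, only the port differs
        if inside_ip not in self.xlates:
            used = set(self.xlates.values())
            for n in range(int(self.first), int(self.last) + 1):
                if ipaddress.IPv4Address(n) not in used:
                    self.xlates[inside_ip] = ipaddress.IPv4Address(n)
                    break
            else:
                return None  # no free address and nothing under this nat ID to fall back to
        return self.xlates[inside_ip]


def _addr(tokens):
    """Consume one ACL address ('any', 'host A' or 'A MASK'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1]), tokens[2:]
    return ipaddress.IPv4Network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


class PolicyNat:
    """Parses access-list / nat / global lines and answers: which rule, which address?"""

    def __init__(self, config):
        self.acls = {}   # ACL name -> [Ace]
        self.rules = []  # (ACL name, nat ID) in configuration order (assumed match order)
        self.pools = {}  # nat ID -> GlobalPool
        for line in config.strip().splitlines():
            t = line.split()
            if not t:
                continue
            if t[0] == "access-list" and t[2] == "permit":
                src, rest = _addr(t[4:])
                dst, rest = _addr(rest)
                port = int(rest[1]) if rest[:1] == ["eq"] else None
                self.acls.setdefault(t[1], []).append(Ace(t[3], src, dst, port))
            elif t[0] == "nat" and t[3] == "access-list":
                self.rules.append((t[4], int(t[2])))
            elif t[0] == "global":
                first, _, last = t[3].partition("-")
                self.pools[int(t[2])] = GlobalPool(ipaddress.IPv4Address(first),
                                                   ipaddress.IPv4Address(last or first))

    def lookup(self, src, dst, proto, dport=None):
        """First matching policy rule -> (nat ID, outside address or None); None if no match."""
        src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        for acl, nat_id in self.rules:
            if any(a.matches(src_ip, dst_ip, proto, dport) for a in self.acls[acl]):
                return nat_id, self.pools[nat_id].translate(src_ip)
        return None


def demo():
    """Constructed flows: web goes to the PAT address, everything else to the range."""
    fw = PolicyNat(PIX_CONFIG)
    out = {
        "https": fw.lookup("10.1.1.5", "192.0.2.80", "tcp", 443),  # nat ID 1, PAT address
        "ssh": fw.lookup("10.1.1.5", "192.0.2.80", "tcp", 22),     # nat ID 10, first free address
        "dns": fw.lookup("10.1.1.5", "192.0.2.53", "udp", 53),     # same host keeps its xlate
    }
    # The range holds 221 addresses and 10.1.1.5 already took one: 220 more hosts fit,
    # the 221st gets None because global ID 10 has no PAT address to fall back to.
    for i in range(1, 222):
        out["overflow"] = fw.lookup(f"10.1.2.{i}", "192.0.2.53", "udp", 53)
    out["overflow_https"] = fw.lookup("10.1.2.221", "192.0.2.80", "tcp", 443)  # still PAT'd
    return {k: (v[0], None if v[1] is None else str(v[1])) for k, v in out.items()}


if __name__ == "__main__":
    for flow, (nat_id, addr) in demo().items():
        print(f"{flow:15} nat ID {nat_id:2}  ->  {addr}")
```

The overflow case is the check worth making before applying this change on a real PIX/FWSM: the original configuration in the question had the range and the PAT address together, so the PAT address served as the fallback once the range was used up. After the split, global ID 10 contains only the range, and the model returns None for the 222nd inside host opening a non-web connection; on the firewall that host would likewise get no translation unless a PAT address is also added under global ID 10.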

3 REPLIES

Re: NAT Help

Yeah, this is possible, I guess. Using policy NAT, you can configure something like this:

nat (inside) 1 access-list inside_nat_outbound

global (outside) 1 x.x.117.251

The access-list should allow traffic on ports 80 and 443.

You can define another nat statement, which globally defines the dynamic NAT.

Hope this helps. All the best. Rate replies if found useful.

Raj


Re: NAT Help

It worked. Thanks for the response
