09-08-2006 06:00 AM - last edited on 03-25-2019 05:08 PM by ciscomoderator
Hi All,
I am kind of new to the PIX/FWSM. I am trying to modify our NAT/PAT statements for inside so that any internet traffic bound for port 80 or 443 uses a PAT and all other traffic uses dynamic NAT.
I read some docs and it looks like I can use policy NAT, but I still do not know all the configuration steps.
Currently all 10.x.x.x traffic from inside gets a dynamic NAT range of x.x.116.31-x.x.116.251 and a PAT address of x.x.117.251. But I would like the PAT address x.x.117.251 to be used for port 80/443 traffic and other traffic to use dynamic NAT.
Is this possible using policy NAT?
thanks
09-09-2006 02:42 PM
Hi... yes, you can definitely do it.
For web access
nat (inside) 1 access-list Web_Outbound
global (outside) 1 x.x.117.251 netmask 255.255.255.255
access-list Web_Outbound permit tcp any any eq 443
access-list Web_Outbound permit tcp any any eq 80
for everything else
nat (inside) 10 access-list All_Outbound
global (outside) 10 x.x.116.31-x.x.116.251 netmask 255.255.255.255
access-list All_Outbound permit ip any any
NOTE: the nat id you used for dynamic PAT (i.e. 10) has to be greater than the one used for PAT (i.e. 1). In that way the NAT precedence will work as you need.
I hope it helps... please rate it if it does!!
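As an added illustration, not part of the original thread or of any Cisco tool: the Python below models the configuration in the accepted answer. It parses the access-list, nat and global lines, evaluates the policy NAT statements in the order they appear (first ACL that permits the flow wins; that first-match ordering is the model's assumption), and reports which global pool an inside-to-outside flow lands in. The masked "x.x" octets are replaced with documentation-range addresses (an assumption), and the catch-all check at the end shows what happens under that model if the "permit ip any any" statement is listed ahead of the web one.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the accepted answer's configuration with the masked
# "x.x" octets replaced by RFC 5737 documentation addresses (assumption).
CONFIG = """\
access-list Web_Outbound permit tcp any any eq 443
access-list Web_Outbound permit tcp any any eq 80
access-list All_Outbound permit ip any any
nat (inside) 1 access-list Web_Outbound
global (outside) 1 203.0.113.251 netmask 255.255.255.255
nat (inside) 10 access-list All_Outbound
global (outside) 10 192.0.2.31-192.0.2.251 netmask 255.255.255.255
"""

PORT_NAMES = {"www": 80, "http": 80, "https": 443}
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # set only when the ACE ends in "eq <port>"


def _parse_addr(tokens):
    """Consume one address spec (any | host A | A MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_config(text):
    """Return (acls, nats, globals): ACL name -> ACEs, ordered nat statements,
    and (interface, id) -> global address or range."""
    acls, nats, globals_ = {}, [], {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            src, rest = _parse_addr(t[4:])
            dst, rest = _parse_addr(rest)
            dport = None
            if rest[:1] == ["eq"]:
                dport = PORT_NAMES.get(rest[1]) or int(rest[1])
            acls.setdefault(t[1], []).append(Ace(t[2], t[3], src, dst, dport))
        elif t[0] == "nat":
            m = re.match(r"nat \(([^)]+)\)\s*(\d+) access-list (\S+)", line.strip())
            nats.append((m.group(1), int(m.group(2)), m.group(3)))
        elif t[0] == "global":
            m = re.match(r"global \(([^)]+)\)\s*(\d+) (\S+)", line.strip())
            globals_[(m.group(1), int(m.group(2)))] = m.group(3)
    return acls, nats, globals_


def acl_permits(aces, proto, src, dst, dport):
    """First-match ACL evaluation; True only when the first matching ACE permits."""
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action == "permit"
    return False


def translate(cfg, proto, src, dst, dport=None, inside="inside", outside="outside"):
    """Global pool an inside->outside flow maps to, or None if no statement matches.
    Model assumption: policy NAT statements are tried in configured order."""
    acls, nats, globals_ = cfg
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for iface, nat_id, acl in nats:
        if iface == inside and acl_permits(acls.get(acl, []), proto, s, d, dport):
            spec = globals_[(outside, nat_id)]
            return f"dynamic NAT pool {spec}" if "-" in spec else f"PAT {spec}"
    return None


def catch_all_warnings(cfg):
    """Flag a nat statement bound to an un-denied 'permit ip any any' that is
    not the last one on its interface: under first-match, later ones never hit."""
    acls, nats, _ = cfg
    warnings = []
    for i, (iface, nat_id, acl) in enumerate(nats):
        later = [n[1] for n in nats[i + 1:] if n[0] == iface]
        if not later:
            continue
        for ace in acls.get(acl, []):
            if ace.action == "deny":
                break
            if (ace.proto, ace.src, ace.dst, ace.dport) == ("ip", ANY, ANY, None):
                warnings.append(f"nat ({iface}) {nat_id} uses catch-all {acl}; "
                                f"later statements {later} never match")
                break
    return warnings


# Same statements with the catch-all listed first (constructed variant).
SWAPPED = "\n".join([l for l in CONFIG.splitlines() if not l.startswith("nat (inside) 1 ")]
                    + ["nat (inside) 1 access-list Web_Outbound"])

if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    for flow in [("tcp", "10.1.1.5", "198.51.100.10", 443),
                 ("tcp", "10.1.1.5", "198.51.100.10", 22),
                 ("udp", "10.1.1.5", "198.51.100.10", 53)]:
        print(flow, "->", translate(cfg, *flow))
    print("warnings:", catch_all_warnings(cfg))
    print("swapped:", translate(parse_config(SWAPPED), "tcp", "10.1.1.5", "198.51.100.10", 443),
          catch_all_warnings(parse_config(SWAPPED)))
```

Running it shows TCP/443 and TCP/80 landing on the single PAT address and everything else (TCP/22, UDP/53) on the dynamic NAT range; with the catch-all statement moved ahead of the web one, every flow falls into the range and the check reports the shadowed statement.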
09-09-2006 01:25 AM
Yeah, this is possible, I guess. Using policy NAT, you can configure something like this:
nat (inside) 1 access-list inside_nat_outbound
global (outside) 1 x.x.117.251
The access-list should allow traffic on ports 80 and 443.
You can define another nat statement, which globally defines the dynamic NAT.
Hope this helps. All the best. Rate replies if found useful.
Raj
09-12-2006 09:44 PM
It worked. Thanks for the response