NAT Help

mchockalingam
Level 1

Hi All,

I am kind of new to the PIX/FWSM. I am trying to modify our NAT/PAT statements for inside so that any internet traffic bound for port 80 or 443 uses a PAT and all other traffic uses dynamic NAT.

I read some docs and it looks like I can use policy NAT, but I still do not know all the configuration steps.

Currently all 10.x.x.x traffic from inside gets a dynamic NAT range of x.x.116.31-x.x.116.251 and a PAT address of x.x.117.251. But I would like the PAT address x.x.117.251 to be used for port 80/443 traffic and other traffic to use dynamic NAT.

Is this possible using policy NAT?

thanks


sachinraja
Level 9

yeah.. this is possible I guess.. using policy NAT, you can configure something like this:

nat (inside) 1 access-list inside_nat_outbound

global (outside) 1 x.x.117.251

access-list should allow traffic on port 80 and 443.

you can define another nat statement, which globally defines the dynamic NAT.

hope this helps.. all the best.. rate replies if found useful..

Raj

Fernando_Meza
Level 7

Hi .. yes you can definitely do it ...

For web access

nat (inside) 1 access-list Web_Outbound

global (outside) 1 x.x.117.251 netmask 255.255.255.255

access-list Web_Outbound permit tcp any any eq 443

access-list Web_Outbound permit tcp any any eq 80

for everything else

nat (inside) 10 access-list All_Outbound

global (outside) 10 x.x.116.31-x.x.116.251 netmask 255.255.255.255

access-list All_Outbound permit ip any any

NOTE: the nat id you used for dynamic PAT (i.e. 10) has to be greater than the one used for PAT (i.e. 1). In that way the NAT precedence will work as you need.

I hope it helps ... please rate it if it does !!
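To check the precedence point in the NOTE above, here is a small added model (my own code, not from this thread or from Cisco): it encodes the two nat statements with their access lists, evaluates them lowest id first as the reply describes, and reports which global pool a flow lands in, including what happens if the two ids are swapped. Assumed: that lowest-id-first, first-match ordering; the x.x. addresses are the thread's own placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of the thread's two policy-NAT statements (not a PIX
# emulator): an ACE is (protocol, destination port), a nat statement is
# (nat id, its access list, the global pool it maps to).

@dataclass
class Ace:
    proto: str                 # "tcp", "udp" or "ip" (ip = any protocol)
    dst_port: Optional[int]    # None = any port

@dataclass
class NatRule:
    nat_id: int
    acl: List[Ace]
    pool: str                  # what the matching global (outside) line hands out

def ace_matches(ace: Ace, proto: str, dst_port: int) -> bool:
    if ace.proto != "ip" and ace.proto != proto:
        return False
    return ace.dst_port is None or ace.dst_port == dst_port

def pick_pool(rules: List[NatRule], proto: str, dst_port: int) -> Optional[str]:
    # Assumption taken from the reply's NOTE: the nat statement with the
    # lower id is consulted first and the first access-list match wins.
    for rule in sorted(rules, key=lambda r: r.nat_id):
        if any(ace_matches(a, proto, dst_port) for a in rule.acl):
            return rule.pool
    return None   # no nat statement matched the flow

# The configuration from the reply, addresses kept as written in the thread.
# Note Web_Outbound only lists tcp, so udp/80 falls through to dynamic NAT.
WEB_OUTBOUND = [Ace("tcp", 443), Ace("tcp", 80)]
ALL_OUTBOUND = [Ace("ip", None)]
RULES = [
    NatRule(1, WEB_OUTBOUND, "PAT x.x.117.251"),
    NatRule(10, ALL_OUTBOUND, "dynamic NAT x.x.116.31-x.x.116.251"),
]

# Same two statements with the ids reversed: All_Outbound is checked first,
# catches everything, and web traffic never reaches the PAT address.
REVERSED = [
    NatRule(10, WEB_OUTBOUND, "PAT x.x.117.251"),
    NatRule(1, ALL_OUTBOUND, "dynamic NAT x.x.116.31-x.x.116.251"),
]
```

Call `pick_pool(RULES, "tcp", 443)` for the web case and `pick_pool(REVERSED, "tcp", 443)` to see the mis-ordered result.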

It worked. Thanks for the response