NAT - need help

joe.clemmons
Level 1

I have a scenario where I need to present on the outside interface of a PIX running 6.3(4) 3 different translated subnets for a single subnet inside, based on source networks. Please see attached. How can I best achieve this?

Thanks for any guidance! A pic is attached.

2 Replies

pkhatri
Level 11

Try this:

access-list SourceNetABC permit ip any

access-list SourceNetABC permit ip any

access-list SourceNetABC permit ip any

access-list SourceNetDEF permit ip any

access-list SourceNetDEF permit ip any

access-list SourceNetDEF permit ip any

access-list SourceNetGHI permit ip any

access-list SourceNetGHI permit ip any

access-list SourceNetGHI permit ip any

nat (inside) 1 access-list SourceNetABC

nat (inside) 2 access-list SourceNetDEF

nat (inside) 3 access-list SourceNetGHI

global (outside) 1 10.199.0.0 255.255.255.0

global (outside) 2 38.225.43.0 255.255.255.0

global (outside) 3 172.16.0.0 255.255.255.0

Hope that helps - pls rate the post if it does.

Paresh

Ok great. I see that's good for one-to-one translation.

Now, here is another challenge I have. For the 172.16.0.0/24 to 172.16.0.0/24 it's no problem, but for the 10.199.0.0/24 and 38.225.43.0/24 the host addresses don't line up. In other words, say on the 38.225.43.0 side I may need to do 172.16.0.1 to 38.225.43.129. It's a long story. It's similar in the 10.199.0.0/24 outside range as well.

And, these are NOT limited to outside NATs for outbound (inside>outside) connections to the indicated sourcenets. I have these sourcenets connecting INBOUND to those translated addresses.

I'm looking to minimize the amount of ACLs, STATIC, etc. entries that I have to enter, but I may have no choice?

I'm assuming I have to do Policy NAT on all of 'em, and that's gonna make the config huge ;-). Unless I can get some help from you guys on another way to do it.

Thanks for the suggestions and time! Any other ideas based on above certainly appreciated!
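
For the per-host case described in the last post, one way to keep a large policy NAT configuration manageable is to generate it from a mapping table and validate the table first. The script below is an added example, not code from the thread or from Cisco: it emits one access list and one policy `static` per inside host for a single source network. The source network `192.0.2.0/24` is a placeholder (the thread does not give the real source networks), the second host pair is constructed, and the `policy_static` function and ACL naming scheme are hypothetical.

```python
import ipaddress

def policy_static(acl_prefix, source_net, mapped_net, host_map,
                  real_if="inside", mapped_if="outside"):
    """Return PIX 6.3 config lines: one ACL and one policy static per inside host.

    host_map maps each real inside host to the address that the given
    source network should see on the outside interface.
    """
    src = ipaddress.ip_network(source_net)
    pool = ipaddress.ip_network(mapped_net)
    used = {}    # mapped address -> real host, to catch double assignment
    lines = []
    ordered = sorted(host_map.items(),
                     key=lambda kv: ipaddress.ip_address(kv[0]))
    for n, (real, mapped) in enumerate(ordered, start=1):
        real_ip = ipaddress.ip_address(real)
        mapped_ip = ipaddress.ip_address(mapped)
        # A typo that lands outside the intended translated subnet would
        # silently publish the host on an unplanned address.
        if mapped_ip not in pool:
            raise ValueError(f"{mapped_ip} is outside {pool}")
        # Two real hosts sharing one mapped address makes inbound
        # connections ambiguous.
        if mapped_ip in used:
            raise ValueError(
                f"{mapped_ip} assigned to {used[mapped_ip]} and {real_ip}")
        used[mapped_ip] = real_ip
        acl = f"{acl_prefix}_{n}"
        # The ACL selects traffic between this one host and the source network.
        lines.append(f"access-list {acl} permit ip host {real_ip} "
                     f"{src.network_address} {src.netmask}")
        lines.append(f"static ({real_if},{mapped_if}) {mapped_ip} "
                     f"access-list {acl}")
    return lines

# Constructed sample input. Only the 172.16.0.1 -> 38.225.43.129 pair comes
# from the thread; the source network and the second pair are placeholders.
SOURCE_NET_DEF = "192.0.2.0/24"
HOSTS_DEF = {
    "172.16.0.1": "38.225.43.129",
    "172.16.0.2": "38.225.43.140",
}

if __name__ == "__main__":
    print("\n".join(policy_static("SourceNetDEF", SOURCE_NET_DEF,
                                  "38.225.43.0/24", HOSTS_DEF)))
```

A static translation applies in both directions, so the same entries cover the inbound connections mentioned above; that inbound traffic still has to be permitted by the access list applied to the outside interface.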