NAT to specific destination

danking65
Level 1

Cisco PIX Firewall Version 6.3(1)

model: 515e

----

Is it possible to have the PIX use PAT for outbound traffic, like FTP and HTTP to any IP address, but then have it use NAT only to a few specific destinations?

Here is the problem I have which may help explain the question:

I have client PCs that need to access a remote site to another company via Nortel VPN. This requires a 1-1 mapping with NAT, and no PAT. I have gotten this to work in a test env with the global commands and with static commands. The problem I have is: there are more client computers that need access to the VPN than I have public IPs, but not all the clients use the VPN software at the same time.

So effectively what I want is:

an access-list that uses PAT for all regular traffic

and

an access-list that says:

if traffic is going to destination x.x.x.x, then use the global pool of x.x.x.1-x.x.x.20.

I know this is possible with Netscreen firewalls, I just hope it is with the PIX as well.

Dan

3 Replies

nkhawaja
Cisco Employee

Hi Dan,

Please check out the policy NAT feature per this document.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#1113601

Thanks

Nadeem

Thanks Nadeem,

This is exactly what I need, but the FOS will not let me set it up.

I have cleared the config and started from scratch, but this still does not help. Here is what I am doing:

---------

pix(config)# show access-l
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
alert-interval 300
pix(config)# access-l NET1 perm ip 10.1.1.0 255.255.255.0 host 12.40.x.x
pix(config)# access-l NET2 perm ip 10.1.1.0 255.255.255.0 any
pix(config)# nat (inside) 2 access-l NET1
ERROR: invalid nat ID, <2>, with access-list
Usage: [no] nat [()] [
[dns] [outside]
[ [emb_limit> []]]]
[no] nat [(if_name)] 0 [access-list [outside]]
pix(config)#

------------

I always get an error stating that the NAT ID is incorrect, no matter what I change it to. Any thoughts on this? I've done some searching, and it seems that only a "nat (inside) 0" command will work with an access-list. But it seems that this will limit my possibilities.

Dan

Looks like this is a feature introduced in 6.3(2).

Guess I need to figure out how to get that version now.
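For reference, the configuration the thread is working towards, as an added example that is not taken from the post or from Cisco's document: on PIX 6.3(2) or later, where `nat` accepts an access-list with a non-zero ID, the policy NAT entry carries the VPN-bound traffic on the 1-to-1 pool and the general entry PATs everything else. The x.x.x addresses are the placeholders from the thread; the /24 netmask on the pool and the use of the outside interface address for PAT are assumptions.

```cisco
: Added example (not from the thread): PIX 6.3(2)+ policy NAT.
: Traffic from 10.1.1.0/24 to the VPN peer 12.40.x.x is matched by NET1.
access-list NET1 permit ip 10.1.1.0 255.255.255.0 host 12.40.x.x

: Policy NAT: flows matching NET1 use nat ID 2, whose global pool is a
: plain address range with no PAT address, so each client holds its own
: 1-to-1 public address while its VPN session is up. Netmask is assumed.
nat (inside) 2 access-list NET1
global (outside) 2 x.x.x.1-x.x.x.20 netmask 255.255.255.0

: Everything else from the inside network falls through to nat ID 1,
: which PATs on the outside interface address (assumed; any spare
: public address would serve here too).
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
```

Because the NET1 entry carries an access-list it is evaluated before the general nat 1 entry regardless of ID number. When all 20 pool addresses are in use, a new VPN-bound connection is denied rather than falling back to PAT, which is the behaviour the question asks for; `show xlate` shows which pool addresses are currently held.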
