10-15-2003 02:58 PM - edited 03-09-2019 05:10 AM
Cisco PIX Firewall Version 6.3(1)
model: 515e
----
Is it possible to have the PIX use PAT for outbound traffic, like FTP and HTTP to any IP address, but then have it use NAT only to a few specific destinations?
Here is the problem I have which may help explain the question:
I have client PCs that need to access a remote site at another company via Nortel VPN. This requires a 1-1 mapping with NAT, and no PAT. I have gotten this to work in a test env with the global commands and with static commands. The problem I have is: there are more client computers that need access to the VPN than I have public IPs, but not all the clients use the VPN software at the same time.
So effectively what I want is:
an access-list that uses PAT for all regular traffic
and
an access-list that says:
if traffic is going to destination x.x.x.x, then use the global pool of x.x.x.1-x.x.x.20.
I know this is possible with Netscreen firewalls, I just hope it is with the PIX as well.
Dan
10-15-2003 05:44 PM
Hi Dan,
Please check out the policy NAT feature per this document.
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/config/bafwcfg.htm#1113601
Thanks
Nadeem
10-16-2003 09:59 AM
Thanks Nadeem,
This is exactly what I need, but the FOS will not let me set it up.
I have cleared the config and started from scratch, but this still does not help. Here is what I am doing:
---------
pix(config)# show access-l
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
alert-interval 300
pix(config)# access-l NET1 perm ip 10.1.1.0 255.255.255.0 host 12.40.x.x
pix(config)# access-l NET2 perm ip 10.1.1.0 255.255.255.0 any
pix(config)# nat (inside) 2 access-l NET1
ERROR: invalid nat ID, <2>, with access-list
Usage: [no] nat [(
[dns] [outside]
[
[no] nat [(if_name)] 0 [access-list
pix(config)#
------------
I always get an error stating that the NAT ID is incorrect, no matter what I change it to. Any thoughts on this? I've done some searching, and it seems that only a "nat (inside) 0" command will work with an access-list. But it seems that this will limit my possibilities.
Dan
10-16-2003 10:49 AM
Looks like this is a feature introduced in 6.3(2).
Guess I need to figure out how to get that version now.
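For reference, a PIX 6.3(2) or later configuration for the setup Dan describes, added here as an illustration and not taken from any post in the thread; the 192.0.2.10 gateway address and the 203.0.113.x pool are constructed placeholders, and 10.1.1.0/24 is the inside network from Dan's output.

```cisco
! Added example (not from the thread). Requires PIX 6.3(2) or later:
! 6.3(1) rejects "nat ... access-list" with any ID other than 0, which is
! the error shown above. ID 0 with an access-list is NAT exemption, which
! bypasses translation entirely and therefore never hands out pool addresses.
!
! 1. Policy NAT ACL: matches on source AND destination. Only traffic from
!    the inside LAN to the remote VPN gateway is selected. Policy NAT ACLs
!    may contain permit entries only.
access-list VPN_NAT permit ip 10.1.1.0 255.255.255.0 host 192.0.2.10
!
! 2. Bind the ACL to NAT ID 2 and give ID 2 a one-to-one address pool.
!    A client that reaches the gateway is allocated its own public address
!    for the life of its xlate, so no port translation is applied and the
!    IPsec client works. "nat" statements that reference an access-list are
!    evaluated before the regular "nat" statements, whatever their ID.
nat (inside) 2 access-list VPN_NAT
global (outside) 2 203.0.113.1-203.0.113.20 netmask 255.255.255.0
!
! 3. All other traffic from the LAN falls through to ordinary PAT on the
!    outside interface address.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! 4. Pool addresses stay allocated until the translation ages out, so a
!    client keeps its public address for a while after it disconnects.
!    Lowering the default (3:00:00) frees addresses for other clients sooner.
timeout xlate 1:00:00
```

When all 20 pool addresses are in use, a 21st client's connection to the gateway fails rather than silently falling back to PAT, which is the desired behaviour for a 1-1 VPN requirement.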