728 Views, 0 Helpful, 5 Replies

PIX 6.3.3 policy NAT problems

chrismoore63
Level 1

I'm curious to see if anyone can help with my situation. I currently do not NAT on my inside interface:

nat 0 0.0.0.0 0.0.0.0

I need to start doing policy NAT for some internal hosts going from inside private IPs to certain sites off of one of my DMZ interfaces. My problem is that this:

global (DMZ4) 5 199.19.19.2

nat (inside) 5 access-list DMZ-NAT

nat (inside) 0 0.0.0.0 0.0.0.0

I need to only NAT inside traffic that matches the access list. If it doesn't match the access-list I don't want to NAT it at all. When I try to test this out I see the inside traffic matching the inside access-list and being routed to the DMZ4 interface. However, the traffic is never NAT'd. I never see the source IP getting translated to 199.19.19.2. Any suggestions???

5 Replies

Fernando_Meza
Level 7

Hi .. I suggest using Policy NAT for nat 0 as well .. instead of nat exemption for the whole inside segment ..

nat (inside) 0 access-list NO_NAT

access-list NO_NAT permit ... etc

I hope it helps ... please rate if it does !!!

My problem is I only need to NAT one IP on the inside interface when it goes to a specific server. I'll NAT it and dump it into my VPN tunnel. The problem is it's going to a Web server (port 80). The IP is the NAT address of my internal firewall. If the traffic doesn't match the ACL then it should go out to the Internet as is. How can I do policy NAT for nat 0 and tell it to NAT to one location, but don't NAT for the rest of the Internet???

If you are going to implement policy NAT, PDM will not function properly. You will only be able to use the Home and Monitor tabs. I am using PDM version 3.04.

This allows you to NAT an address to a specific address going to a specific server on port 80.

access-list WEB permit tcp 10.1.2.0 255.255.255.0 65.x.x.1 255.255.255.255 eq 80

nat (inside) 1 access-list WEB

global (outside) 1 209.x.x.1 255.255.255.255
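Putting the two suggestions above together (Fernando's nat 0 access-list instead of a blanket identity NAT, and the WEB policy-NAT snippet), here is a complete PIX 6.3 fragment for the original poster's case. This is an added example, not a configuration from any post in this thread; the host 10.1.2.50, the web server 203.0.113.10, the DMZ4 global address 192.0.2.2 and the ACL names are constructed. It assumes the documented PIX 6.3 matching order, in which NAT exemption (nat 0 access-list) is checked before policy NAT, so the exemption ACL must not match the one flow you want translated, and it assumes the deny line in the exemption ACL is honoured on your version.

```cisco
! Added example (constructed addresses); not from any post in this thread.
! 1. NAT exemption: everything from the inside network keeps its real address,
!    EXCEPT the single flow that the policy NAT below must translate.
!    Exemption is matched before policy NAT, so a plain "permit ip ... any"
!    here would swallow that flow and it would never be translated.
access-list NO_NAT deny tcp host 10.1.2.50 host 203.0.113.10 eq 80
access-list NO_NAT permit ip 10.1.2.0 255.255.255.0 any
nat (inside) 0 access-list NO_NAT

! 2. Policy NAT: only inside host 10.1.2.50 talking to the web server on
!    tcp/80 is translated to the DMZ4 global address. Everything else from
!    10.1.2.0/24 is exempted above and leaves untranslated.
access-list WEB permit tcp host 10.1.2.50 host 203.0.113.10 eq 80
nat (inside) 5 access-list WEB
global (DMZ4) 5 192.0.2.2

! 3. Existing translations are not re-evaluated when nat/global change;
!    clear them, then send a test connection and confirm an xlate exists.
clear xlate
show xlate
```

After `clear xlate`, a connection from 10.1.2.50 to 203.0.113.10:80 should show up in `show xlate` with the global address 192.0.2.2, while a connection from the same host to any other destination should not create a translation; if `show xlate` stays empty for the web flow, check that no earlier line in NO_NAT matches it.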

aporcaro01
Level 1

Hi!

I have the same topology.

In my case I use:

static (inside,DMZ_Client) 192.168.162.201 access-list inside_client

access-list inside_client extended permit ip host 10.10.1.1 10.250.0.0 255.255.192.0

Regards,

Adriano Porcaro
