Cisco Support Community
Community Member

PIX 6.3.3 policy NAT problems

I'm curious to see if anyone can help with my situation. I currently do not NAT on my inside interface:

NAT 0 0.0.0.0 0.0.0.0

I need to start doing policy NAT for some internal hosts going from inside private IPs to certain sites off of one of my DMZ interfaces. My problem is that this:

Global (DMZ4) 5 199.19.19.2

NAT (inside) 5 access-list DMZ-NAT

NAT (inside) 0 0.0.0.0 0.0.0.0

I need to NAT only the inside traffic that matches the access list. If it doesn't match the access-list, I don't want to NAT it at all. When I try to test this out, I see the inside traffic matching the inside access-list and being routed to the DMZ4 interface. However, the traffic is never NAT'd. I never see the source IP getting translated to 199.19.19.2. Any suggestions???

5 REPLIES

Re: PIX 6.3.3 policy NAT problems

Hi .. I suggest using policy NAT for nat 0 as well, instead of NAT exemption for the whole inside segment ..

nat (inside) 0 access-list NO_NAT

access-list NO_NAT permit ... etc

I hope it helps ... please rate if it does !!!

Community Member

Re: PIX 6.3.3 policy NAT problems

My problem is that I only need to NAT one IP on the inside interface when it goes to a specific server. I'll NAT it and dump it into my VPN tunnel. The problem is it's going to a Web server (port 80). The IP is the NAT address of my internal firewall. If the traffic doesn't match the ACL, then it should go out to the Internet as is. How can I do policy NAT for nat 0 and tell it to NAT to one location, but not NAT for the rest of the Internet???

Community Member

Re: PIX 6.3.3 policy NAT problems

If you are going to implement policy NAT, PDM will not function properly. You will only be able to use the Home and Monitor tabs. I am using PDM version 3.04.

Silver

Re: PIX 6.3.3 policy NAT problems

This allows you to NAT an address to a specific address when going to a specific server on port 80.

access-list WEB permit tcp 10.1.2.0 255.255.255.0 65.x.x.1 255.255.255.255 eq 80

nat (inside) 1 access-list WEB

global (outside) 1 209.x.x.1 255.255.255.255
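As an added illustration (not code from this thread or from Cisco), the following Python model shows how a policy NAT access-list like the one above decides which packets get their source translated to the global address, while everything that misses the ACL keeps its original source under nat 0. The client, server and global addresses are constructed, since the real ones are masked in the post; the parser only covers the ACE shapes used in this thread (`any`, `host A`, `A MASK`, optional `eq PORT`).

```python
import ipaddress
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int


def _parse_addr(tokens, i):
    """Parse one PIX address spec ('any', 'host A', or 'A MASK'); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    # PIX ACLs use real subnet masks (not wildcard masks); ipaddress accepts "addr/mask"
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    t = line.split()
    name, action, proto = t[1], t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    port: Optional[int] = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"acl": name, "permit": action == "permit", "proto": proto,
            "src": src, "dst": dst, "dport": port}


def ace_matches(ace, pkt: Packet) -> bool:
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in ace["src"]:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace["dst"]:
        return False
    return ace["dport"] is None or ace["dport"] == pkt.dport


def translate_source(pkt: Packet, policy_acl, global_ip: str) -> str:
    """Policy NAT: first matching permit ACE translates the source to the global address.
    A deny ACE, or no match at all, leaves the source untouched (the nat 0 identity case)."""
    for ace in policy_acl:
        if ace_matches(ace, pkt):
            return global_ip if ace["permit"] else pkt.src
    return pkt.src


# Constructed values mirroring the answer above: inside /24 to one web server only.
WEB_ACL = [parse_ace("access-list WEB permit tcp 10.1.2.0 255.255.255.0 host 192.0.2.10 eq 80")]
GLOBAL_IP = "203.0.113.1"  # constructed stand-in for the masked global address
```

Run the matcher against a few packets to confirm that only TCP/80 from the inside subnet to the listed server is translated, and that other ports, other servers, other protocols and other source subnets all pass through untranslated.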

Community Member

Re: PIX 6.3.3 policy NAT problems

Hi!

I have the same topology.

In my case I use:

static (inside,DMZ_Client) 192.168.162.201 access-list inside_client

access-list inside_client extended permit ip host 10.10.1.1 10.250.0.0 255.255.192.0

Regards,

Adriano Porcaro
