Cisco Support Community
Community Member

PIX: Nat source based on destination.

I have not been able to find anything allowing me to perform the following.

I need to PAT a subnet residing on the outside interface when making a connection to a specific host (host A) reachable via the inside interface. I don't want the outside addresses translated when connecting to anything else. My default gateway is via the inside interface.

I have tried using the nat (outside) command along with a global command on a specific interface (interface mins). I have added a route to HostA via a separate interface. My thoughts were that traffic would pass this interface to reach the particular host and be nat'd. All other traffic would use the inside interface and not be nat'd. The location of this interface and the routing in place would cause the response to go this separate interface.

I received the following error via syslog:

%PIX-3-305006: Regular translation creation failed for protocol src int_name:IP_addr/port dst int_name:IP_addr/port

Thanks in advance,


Cisco Employee

Re: PIX: Nat source based on destination.

The following should do the trick for you (you don't need to have a specific route to another interface just for this host, you can leave it on the inside):

> name hostA
> name OutsideNetwork
> access-list 150 deny ip OutsideNetwork host hostA
> access-list 150 permit ip any any
> global (inside) 2 interface
> nat (outside) 0 access-list 150 outside
> nat (outside) 2 OutsideNetwork outside 0 0

You'll also need the normal:

> global (outside) 1 interface
> nat (inside) 1 0 0 0

to allow your internal users to go out.
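A fuller version of that configuration, written here as an added illustration rather than quoted from the reply above: it uses constructed documentation addresses (192.0.2.10 for hostA, 198.51.100.0/24 for OutsideNetwork), and adds the identity static and an inbound access-list (assumed service: TCP/443) so the outside hosts can reach hostA at its real address.

```cisco
: Constructed addresses (documentation ranges), not taken from the thread
names
name 192.0.2.10 hostA
name 198.51.100.0 OutsideNetwork

: Exemption list: every flow EXCEPT OutsideNetwork -> hostA keeps its real source
access-list 150 deny ip OutsideNetwork 255.255.255.0 host hostA
access-list 150 permit ip any any
nat (outside) 0 access-list 150 outside

: Only the flow denied above falls through to this policy: PAT it to the
: inside interface address, so hostA sees one client IP for the whole subnet
global (inside) 2 interface
nat (outside) 2 OutsideNetwork 255.255.255.0 outside 0 0

: Ordinary inside -> outside PAT for internal users
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0

: Identity static so hostA is addressable from the outside by its own IP,
: plus an inbound ACL restricting what OutsideNetwork may open to it
static (inside,outside) hostA hostA netmask 255.255.255.255
access-list outside_in permit tcp OutsideNetwork 255.255.255.0 host hostA eq 443
access-group outside_in in interface outside
```

After applying it, `show xlate` should list PAT entries for OutsideNetwork hosts only while they are talking to hostA. Because hostA will then log every such client as the PIX inside interface address, the PIX syslog is the only record that still ties each connection to its real outside source.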

Community Member

Re: PIX: Nat source based on destination.

Thank you very much, I'll certainly give this a try. That is very clever!

The nat (outside) 0 access-list 150 outside will still allow both hosts outside and inside to initiate connections to each other via their actual IPs, right? I will need to statically NAT the inside hosts to their own addresses on the outside. Assuming my ACLs are correct, it seems like I should be ok.

I'm using PIXes in somewhat of an odd fashion. My Internet facing firewalls are Checkpoint. I then use PIXes between the DMZ and the corporate network. There is one host on the inside that charges fees per connecting IP address, hence the need for the PAT. :)

I'm fairly new to PIXes, I've been a long time user of that other firewall. :)



Community Member

Re: PIX: Nat source based on destination.

That worked great!

Thanks for your help!
