
PIX NAT to certain global range based on destination address

I'm looking for a way to let our PIX 525s (running OS 6.2(1)) use a select global range of addresses when the users in our network are trying to reach select external sites.

Situation:

On the inside interface we're using 10.194.134.0/23

- When trying to reach 1.1.1.0/24 (inside-2) the pix should not nat

- When trying to reach 2.2.2.0/24 (inside-3) the pix should not nat

- When trying to reach 10.234.0.0/16 (external partner network) the pix should nat to 10.234.3.0/28

- When trying to reach anything else (internet) the pix should nat to 3.3.3.0/27

I was hoping to get this to work using the following config snippet:

!
access-list from-inside-to-local-lan permit ip 10.194.134.0 255.255.254.0 1.1.1.0 255.255.255.0
access-list from-inside-to-local-lan permit ip 10.194.134.0 255.255.254.0 2.2.2.0 255.255.255.0
!
access-list from-inside-to-partner-lan permit ip 10.194.134.0 255.255.254.0 10.234.0.0 255.255.0.0
!
! 1st global range
global (outside) 1 10.234.3.1-10.234.3.14 netmask 255.255.255.240
!
! overload 1st range
global (outside) 1 10.234.3.15
!
! 2nd global range
global (outside) 2 3.3.3.1-3.3.3.29 netmask 255.255.255.224
!
! overload 2nd range
global (outside) 2 3.3.3.30
!
!
nat (inside) 0 access-list from-inside-to-local-lan
!
! use 1st global range for partner traffic
nat (inside) 1 access-list from-inside-to-partner-lan
!
! use 2nd global range for all other traffic
nat (inside) 2 0.0.0.0 0.0.0.0 0 0
!
end

Consider the nat statements sort of equivalent to a route-map on an IOS device; in this case the nat statement is meant to fall through to the 2nd option if the first doesn't match, and to fall through to the 3rd option if the 2nd doesn't match (and so on...).

Unfortunately it seems that access-lists can only be combined with the "nat 0" statement.

If there is somebody out there who has ever faced a similar challenge and who has found a solution, I'd be very interested to hear it. If not, I'd like to file a feature request ;-)

Many thanks!

Frans

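To make the intended first-match fall-through concrete, here is an added Python model of the policy described in the post above; it is not PIX code and not part of the original thread. The rule order (nat 0 bypass, then the partner ACL with global pool 1, then the catch-all with global pool 2) and the addresses are taken from the post; the assumption that a single-address `global` for the same id is used as the PAT fallback once the range is exhausted is the model's own.

```python
import ipaddress

# Networks from the post: inside hosts, nat 0 destinations, partner network.
INSIDE = ipaddress.ip_network("10.194.134.0/23")
NAT0_DESTS = [ipaddress.ip_network("1.1.1.0/24"),   # inside-2, no nat
              ipaddress.ip_network("2.2.2.0/24")]   # inside-3, no nat
PARTNER = ipaddress.ip_network("10.234.0.0/16")     # partner network, pool 1


class GlobalPool:
    """One 'global (outside) <id>' set: a dynamic range plus a PAT address.
    Assumption of this model: hosts get a one-to-one address from the range
    until it is exhausted, after which they share the single PAT address."""

    def __init__(self, first, last, pat):
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.free = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
        self.xlate = {}   # inside host -> global address already assigned
        self.pat = pat

    def translate(self, src):
        if src not in self.xlate:
            self.xlate[src] = self.free.pop(0) if self.free else self.pat
        return self.xlate[src]


def select_global(src, dst, pools):
    """First matching nat rule wins; returns the address the flow leaves with."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s not in INSIDE:
        return None                       # no nat rule covers this source
    if any(d in n for n in NAT0_DESTS):   # nat (inside) 0 access-list: bypass
        return src
    if d in PARTNER:                      # nat (inside) 1 access-list: pool 1
        return pools[1].translate(src)
    return pools[2].translate(src)        # nat (inside) 2 0.0.0.0 0.0.0.0: rest


def simulate(flows):
    """Run (src, dst) pairs through the policy with fresh pools, in order."""
    pools = {1: GlobalPool("10.234.3.1", "10.234.3.14", "10.234.3.15"),
             2: GlobalPool("3.3.3.1", "3.3.3.29", "3.3.3.30")}
    return [select_global(src, dst, pools) for src, dst in flows]


if __name__ == "__main__":
    for flow, out in zip(FLOWS := [("10.194.134.10", "1.1.1.5"),
                                   ("10.194.134.10", "10.234.7.7"),
                                   ("10.194.134.10", "8.8.8.8")], simulate(FLOWS)):
        print(flow, "->", out)
```

Feeding the same host to each destination class shows the three outcomes the post asks for, and pushing more than 14 hosts at the partner network shows where the PAT address takes over.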
1 REPLY

Re: PIX NAT to certain global range based on destination address

- When trying to reach 1.1.1.0/24 (inside-2) the pix should not nat

- When trying to reach 2.2.2.0/24 (inside-3) the pix should not nat

"Bypassing nat":

nat (inside) 0 access-list command will do

- When trying to reach 10.234.0.0/16 (external partner network) the pix should nat to 10.234.3.0/28

- When trying to reach anything else (internet) the pix should nat to 3.3.3.0/27

"policy natting":

It is very easy to do it in a router with "route-map" command, but in a PIX, we do not support it at this moment.

If you really need this feature, please go ahead to file a feature request.

Best Regards,
