Cisco Support Community

New Member

Public and Private IPs on the Same Interface using NAT Exemption/Policy NAT

I'm looking for some feedback on whether my thoughts on the setup below will work.

Equipment: PIX 515E 6.2(2)

Scenario:

The inside interface of the PIX will host 3 IP address blocks - 2 public /24 blocks and 1 private /16 block. (All IPs have been replaced with dummy blocks.)

Public Blocks:

* 192.168.10.0/24

* 192.168.20.0/24

Private Block:

* 10.50.0.0/16

Traffic from the 2 public /24 blocks should pass through the firewall without address translation.

The two public blocks will need to be able to receive connections initiated from the Internet.

The public blocks will need to be able to send/receive traffic over a static VPN tunnel to our corporate office without being subject to address translation.

Outbound traffic from the private /16 block should be subject to PAT before passing through the firewall.

The private /16 block will not be receiving inbound traffic from the Internet (aside from responses to outbound connections initiated from within the private block).

However, the private block will also need to be able to send/receive traffic over a static VPN tunnel to our corporate office *without* being subject to address translation (i.e. hosts on our corporate network will need to be able to initiate connections to the private block, and vice versa).

The inside interface of the PIX will be connected to a Catalyst 3xxx series layer 3 switch, which will handle all internal routing (so the PIX will never be routing traffic back out the interface on which it was received).

My ideas on how to set this up are as follows:

* Use NAT exemption to exempt the public blocks from address translation. This will allow inbound and outbound connections through the firewall.

* Use NAT exemption to exempt the private block from address translation when connecting to our corporate office over the VPN tunnel.

* Use policy NAT w/ PAT to translate the private block when connecting to all other hosts.

I've translated these thoughts into the configuration excerpt below.

Because NAT exemption is processed before policy NAT when evaluating NAT rules, my understanding is that this should allow the public IP blocks to handle inbound/outbound traffic without translation, while subjecting the private block to translation (except when handling inbound/outbound connections to/from our corporate office network).

Can anyone confirm my suppositions on this?

# ----------------------------------------------------------------------
# traffic that should be exempt from translation
access-list nat_exempt permit ip 192.168.10.0 255.255.255.0 any
access-list nat_exempt permit ip 192.168.20.0 255.255.255.0 any
access-list nat_exempt permit ip 10.50.0.0 255.255.0.0 10.100.0.0 255.255.0.0
# traffic that should be subject to translation
access-list policy_nat permit ip 10.50.0.0 255.255.0.0 any
# assume 192.168.5.1 is the address to be used for PAT
global (outside) 1 192.168.5.1
nat (inside) 0 access-list nat_exempt
nat (inside) 1 access-list policy_nat
# assume 192.168.10.7 is the IP of the inside layer 3 switch
route inside 192.168.10.0 255.255.255.0 192.168.10.7 1
route inside 192.168.20.0 255.255.255.0 192.168.10.7 1
route inside 10.50.0.0 255.255.0.0 192.168.10.7 1
# assume the following config sections appear elsewhere: static VPN tunnel, ACLs, ifconfig, etc.
# ----------------------------------------------------------------------

1 ACCEPTED SOLUTION
Cisco Employee

Re: Public and Private IPs on the Same Interface using NAT Exemp

Yeah, that'll work, although you don't need policy NAT for the 10.50.0.0 network. To PAT the 10.50.0.0 network when destined for anywhere (except over the VPN) just do:

global (outside) 1 192.168.15.1

nat (inside) 1 10.50.0.0 255.255.0.0

As I said, what you've got will work fine; the above is just a simpler way to do it.
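To check the reasoning in the question (NAT exemption is evaluated before policy NAT, so the 10.50.0.0/16 to corporate traffic stays untranslated) and the simplification in the accepted answer (a plain nat (inside) 1 for the private block gives the same result), here is a small model of the PIX inside-to-outside NAT decision. It is an added example written for this page, not code from the thread or from Cisco: the rule sets mirror the two configurations posted above, the sample flows and the 203.0.113.x Internet destination are constructed, and the evaluation order modelled (nat 0 access-list, then nat with an access-list, then regular nat by most specific source match) is the documented PIX order with static NAT left out because the thread does not use it.

```python
from ipaddress import ip_address, ip_network

# Constructed rule sets mirroring the thread's configuration (dummy address
# blocks as in the post). The evaluation order modelled here is:
# NAT exemption first, then policy NAT, then regular dynamic NAT/PAT.
NAT_EXEMPT_ACL = [
    ("192.168.10.0/24", "0.0.0.0/0"),    # public block -> any destination
    ("192.168.20.0/24", "0.0.0.0/0"),    # public block -> any destination
    ("10.50.0.0/16", "10.100.0.0/16"),   # private block -> corporate over the VPN
]
POLICY_NAT_ACL = [("10.50.0.0/16", "0.0.0.0/0")]

# Original poster's configuration: exemption plus policy NAT with PAT.
POSTER_CONFIG = {
    "exempt": NAT_EXEMPT_ACL,
    "policy": [(1, POLICY_NAT_ACL)],       # nat (inside) 1 access-list policy_nat
    "regular": [],
    "global": {1: "192.168.5.1"},          # global (outside) 1 192.168.5.1
}

# Accepted reply's simplification: same exemption, plain regular NAT for 10.50/16.
REPLY_CONFIG = {
    "exempt": NAT_EXEMPT_ACL,
    "policy": [],
    "regular": [(1, "10.50.0.0/16")],      # nat (inside) 1 10.50.0.0 255.255.0.0
    "global": {1: "192.168.15.1"},         # global (outside) 1 192.168.15.1
}


def acl_permits(acl, src, dst):
    """True if any (source, destination) entry of the ACL matches the flow."""
    return any(src in ip_network(s) and dst in ip_network(d) for s, d in acl)


def translate(config, src, dst):
    """Return (decision, outside address) for a flow leaving the inside interface."""
    src, dst = ip_address(src), ip_address(dst)
    # 1. nat 0 access-list: exempt flows are never translated, whatever follows.
    if acl_permits(config["exempt"], src, dst):
        return ("exempt", str(src))
    # 2. nat <id> access-list (policy NAT), in configured order.
    for nat_id, acl in config["policy"]:
        if acl_permits(acl, src, dst):
            return ("pat", config["global"][nat_id])
    # 3. nat <id> <net> <mask> (regular NAT): the most specific source match wins.
    best = None
    for nat_id, net in config["regular"]:
        n = ip_network(net)
        if src in n and (best is None or n.prefixlen > best[1].prefixlen):
            best = (nat_id, n)
    if best is not None:
        return ("pat", config["global"][best[0]])
    # No matching rule: PIX 6.x requires a NAT rule for inside-to-outside
    # traffic, so such a flow would not pass the firewall.
    return ("no-rule", str(src))


# Constructed sample flows covering each case raised in the thread.
SAMPLE_FLOWS = [
    ("192.168.10.25", "203.0.113.9"),   # public block -> Internet
    ("192.168.20.3", "10.100.4.4"),     # public block -> corporate over VPN
    ("10.50.7.7", "10.100.4.4"),        # private block -> corporate over VPN
    ("10.50.7.7", "203.0.113.9"),       # private block -> Internet
]


def classify(config):
    """Map each sample flow to its NAT decision under the given configuration."""
    return {f"{s}->{d}": translate(config, s, d) for s, d in SAMPLE_FLOWS}


if __name__ == "__main__":
    for name, cfg in (("poster", POSTER_CONFIG), ("reply", REPLY_CONFIG)):
        print(name)
        for flow, result in classify(cfg).items():
            print(f"  {flow}: {result}")
```

Both configurations give the same decisions for the four flows: the public blocks and the private-to-corporate traffic fall into the exemption and leave untranslated, and only private-to-Internet traffic reaches the PAT rule. The one difference is the PAT address, because the reply used 192.168.15.1 where the question used 192.168.5.1. The model also shows why the exemption entry for 10.50.0.0/16 must stay in place in the simplified version: removing it would let the regular nat 1 rule catch the VPN-bound traffic too.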
