marc_lafferty
asked on
Configure a NAT rule on Cisco PIX
I need to set up a NAT rule on a PIX515 ver 6.3(1).
The rule would NAT an internal range 10.24.96.0/24 to 149.250.95.81
The DMZ segment is internally addressed and I will route this traffic to a router (third party) 10.220.245.18 residing in the DMZ. The traffic from 10.24.96.0/24 should only be NAT'd when destined for 195.203.118.102
Generally you will want something like :-
! translate all traffic to this ip address
global (outside) 1 149.250.95.81
! if it comes from the internal network on this ip range (a /24, so the mask is 255.255.255.0)
nat (inside) 1 10.24.96.0 255.255.255.0 0 0
! but any traffic between the internal network and the DMZ should not be nat'd (identity static)
static (inside,dmz) 10.24.96.0 10.24.96.0 netmask 255.255.255.0 0 0
ASKER
195.203.118.102 is an address reachable via the third party router 10.220.245.18. There is already a rule that translates all traffic to the Internet: global (outside) 1 x.x.x.x
I need to NAT only 10.24.96.0/24 > 149.250.95.81 when trying to reach 195.203.118.102 via router 10.220.245.28
Does that make the question any clearer? Thanks!
I can't think of any way that can be done. Perhaps if you upgraded to a later version of the operating system the added functionality might enable you to do it, but I am not particularly familiar with the newer operating system so I will have to leave that for someone else to answer.
You can use conditional nat, but I think you are going to have to update the PIX OS to at least 6.3(5). 6.3(1) has many many bugs in it.
Here's an example of conditional nat. Notice that the nat # and the global # match, and are unique from the existing global/nat:
access-list conditional_nat permit ip 10.24.96.0 255.255.255.0 host 195.203.118.102
nat (dmz) 12 access-list conditional_nat
global (outside) 12 149.250.95.81
ASKER CERTIFIED SOLUTION
That may be it. Without a traffic flow diagram, I get easily confused, but the idea is the same.
ASKER
That is correct, grblades. I was able to get the first line to work, but having trouble with the syntax of the second two. Will work to figure it out and let you know if it works! Thanks again
ASKER
When I try to enter 'nat (inside) 12 access-list conditional_nat' I get the error below. The access list has been created along with the 'global (dmz) 12 149.250.95.81'. Am I missing a step?
nat (inside) 12 access-list conditional_nat
ERROR: invalid nat ID, <12>, with access-list
Usage: [no] nat [(<if_name>)] <nat_id> <local_ip> [<mask>
[dns] [outside]
[<max_conns> [emb_limit> [<norandomseq>]]]]
[no] nat [(if_name)] 0 [access-list <acl-name> [outside]]
I think you can use any number apart from 1 and 0. Maybe there is an upper limit as well. Try :-
nat (inside) 2 access-list conditional_nat
global (dmz) 2 149.250.95.81
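To make the translation lookup that this thread is circling around concrete (the first answer's nat/global pair plus identity static, and the conditional NAT pair just above), here is a small Python model added for this page. It is not Cisco's code and not the thread's; the addresses are the ones in the thread, the redacted "global (outside) 1 x.x.x.x" is replaced by a labelled placeholder, the helper names are mine, and the lookup order it assumes (static, then policy NAT matched on source and destination, then regular NAT matched on source only) is the documented PIX 6.3 order.

```python
"""Toy model of PIX 6.3 translation selection, written for this page to
illustrate the thread's nat/global/static rules.  Not Cisco code."""
import ipaddress


def net(cidr):
    """Parse a CIDR string; strict=False tolerates host bits in the input."""
    return ipaddress.ip_network(cidr, strict=False)


# Constructed placeholder for the thread's redacted "global (outside) 1 x.x.x.x"
# (RFC 5737 documentation range, not a real address from the thread).
EXISTING_OUTSIDE_GLOBAL = "203.0.113.1"

# nat (inside) 1 10.24.96.0 255.255.255.0  /  global (outside) 1 x.x.x.x
REGULAR_NAT = [
    {"nat_id": 1, "from_if": "inside", "local": net("10.24.96.0/24"),
     "globals": {"outside": EXISTING_OUTSIDE_GLOBAL}},
]

# access-list conditional_nat permit ip 10.24.96.0 255.255.255.0 host 195.203.118.102
# nat (inside) 2 access-list conditional_nat  /  global (dmz) 2 149.250.95.81
POLICY_NAT = [
    {"nat_id": 2, "from_if": "inside",
     "acl": [(net("10.24.96.0/24"), net("195.203.118.102/32"))],
     "globals": {"dmz": "149.250.95.81"}},
]

# static (inside,dmz) 10.24.96.0 10.24.96.0 netmask 255.255.255.0  (identity)
IDENTITY_STATIC = [
    {"from_if": "inside", "to_if": "dmz",
     "real": net("10.24.96.0/24"), "mapped": net("10.24.96.0/24")},
]


def validate_ids(policy=POLICY_NAT, regular=REGULAR_NAT):
    """Return configuration problems of the kind discussed in the thread:
    a nat ID reused by two nat statements, ID 0 used with an access-list
    (on this PIX that syntax is NAT exemption, not policy NAT), or a nat
    statement with no global on any interface."""
    problems = []
    seen = set()
    for rule in policy + regular:
        nid = rule["nat_id"]
        if nid in seen:
            problems.append(f"nat ID {nid} used by more than one nat statement")
        seen.add(nid)
        if not rule["globals"]:
            problems.append(f"nat ID {nid} has no matching global")
    for rule in policy:
        if rule["nat_id"] == 0:
            problems.append("nat 0 access-list is exemption, not policy NAT")
    return problems


def translate(src, dst, from_if, to_if, statics=(),
              policy=POLICY_NAT, regular=REGULAR_NAT):
    """Return the translated source address for a flow from from_if to to_if,
    or None when nothing matches (the PIX then builds no translation).
    Assumed lookup order: static, then policy NAT, then regular NAT."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. statics for this interface pair (an identity static maps 1:1)
    for st in statics:
        if st["from_if"] == from_if and st["to_if"] == to_if and s in st["real"]:
            offset = int(s) - int(st["real"].network_address)
            return str(st["mapped"].network_address + offset)
    # 2. policy NAT: the access-list must match source AND destination,
    #    and a global with the same ID must exist on the egress interface
    for rule in policy:
        if rule["from_if"] != from_if:
            continue
        if any(s in sn and d in dn for sn, dn in rule["acl"]):
            mapped = rule["globals"].get(to_if)
            if mapped:
                return mapped
    # 3. regular NAT keyed on source only
    for rule in regular:
        if rule["from_if"] == from_if and s in rule["local"]:
            mapped = rule["globals"].get(to_if)
            if mapped:
                return mapped
    return None


if __name__ == "__main__":
    print(translate("10.24.96.7", "195.203.118.102", "inside", "dmz"))
    print(translate("10.24.96.7", "195.203.118.102", "inside", "dmz",
                    statics=IDENTITY_STATIC))
    print(translate("10.24.96.7", "192.0.2.10", "inside", "outside"))
    print(validate_ids())
```

The second call in the main block is the caveat worth knowing before combining the two answers' snippets: under the assumed order an identity static on the (inside,dmz) pair is consulted before the policy NAT, so it would hand 10.24.96.x through untranslated even when the destination is 195.203.118.102. validate_ids() reproduces the ID checks the conditional NAT answer calls out (policy and regular nat IDs must differ, and 0 is reserved for exemption); it does not model the "invalid nat ID with access-list" error the asker saw, which the thread attributes to the 6.3(1) build.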
ASKER
I get the same error. Must be something else it's not liking.
SOLUTION
ASKER
Thanks to both, will do so and re-post if there is a problem after the upgrade
I assume it is the router connecting you to the internet and what you really mean is that NAT should be used for any traffic going out to the internet and not just that single IP address?