Solved

Configure a NAT rule on Cisco PIX

Posted on 2007-10-04
Last Modified: 2013-11-16
I need to set up a NAT rule on a PIX515 ver 6.3(1).

The rule would NAT an internal range 10.24.96.0/24 to 149.250.95.81
The DMZ segment is internally addressed and I will route this traffic to a router (third party) 10.220.245.18 residing in the DMZ. The traffic from 10.24.96.0/24 should only be NAT'd when destined for 195.203.118.102
Question by:marc_lafferty
13 Comments

Expert Comment

by:grblades
ID: 20015921
What is 195.203.118.102?
I assume it is the router connecting you to the internet and what you really mean is that NAT should be used for any traffic going out to the internet and not just that single IP address?

Expert Comment

by:grblades
ID: 20015946
Generally you will want something like :-

! translate all traffic to this ip address
global (outside) 1 149.250.95.81
! if it comes from the internal network on this ip range (the /24 is 255.255.255.0)
nat (inside) 1 10.24.96.0 255.255.255.0 0 0
! but any traffic between the internal network and the DMZ should not be nat'd
static (inside,dmz) 10.24.96.0 10.24.96.0 netmask 255.255.255.0 0 0

Author Comment

by:marc_lafferty
ID: 20015995
195.203.118.102 is an address reachable via the third party router 10.220.245.18. There is already a rule that translates all traffic to the Internet: global (outside) 1 x.x.x.x

I need to NAT only 10.24.96.0/24 > 149.250.95.81 when trying to reach 195.203.118.102 via router 10.220.245.28

Does that make the question any clearer?  Thanks!

Expert Comment

by:grblades
ID: 20016119
I can't think of any way that can be done. Perhaps if you upgraded to a later version of the operating system the added functionality might enable you to do it, but I am not particularly familiar with the newer operating system so I will have to leave that for someone else to answer.

Expert Comment

by:lrmoore
ID: 20016203
You can use conditional nat, but I think you are going to have to update the PIX OS to at least 6.3(5).  6.3(1) has many many bugs in it.
Here's an example of conditional nat. Notice that the nat # and the global # match, and are unique from the existing global/nat:

 access-list conditional_nat permit ip 10.24.96.0 255.255.255.0 host 195.203.118.102
 nat (dmz) 12 access-list conditional_nat
 global (outside) 12 149.250.95.81


Accepted Solution

by: grblades (earned 1600 total points)
ID: 20016268
Re-reading the author's posting, I believe the traffic is going from the internal network through another router connected to the dmz interface.
Can you confirm whether that is correct?

So :-
access-list conditional_nat permit ip 10.24.96.0 255.255.255.0 host 195.203.118.102
nat (inside) 12 access-list conditional_nat
global (dmz) 12 149.250.95.81

Expert Comment

by:lrmoore
ID: 20016293
That may be it. Without a traffic flow diagram, I get easily confused, but the idea is the same.

Author Comment

by:marc_lafferty
ID: 20016693
That is correct, grblades. I was able to get the first line to work, but I'm having trouble with the syntax of the second two. Will work to figure it out and let you know if it works! Thanks again.

Author Comment

by:marc_lafferty
ID: 20016774
When I try to enter 'nat (inside) 12 access-list conditional_nat' I get the error below. The access list has been created along with the 'global (dmz) 12 149.250.95.81'. Am I missing a step?

nat (inside) 12 access-list conditional_nat
ERROR: invalid nat ID, <12>, with access-list
Usage:  [no] nat [(<if_name>)] <nat_id> <local_ip> [<mask>
                [dns] [outside]
                [<max_conns> [emb_limit> [<norandomseq>]]]]
[no] nat [(if_name)] 0 [access-list <acl-name> [outside]]

Expert Comment

by:grblades
ID: 20016804
I think you can use any number apart from 1 and 0. Maybe there is an upper limit as well. Try :-

nat (inside) 2 access-list conditional_nat
global (dmz) 2 149.250.95.81
Author Comment

by:marc_lafferty
ID: 20016928
I get the same error - must be something else it's not liking.

Assisted Solution

by: lrmoore (earned 400 total points)
ID: 20016950
You have to upgrade to 6.3(5) to get the conditional nat to work...

Author Comment

by:marc_lafferty
ID: 20017040
Thanks to both, will do so and re-post if there is a problem after the upgrade
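Added editor's example (not code from the thread, and not Cisco's): a small Python model of how a PIX 6.3 picks the translation for a new inside-to-dmz or inside-to-outside connection, loaded with the configuration the thread converges on (the existing nat (inside) 1 / global (outside) 1 pair plus the conditional_nat access-list, nat (inside) 12 and global (dmz) 12). It encodes the documented order of operations, nat 0 access-list exemption first, then static, then policy nat (nat <id> access-list), then regular nat, and the rule that a nat <id> only translates when a global with the same <id> exists on the egress interface. Two things are assumptions: 192.0.2.1 stands in for the Internet global the author showed as x.x.x.x, and the policy_nat flag stands in for the version difference (with it off, the model raises the exact "invalid nat ID" error the author got on 6.3(1); the thread says 6.3(5) accepts the command). The static precedence is the caveat worth knowing: if grblades' earlier static (inside,dmz) identity translation for the same /24 is also on the box, it wins and the conditional NAT never fires.

```python
"""Model of how a PIX 6.3 picks the translation for a new connection.

Editor's example, not Cisco code and not the thread author's running config.
Order modelled: nat 0 access-list, then static, then nat <id> access-list
(policy nat), then regular nat; nat <id> needs a global <id> on the egress interface.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PixNat:
    acls: dict = field(default_factory=dict)      # name -> [(src_net, dst_net)]
    nats: list = field(default_factory=list)      # (ifc, id, acl_name|None, net|None)
    globals_: dict = field(default_factory=dict)  # (ifc, id) -> mapped address
    statics: list = field(default_factory=list)   # (real_ifc, mapped_ifc, mapped_net, real_net)
    policy_nat: bool = True  # False mimics the thread's 6.3(1) box, which rejects nat <id> access-list

    def _net(self, tokens):
        # one ACL address spec: 'any', 'host X' or 'X MASK'; returns (network, remaining tokens)
        if tokens[0] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
        if tokens[0] == "host":
            return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
        return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

    def add(self, line):
        """Parse one access-list / nat / global / static line (only the subset used here)."""
        t = line.split()
        if t[0] == "access-list":       # access-list NAME permit ip SRC DST
            src, rest = self._net(t[4:])
            dst, _ = self._net(rest)
            self.acls.setdefault(t[1], []).append((src, dst))
        elif t[0] == "nat":             # nat (IF) ID access-list NAME | nat (IF) ID IP MASK [0 0]
            ifc, nat_id = t[1].strip("()"), int(t[2])
            if t[3] == "access-list":
                if nat_id != 0 and not self.policy_nat:   # the error the author hit on 6.3(1)
                    raise ValueError(f"ERROR: invalid nat ID, <{nat_id}>, with access-list")
                self.nats.append((ifc, nat_id, t[4], None))
            else:
                self.nats.append((ifc, nat_id, None, ipaddress.ip_network(f"{t[3]}/{t[4]}")))
        elif t[0] == "global":          # global (IF) ID IP
            self.globals_[(t[1].strip("()"), int(t[2]))] = t[3]
        elif t[0] == "static":          # static (REAL_IF,MAPPED_IF) MAPPED_IP REAL_IP netmask MASK
            real_ifc, mapped_ifc = t[1].strip("()").split(",")
            mask = t[t.index("netmask") + 1]
            self.statics.append((real_ifc, mapped_ifc, ipaddress.ip_network(f"{t[2]}/{mask}"),
                                 ipaddress.ip_network(f"{t[3]}/{mask}")))
        else:
            raise ValueError("unsupported line: " + line)

    def _acl_hit(self, name, src, dst):
        return any(src in s and dst in d for s, d in self.acls.get(name, []))

    def translate(self, ingress, egress, src, dst):
        """Return (rule_kind, mapped_src) for the first rule the PIX would apply."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 1. nat 0 access-list: exemption, the real address is kept
        for ifc, nat_id, acl, _ in self.nats:
            if ifc == ingress and nat_id == 0 and acl and self._acl_hit(acl, src, dst):
                return "exempt", str(src)
        # 2. static: beats every nat/global pair, a policy nat included
        for real_ifc, mapped_ifc, mapped_net, real_net in self.statics:
            if (real_ifc, mapped_ifc) == (ingress, egress) and src in real_net:
                return "static", str(mapped_net.network_address + (int(src) - int(real_net.network_address)))
        # 3. policy nat (with access-list) before 4. regular nat; both need a global with the same ID
        for want_acl in (True, False):
            for ifc, nat_id, acl, net in self.nats:
                if ifc != ingress or nat_id == 0 or bool(acl) != want_acl:
                    continue
                hit = self._acl_hit(acl, src, dst) if acl else src in net
                if hit and (egress, nat_id) in self.globals_:
                    return ("policy-nat" if acl else "nat"), self.globals_[(egress, nat_id)]
        return "no-xlate", None  # the PIX would log "no translation group found" and drop the packet


# The configuration the thread converges on. 192.0.2.1 is a constructed placeholder
# for the existing Internet global that the author showed as x.x.x.x.
THREAD_CONFIG = [
    "global (outside) 1 192.0.2.1",
    "nat (inside) 1 10.24.96.0 255.255.255.0 0 0",
    "access-list conditional_nat permit ip 10.24.96.0 255.255.255.0 host 195.203.118.102",
    "nat (inside) 12 access-list conditional_nat",
    "global (dmz) 12 149.250.95.81",
]


def build(lines, policy_nat=True):
    pix = PixNat(policy_nat=policy_nat)
    for line in lines:
        pix.add(line)
    return pix


def accepted(lines, policy_nat=True):
    """True if every line parses, False if the box rejects one (as the 6.3(1) box did)."""
    try:
        build(lines, policy_nat=policy_nat)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    pix = build(THREAD_CONFIG)
    print(pix.translate("inside", "dmz", "10.24.96.10", "195.203.118.102"))  # ('policy-nat', '149.250.95.81')
    print(pix.translate("inside", "outside", "10.24.96.10", "203.0.113.7"))  # ('nat', '192.0.2.1')
```

Three results from the model are the ones to check against the real box with show xlate after the upgrade: a flow from 10.24.96.0/24 to 195.203.118.102 leaving on dmz gets 149.250.95.81 from global (dmz) 12; the same source going to the Internet still gets the existing global (outside) 1; and any other inside-to-dmz flow matches nat (inside) 1 but finds no global (dmz) 1, so it is dropped unless a nat 0 access-list or a static covers it. lrmoore's first variant, nat (dmz) 12 with global (outside) 12, never matches a flow that enters on inside, which is why the interface names, not just the IDs, have to follow the traffic path.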
