How to nat to different addresses based on destination on PIX

I have an inside host on a PIX 501 (6.3) that I want to nat going outside. I have two networks on the outside, A and B.  I want the inside host to nat to address IP1 when going to network A, and address IP2 when going to network B.

I had this previously solved with an IOS router using access-list based static nat, for example:

ip nat inside source list 108 pool netA overload

Where I would define the traffic going to Network A in the access-list and put the IP1 in pool netA.

I need to replicate this on the PIX 501 firewall.
Asked by jamss

batry_boy Commented:
For this example:

192.168.1.10 = inside host IP address
1.1.1.1 = translated address when destination is 5.5.5.0/24
1.1.1.2 = translated address when destination is 6.6.6.0/24

-----BEGIN COMMANDS----
access-list outbound_nat_1 permit ip host 192.168.1.10 5.5.5.0 255.255.255.0
access-list outbound_nat_2 permit ip host 192.168.1.10 6.6.6.0 255.255.255.0
global (outside) 10 1.1.1.1
global (outside) 20 1.1.1.2
nat (inside) 10 access-list outbound_nat_1
nat (inside) 20 access-list outbound_nat_2
-----END COMMANDS----

Post back with any questions.

jamss Author Commented:
This is just what I've been looking for.  Just one more question please: does the nat_id denote the order by which the rules will be processed?  For example, if I already have the following nat:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Will the access-list bound ones take precedence or do I need to change the nat_id of the general nat rule?
jamss Author Commented:
I've figured it out: the access-list nat rules obviously have precedence over default nat rules.  Also, static rules seem to have precedence over nat rules, but I've figured out that I can use policy-based rules there too, e.g.:

static (inside,outside) 1.1.1.1 access-list outbound_acl 0 0

There is however one very unfortunate side effect to using policy based rules like this - the PDM (3.x) stops working.  

Anyway, the solution works great, thank you.