• Status: Solved

How to nat to different addresses based on destination on PIX

I have an inside host on a PIX 501 (6.3) that I want to nat going outside. I have two networks on the outside, A and B.  I want the inside host to nat to address IP1 when going to network A, and address IP2 when going to network B.

I had this previously solved with an IOS router using access-list based static nat, for example:

ip nat inside source list 108 pool netA overload

Where I would define the traffic going to Network A in the access-list and put the IP1 in pool netA.

I need to replicate this on the PIX 501 firewall.
Asked: jamss

1 Solution

batry_boy Commented:
For this example:

192.168.1.10 = inside host IP address
1.1.1.1 = translated address when destination is 5.5.5.0/24
1.1.1.2 = translated address when destination is 6.6.6.0/24

-----BEGIN COMMANDS----
access-list outbound_nat_1 permit ip host 192.168.1.10 5.5.5.0 255.255.255.0
access-list outbound_nat_2 permit ip host 192.168.1.10 6.6.6.0 255.255.255.0
global (outside) 10 1.1.1.1
global (outside) 20 1.1.1.2
nat (inside) 10 access-list outbound_nat_1
nat (inside) 20 access-list outbound_nat_2
-----END COMMANDS----

Post back with any questions.

jamss (Author) Commented:
This is just what I've been looking for. Just one more question please: does the nat_id denote the order by which the rules will be processed? For example, if I already have the following nat:

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

Will the access-list bound ones take precedence or do I need to change the nat_id of the general nat rule?

jamss (Author) Commented:
I've figured it out: the access-list nat rules obviously have precedence over default nat rules. Also, static rules seem to have precedence over nat rules, but I've figured out that I can use policy-based rules there too, e.g.:

static (inside,outside) 1.1.1.1 access-list outbound_acl 0 0

There is, however, one very unfortunate side effect to using policy-based rules like this - the PDM (3.x) stops working.

Anyway, the solution works great, thank you.
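
The rule selection discussed in this thread, as an added example that is not part of any poster's reply and not Cisco code: a simplified Python model that reads the PIX 6.3 lines quoted above and reports which global address a given source/destination pair would be translated to. It assumes policy `nat ... access-list` rules are tried in configuration order before regular `nat` rules (which use the most specific match), and it ignores `static`, `nat 0` and port translation; `take_net`, `parse` and `translate` are names made up for this example.

```python
import ipaddress

# Lines as posted in the thread (PIX 6.3 syntax).
CONFIG = """\
access-list outbound_nat_1 permit ip host 192.168.1.10 5.5.5.0 255.255.255.0
access-list outbound_nat_2 permit ip host 192.168.1.10 6.6.6.0 255.255.255.0
global (outside) 1 interface
global (outside) 10 1.1.1.1
global (outside) 20 1.1.1.2
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (inside) 10 access-list outbound_nat_1
nat (inside) 20 access-list outbound_nat_2
"""

def take_net(tok):
    """Pop 'host A' or 'ADDR MASK' off the front of tok and return the network."""
    first = tok.pop(0)
    if first == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tok.pop(0)}")

def parse(config):
    """Split the config into ACL entries, global pools, policy nat and regular nat."""
    acls, pools, policy, regular = {}, {}, [], []
    for tok in (line.split() for line in config.splitlines() if line.strip()):
        if tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            rest = tok[4:]
            acls.setdefault(tok[1], []).append((take_net(rest), take_net(rest)))
        elif tok[0] == "global":
            pools[tok[2]] = tok[3]                    # nat_id -> address or 'interface'
        elif tok[0] == "nat" and tok[3] == "access-list":
            policy.append((tok[2], tok[4]))           # (nat_id, ACL name)
        elif tok[0] == "nat":
            regular.append((tok[2], take_net(tok[3:])))
    return acls, pools, policy, regular

def translate(config, src, dst):
    """Return the global address chosen for src -> dst, or None if nothing matches."""
    acls, pools, policy, regular = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for nat_id, acl in policy:                        # assumption: policy nat is checked first
        if any(src in s and dst in d for s, d in acls.get(acl, [])):
            return pools.get(nat_id)
    for nat_id, net in sorted(regular, key=lambda r: -r[1].prefixlen):
        if src in net:                                # assumption: most specific regular nat wins
            return pools.get(nat_id)
    return None

if __name__ == "__main__":
    for dst in ("5.5.5.20", "6.6.6.6", "8.8.8.8"):
        print("192.168.1.10 ->", dst, "uses", translate(CONFIG, "192.168.1.10", dst))
```

Running it against a planned rule set before pasting the commands shows which source address each outside network will see, including hosts and destinations that fall through to the default `nat_id` 1 rule.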