how to select a certain traffic for NAT on a PIX? 10 years 1 month ago #17451

eeee | New Member | Posts: 9 | Karma: 0
Hi all,

I have a PIX 525 and it is on IOS 701. I have allowed all traffic to bypass PIX for outbound traffic. I want to add a new network behind PIX using the same inside interface for outbound connection. But I would like to use NAT just for this network for outbound.

How can I do this selection for NAT?

Regards,

e

Re: how to select a certain traffic for NAT on a PIX? 10 years 1 month ago #17462

Smurf | Moderator | Posts: 1390 | Karma: 1
I have allowed all traffic to bypass PIX for outbound traffic.

I'm afraid I don't fully understand your question; the above statement seems a little odd. Why would you have a PIX in place and then want to bypass it?

Anyhow, here is what I think you need to know.

If you have configured something like this in your PIX config:

    global (outside) 1 interface

This sets up a NAT-translated IP address for your NATting. This will basically use PAT because it's picking the IP address that's bound to the outside interface. If you have a full subnet from your ISP you may have actually selected a pool of NAT addresses, like this:

    global (outside) 1 192.168.0.1 - 192.168.0.100

What that will do is set up a direct IP-to-IP NAT translation for the first 99 clients that connect; the rest will use PAT on the last address, 192.168.0.100.

Finally, you need to select the addresses that will use this global NAT statement; this is the bit you need...

If you have configured a new subnet, say 10.10.10.0/24, in your inside network which routes through the inside interface to get to the internet, you configure your PIX like this to just let that subnet NAT through:

    nat (inside) 1 10.10.10.0 255.255.255.0

The number 1 is just linking the two statements. If you had a DMZ off the PIX on an interface called DMZ with a subnet of 172.16.0.0/24 and you wanted that to also translate, you would configure the following nat statement:

    nat (dmz) 1 172.16.0.0 255.255.255.0

See how we have also linked this statement to the global pool of addresses to NAT against by selecting the number 1.

Hope it helps ya

Wayne
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
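To make the nat/global linkage in the reply above concrete, here is an added example (not part of the thread or any Cisco tool) that parses nat and global statements in the form shown, resolves them through the shared NAT id, and reports how a given source address would be translated. It assumes PIX 7.x semantics as commonly documented: first matching nat statement for the ingress interface wins, nat id 0 means identity (no translation), an unmatched source passes untranslated unless nat-control is on; it ignores static and access-list based NAT.

```python
import ipaddress
import re

# Constructed sample config built from the commands in the reply above:
# PAT on the outside interface, shared by the inside and DMZ subnets via nat id 1.
SAMPLE_CONFIG = """
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
nat (dmz) 1 172.16.0.0 255.255.255.0
"""

GLOBAL_RE = re.compile(r"^global\s+\((\S+)\)\s+(\d+)\s+(.+)$")
NAT_RE = re.compile(r"^nat\s+\((\S+)\)\s+(\d+)\s+(\S+)\s+(\S+)$")


def parse_config(text):
    """Return ({nat_id: [(egress_iface, pool)]}, [(ingress_iface, nat_id, network)])."""
    globals_by_id, nat_rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = GLOBAL_RE.match(line)
        if m:
            iface, nat_id, pool = m.groups()
            globals_by_id.setdefault(int(nat_id), []).append((iface, pool.strip()))
            continue
        m = NAT_RE.match(line)
        if m:
            iface, nat_id, net, mask = m.groups()
            nat_rules.append((iface, int(nat_id), ipaddress.ip_network(f"{net}/{mask}")))
    return globals_by_id, nat_rules


def translation_for(config_text, src_ip, ingress_iface, egress_iface):
    """Describe how traffic from src_ip entering ingress_iface is translated leaving egress_iface."""
    globals_by_id, nat_rules = parse_config(config_text)
    ip = ipaddress.ip_address(src_ip)
    for iface, nat_id, net in nat_rules:  # first matching nat statement wins
        if iface == ingress_iface and ip in net:
            if nat_id == 0:
                return "no translation (nat 0 identity NAT)"
            for g_iface, pool in globals_by_id.get(nat_id, []):
                if g_iface == egress_iface:
                    if pool == "interface":
                        return f"PAT to {egress_iface} interface address (id {nat_id})"
                    return f"NAT from pool {pool} (id {nat_id})"
            return f"nat id {nat_id} has no global on {egress_iface}: no translation available"
    return "no nat statement matches: untranslated (dropped if nat-control is enabled)"
```

Run it against your own `show running-config` output to audit which subnets share a global pool before adding the new network.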