Velocity Reviews - Computer Hardware Reviews

PIX - mixing "nat 0 access-list" with nat/global pools

Matthew Melbourne
      02-08-2005
Is it possible to mix "nat 0 access-list" for connections between two PIX
interfaces, and have nat/global for connections between two other
interfaces?

For example, if the three interfaces are 10.0.100.0/24, 10.0.50.0/24 and
10.0.30.0/24 (where the third octet also specifies security level), and
NAT isn't required between 10.0.100.0/24 and 10.0.50.0/24, but is needed
between 10.0.100.0/24 and 10.0.30.0/24, would the following work:

access-list NONAT permit ip 10.0.100.0 255.255.255.0 10.0.50.0 255.255.255.0
access-list NONAT permit ip 10.0.50.0 255.255.255.0 10.0.100.0 255.255.255.0

nat (inside) 0 access-list NONAT
nat (inside) 1 10.0.100.0 255.255.255.0
global (net-30) 1 10.0.30.254

Will the PIX still proxy ARP for NATed addresses on the net-30 interface?

Cheers,

Matt

--
Matthew Melbourne
Mark W. Dufault
      02-12-2005
I believe you can just:

nat (inside) 0 10.0.50.0 255.255.255.0

I also believe the access-list NONAT thing you refer to is mainly to make an
exception to the normal nat rule by specifying something specific in the
access-list to exclude.


"Matthew Melbourne" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> Is it possible to mix "nat 0 access-list" for connections between two PIX
> interfaces, and have nat/global for connections between two other
> interfaces?
>
> For example, if the three interfaces are 10.0.100.0/24, 10.0.50.0/24 and
> 10.0.30.0/24 (where the third octet also specifies security level), and
> NAT isn't required between 10.0.100.0/24 and 10.0.50.0/24, but is needed
> between 10.0.100.0/24 and 10.0.30.0/24, would the following work:
>
> access-list NONAT permit ip 10.0.100.0 255.255.255.0 10.0.50.0 255.255.255.0
> access-list NONAT permit ip 10.0.50.0 255.255.255.0 10.0.100.0 255.255.255.0
>
> nat (inside) 0 access-list NONAT
> nat (inside) 1 10.0.100.0 255.255.255.0
> global (net-30) 1 10.0.30.254
>
> Will the PIX still proxy ARP for NATed addresses on the net-30 interface?
>
> Cheers,
>
> Matt
>
> --
> Matthew Melbourne

Matthew Melbourne
      02-12-2005
In article <%qoPd.663$DG5.109@lakeread07>,
Mark W. Dufault <(E-Mail Removed)> wrote:
> I believe you can just:
>
> nat (inside) 0 10.0.50.0 255.255.255.0
>
> I also believe the access-list NONAT thing you refer to is mainly to
> make an exception to the normal nat rule by specifying something
> specific in the access-list to exclude.


Not sure about that; nat 0 is "identity NAT", and 10.0.50.0/24 isn't the
range for the inside interface. I require something different: basically,
to disable NAT between the inside interface and, say, interface A but also
perform NAT between the inside interface and interface B.

I'm sure it would be possible using net statics:

static (inside,net-50) 10.0.100.0 255.255.255.0 10.0.100.0 255.255.255.0
nat (inside) 1 10.0.100.0 255.255.255.0
global (net-30) 1 10.0.30.254

However, although the net static was configured previously, we did notice
that many individual statics were created, on a per-connection basis, even
though the ACL applied to the interface denied the traffic (almost as if
the static was created first, before the ACL was checked). This was an
issue when infected hosts were sending ICMP echos to random machines on
the inside interface (assuming each static translation requires a finite
amount of memory). NAT 0 access-list doesn't require static translations
to be maintained.

So, if we want to effectively disable NAT between the inside interface and
the net-50 interface, but enable NAT (PAT in this example) between the
inside interface and net-30, would the following work? The traffic between
the inside interface and net-30 interface does not match the NONAT ACL.

access-list NONAT permit ip 10.0.100.0 255.255.255.0 10.0.50.0 255.255.255.0
access-list NONAT permit ip 10.0.50.0 255.255.255.0 10.0.100.0 255.255.255.0

nat (inside) 0 access-list NONAT
nat (inside) 1 10.0.100.0 255.255.255.0
global (net-30) 1 10.0.30.254

Also, does the use of "nat 0 access-list" disable proxy ARP for NATed
addresses on other interfaces, e.g. the PATed address on the net-30
interface?

Cheers,

Matt

--
Matthew Melbourne
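The lookup order the thread is asking about, as an added example that is not part of any post above: NAT exemption (`nat 0 access-list`) is consulted before the `nat`/`global` pools, so an inside-to-net-50 flow matching NONAT stays untranslated while an inside-to-net-30 flow falls through to the id-1 pool and is PATed to 10.0.30.254. The model is a constructed simplification: it assumes the egress interface has already been chosen by routing, ignores statics and proxy ARP, and uses the rule names and addresses from the thread only.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the PIX translation decision for the config in the thread.
# Order modelled: (1) nat 0 access-list exemption, (2) nat/global pools by id.


@dataclass(frozen=True)
class Flow:
    in_iface: str
    src: str
    dst: str
    out_iface: str  # egress interface, assumed already decided by routing


# access-list NONAT, one entry per direction, exactly as posted
NONAT = [
    (ipaddress.ip_network("10.0.100.0/24"), ipaddress.ip_network("10.0.50.0/24")),
    (ipaddress.ip_network("10.0.50.0/24"), ipaddress.ip_network("10.0.100.0/24")),
]

# nat (inside) 0 access-list NONAT
NAT_EXEMPT = {"inside": NONAT}

# nat (inside) 1 10.0.100.0 255.255.255.0   /   global (net-30) 1 10.0.30.254
NAT_POOLS = {("inside", 1): ipaddress.ip_network("10.0.100.0/24")}
GLOBALS = {("net-30", 1): ipaddress.ip_address("10.0.30.254")}


def translate(flow):
    """Return (decision, address the flow is seen from on egress)."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    # 1. Exemption first: a NONAT match means identity, and no xlate is built.
    for s_net, d_net in NAT_EXEMPT.get(flow.in_iface, []):
        if src in s_net and dst in d_net:
            return ("exempt", flow.src)
    # 2. Otherwise find a nat id on the ingress interface covering the source
    #    and a global with the same id on the egress interface (PAT here).
    for (iface, nat_id), net in NAT_POOLS.items():
        if iface == flow.in_iface and src in net:
            g = GLOBALS.get((flow.out_iface, nat_id))
            if g is not None:
                return ("pat", str(g))
    # 3. No exemption and no nat/global pair: a classic PIX builds no xlate,
    #    so the flow gets no translation (assumption: it is then dropped).
    return ("no-translation", None)
```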