NAT'ing to different outside addresses based on port _or_ destination address

Discussion in 'Cisco' started by theodorehope@gmail.com, Aug 31, 2006.

  1. Guest

    I am trying to find out if I can NAT to different "outside" interfaces
    based on the destination port and/or destination address specified by a
    machine on the inside. (What I've read so far in the PIX documentation
    hasn't shed enough light on this for me.)

    For example:

    * We have a single inside LAN (e.g., 10.x.x.x) and two outside
    interfaces, each on a different public network, let's say
    outside-1 = 1.1.1.x and outside-2 = 2.2.2.x.
    There is no routing protocol being used; each outside interface should
    have its own default route (to a different public-facing router).

    * We want HTTP traffic that originates from inside to the outside world
    (e.g., web surfing from the inside LAN) to be NAT'ed through outside-1.

    * We want all POP and SMTP traffic to be NAT'ed via outside-2.

    * We want all HTTP traffic that goes to a particular public address
    (e.g., 3.3.3.3) to also be NAT'ed via outside-2.

    * All other traffic should be NAT'd through outside-1 ("default NAT").

    I realize that the above is similar to "policy-based routing" if it
    were a router, but I think it doesn't quite work this way in a PIX. Is
    it possible to do what I'm proposing?
    The PIX in question is a 515E with 6.3(4) s/w (upgradable to 7.2 if
    necessary).

    Thanks for your help.
     
    , Aug 31, 2006
    #1

  2. mcaissie Guest

    It's all possible and it's called Policy NAT.

    You need to define groups of nat + global statements with different IDs
    and use an access-list to classify your traffic.

    For example

    nat (inside) 1 access-list class1
    nat (inside) 2 access-list class2

    global (outside-1) 1 interface ( or whatever address pool)
    global (outside-2) 2 interface ( or whatever address pool)


    access-list class1 permit tcp any any eq 80

    access-list class2 permit tcp any host [whatever] eq 80
    access-list class2 permit tcp any any eq 25
    etc,...

    Then you would need a statement for the rest of the traffic to go through
    outside-1

    nat (inside) 3 0.0.0.0 0.0.0.0
    global (outside-1) 3 interface ( or whatever address pool)

    note: you wouldn't really need the class1 nat+global since this traffic
    is already included in the regular nat statement.

    One thing, you cannot use deny statements in your acl so you may not be
    able to get as granular as you wish.
    If you don't have any other needs than those mentioned you'll be ok.

    Finally, if you start playing with this, read carefully the Order of NAT
    commands, it can get tricky.



    Order of NAT Commands Used to Match Local Addresses

    The firewall matches local traffic to NAT commands in the following order:

    1. nat 0 access-list (NAT exemption): in order, until the first match. For
    example, you could have overlapping local/destination addresses in multiple
    nat commands, but only the first command is matched.

    2. static (static NAT): in order, until the first match. Because you cannot
    use the same local address in static NAT or static PAT commands, the order
    of static commands does not matter. Similarly, for static policy NAT, you
    cannot use the same local/destination address and port across multiple
    statements.

    3. static {tcp | udp} (static PAT): in order, until the first match. Because
    you cannot use the same local address in static NAT or static PAT commands,
    the order of static commands does not matter. Similarly, for static policy
    NAT, you cannot use the same local/destination address and port across
    multiple statements.

    4. nat nat_id access-list (policy NAT): in order, until the first match. For
    example, you could have overlapping local/destination ports and addresses in
    multiple nat commands, but only the first command is matched.

    5. nat (regular NAT): best match. The order of the NAT commands does not
    matter. The nat statement that best matches the local traffic is used. For
    example, you can create a general statement to translate all addresses
    (0.0.0.0) on an interface. If you also create a statement to translate only
    10.1.1.1, when 10.1.1.1 makes a connection, the specific statement for
    10.1.1.1 is used because it matches the local traffic best.

    If you configure multiple global statements on the same NAT ID, the global
    statements are used in this order:

    1. No global if using nat 0 (identity NAT).

    2. Dynamic NAT global.

    3. PAT global.

     
    mcaissie, Aug 31, 2006
    #2
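An added example, not from the thread or from Cisco, modelling how the quoted matching order (policy NAT first match in order, then regular NAT best match) classifies the asker's flows under the reply's rules. Interface names, the "outside-2" access-list contents and the sample flows are constructed; it also shows why the reply's class1 statement is better left out.

```python
import ipaddress

# Policy NAT rules: (nat_id, egress interface, access-list entries).
# Each ACL entry is (protocol, destination network, destination port).
POLICY_NAT = [
    (2, "outside-2", [("tcp", "3.3.3.3/32", 80),   # HTTP to the special host
                      ("tcp", "0.0.0.0/0", 25),    # SMTP
                      ("tcp", "0.0.0.0/0", 110)]), # POP3
]
# Regular NAT rules: (nat_id, egress interface, local network), the default.
REGULAR_NAT = [(3, "outside-1", "10.0.0.0/8")]

def _acl_matches(entry, flow):
    proto, dst_net, dport = entry
    return (flow["proto"] == proto
            and ipaddress.ip_address(flow["dst"]) in ipaddress.ip_network(dst_net)
            and dport == flow["dport"])

def egress_interface(flow, policy=POLICY_NAT, regular=REGULAR_NAT):
    """Return the interface a flow is translated out of, or None if no NAT rule fits."""
    # Step 4 of the quoted order: policy NAT, first matching statement wins.
    for _nat_id, iface, acl in policy:
        if any(_acl_matches(e, flow) for e in acl):
            return iface
    # Step 5: regular NAT, the most specific local network wins.
    best = None
    for _nat_id, iface, local_net in regular:
        net = ipaddress.ip_network(local_net)
        if ipaddress.ip_address(flow["src"]) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best[1] if best else None

# Constructed sample flows from the inside LAN.
FLOWS = {
    "web":        {"src": "10.1.1.5", "dst": "8.8.8.8", "proto": "tcp", "dport": 80},
    "smtp":       {"src": "10.1.1.5", "dst": "5.5.5.5", "proto": "tcp", "dport": 25},
    "web_to_333": {"src": "10.1.1.5", "dst": "3.3.3.3", "proto": "tcp", "dport": 80},
    "dns":        {"src": "10.1.1.5", "dst": "9.9.9.9", "proto": "udp", "dport": 53},
}

def classify_all(policy=POLICY_NAT):
    return {name: egress_interface(f, policy) for name, f in FLOWS.items()}

# With class1 (tcp any any eq 80) configured ahead of class2, first match sends
# HTTP to 3.3.3.3 out outside-1, which is why the reply says to drop class1.
WITH_CLASS1_FIRST = [(1, "outside-1", [("tcp", "0.0.0.0/0", 80)])] + POLICY_NAT
```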
