PIX - mixing "nat 0 access-list" with nat/global pools

Discussion in 'Cisco' started by Matthew Melbourne, Feb 8, 2005.

  1. Is it possible to mix "nat 0 access-list" for connections between two PIX
    interfaces, and have nat/global for connections between two other
    interfaces?

    For example, if the three interfaces are 10.0.100.0/24, 10.0.50.0/24 and
    10.0.30.0/24 (where the third octet also specifies security level), and
    NAT isn't required between 10.0.100.0/24 and 10.0.50.0/24, but is needed
    between 10.0.100.0/24 and 10.0.30.0/24, would the following work:

    access-list NONAT permit ip 10.0.100.0 255.255.255.0 10.0.50.0 255.255.255.0
    access-list NONAT permit ip 10.0.50.0 255.255.255.0 10.0.100.0 255.255.255.0

    nat (inside) 0 access-list NONAT
    nat (inside) 1 10.0.100.0 255.255.255.0
    global (net-30) 1 10.0.30.254

    Will the PIX still proxy ARP for NATed addresses on the net-30 interface?

    Cheers,

    Matt

    --
    Matthew Melbourne
     
    Matthew Melbourne, Feb 8, 2005
    #1

  2. I believe you can just:

    nat (inside) 0 10.0.50.0 255.255.255.0

    I also believe the access-list NONAT thing you refer to is mainly to make an
    exception to the normal nat rule by specifying something specific in the
    access-list to exclude.


    "Matthew Melbourne" <> wrote in message
    news:...
    > Is it possible to mix "nat 0 access-list" for connections between two PIX
    > interfaces, and have nat/global for connections between two other
    > interfaces?
    >
    > For example, if the three interfaces are 10.0.100.0/24, 10.0.50.0/24 and
    > 10.0.30.0/24 (where the third octet also specifies security level), and
    > NAT isn't required between 10.0.100.0/24 and 10.0.50.0/24, but is needed
    > between 10.0.100.0/24 and 10.0.30.0/24, would the following work:
    >
    > access-list NONAT permit ip 10.0.100.0 255.255.255.0 10.0.50.0 255.255.255.0
    > access-list NONAT permit ip 10.0.50.0 255.255.255.0 10.0.100.0 255.255.255.0
    >
    > nat (inside) 0 access-list NONAT
    > nat (inside) 1 10.0.100.0 255.255.255.0
    > global (net-30) 1 10.0.30.254
    >
    > Will the PIX still proxy ARP for NATed addresses on the net-30 interface?
    >
    > Cheers,
    >
    > Matt
    >
    > --
    > Matthew Melbourne
     
    Mark W. Dufault, Feb 12, 2005
    #2

  3. In article <%qoPd.663$DG5.109@lakeread07>,
    Mark W. Dufault <> wrote:
    > I believe you can just:
    >
    > nat (inside) 0 10.0.50.0 255.255.255.0
    >
    > I also believe the access-list NONAT thing you refer to is mainly to
    > make an exception to the normal nat rule by specifying something
    > specific in the access-list to exclude.


    Not sure about that; nat 0 is "identity NAT", and 10.0.50.0/24 isn't the
    range for the inside interface. I require something different: basically,
    to disable NAT between the inside interface and, say, interface A but also
    perform NAT between the inside interface and interface B.

    I'm sure it would be possible using net statics:

    static (inside,net-50) 10.0.100.0 255.255.255.0 10.0.100.0 255.255.255.0
    nat (inside) 1 10.0.100.0 255.255.255.0
    global (net-30) 1 10.0.30.254

    However, although the net static was configured previously, we did notice
    that many individual statics were created, on a per-connection basis, even
    though the ACL applied to the interface denied the traffic (almost as if
    the static was created first, before the ACL was checked). This was an
    issue when infected hosts were sending ICMP echos to random machines on
    the inside interface (assuming each static translation requires a finite
    amount of memory). NAT 0 access-list doesn't require static translations
    to be maintained.

    So, if we want to effectively disable NAT between the inside interface and
    the net-50 interface, but enable NAT (PAT in this example) between the
    inside interface and net-30, would the following work? The traffic between
    the inside interface and net-30 interface does not match the NONAT ACL.

    access-list NONAT permit ip 10.0.100.0 255.255.255.0 10.0.50.0 255.255.255.0
    access-list NONAT permit ip 10.0.50.0 255.255.255.0 10.0.100.0 255.255.255.0

    nat (inside) 0 access-list NONAT
    nat (inside) 1 10.0.100.0 255.255.255.0
    global (net-30) 1 10.0.30.254

    Also, does the use of "nat 0 access-list" disable proxy ARP for NATed
    addresses on other interfaces, e.g. the PATed address on the net-30
    interface?

    Cheers,

    Matt

    --
    Matthew Melbourne
     
    Matthew Melbourne, Feb 12, 2005
    #3
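The configuration asked about in posts #1 and #3 can be reasoned through by modelling the order in which a PIX 6.x picks a NAT rule: NAT exemption (`nat 0 access-list`) is consulted before dynamic `nat`/`global` pairs, and a `nat` match with no matching `global` on the egress interface means the packet is dropped ("no translation group found"). The following is an added example written for this thread, not code from the posters or from Cisco; it hard-codes the three interfaces, the NONAT access-list, the `nat (inside) 1` rule and the `global (net-30) 1` address exactly as given above, and returns what the source address of a packet would become and why. It does not model proxy ARP, statics, or traffic initiated from the lower-security interfaces.

```python
"""Toy model of PIX 6.x NAT rule selection for the three-interface design
discussed in this thread. Constructed example, not PIX code: it models only
NAT exemption (nat 0 access-list) and dynamic NAT/PAT (nat/global), with
exemption evaluated first, as the PIX does."""
import ipaddress

# Interfaces from the thread; the third octet doubles as the security level.
INTERFACES = {
    "inside": ipaddress.ip_network("10.0.100.0/24"),
    "net-50": ipaddress.ip_network("10.0.50.0/24"),
    "net-30": ipaddress.ip_network("10.0.30.0/24"),
}

# access-list NONAT permit ip <src> <dst>, both lines as in the post.
NONAT = [
    (ipaddress.ip_network("10.0.100.0/24"), ipaddress.ip_network("10.0.50.0/24")),
    (ipaddress.ip_network("10.0.50.0/24"), ipaddress.ip_network("10.0.100.0/24")),
]

# nat (inside) 1 10.0.100.0 255.255.255.0
NAT_RULES = [("inside", 1, ipaddress.ip_network("10.0.100.0/24"))]

# global (net-30) 1 10.0.30.254   (a single address, so this is PAT)
GLOBALS = {("net-30", 1): ipaddress.ip_address("10.0.30.254")}


def interface_for(ip):
    """Return the interface whose connected network contains ip, or None."""
    for name, net in INTERFACES.items():
        if ip in net:
            return name
    return None


def translate(src, dst, nonat=NONAT):
    """Decide how the PIX would translate the source of a packet src -> dst.

    Returns (translated_source, reason) where reason is one of
    'exempt', 'pat', 'same-interface' or 'no-translation-group'.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress, egress = interface_for(src), interface_for(dst)
    if ingress is None or egress is None or ingress == egress:
        # Not a through-the-firewall flow; nothing to translate.
        return None, "same-interface"

    # 1. NAT exemption is the first rule type the PIX consults: a match means
    #    the source keeps its real address and no xlate is created for it.
    for acl_src, acl_dst in nonat:
        if src in acl_src and dst in acl_dst:
            return str(src), "exempt"

    # 2. Dynamic NAT/PAT: needs a nat rule on the ingress interface AND a
    #    global with the same id on the egress interface.
    for iface, nat_id, net in NAT_RULES:
        if iface == ingress and src in net:
            pool = GLOBALS.get((egress, nat_id))
            if pool is not None:
                return str(pool), "pat"
            # nat matched but no global exists on this egress interface:
            # the PIX drops the packet ("no translation group found").
            return None, "no-translation-group"
    return None, "no-translation-group"


if __name__ == "__main__":
    for flow in [("10.0.100.10", "10.0.50.20"), ("10.0.100.10", "10.0.30.20")]:
        print(flow, "->", translate(*flow))
```

Running it shows the two outcomes the original poster is after: inside to net-50 matches NONAT and leaves with its real address, while inside to net-30 misses the exemption, hits `nat (inside) 1` and is PATed to 10.0.30.254. Passing `nonat=[]` shows the failure mode that `nat 0 access-list` is there to avoid: with only `nat (inside) 1` and no `global` on net-50, traffic from inside to net-50 would have no translation group and be dropped.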
