Nat translation/exemption decision based on source address

Discussion in 'Cisco' started by Cen, Sep 15, 2005.

  1. Cen

    Cen Guest

    Hi,
    I would like to do the following:
    I have 2 inside hosts, 10.1.1.1 and 10.1.1.2.
    On the outside interface, for external hosts, these 2 addresses are servers
    that are translated as, say, 203.23.23.23 and 203.23.23.24 respectively.
    But I also have a private host 10.3.3.3 on the outside interface which needs
    to reach 10.1.1.1 and 10.1.1.2 untranslated.

    Is this the way I go about doing it:

    access-list bypass permit icmp host 10.1.1.1 host 10.3.3.3
    access-list bypass permit icmp host 10.1.1.2 host 10.3.3.3
    nat (inside) 0 access-list bypass
    static (inside,outside) 203.23.23.23 10.1.1.1 netmask 255.255.255.255
    static (inside,outside) 203.23.23.24 10.1.1.2 netmask 255.255.255.255

    thanks.
     
    Cen, Sep 15, 2005
    #1

  2. :I have 2 inside hosts, 10.1.1.1 and 10.1.1.2.
    :On the outside interface, for external hosts, these 2 addresses are servers
    :that are translated as, say, 203.23.23.23 and 203.23.23.24 respectively.
    :But I also have a private host 10.3.3.3 on the outside interface which needs
    :to reach 10.1.1.1 and 10.1.1.2 untranslated.

    :Is this the way I go about doing it:

    :access-list bypass permit icmp host 10.1.1.1 host 10.3.3.3
    :access-list bypass permit icmp host 10.1.1.2 host 10.3.3.3
    :nat (inside) 0 access-list bypass
    :static (inside,outside) 203.23.23.23 10.1.1.1 netmask 255.255.255.255
    :static (inside,outside) 203.23.23.24 10.1.1.2 netmask 255.255.255.255

    Not if you are using an IOS router ;-)

    If you are using a PIX with 6.x software as is implied by the
    above commands, then what you have is generally speaking a good
    approach.

    It can, though, fall down in that the PIX never proxy-arp's for an IP
    which is nat 0 access-list'd. If the outside device can have its
    routing table adjusted, then you can configure the outside device to
    route to 10.1.1.x via the PIX's outside IP. But then you run into
    the possibility that there is no outside router with a presence
    in both 10.3.3.x and 203.23.23.x ...

    An alternate approach, starting in PIX 6.3, is to use "policy static".
    That's a static with an access-list attached. You'll have to read
    the examples in the reference manual several times to figure out
    how to get it to work right, as there is important information missing
    in the documentation [which will especially beguile you if you are trying
    to work with a subnet instead of individual hosts.]
     
    Walter Roberson, Sep 15, 2005
    #2
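    To make the decision Walter describes concrete, here is a small Python model of how a PIX 6.x chooses between the `nat 0 access-list` exemption and a `static (inside,outside)` translation for an inside-to-outside flow. It is an added illustration, not code from the thread or from Cisco; the `Flow`, `AclEntry` and `PixNat` names are constructed for the example, the addresses are the ones from the original post, and `198.51.100.7` is a constructed external host. The only PIX behaviour it encodes is the rule order (exemption is evaluated before statics); ACL matching is simplified to protocol, source and destination.

```python
"""Simplified model of PIX 6.x NAT decision: exemption before static.

Constructed example for illustration, not Cisco code. It models only the
evaluation order (nat 0 access-list first, then static) and matches ACL
entries on protocol, source and destination. Routing and proxy-ARP, which
Walter points out as the real pitfall, are outside this model.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    proto: str  # "icmp", "tcp" or "udp"
    src: str    # real inside address
    dst: str    # outside address the inside host talks to


@dataclass(frozen=True)
class AclEntry:
    """One 'access-list <name> permit <proto> <src> <dst>' line."""
    proto: str  # protocol keyword; "ip" matches any protocol
    src: str    # host address or CIDR
    dst: str

    def matches(self, flow: Flow) -> bool:
        proto_ok = self.proto == "ip" or self.proto == flow.proto
        return (proto_ok
                and ip_address(flow.src) in ip_network(self.src)
                and ip_address(flow.dst) in ip_network(self.dst))


@dataclass
class PixNat:
    exempt_acl: List[AclEntry]   # nat (inside) 0 access-list <name>
    statics: Dict[str, str]      # static (inside,outside) <mapped> <real>: real -> mapped

    def translate(self, flow: Flow) -> Optional[str]:
        """Return the source address the outside sees, or None if no rule applies."""
        # 1. NAT exemption wins: traffic matching the nat 0 ACL keeps its real address.
        if any(entry.matches(flow) for entry in self.exempt_acl):
            return flow.src
        # 2. Otherwise a matching static translation applies.
        if flow.src in self.statics:
            return self.statics[flow.src]
        # 3. Nothing matched; a PIX with nat-control would refuse to forward this.
        return None


# The configuration from the original post (ICMP-only exemption ACL).
PIX_AS_POSTED = PixNat(
    exempt_acl=[
        AclEntry("icmp", "10.1.1.1", "10.3.3.3"),
        AclEntry("icmp", "10.1.1.2", "10.3.3.3"),
    ],
    statics={"10.1.1.1": "203.23.23.23", "10.1.1.2": "203.23.23.24"},
)

# Same statics, but the exemption written with 'ip' so every protocol is exempted.
PIX_EXEMPT_IP = PixNat(
    exempt_acl=[
        AclEntry("ip", "10.1.1.1", "10.3.3.3"),
        AclEntry("ip", "10.1.1.2", "10.3.3.3"),
    ],
    statics={"10.1.1.1": "203.23.23.23", "10.1.1.2": "203.23.23.24"},
)


def outside_sees(pix: PixNat, proto: str, src: str, dst: str) -> Optional[str]:
    """Convenience wrapper: what source address does <dst> see for this flow?"""
    return pix.translate(Flow(proto, src, dst))


if __name__ == "__main__":
    for proto, dst in [("icmp", "10.3.3.3"), ("tcp", "10.3.3.3"), ("icmp", "198.51.100.7")]:
        print(f"{proto:4} 10.1.1.1 -> {dst:13} posted ACL: {outside_sees(PIX_AS_POSTED, proto, '10.1.1.1', dst)}"
              f"  ip ACL: {outside_sees(PIX_EXEMPT_IP, proto, '10.1.1.1', dst)}")
```

    Running it shows the point of the model: with the ACL as posted, ICMP from 10.1.1.1 to 10.3.3.3 reaches the private host untranslated while the same host's traffic to any other outside address is translated to 203.23.23.23, but a TCP connection to 10.3.3.3 falls through to the static because the exemption entry only names `icmp`. Writing the exemption with `ip` removes that gap. Whether the outside device can actually route replies back to 10.1.1.x is the separate proxy-ARP problem Walter raises, which no ACL fixes.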

  3. Cen

    Cen Guest

    Thanks. Yeah, I'm planning this on PIX 6.3.
    I'm not using proxy arp - so shouldn't be a problem here.
    Will check out the suggested alternative approach.
     
    Cen, Sep 15, 2005
    #3
