PIX - mixing "nat 0 access-list" with nat/global pools

Is it possible to mix "nat 0 access-list" for connections between two PIX
interfaces, and have nat/global for connections between two other
interfaces?

For example, if the three interfaces are 10.0.100.0/24, 10.0.50.0/24 and
10.0.30.0/24 (where the third octet also specifies security level), and
NAT isn't required between 10.0.100.0/24 and 10.0.50.0/24, but is needed
between 10.0.100.0/24 and 10.0.30.0/24, would the following work:

access-list NONAT permit ip 10.0.100.0 255.255.255.0 10.0.50.0
255.255.255.0
access-list NONAT permit ip 10.0.50.0 255.255.255.0 10.0.100.0
255.255.255.0

nat (inside) 0 access-list NONAT
nat (inside) 1 10.0.100.0 255.255.255.0
global (net-30) 1 10.0.30.254

Will the PIX still proxy ARP for NATed addresses on the net-30 interface?

Cheers,

Matt

 

I believe you can just:

nat (inside) 0 10.0.50.0 255.255.255.0

I also believe the access-list NONAT thing you refer to is mainly to make an
acception to the normal nat rule by specifying something specific in the
access-list to exclude.

 

Note sure about that; nat 0 is "identity NAT", and 10.0.50.0/24 isn't the
range for the inside interface. I require something different: basically,
to disable NAT between the inside interface and, say, interface A but also
perform NAT between the inside interface and interface B.

I'm sure it would be possible using net statics:

static (inside,net-50) 10.0.100.0 255.255.255.0 10.0.100.0 255.255.255.0
nat (inside) 1 10.0.100.0 255.255.255.0
global (net-30) 1 10.0.30.254

However, although the net static was configured previously, we did notice
that many individual statics were created, on a per-connection basis, even
though the ACL applied to the interface denied the traffic (almost as if
the static was created first, before the ACL was checked). This was an
issue when infected hosts were sending ICMP echos to random machines on
the inside interface (assuming each static translation requires a finite
amount of memory). NAT 0 access-list doesn't require static translations
to be maintained.

So, if we want to effectively disable NAT between the inside interface and
the net-50 interface, but enable NAT (PAT in this example) between the
inside interface and net-30, would the following work? The traffic between
the inside interface and net-30 interface does not match the NONAT ACL.

access-list NONAT permit ip 10.0.100.0 255.255.255.0 10.0.50.0
255.255.255.0
access-list NONAT permit ip 10.0.50.0 255.255.255.0 10.0.100.0
255.255.255.0

nat (inside) 0 access-list NONAT
nat (inside) 1 10.0.100.0 255.255.255.0
global (net-30) 1 10.0.30.254

Also, does the use of "nat 0 access-list" disable proxy ARP for NATed
addresses on other interfaces, e.g the PATed address on the net-30
interface?

Cheers,

Matt