PIX - mixing "nat 0 access-list" with nat/global pools

Discussion in 'Cisco' started by Matthew Melbourne, Feb 8, 2005.

  1. Is it possible to mix "nat 0 access-list" for connections between two PIX
    interfaces, and have nat/global for connections between two other
    interfaces?

    For example, if the three interfaces are 10.0.100.0/24, 10.0.50.0/24 and
    10.0.30.0/24 (where the third octet also specifies security level), and
    NAT isn't required between 10.0.100.0/24 and 10.0.50.0/24, but is needed
    between 10.0.100.0/24 and 10.0.30.0/24, would the following work:

    access-list NONAT permit ip 10.0.100.0 255.255.255.0 10.0.50.0 255.255.255.0
    access-list NONAT permit ip 10.0.50.0 255.255.255.0 10.0.100.0 255.255.255.0

    nat (inside) 0 access-list NONAT
    nat (inside) 1 10.0.100.0 255.255.255.0
    global (net-30) 1 10.0.30.254

    Will the PIX still proxy ARP for NATed addresses on the net-30 interface?

    Cheers,

    Matt
     
    Matthew Melbourne, Feb 8, 2005
    #1

  2. I believe you can just:

    nat (inside) 0 10.0.50.0 255.255.255.0

    I also believe the access-list NONAT thing you refer to is mainly to make an
    exception to the normal nat rule by specifying something specific in the
    access-list to exclude.
     
    Mark W. Dufault, Feb 12, 2005
    #2

  3. Not sure about that; nat 0 is "identity NAT", and 10.0.50.0/24 isn't the
    range for the inside interface. I require something different: basically,
    to disable NAT between the inside interface and, say, interface A but also
    perform NAT between the inside interface and interface B.

    I'm sure it would be possible using net statics:

    static (inside,net-50) 10.0.100.0 10.0.100.0 netmask 255.255.255.0
    nat (inside) 1 10.0.100.0 255.255.255.0
    global (net-30) 1 10.0.30.254

    However, although the net static was configured previously, we did notice
    that many individual statics were created, on a per-connection basis, even
    though the ACL applied to the interface denied the traffic (almost as if
    the static was created first, before the ACL was checked). This was an
    issue when infected hosts were sending ICMP echos to random machines on
    the inside interface (assuming each static translation requires a finite
    amount of memory). NAT 0 access-list doesn't require static translations
    to be maintained.

    So, if we want to effectively disable NAT between the inside interface and
    the net-50 interface, but enable NAT (PAT in this example) between the
    inside interface and net-30, would the following work? The traffic between
    the inside interface and net-30 interface does not match the NONAT ACL.

    access-list NONAT permit ip 10.0.100.0 255.255.255.0 10.0.50.0 255.255.255.0
    access-list NONAT permit ip 10.0.50.0 255.255.255.0 10.0.100.0 255.255.255.0

    nat (inside) 0 access-list NONAT
    nat (inside) 1 10.0.100.0 255.255.255.0
    global (net-30) 1 10.0.30.254

    Also, does the use of "nat 0 access-list" disable proxy ARP for NATed
    addresses on other interfaces, e.g. the PATed address on the net-30
    interface?

    Cheers,

    Matt
     
    Matthew Melbourne, Feb 12, 2005
    #3
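Editor's added example, not part of the thread: a complete PIX 6.x configuration for the three-interface layout the question describes, with the NAT exemption and the PAT pool side by side. The interface names, the PIX's own addresses on each interface and the security levels are assumed, following the thread's "third octet = security level" convention. The PIX evaluates a nat 0 access-list exemption before any nat/global pair, so the mix works as posted: inside/net-50 flows match NONAT and pass untranslated, while inside-to-net-30 flows fall through to nat 1 and are PATed behind 10.0.30.254. The exemption also covers the return direction, so the second ACE in the thread's NONAT list is redundant but harmless. Proxy ARP is decided per interface by the global and static entries configured on that interface; nat 0 on inside does not change it, so the PIX still answers ARP for 10.0.30.254 on net-30. If that is unwanted, sysopt noproxyarp net-30 turns it off for that interface.

```cisco
! Added example configuration (PIX 6.x syntax), not from the original thread.
! Interface names, PIX addresses and security levels are assumptions.
nameif ethernet0 net-30 security30
nameif ethernet1 inside security100
nameif ethernet2 net-50 security50
ip address inside 10.0.100.1 255.255.255.0
ip address net-50 10.0.50.1 255.255.255.0
ip address net-30 10.0.30.1 255.255.255.0

! NAT exemption: inside <-> net-50 traffic is never translated.
! The exemption is matched in both directions, so one ACE is enough.
access-list NONAT permit ip 10.0.100.0 255.255.255.0 10.0.50.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Everything else leaving inside is PATed to 10.0.30.254 when it exits net-30.
! nat 0 access-list is evaluated first, so this pair never sees NONAT traffic.
nat (inside) 1 10.0.100.0 255.255.255.0
global (net-30) 1 10.0.30.254

! Optional: stop the PIX answering ARP on net-30 for 10.0.30.254.
! sysopt noproxyarp net-30

! After editing nat/global, clear existing translations so the new rules apply.
! clear xlate
```

To verify, generate one flow from an inside host to net-50 and one to net-30: show conn lists both, while show xlate should show a PAT entry (10.0.100.x mapped to 10.0.30.254) only for the net-30-bound flow.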
