Restrictive NAT exemption configuration issue

Discussion in 'Cisco' started by archow, Jan 23, 2008.

  1. archow

    archow Guest

    I have a situation in which I am trying to disable translation between
    a source on the inside and a destination on the outside, but only over
    certain ports. The remaining ports between the same source and
    destination should be translated as defined in the nat/global rules.

    My first inclination was to use nat 0 list to bypass translation
    between specific source/destination IPs over specific ports.
    Unfortunately, the PIX did not feel the same way and yelled at me when
    I tried:
    ERROR: access-list has protocol or port
    I was forced to seek another solution.

    To better explain my situation, let's assume I have two interfaces:

    The inside subnet is translated with the following rules when
    accessing the outside:
    nat (inside) 1
    global (outside) 1 interface

    A host on the inside,, needs to access a host on the
    outside,, and for whatever reason the traffic going over
    tcp/23 from the inside host to the outside host should be exempt from
    NAT. The outside host,, should see the real address of
    the inside host when accesses the outside host over tcp/23.
    For all other allowed traffic from to, the inside host should
    be NAT'd to the outside interface.

     to  over tcp/23 (NAT-exempt)
     to  over tcp/80,tcp/443,etc. (NAT)

    Is it possible to accomplish the above situation on the PIX? Because
    the nat 0 list does not allow protocol or port specification, I have
    tried a variety of static translations to achieve the desired
    functionality, but have not come across a solution.

    archow, Jan 23, 2008

  2. archow

    archow Guest

    I want to add that I was very confused when trying policy static with
    the following PIX commands:
    access-list test extended permit tcp host host eq https
    static (internal,external) access-list test

    The policy static commands above create the following entry in the NAT
    policies (show nat):

    NAT policies on Interface inside:
    match tcp inside host outside host eq 443
    static translation to
    translate_hits = 0, untranslate_hits = 0
    match ip inside inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
    match ip inside outside any
    dynamic translation to pool 1 ( [Interface PAT])
    translate_hits = 3, untranslate_hits = 0

    When I access over 443 from, the first rule is
    skipped and the dynamic match to the outside interface is used.
    Why is that static match skipped? And what is the /0 in

    archow, Jan 23, 2008
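    The configuration below is an added example, not from this thread or
    its author: it expresses the first post's requirement (tcp/23 to one
    outside host untranslated, everything else PAT'd to the outside
    interface) using a policy static whose mapped address equals the real
    address, the form the PIX accepts when the access list carries ports,
    next to the nat 0 form the post reports as rejected. All addresses,
    interface names and the ACL name are placeholders (RFC 1918 / RFC 5737),
    not values from the page.

```cisco
! --- placeholder values, not from the thread ---
!   inside host : 10.1.1.5 (real address, on interface "inside")
!   outside host: 192.0.2.10 (reached via interface "outside")
!
! Attempt 1: NAT exemption. The first post reports that the PIX
! rejects this because nat 0 access-list must not carry a
! protocol or port in its ACL:
!   access-list NONAT-TELNET extended permit tcp host 10.1.1.5 host 192.0.2.10 eq telnet
!   nat (inside) 0 access-list NONAT-TELNET
!   -> ERROR: access-list has protocol or port
!
! Attempt 2: policy static with the mapped address equal to the
! real address (identity static). Static entries are evaluated
! before the nat/global rules, so a tcp/23 flow from 10.1.1.5 to
! 192.0.2.10 matches here and leaves with its real source address.
access-list NONAT-TELNET extended permit tcp host 10.1.1.5 host 192.0.2.10 eq telnet
static (inside,outside) 10.1.1.5 access-list NONAT-TELNET
!
! Everything else from the inside subnet falls through to the
! dynamic rule and is PAT'd to the outside interface address.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! Verify: after one tcp/23 and one tcp/80 connection from 10.1.1.5
! to 192.0.2.10, the static entry's translate_hits should increment
! once and the Interface PAT entry's translate_hits once.
show nat
```

    One check before reading the counters: the interface names in the
    static must be the same pair used by the nat/global rules; the
    second post's static names (internal,external) while its show nat
    output lists policies on interface inside.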