Skip to main content

how to select a certain traffic for NAT on a PIX?

More
18 years 2 months ago #17451 by eeee
Hi all,

I have a PIX 525 and it is on IOS 701. I have allowed all traffic to bypass PIX for outbound traffic. I want to add a new network behind PIX using the same inside interface for outbound connection. But I would like to use NAT just for this network for outbound.

how can I do this selection for NAT?

Regards,

e
More
18 years 2 months ago #17462 by Smurf

I have allowed all traffic to bypass PIX for outbound traffic.


I'm affraid i don't fully understand your question, above statement seems a little odd, why would have have a pix in place and then want to bypass it ?

Anyhow, here is what i think you need to know.

If you have configured something like this in your pix config

[code:1]global (outside) 1 interface[/code:1]

this is setting up a nat translated ip address for your natting. This will basically use PAT because its picking the IP Address thats bound to the outside interface. If you have a full subnet from your ISP you may have actually selected a pool of NAT addresses, like follows

[code:1]global (outside) 1 192.168.0.1 - 192.168.0.100[/code:1]

What that will do is setup a direct IP to IP NAT translation fo rthe first 99 clients that connect, the rest will use PAT on the last address 192.168.0.100

Finally, you need to select the address that will use this global nat statement, this is the bit you need...

If you have configured a new subnet say 10.10.10.0/24 in your inside network which routes through the inside interface to get to the internet, you config your pix like this to just let that subnet NAT through

[code:1]nat (inside) 1 10.10.10.0 255.255.255.0[/code:1]

The number 1 is just linking the two statments. If you had a DMZ off the pix on an interface called DMZ with a subnet of 172.16.0.0/24 and you wanted that to also translate, you would configure the following nat statment

[code:1]nat (dmz) 1 172.16.0.0 255.255.255.0 [/code:1]

See, how we have linked this statement also to the global pool of address to NAT agains by selecting the number 1

Hope it helps ya

Wayne[/code]

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
Time to create page: 0.112 seconds