Policy NAT
Posted by Guyster on October 15, 2007, 9:06 am
Hi guys,

We have a nat 0 (nat exemption) network setup that uses PIX firewalls. I am trying to implement policy NAT to ensure that certain traffic types are NATed out to an external IP address and others stay internal and pass over the PIX retaining their original IP address. It is causing me a problem, as it appears that NAT exemption does not support policy NAT. Does anyone have any idea if this will be possible? If not, then any alternative suggestions would be appreciated.

Cheers
Guy
|
Posted by Andrey Tarasov on October 15, 2007, 11:21 am
Can you post the relevant part of your configuration? In general, using NAT exemption and policy NAT together shouldn't be a problem.

Regards,
Andrey.
|
Posted by Guyster on October 15, 2007, 11:39 am
> Guyster wrote:
> > Hi guys,
> >
> > We have a nat 0 (nat exemption) network setup that uses PIX firewalls,
> > I am trying to implement policy NAT to ensure that certain traffic
> > types are NATed out to an external IP address and others stay internal
> > and pass over the PIX retaining their original IP address, it is
> > causing me a problem as it appears that NAT exemption does not support
> > policy nat, does anyone have any idea if this will be possible, if not
> > then any alternative suggestions would be appreciated
>
> Can you post relevant part of your configuration? In general, using NAT
> exemption and policy NAT together shouldn't be a problem.
>
> Regards,
> Andrey.

I don't have it to hand right now as I have left the site - I am due back for a couple of days but I will try and get hold of it in the meantime. I took a look on Cisco's site this afternoon and found the following in the section on policy NAT:

Note: All types of NAT support policy NAT except for NAT exemption (nat 0 access-list). NAT exemption uses an access control list in order to identify the local addresses, but differs from policy NAT in that the ports are not considered.

Have you had policy NAT running with NAT exemption before? I am trying to policy NAT POP3 traffic to an external address to be routed straight out and leave all other traffic passed through the PIX using its internal address - do you think this should work?

Cheers
Guy
|
Posted by Andrey Tarasov on October 15, 2007, 11:57 am
Guyster wrote:
> I don't have it to hand right now as I have left the site - I am due
> back for a couple of days but I will try and get hold of it in the
> meantime. I took a look on Cisco's site this afternoon and found the
> following in the section on policy NAT:
>
> Note: All types of NAT support policy NAT except for NAT exemption
> (nat 0 access-list). NAT exemption uses an access control list in
> order to identify the local addresses, but differs from policy NAT in
> that the ports are not considered.
>
> Have you had Policy NAT running with NAT exemption before, I am trying
> to policy NAT POP3 traffic to an external address to be routed
> straight out and leave all other traffic passed through the PIX using
> its internal address - do you think this should work?

Yes I did. Hint - it doesn't have to be the same NAT ;-)

    nat (nameif) 0 access-list <your NAT-exemption ACL>
    nat (nameif) 1 access-list <your policy-NAT ACL for POP3>
    global (nameif) 1 <external IP for policy-NAT>

Make sure that the destination in the NAT exemption ACL does not overlap with the policy NAT. In other words - "any" in both is a bad idea.

Regards,
Andrey.
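A concrete PIX 7.x rendering of the split Andrey describes, added here as an illustration and not taken from either poster's configuration; the interface names, ACL names, internal networks, the external mail server 198.51.100.25 and the public address 203.0.113.10 are all assumed:

```cisco
! Added example, not from the thread. Assumed topology:
!   inside LAN            192.168.10.0/24
!   internal networks     10.20.0.0/16 and 10.30.0.0/16 (reached across the PIX)
!   external POP3 server  198.51.100.25
!   public address        203.0.113.10

! NAT exemption (nat 0) is evaluated before the other nat rules and ignores
! ports, so its ACL must name only the internal destinations. Writing
! "any" as the destination here would also swallow the POP3 traffic.
access-list NONAT permit ip 192.168.10.0 255.255.255.0 10.20.0.0 255.255.0.0
access-list NONAT permit ip 192.168.10.0 255.255.255.0 10.30.0.0 255.255.0.0

! Policy NAT ACL: only POP3 from the LAN to the external mail server.
! Unlike NAT exemption, policy NAT does take the port into account.
access-list POP3-OUT permit tcp 192.168.10.0 255.255.255.0 host 198.51.100.25 eq pop3

! Two different NAT IDs: 0 for the exemption, 1 for the policy NAT.
nat (inside) 0 access-list NONAT
nat (inside) 1 access-list POP3-OUT
global (outside) 1 203.0.113.10

! Traffic from the LAN that matches neither ACL has no translation; with
! nat-control enabled it is dropped, so add a further nat/global pair if
! other outbound traffic must also leave via the outside interface.
```

Once applied, `show xlate` should show 192.168.10.x translated to 203.0.113.10 only for POP3 sessions to 198.51.100.25, while sessions to the 10.20.0.0/16 and 10.30.0.0/16 networks keep their original source address.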
|
Posted by Guyster on October 15, 2007, 12:06 pm
> Guyster wrote:
> > I don't have it to hand right now as I have left the site - I am due
> > back for a couple of days but I will try and get hold of it in the
> > meantime. I took a look on Cisco's site this afternoon and found the
> > following in the section on policy NAT:
> >
> > Note: All types of NAT support policy NAT except for NAT exemption
> > (nat 0 access-list). NAT exemption uses an access control list in
> > order to identify the local addresses, but differs from policy NAT in
> > that the ports are not considered.
> >
> > Have you had Policy NAT running with NAT exemption before, I am trying
> > to policy NAT POP3 traffic to an external address to be routed
> > straight out and leave all other traffic passed through the PIX using
> > its internal address - do you think this should work?
>
> Yes I did. Hint - it doesn't have to be the same NAT ;-)
>
> nat (nameif) 0 access-list
> nat (nameif) 1 <your policy-NAT for POP3>
> global (nameif) 1 <external IP for policy-NAT>
>
> Make sure that destination in NAT exemption ACL does not overlap with
> policy-NAT. In other words - "any" in both is bad idea.
>
> Regards,
> Andrey.

Thanks very much for that - I will give it another go; I was beginning to think it was a non-starter. If I can't get it working I will post the config later.

Cheers
Guy