NAT'ing to different outside addresses based on port _or_ destination address

I am trying to find out if I can NAT to different "outside" interfaces based on the destination port and/or destination address specified by a machine on the inside. (What I've read so far in the PIX documentation hasn't shed enough light on this for me.)

For example:

  • We have a single inside LAN (e.g., 10.x.x.x) and two outside interfaces, each on a different public network, let's say outside-1 = 1.1.1.x and outside-2 = 2.2.2.x. There is no routing protocol being used; each outside interface should have its own default route (to a different public-facing router).

  • We want HTTP traffic that originates from inside to the outside world (e.g., web surfing from the inside LAN) to be NAT'ed through outside-1.

  • We want all POP and SMTP traffic to be NAT'ed via outside-2.

  • We want all HTTP traffic that goes to a particular public address (e.g., 3.3.3.3) to also be NAT'ed via outside-2.

  • All other traffic should be NAT'ed through outside-1 ("default NAT").

I realize that the above is similar to "policy-based routing" if it were a router, but I think it doesn't quite work this way in a PIX. Is it possible to do what I'm proposing? The PIX in question is a 515E with 6.3(4) s/w (upgradable to 7.2 if necessary).

Thanks for your help.

Reply to
theodorehope

It's all possible and it's called Policy NAT.

You need to define groups of nat + global statements with different IDs and use access-lists to classify your traffic.

For example

  nat (inside) 1 access-list class1
  nat (inside) 2 access-list class2

  global (outside-1) 1 interface    (or whatever address pool)
  global (outside-2) 2 interface    (or whatever address pool)

  access-list class1 permit tcp any any eq 80

  access-list class2 permit tcp any host [whatever] eq 80
  access-list class2 permit tcp any any eq 25
  etc.

Then you would need a statement for the rest of the traffic to go through outside-1:

  nat (inside) 3 0.0.0.0 0.0.0.0
  global (outside-1) 3 interface    (or whatever address pool)

Note: you wouldn't really need the class1 nat + global, since this traffic is already included in the regular nat statement.

One thing: you cannot use deny statements in your ACL, so you may not be able to get as granular as you wish. If you don't have any other needs than those mentioned, you'll be OK.

Finally, if you start playing with this, read the Order of NAT Commands carefully; it can get tricky.

Order of NAT Commands Used to Match Local Addresses

The firewall matches local traffic to NAT commands in the following order:

  1. nat 0 access-list (NAT exemption): In order, until the first match. For example, you could have overlapping local/destination addresses in multiple nat commands, but only the first command is matched.

  2. static (static NAT): In order, until the first match. Because you cannot use the same local address in static NAT or static PAT commands, the order of static commands does not matter. Similarly, for static policy NAT, you cannot use the same local/destination address and port across multiple statements.

  3. static {tcp | udp} (static PAT): In order, until the first match. Because you cannot use the same local address in static NAT or static PAT commands, the order of static commands does not matter. Similarly, for static policy NAT, you cannot use the same local/destination address and port across multiple statements.

  4. nat nat_id access-list (policy NAT): In order, until the first match. For example, you could have overlapping local/destination ports and addresses in multiple nat commands, but only the first command is matched.

  5. nat (regular NAT): Best match. The order of the NAT commands does not matter. The nat statement that best matches the local traffic is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you also create a statement to translate only 10.1.1.1, when 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the local traffic best.

If you configure multiple global statements on the same NAT ID, the global statements are used in this order:

  1. No global if using nat 0 (identity NAT).

  2. Dynamic NAT global.

  3. PAT global.

Reply to
mcaissie
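To make the matching order concrete, here is a small Python model of how the PIX picks the NAT ID, and therefore the global (egress) interface, for an outbound flow. This is an added example, not PIX code or anything from the thread: it models only the two stages that matter for this setup, policy NAT (first match, in order) followed by regular NAT (best, i.e. most specific, match), and assumes there are no nat 0 or static entries. The ACL contents follow the question (HTTP to 3.3.3.3, SMTP and POP3 via outside-2, everything else via outside-1); the host 3.3.3.3 and the inside address 10.1.1.5 are the thread's placeholders and a constructed test address respectively. It also shows why the reply says the class1 nat + global is redundant, and what goes wrong if class1 is listed ahead of class2.

```python
"""Toy model of PIX 6.3 NAT-ID selection for outbound (inside -> outside) flows.

Added example, not PIX code.  Only policy NAT (nat ID access-list, first
match in order) and regular NAT (nat ID net mask, most-specific match) are
modelled; nat 0 and static entries are assumed absent.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple

ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One 'access-list NAME permit PROTO SRC DST [eq PORT]' line.
    Only permit entries exist: PIX policy-NAT ACLs cannot carry deny lines."""
    proto: str
    src: IPv4Network = ANY
    dst: IPv4Network = ANY
    dport: Optional[int] = None      # None = any destination port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class PolicyNat:
    """nat (inside) NAT_ID access-list NAME"""
    nat_id: int
    acl: Tuple[Ace, ...]


@dataclass(frozen=True)
class RegularNat:
    """nat (inside) NAT_ID NET MASK"""
    nat_id: int
    local: IPv4Network


def ace_matches(ace: Ace, flow: Flow) -> bool:
    return (ace.proto == flow.proto
            and ip_address(flow.src) in ace.src
            and ip_address(flow.dst) in ace.dst
            and (ace.dport is None or ace.dport == flow.dport))


def select_nat_id(policy_nats, regular_nats, flow: Flow) -> Optional[int]:
    # Stage 1: policy NAT, evaluated in configuration order, first match wins.
    for p in policy_nats:
        if any(ace_matches(a, flow) for a in p.acl):
            return p.nat_id
    # Stage 2: regular NAT, best match = longest prefix covering the local address.
    best = None
    for r in regular_nats:
        if ip_address(flow.src) in r.local and (
                best is None or r.local.prefixlen > best.local.prefixlen):
            best = r
    return best.nat_id if best else None   # None = no nat statement matched


def egress_interface(policy_nats, regular_nats, globals_by_id, flow: Flow):
    """The global statement sharing the chosen NAT ID names the outside interface."""
    return globals_by_id.get(select_nat_id(policy_nats, regular_nats, flow))


# Configuration as the reply recommends: class1 omitted, since plain HTTP is
# already covered by the regular nat (ID 1) and lands on outside-1.
CLASS2 = (Ace("tcp", dst=ip_network("3.3.3.3/32"), dport=80),   # HTTP to 3.3.3.3
          Ace("tcp", dport=25),                                  # SMTP
          Ace("tcp", dport=110))                                 # POP3
POLICY = (PolicyNat(2, CLASS2),)
REGULAR = (RegularNat(1, ANY),)           # nat (inside) 1 0.0.0.0 0.0.0.0
GLOBALS = {1: "outside-1", 2: "outside-2"}

# Mis-ordered variant: class1 (tcp any any eq 80) listed before class2.  Because
# policy NAT is first-match, HTTP to 3.3.3.3 now hits class1 and exits outside-1.
CLASS1 = (Ace("tcp", dport=80),)
POLICY_CLASS1_FIRST = (PolicyNat(1, CLASS1), PolicyNat(2, CLASS2))


def route(flow: Flow) -> Optional[str]:
    return egress_interface(POLICY, REGULAR, GLOBALS, flow)


def route_class1_first(flow: Flow) -> Optional[str]:
    return egress_interface(POLICY_CLASS1_FIRST, REGULAR, GLOBALS, flow)


if __name__ == "__main__":
    # 10.1.1.5 is a constructed inside host; 5.5.5.5 / 8.8.8.8 are arbitrary targets.
    for f in (Flow("10.1.1.5", "5.5.5.5", "tcp", 80),
              Flow("10.1.1.5", "3.3.3.3", "tcp", 80),
              Flow("10.1.1.5", "5.5.5.5", "tcp", 25),
              Flow("10.1.1.5", "8.8.8.8", "udp", 53)):
        print(f, "->", route(f), "| class1 first:", route_class1_first(f))
```

The model makes the two practical points of the reply visible: with class1 omitted, every flow not named in class2 falls through to the regular nat (ID 1) and leaves via outside-1, and because policy NAT stops at the first matching nat statement, putting a broad "any any eq 80" entry ahead of the more specific 3.3.3.3 entry silently steals that traffic back to outside-1. Since deny lines are not available in these ACLs, ordering the nat statements from most to least specific is the only way to get the intended classification.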
