PIX - mixing "nat 0 access-list" with nat/global pools

Is it possible to mix "nat 0 access-list" for connections between two PIX interfaces, and have nat/global for connections between two other interfaces?

For example, if the three interfaces are 10.0.100.0/24, 10.0.50.0/24 and 10.0.30.0/24 (where the third octet also specifies security level), and NAT isn't required between 10.0.100.0/24 and 10.0.50.0/24, but is needed between 10.0.100.0/24 and 10.0.30.0/24, would the following work:

access-list NONAT permit ip 10.0.100.0 255.255.255.0 10.0.50.0 255.255.255.0
access-list NONAT permit ip 10.0.50.0 255.255.255.0 10.0.100.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 10.0.100.0 255.255.255.0
global (net-30) 1 10.0.30.254

Will the PIX still proxy ARP for NATed addresses on the net-30 interface?

Cheers,

Matt

Matthew Melbourne

I believe you can just:

nat (inside) 0 10.0.50.0 255.255.255.0

I also believe the access-list NONAT thing you refer to is mainly to make an exception to the normal nat rule by specifying something specific in the access-list to exclude.

Mark W. Dufault

Not sure about that; nat 0 is "identity NAT", and 10.0.50.0/24 isn't the range for the inside interface. I require something different: basically, to disable NAT between the inside interface and, say, interface A but also perform NAT between the inside interface and interface B.

I'm sure it would be possible using net statics:

static (inside,net-50) 10.0.100.0 255.255.255.0 10.0.100.0 255.255.255.0
nat (inside) 1 10.0.100.0 255.255.255.0
global (net-30) 1 10.0.30.254

However, although the net static was configured previously, we did notice that many individual statics were created, on a per-connection basis, even though the ACL applied to the interface denied the traffic (almost as if the static was created first, before the ACL was checked). This was an issue when infected hosts were sending ICMP echos to random machines on the inside interface (assuming each static translation requires a finite amount of memory). NAT 0 access-list doesn't require static translations to be maintained.

So, if we want to effectively disable NAT between the inside interface and the net-50 interface, but enable NAT (PAT in this example) between the inside interface and net-30, would the following work? The traffic between the inside interface and net-30 interface does not match the NONAT ACL.

access-list NONAT permit ip 10.0.100.0 255.255.255.0 10.0.50.0 255.255.255.0
access-list NONAT permit ip 10.0.50.0 255.255.255.0 10.0.100.0 255.255.255.0
nat (inside) 0 access-list NONAT
nat (inside) 1 10.0.100.0 255.255.255.0
global (net-30) 1 10.0.30.254

Also, does the use of "nat 0 access-list" disable proxy ARP for NATed addresses on other interfaces, e.g. the PATed address on the net-30 interface?

Cheers,

Matt

Matthew Melbourne
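Added example (not part of the thread, and not Cisco code): a small Python model of the lookup order the two posts above turn on, fed with the configuration Matt proposes, so the reader can see how each flow is treated. The model assumes that a "nat 0 access-list" exemption is evaluated before the nat/global pools and matches in both directions, that "nat 0 <net>" identity NAT matches only traffic sourced from that net, that a global with a single address is PAT, and that a nat id with no global on the egress interface gets no translation. Statics, policy NAT, security levels and proxy ARP are left out. The Pix class, its method names and the host addresses 10.0.100.10, 10.0.50.20 and 10.0.30.20 are invented for the model.

```python
"""Toy model of PIX 6.x NAT selection for one flow (added example, not Cisco code).

Assumptions encoded here: 'nat 0 access-list' (NAT exemption) is checked
before the nat/global pools and matches in both directions; 'nat 0 <net>'
(identity NAT) only matches traffic sourced from that net; a global with a
single address is PAT; a nat id without a global on the egress interface
gives no translation.  Statics, policy NAT and security levels are omitted.
"""
import ipaddress


class Pix:
    def __init__(self):
        self.acls = {}       # name -> [(src_net, dst_net)]
        self.nat_rules = []  # [(iface, nat_id, ("acl", name) | ("net", network))]
        self.globals = {}    # (iface, nat_id) -> [addresses]

    # --- configuration entry points, mirroring the PIX command syntax ---
    def access_list(self, name, src, smask, dst, dmask):
        self.acls.setdefault(name, []).append(
            (ipaddress.ip_network(f"{src}/{smask}"),
             ipaddress.ip_network(f"{dst}/{dmask}")))

    def nat(self, iface, nat_id, *args):
        if args[0] == "access-list":
            self.nat_rules.append((iface, nat_id, ("acl", args[1])))
        else:
            net = ipaddress.ip_network(f"{args[0]}/{args[1]}")
            self.nat_rules.append((iface, nat_id, ("net", net)))

    def global_(self, iface, nat_id, *addrs):
        self.globals.setdefault((iface, nat_id), []).extend(addrs)

    # --- lookup ---
    def _acl_hit(self, name, src, dst):
        return any(src in s and dst in d for s, d in self.acls.get(name, []))

    def translate(self, in_if, out_if, src, dst):
        """Return (action, source address as seen on out_if) for one flow."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # 1. NAT exemption: a nat 0 access-list on the ingress interface, or on
        #    the egress interface with the addresses swapped (bidirectional).
        for iface, nat_id, (kind, arg) in self.nat_rules:
            if nat_id != 0 or kind != "acl":
                continue
            if (iface == in_if and self._acl_hit(arg, src, dst)) or \
               (iface == out_if and self._acl_hit(arg, dst, src)):
                return ("exempt", str(src))
        # 2. Identity NAT (nat 0 <net>) and regular nat/global, in config order.
        for iface, nat_id, (kind, arg) in self.nat_rules:
            if iface != in_if or kind != "net" or src not in arg:
                continue
            if nat_id == 0:
                return ("identity", str(src))
            pool = self.globals.get((out_if, nat_id))
            if not pool:
                return ("no-translation-group", str(src))
            return ("pat" if len(pool) == 1 else "nat", pool[0])
        return ("no-translation-group", str(src))


def thread_config():
    """The configuration proposed in the thread, entered through the model."""
    p = Pix()
    p.access_list("NONAT", "10.0.100.0", "255.255.255.0", "10.0.50.0", "255.255.255.0")
    p.access_list("NONAT", "10.0.50.0", "255.255.255.0", "10.0.100.0", "255.255.255.0")
    p.nat("inside", 0, "access-list", "NONAT")
    p.nat("inside", 1, "10.0.100.0", "255.255.255.0")
    p.global_("net-30", 1, "10.0.30.254")
    return p


def identity_config():
    """Variant with 'nat (inside) 0 10.0.50.0 255.255.255.0' in place of the ACL."""
    p = Pix()
    p.nat("inside", 0, "10.0.50.0", "255.255.255.0")
    p.nat("inside", 1, "10.0.100.0", "255.255.255.0")
    p.global_("net-30", 1, "10.0.30.254")
    return p


if __name__ == "__main__":
    p = thread_config()
    for flow in [("inside", "net-50", "10.0.100.10", "10.0.50.20"),
                 ("net-50", "inside", "10.0.50.20", "10.0.100.10"),
                 ("inside", "net-30", "10.0.100.10", "10.0.30.20")]:
        print(flow, "->", p.translate(*flow))
    print("identity variant, inside->net-50:",
          identity_config().translate("inside", "net-50", "10.0.100.10", "10.0.50.20"))
```

Under those assumptions the model reports "exempt" for traffic in either direction between inside and net-50, PAT to 10.0.30.254 for inside to net-30 (that traffic never matches NONAT, so it falls through to nat id 1 and its global on net-30), and, for the "nat (inside) 0 10.0.50.0" variant, no translation group for inside to net-50, because 10.0.100.x is not in that range and nat id 1 has no global on net-50.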
