PIX question Policy NAT - quite urgent -

I have the same question. The reference is the following article, section Policy NAT.

What does it mean that an access list for policy NAT cannot have DENY statements?

I thought to create two complementary ACLs, one for a pool of addresses and ports and one for the rest of the world using DENY statements, but the specifications don't allow me to do that.

Perhaps the nat ids become important; I mean, do they represent the order in which the ACLs are processed?

Briefly, I have built a VPN to a remote site, say VPN_remote_IP; I have 2 interfaces on the Internet with 2 IPs, 4_Internet IP and VPN__IP. I have published the mail server on the outside interface (packets coming from and going to it pass through the outside interface).

Following the article's suggestions I wish to create

access-list 2VPN-Endpoints permit tcp 192.168.4.0 255.255.255.0 VPN_remote_IP 255.255.255.255 eq 500
access-list 2VPN-Endpoints permit tcp 192.168.4.0 255.255.255.0 VPN_remote_IP 255.255.255.255 eq 4500
access-list 2VPN-Endpoints permit tcp 192.168.4.0 255.255.255.0 VPN_remote_IP 255.255.255.255 eq 5000

access-list 2WEB permit ip 192.168.4.0 255.255.255.0 0.0.0.0 0.0.0.0

and applying them in the following order

nat (inside) 1 access-list 2VPN-Endpoints
nat (inside) 2 access-list 2WEB

global (outside) 1 255.255.255.255
global (outside) 2 255.255.255.255

The question is:

As told above, is it correct, or do the nat id numbers have a priority meaning, so that putting 2VPN-Endpoints at the top of the translation process lets the IPsec packets be translated by the 1st IP and all the rest of the packets by the 2nd IP? I don't need a deny statement at the bottom of the 1st access list, do I?

The article doesn't talk about a PIX with 2 interfaces on the Internet side. What is your opinion? Any comments are welcome,

Alex.

Reply to
AM

In article , AM wrote:
:What does it mean that an access list for policy NAT cannot have DENY statements?

Just that -- they don't allow deny statements in those ACLs.

:I thought to create two complementary ACLs for a pool of addresses and ports and for the rest of the world using DENY
:statements but the specifications don't allow me to do that.

:Perhaps the nat ids become important, I mean, do they represent the order in which the ACLs are processed?

No, the nat ids have *no* significance other than the special value 0 and the fact that they act as groupings. No prioritization of any sort is implied.

Policy nat is matched "in order, until the first match". That means literally in the order that the nat statements occur in your configuration.

:Following the article suggestions I wish create

:and applying them in the following order

:nat (inside) 1 access-list 2VPN-Endpoints
:nat (inside) 2 access-list 2WEB

:The question is:

:as told above, is it correct or have nat Ids numbers priority meaning so putting the 2VPNendpoint at the top of the
:translation process let the IPsec packets to be translated by the 1st IP and all of the rest of the packets by the 2nd
:IP? I needn't a deny statement at the bottom of the 1st access list, do I?

No prioritization by nat id (but nat 0 access-list is always first):

2VPN-Endpoints will be used first because that's the first one in your configuration. If you had

nat (inside) 2 access-list 2WEB
nat (inside) 1 access-list 2VPN-Endpoints

then 2WEB would be evaluated first because that would be the first one in the configuration.

Reply to
Walter Roberson
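A small Python model of the first-match behaviour Walter describes, added here as an illustration (it is not code from the thread or from Cisco). The VPN_remote_IP and the two global addresses are constructed documentation-range placeholders, and the ACEs keep the protocol and ports exactly as posted in the question.

```python
import ipaddress

# Constructed stand-in for the thread's configuration. VPN_REMOTE_IP and the two
# global addresses are documentation-range placeholders, not the poster's real IPs.
VPN_REMOTE_IP = "203.0.113.10"
ACLS = {  # name -> list of (proto, src/mask, dst/mask, dport or None); permit lines only
    "2VPN-Endpoints": [
        ("tcp", "192.168.4.0/255.255.255.0", VPN_REMOTE_IP + "/255.255.255.255", 500),
        ("tcp", "192.168.4.0/255.255.255.0", VPN_REMOTE_IP + "/255.255.255.255", 4500),
        ("tcp", "192.168.4.0/255.255.255.0", VPN_REMOTE_IP + "/255.255.255.255", 5000),
    ],
    "2WEB": [("ip", "192.168.4.0/255.255.255.0", "0.0.0.0/0.0.0.0", None)],
}
GLOBALS = {1: "198.51.100.1", 2: "198.51.100.2"}  # global (outside) <id> <ip>


def acl_permits(acl, proto, src, dst, dport):
    """Policy NAT ACLs hold only permit lines, so the first ACE that fits means 'match'."""
    for e_proto, e_src, e_dst, e_dport in acl:
        if e_proto != "ip" and e_proto != proto:
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(e_src, strict=False):
            continue
        if ipaddress.ip_address(dst) not in ipaddress.ip_network(e_dst, strict=False):
            continue
        if e_dport is not None and e_dport != dport:
            continue
        return True
    return False


def translate(nat_lines, proto, src, dst, dport):
    """nat_lines: [(nat_id, acl_name), ...] in the order they appear in the config.
    Mirrors the rule stated in the thread: nat 0 (exemption) is consulted first,
    then the remaining statements strictly in configuration order; the id only
    selects which 'global' pool is used and carries no priority of its own."""
    ordered = [n for n in nat_lines if n[0] == 0] + [n for n in nat_lines if n[0] != 0]
    for nat_id, acl_name in ordered:
        if acl_permits(ACLS[acl_name], proto, src, dst, dport):
            return "untranslated (nat 0)" if nat_id == 0 else GLOBALS[nat_id]
    return None  # no policy NAT statement matched this flow


AS_POSTED = [(1, "2VPN-Endpoints"), (2, "2WEB")]  # the order in the question
SWAPPED = [(2, "2WEB"), (1, "2VPN-Endpoints")]    # same ids, reversed config order

if __name__ == "__main__":
    for order in (AS_POSTED, SWAPPED):
        print(order, "->", translate(order, "tcp", "192.168.4.10", VPN_REMOTE_IP, 500))
```

Swapping the two nat lines changes which global IP the port 500 flow receives even though the ids are unchanged. Note also that with the ACL written as posted (tcp), actual IKE and NAT-T traffic, which runs over UDP 500/4500, would fall through to 2WEB.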


Thanks Walter, but how to invert, or better, how to specify the order for nat? I haven't tried it yet, but can I specify the line as in the commands for access-lists? I will try, but if you know please let me know. Thanks,

Alex.

Reply to
AM

Perhaps removing all NATs and inserting new ones in the wanted order? :)

Alex.

Reply to
AM

In article , AM wrote:
:AM wrote:
:> Thanks Walter, but how to invert, or better, how to specify order for
:> nat. I haven't tried still now but can I specify the line as in commands
:> for access-lists? I will try, but if you know please let me know. Thanks,

:Perhaps removing all NATs and inserting new ones in wanted order? :)

Exactly. Either that or redefine the meaning of the access-lists ;-)

Reply to
Walter Roberson
