Policy NAT

Hi guys,

We have a nat 0 (NAT exemption) network setup that uses PIX firewalls. I am trying to implement policy NAT to ensure that certain traffic types are NATed out to an external IP address while others stay internal and pass over the PIX retaining their original IP address. It is causing me a problem, as it appears that NAT exemption does not support policy NAT. Does anyone have any idea if this will be possible? If not, any alternative suggestions would be appreciated.

Cheers Guy

Guyster

Can you post relevant part of your configuration? In general, using NAT exemption and policy NAT together shouldn't be a problem.

Regards, Andrey.

Andrey Tarasov

I don't have it to hand right now, as I have left the site. I am due back for a couple of days, but I will try and get hold of it in the meantime. I took a look on Cisco's site this afternoon and found the following in the section on policy NAT:

Note: All types of NAT support policy NAT except for NAT exemption (nat 0 access-list). NAT exemption uses an access control list in order to identify the local addresses, but differs from policy NAT in that the ports are not considered.

Have you had policy NAT running with NAT exemption before? I am trying to policy NAT POP3 traffic to an external address to be routed straight out, and leave all other traffic passing through the PIX using its internal address. Do you think this should work?

Cheers Guy

Guyster

Yes, I did. Hint: it doesn't have to be the same NAT ;-)

nat (nameif) 0 access-list
nat (nameif) 1
global (nameif) 1

Make sure that the destination in the NAT exemption ACL does not overlap with the policy NAT one. In other words, "any" in both is a bad idea.

Regards, Andrey.

Andrey Tarasov
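The overlap caveat above is the part that bites in practice: on the PIX, the NAT exemption ACL (nat 0 access-list) is evaluated before policy NAT, so any flow that matches both ACLs is exempted and the policy NAT entry for it is dead. The script below is an added example, not code from the posts or from Cisco; it parses PIX-style permit entries (subnet masks, host, any, eq port) out of two constructed configurations and reports entry pairs that overlap. The ACL names nonat and pop3out, the networks 10.1.1.0/24 and 192.168.10.0/24, the mail server 198.51.100.5 and the global address 203.0.113.10 are all assumed for illustration.

```python
"""Overlap check between a PIX NAT-exemption ACL (nat 0 access-list) and a
policy-NAT ACL. Added example for this thread, not code from the original
posts or from Cisco; ACL names, addresses and ports are constructed.

On the PIX the NAT-exemption ACL is evaluated before policy NAT, so a flow
matched by both ACLs is never translated and the policy-NAT entry is dead.
"""
import ipaddress
import re

PERMIT_RE = re.compile(r"^access-list\s+(\S+)\s+permit\s+(ip|tcp|udp)\s+(.+)$")
PORT_NAMES = {"pop3": 110, "smtp": 25, "www": 80, "https": 443}  # PIX keywords

# Constructed: both ACLs end in "any", so POP3 from 10.1.1.0/24 is exempted
# before the policy NAT is ever consulted (the situation warned about above).
BROKEN_CONFIG = """
access-list nonat permit ip 10.1.1.0 255.255.255.0 any
access-list pop3out permit tcp 10.1.1.0 255.255.255.0 any eq pop3
nat (inside) 0 access-list nonat
nat (inside) 1 access-list pop3out
global (outside) 1 203.0.113.10
"""

# Constructed: exemption limited to the internal destination network, policy
# NAT limited to the external mail server; the two ACLs no longer overlap.
FIXED_CONFIG = """
access-list nonat permit ip 10.1.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list pop3out permit tcp 10.1.1.0 255.255.255.0 host 198.51.100.5 eq pop3
nat (inside) 0 access-list nonat
nat (inside) 1 access-list pop3out
global (outside) 1 203.0.113.10
"""


def _parse_addr(tokens):
    """Consume one PIX address spec: 'any', 'host A', or 'A MASK'.
    PIX ACLs take real subnet masks (255.255.255.0), not IOS wildcards."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)


def parse_acls(config):
    """Return {acl_name: [(proto, src_net, dst_net, dst_port or None), ...]}.
    Deny lines and non-ACL config lines are ignored."""
    acls = {}
    for line in config.splitlines():
        m = PERMIT_RE.match(line.strip())
        if not m:
            continue
        name, proto, rest = m.groups()
        tokens = rest.split()
        src, dst = _parse_addr(tokens), _parse_addr(tokens)
        port = None
        if tokens and tokens[0] == "eq":
            port = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        acls.setdefault(name, []).append((proto, src, dst, port))
    return acls


def entries_overlap(a, b):
    """True if some flow could match both ACL entries."""
    proto_a, src_a, dst_a, port_a = a
    proto_b, src_b, dst_b, port_b = b
    if "ip" not in (proto_a, proto_b) and proto_a != proto_b:
        return False
    if not (src_a.overlaps(src_b) and dst_a.overlaps(dst_b)):
        return False
    return port_a is None or port_b is None or port_a == port_b


def conflicting_entries(config, exempt_acl, policy_acl):
    """Pairs (exempt_entry, policy_entry) that overlap. Any hit means the
    policy-NAT entry can never win for those flows."""
    acls = parse_acls(config)
    return [(e, p)
            for e in acls.get(exempt_acl, [])
            for p in acls.get(policy_acl, [])
            if entries_overlap(e, p)]


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        hits = conflicting_entries(cfg, "nonat", "pop3out")
        print(f"{label}: {len(hits)} overlapping entry pair(s)")
        for e, p in hits:
            print(f"  exempt {e[1]} -> {e[2]} shadows policy {p[1]} -> {p[2]} port {p[3]}")
```

Run it against your own config by pasting the access-list lines into a string and calling conflicting_entries with the ACL names used by your nat 0 and policy nat statements; a non-empty result is exactly the "any in both" problem, and the fix is to narrow the exemption ACL to the internal destinations and the policy ACL to the external server and port.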

Thanks very much for that. I will give it another go; I was beginning to think it was a non-starter. If I can't get it working I will post the config later.

Cheers Guy

Guyster

Hi,

It seems to be working fine now; I just needed to tweak my access lists a little. Thanks for your help.

Cheers Guy

Guyster

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.