I have a situation in which I am trying to disable translation between a source on the inside and a destination on the outside, but only over certain ports. The remaining ports between the same source and destination should be translated as defined in the nat/global rules.
My first inclination was to use nat 0 list to bypass translation between specific source/destination IPs over specific ports. Unfortunately, the PIX did not feel the same way and yelled at me when I tried:

ERROR: access-list has protocol or port

I was forced to seek another solution.
To better explain my situation, let's assume I have two interfaces:

Inside: 192.168.1.0/24
Outside: 192.168.2.0/24

The inside subnet is translated with the following rules when accessing the outside:

nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
A host on the inside, 192.168.1.1, needs to access a host on the outside, 192.168.2.2, and for whatever reason the traffic going over tcp/23 from the inside host to the outside host should be exempt from NAT. The outside host, 192.168.2.2, should see the real address of the inside host when 192.168.1.1 accesses the outside host over tcp/
- For all other allowed traffic from 192.168.1.1 to 192.168.2.2, the inside host should be NAT'd to the outside interface.

192.168.1.1 to 192.168.2.2 over tcp/23 (NAT-exempt)
192.168.1.1 to 192.168.2.2 over tcp/80, tcp/443, etc. (NAT)
Is it possible to accomplish the above situation on the PIX? Because the nat 0 list does not allow protocol or port specification, I have tried a variety of static translations to achieve the desired functionality, but have not come across a solution.
Adam
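For anyone reproducing the setup described in the post, the configuration below pulls the pieces together as one PIX 6.x-style fragment. This is an added reconstruction, not Adam's posted config: the access-list names (TELNET_EXEMPT, HOSTS_EXEMPT) are assumptions, and the last nat 0 line is the one the post reports the PIX rejecting. The thread contains no answer to the question, and none is supplied here.

```text
! Added reconstruction of the configuration described in the post above;
! not the poster's own config. Access-list names are assumptions.

! Existing dynamic translation: everything from inside to outside is
! PATed to the outside interface address.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! Desired exemption: only tcp/23 from 192.168.1.1 to 192.168.2.2.
access-list TELNET_EXEMPT permit tcp host 192.168.1.1 host 192.168.2.2 eq 23

! Attempted NAT exemption. Per the post, the PIX rejects this because a
! nat 0 access-list may not carry a protocol or port:
!   ERROR: access-list has protocol or port
nat (inside) 0 access-list TELNET_EXEMPT

! Dropping the port makes the command accepted, but the exemption then
! covers every port between the two hosts, which is not what is wanted:
! access-list HOSTS_EXEMPT permit ip host 192.168.1.1 host 192.168.2.2
! nat (inside) 0 access-list HOSTS_EXEMPT
```

One check worth making before spending time on port-based static entries: a static PAT line of the form `static (inside,outside) tcp <mapped_ip> <mapped_port> <real_ip> <real_port> netmask 255.255.255.255` matches on the inside host's own port (real_port), not on the destination port. An outbound telnet session from 192.168.1.1 uses an ephemeral source port and a destination port of 23, so an identity static PAT for port 23 is not hit by that traffic, which is consistent with the static variations in the post not achieving the goal.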