Pix506e NAT question

I'm no Pix wizard, and I'm in a bit of a rush... no other firewall has managed to confuse me as well as the Pix.

I have the following config, with two available external IPs (.147 and .148):

ip address outside 72.x.x.147 255.255.255.248
ip address inside 192.168.10.254 255.255.255.0

global (outside) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 72.x.x.148 https SERVER https netmask 255.255.255.255 0 0
static (inside,outside) tcp 72.x.x.148 smtp SERVER smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 72.x.x.148 pop3 SERVER pop3 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside

Everything works fine, except for when my SERVER goes out, it uses the Global PAT address of the outside interface (.147) instead of .148. Our MX record is for .148, and I need to add a reverse DNS entry at .148 (stupid AOL!). So I need my server to be NAT'd to this IP, not the PAT IP of the external interface.

Is there a way to ensure that all traffic generated from my server outbound gets statically NAT'd to the "spare" external IP rather than my global PAT IP?

Reply to
markcedwards

In article , wrote: [PIX]

:ip address outside 72.x.x.147 255.255.255.248
:ip address inside 192.168.10.254 255.255.255.0

:global (outside) 1 interface
:nat (inside) 0 access-list inside_outbound_nat0_acl
:nat (inside) 1 0.0.0.0 0.0.0.0 0 0
:static (inside,outside) tcp 72.x.x.148 https SERVER https netmask 255.255.255.255 0 0
:static (inside,outside) tcp 72.x.x.148 smtp SERVER smtp netmask 255.255.255.255 0 0
:static (inside,outside) tcp 72.x.x.148 pop3 SERVER pop3 netmask 255.255.255.255 0 0
:access-group outside_access_in in interface outside

:Everything works fine, except for when my SERVER goes out, it uses the :Global PAT address of the outside interface (.147) instead of .148.

Remove the three statics you have now and add instead

static (inside,outside) 72.x.x.148 SERVER netmask 255.255.255.255 0 0

That will cause translation at the IP level, leaving the port numbers alone, not just passing through https smtp and pop3 to SERVER.

If, though, you do want to use PAT for SERVER for all ports other than the three you list, then leave in those three statics and add

nat (inside) 2 SERVER 255.255.255.255
global (outside) 2 72.x.x.148

The 2 has no significance other than to be an arbitrary identifier to match up the statements -- using 2 does NOT indicate that the nat is higher or lower priority than the nat 1 that you have already. Regular nat statements are processed according to "longest match" -- so because the SERVER 255.255.255.255 is more specific than 0.0.0.0 0.0.0.0 then the corresponding global will be chosen for SERVER's traffic but all other traffic would use the other NAT... except the traffic for those static statements. static has a higher priority than regular nat... but be careful because regular static has a higher priority than port static.


Reply to
Walter Roberson
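To check which outside address SERVER's outbound mail will actually carry (the thing the reverse DNS entry has to match), here is a small model of the selection order described in the reply above: statics beat nat statements, a regular static beats a port static, and among nat statements the most specific (longest match) wins. This is an added illustration written for this thread, not Cisco code and not the poster's config; SERVER's inside address (192.168.10.10) and the two external addresses (203.0.113.147/.148, standing in for 72.x.x.147/.148) are constructed, and the nat 0 access-list exemption is ignored because the ACL contents are not on the page.

```python
"""Model of PIX outbound translation selection as described in the reply:
static beats nat, regular static beats port static, nat uses longest match.
Added illustration only; all addresses below are constructed (TEST-NET-3)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

# Constructed stand-ins for the thread's 72.x.x.147 / .148 and the unnamed SERVER.
OUTSIDE_IF = "203.0.113.147"   # PAT address of the outside interface
SPARE_IP = "203.0.113.148"     # the "spare" external IP that holds the MX record
SERVER = "192.168.10.10"       # assumed inside address of SERVER


@dataclass
class Static:
    global_ip: str
    local_ip: str
    port: Optional[int] = None   # None = regular (IP-level) static, else a port static


@dataclass
class Nat:
    nat_id: int
    local_net: IPv4Network       # 0.0.0.0/0 models "nat (inside) 1 0.0.0.0 0.0.0.0"


@dataclass
class Global:
    nat_id: int
    address: str                 # an IP, or "interface" for the outside interface


@dataclass
class PixNat:
    statics: List[Static] = field(default_factory=list)
    nats: List[Nat] = field(default_factory=list)
    globals_: List[Global] = field(default_factory=list)

    def outbound_address(self, src_ip: str, src_port: int) -> Optional[str]:
        """Outside source address a packet from src_ip:src_port leaves with.
        The nat 0 exemption ACL from the thread is not modelled."""
        src = IPv4Address(src_ip)
        # 1. statics win over nat; a regular static beats a matching port static
        hits = [s for s in self.statics
                if IPv4Address(s.local_ip) == src and s.port in (None, src_port)]
        hits.sort(key=lambda s: s.port is not None)   # regular statics (port None) first
        if hits:
            return hits[0].global_ip
        # 2. nat: the most specific (longest prefix) matching statement is chosen
        matches = [n for n in self.nats if src in n.local_net]
        if not matches:
            return None                                 # untranslated: PIX drops it
        best = max(matches, key=lambda n: n.local_net.prefixlen)
        for g in self.globals_:
            if g.nat_id == best.nat_id:                 # the id only pairs nat with global
                return OUTSIDE_IF if g.address == "interface" else g.address
        return None


def original_config() -> PixNat:
    """The poster's config: three port statics plus nat 1 / global 1 interface."""
    return PixNat(
        statics=[Static(SPARE_IP, SERVER, 443), Static(SPARE_IP, SERVER, 25),
                 Static(SPARE_IP, SERVER, 110)],
        nats=[Nat(1, IPv4Network("0.0.0.0/0"))],
        globals_=[Global(1, "interface")],
    )


def with_nat_2() -> PixNat:
    """Second fix from the reply: keep the port statics, add nat 2 / global 2."""
    cfg = original_config()
    cfg.nats.append(Nat(2, IPv4Network(f"{SERVER}/32")))
    cfg.globals_.append(Global(2, SPARE_IP))
    return cfg


def with_single_static() -> PixNat:
    """First fix from the reply: one IP-level static replaces the three port statics."""
    return PixNat(
        statics=[Static(SPARE_IP, SERVER)],
        nats=[Nat(1, IPv4Network("0.0.0.0/0"))],
        globals_=[Global(1, "interface")],
    )


if __name__ == "__main__":
    for name, cfg in [("original", original_config()), ("nat 2", with_nat_2()),
                      ("single static", with_single_static())]:
        print(f"{name:14} SERVER:40000 -> {cfg.outbound_address(SERVER, 40000)}   "
              f"192.168.10.20:40000 -> {cfg.outbound_address('192.168.10.20', 40000)}")
```

Running it shows the symptom and both cures: under the original config a new connection from SERVER on an ephemeral port has no matching port static, falls through to nat 1 and leaves as .147, while under either fix it leaves as .148 and every other inside host still uses the interface PAT address. If you want to confirm the behaviour on the box itself rather than in a model, `show xlate` after sending a test message will list the translation the PIX actually built for SERVER.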
