Policy NAT

Posted by Guyster on October 15, 2007, 9:06 am
Hi guys,

We have a nat 0 (nat exemption) network setup that uses PIX firewalls.
I am trying to implement policy NAT to ensure that certain traffic
types are NATed out to an external IP address and others stay internal
and pass over the PIX retaining their original IP address. It is
causing me a problem as it appears that NAT exemption does not support
policy NAT. Does anyone have any idea if this will be possible? If not,
then any alternative suggestions would be appreciated.

Cheers
Guy


Posted by Andrey Tarasov on October 15, 2007, 11:21 am
Guyster wrote:
> Hi guys,
>
> We have a nat 0 (nat exemption) network setup that uses PIX firewalls.
> I am trying to implement policy NAT to ensure that certain traffic
> types are NATed out to an external IP address and others stay internal
> and pass over the PIX retaining their original IP address. It is
> causing me a problem as it appears that NAT exemption does not support
> policy NAT. Does anyone have any idea if this will be possible? If not,
> then any alternative suggestions would be appreciated.

Can you post relevant part of your configuration? In general, using NAT
exemption and policy NAT together shouldn't be a problem.

Regards,
Andrey.

Posted by Guyster on October 15, 2007, 11:39 am
> Guyster wrote:
> > Hi guys,
>
> > We have a nat 0 (nat exemption) network setup that uses PIX firewalls.
> > I am trying to implement policy NAT to ensure that certain traffic
> > types are NATed out to an external IP address and others stay internal
> > and pass over the PIX retaining their original IP address. It is
> > causing me a problem as it appears that NAT exemption does not support
> > policy NAT. Does anyone have any idea if this will be possible? If not,
> > then any alternative suggestions would be appreciated.
>
> Can you post relevant part of your configuration? In general, using NAT
> exemption and policy NAT together shouldn't be a problem.
>
> Regards,
> Andrey.

I don't have it to hand right now as I have left the site - I am due
back for a couple of days but I will try and get hold of it in the
meantime. I took a look on Cisco's site this afternoon and found the
following in the section on policy NAT:

Note: All types of NAT support policy NAT except for NAT exemption
(nat 0 access-list). NAT exemption uses an access control list in
order to identify the local addresses, but differs from policy NAT in
that the ports are not considered.

Have you had policy NAT running with NAT exemption before? I am trying
to policy NAT POP3 traffic to an external address to be routed
straight out and leave all other traffic passed through the PIX using
its internal address. Do you think this should work?

Cheers
Guy


Posted by Andrey Tarasov on October 15, 2007, 11:57 am
Guyster wrote:

> I don't have it to hand right now as I have left the site - I am due
> back for a couple of days but I will try and get hold of it in the
> meantime. I took a look on Cisco's site this afternoon and found the
> following in the section on policy NAT:
>
> Note: All types of NAT support policy NAT except for NAT exemption
> (nat 0 access-list). NAT exemption uses an access control list in
> order to identify the local addresses, but differs from policy NAT in
> that the ports are not considered.
>
> Have you had policy NAT running with NAT exemption before? I am trying
> to policy NAT POP3 traffic to an external address to be routed
> straight out and leave all other traffic passed through the PIX using
> its internal address. Do you think this should work?

Yes I did. Hint - it doesn't have to be the same NAT ;-)

nat (nameif) 0 access-list
nat (nameif) 1 <your policy-NAT for POP3>
global (nameif) 1 <external IP for policy-NAT>

Make sure that the destination in the NAT exemption ACL does not overlap
with the policy NAT ACL. In other words, "any" in both is a bad idea.

Regards,
Andrey.
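The overlap caveat above is the part that is easy to get wrong: on the PIX, `nat 0 access-list` (exemption) is evaluated before any numbered `nat` statement, and, as the Cisco note quoted earlier says, exemption ignores ports. So if the exemption ACL's source/destination pairs overlap those of the policy NAT ACL, POP3 flows to an overlapping destination are exempted and never reach the `nat 1` / `global 1` pair. The following Python script is an added example, not code from the thread or from Cisco: it parses a small constructed PIX-style configuration laid out like Andrey's outline (ACL names, interface names and addresses are all made up) and reports policy NAT ACL entries that are shadowed by the exemption ACL. The parser handles only plain `permit` lines with network/mask, `host` and `any` address forms and an optional `eq` port, which is an assumption sufficient for this check, not full PIX ACL syntax.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample config (not from the thread). The exemption ACL uses
# "any" as destination, so it swallows POP3 traffic before nat 1 can see it.
BAD_CONFIG = """
access-list NONAT permit ip 192.168.1.0 255.255.255.0 any
access-list POP3-NAT permit tcp 192.168.1.0 255.255.255.0 any eq pop3
nat (inside) 0 access-list NONAT
nat (inside) 1 access-list POP3-NAT
global (outside) 1 203.0.113.10
"""

# Same layout, but the exemption is scoped to the internal 10/8 space and
# the policy NAT is scoped to the external mail server, so nothing overlaps.
GOOD_CONFIG = """
access-list NONAT permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list POP3-NAT permit tcp 192.168.1.0 255.255.255.0 host 198.51.100.25 eq 110
nat (inside) 0 access-list NONAT
nat (inside) 1 access-list POP3-NAT
global (outside) 1 203.0.113.10
"""

ANY = ipaddress.ip_network("0.0.0.0/0")
PORT_NAMES = {"pop3": 110, "smtp": 25, "www": 80, "https": 443, "imap4": 143}


@dataclass
class AclEntry:
    acl: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]  # None means any port


def _parse_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one PIX address spec ("any", "host A.B.C.D" or "net mask")."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    # ipaddress accepts a dotted netmask after the slash
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_acls(config: str) -> Dict[str, List[AclEntry]]:
    """Collect permit entries of every access-list in the config, keyed by name."""
    acls: Dict[str, List[AclEntry]] = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        name, rest = t[1], t[2:]
        if rest[0] == "extended":  # PIX 7.x / ASA keyword, optional here
            rest = rest[1:]
        action, proto = rest[0], rest[1]
        if action != "permit":
            continue  # deny lines never select traffic for NAT
        src, rest = _parse_addr(rest[2:])
        dst, rest = _parse_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
        acls.setdefault(name, []).append(AclEntry(name, proto, src, dst, dport))
    return acls


def parse_nat(config: str) -> Tuple[Optional[str], Dict[int, str]]:
    """Return (exemption ACL name, {nat id: policy ACL name}) from nat lines."""
    exempt, policy = None, {}
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 5 and t[0] == "nat" and t[3] == "access-list":
            nat_id = int(t[2])
            if nat_id == 0:
                exempt = t[4]
            else:
                policy[nat_id] = t[4]
    return exempt, policy


def find_shadowed(config: str) -> List[Tuple[int, AclEntry, AclEntry]]:
    """Policy NAT entries whose traffic would be caught by nat 0 first.

    Exemption ignores ports, so only protocol and address overlap matter;
    an "ip" exemption entry covers every protocol.
    """
    acls = parse_acls(config)
    exempt, policy = parse_nat(config)
    hits = []
    for nat_id, acl_name in policy.items():
        for p in acls.get(acl_name, []):
            for e in acls.get(exempt or "", []):
                proto_ok = e.proto in ("ip", p.proto)
                if proto_ok and e.src.overlaps(p.src) and e.dst.overlaps(p.dst):
                    hits.append((nat_id, p, e))
    return hits


if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        for nat_id, p, e in find_shadowed(cfg):
            print(f"[{label}] nat {nat_id} entry {p.proto} {p.src} -> {p.dst} "
                  f"port {p.dport} is shadowed by {e.acl} ({e.src} -> {e.dst})")
```

Run it on a real configuration by pasting the `access-list`, `nat` and `global` lines into a string: any line the script prints is traffic that will leave the PIX with its original address rather than the `global 1` address, which is exactly the symptom described in the thread.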

Posted by Guyster on October 15, 2007, 12:06 pm
> Guyster wrote:
> > I don't have it to hand right now as I have left the site - I am due
> > back for a couple of days but I will try and get hold of it in the
> > meantime. I took a look on Cisco's site this afternoon and found the
> > following in the section on policy NAT:
>
> > Note: All types of NAT support policy NAT except for NAT exemption
> > (nat 0 access-list). NAT exemption uses an access control list in
> > order to identify the local addresses, but differs from policy NAT in
> > that the ports are not considered.
>
> > Have you had policy NAT running with NAT exemption before? I am trying
> > to policy NAT POP3 traffic to an external address to be routed
> > straight out and leave all other traffic passed through the PIX using
> > its internal address. Do you think this should work?
>
> Yes I did. Hint - it doesn't have to be the same NAT ;-)
>
> nat (nameif) 0 access-list
> nat (nameif) 1 <your policy-NAT for POP3>
> global (nameif) 1 <external IP for policy-NAT>
>
> Make sure that the destination in the NAT exemption ACL does not overlap
> with the policy NAT ACL. In other words, "any" in both is a bad idea.
>
> Regards,
> Andrey.

Thanks very much for that. I will give it another go; I was beginning
to think it was a non-starter. If I can't get it working I will post
the config later.

Cheers
Guy

