Hi,
Reading the initial problem more closely, the problem is actually asking to
NAT to a different source IP address for specific hosts on the Internet, and
has nothing to do with destination NAT.
On the PIX, you can't do this - on IOS, you can using route maps.
With regards to the alias command:
Inside Host (10.1.1.1) ---------- PIX ----------- Outside Host (10.1.1.1)
If you want the hosts to communicate you can do so as follows:
alias (inside) 100.1.1.1 10.1.1.1
static (inside,outside) 200.1.1.1 10.1.1.1
The outside host appears to the inside host as 100.1.1.1, whilst the inside
host appears to the outside host as 200.1.1.1.
Regards,
Justin
-----Original Message-----
From: Jim [mailto:systemboard@xxxxxxxxxx]
Sent: Wednesday, December 04, 2002 4:51 PM
To: security@xxxxxxxxxxxxxx
Subject: RE: NAT\Alias
Since Justin brings up the alias command can someone explain the alias
command with a real example? I have read about alias on CCO and the
explanation does not register. I was under the impression the alias command
had to do with not running DNS on an internal network and having illegal
addressing on the inside.
Confused.
JT
--- On Tue 12/03, Justin Menga wrote:From: Justin Menga [mailto:
Justin.Menga@xxxxxxxxxxxxxx]To: Brian.Ritchie@xxxxxxxxxxx,
security@xxxxxxxxxxxxxxxxxx: Wed, 4 Dec 2002 15:00:37 +1300 Subject: RE:
NAT'ing based on source AND destinationHi,
You can use the alias command for this.
Regards,
Justin
-----Original Message-----
From: Ritchie, Brian [mailto:Brian.Ritchie@xxxxxxxxxxx]
Sent: Wednesday, December 04, 2002 5:23 AM
To: 'security@xxxxxxxxxxxxxx'
Subject: NAT'ing based on source AND destination
Hello all,
Is there any way on a pix to perform NAT based on source AND destination ?
For example, my internal network is 10.1.1.0/24 and I PAT all clients
leaving the internal network using the external interface IP address.
However, when an internal client wants to connect to a specific internet
host x.x.x.x I want to NAT to a different IP in my public address space.
I am aware of associating a nat rule with an access-list, but this is only
possible if you dont want to nat for VPN's etc (ie nat (inside) 0).
I've looked around and cant find any examples of how to do this, although I
have seen it done on other firewall implementations, using Checkpoint for
example.
Any help or work arounds are greatly appriciated.
FYI ...... I am using software version 6.1(4) and dont have any other
devices to perform further NATing above or below the firewall.
Thanks in advance, Brian
This e-mail and any files transmitted with it are intended solely for the
addressee and are confidential. They may also be legally privileged.
Copyright in them is reserved by Delphis Consulting PLC ["Delphis"] and they
must not be disclosed to, or used by, anyone other than the addressee.
If you have received this e-mail and any accompanying files in error, you
may not copy, publish or use them in any way and you should delete them from
your system and notify us immediately.
E-mails are not secure. Delphis does not accept responsibility for changes
to e-mails that occur after they have been sent.
Any opinions expressed in this e-mail may be personal to the author and may
not necessarily reflect the opinions of Delphis.
_______________________________________________
Join Excite! - http://www.excite.com
The most personalized portal on the Web!
