
Cisco Catalyst 6500 Series User Manual

Cisco Catalyst 6500 Series
392 pages
9-2
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 9 Configuring Network Address Translation
NAT Overview
Setting Connection Limits in the NAT Configuration, page 9-16
Introduction to NAT
Address translation substitutes the local address in a packet with a global address that is routable on the destination network. In this document, all types of translation are generally referred to as “NAT.”

On the FWSM, you must specifically configure some interfaces to either use or to bypass NAT. For example, when hosts on a higher security interface (inside) access hosts on a lower security interface (outside), you must configure NAT on the inside hosts or specifically configure the inside hosts to bypass NAT. (See the “Configuring Interfaces” section on page 6-6 for more information about security levels.)

Note: When discussing NAT, the terms inside and outside are relative, and represent the security relationship between any two interfaces. The higher security level is inside and the lower security level is outside; for example, interface 1 is at 60 and interface 2 is at 50, so interface 1 is “inside” and interface 2 is “outside.”

An inside host can communicate with the untranslated local address of the outside host without any special configuration on the outside interface. However, you can also optionally configure NAT on the outside network.

Interfaces that are on the same security level that you have allowed to communicate do not have to perform NAT. You can, however, optionally configure NAT for these interfaces. (See the “Allowing Communication Between Interfaces on the Same Security Level” section on page 6-8 for more information.) In this case, there is no inside or outside when performing NAT between two interfaces.

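
The rules above reduce to a check on each pair of interfaces: the higher security level is inside, inside-to-outside traffic needs NAT or NAT bypass, and everything else is optional. The following Python sketch is an added example, not part of the Cisco guide; the interface names, the rule dictionary format and the function names are assumptions for illustration, and it does not parse real FWSM configuration.

```python
# Added example (not from the Cisco guide): audits which interface pairs still
# need NAT or NAT bypass under the security-level rules described above.
# Interface names and the rule format are hypothetical; no real config is parsed.
from itertools import permutations

def inside_outside(levels, a, b):
    """Return (inside, outside) for two interfaces, or None if levels are equal."""
    if levels[a] == levels[b]:
        return None
    return (a, b) if levels[a] > levels[b] else (b, a)

def audit(levels, rules, same_level_allowed=frozenset()):
    """Map each directed (src, dst) pair to a status string.

    levels: {interface: security level}
    rules: {(src, dst): "nat" or "bypass"} for traffic from src to dst
    same_level_allowed: frozenset pairs permitted to communicate at equal level
    """
    findings = {}
    for src, dst in permutations(levels, 2):
        rule = rules.get((src, dst))
        roles = inside_outside(levels, src, dst)
        if roles is None:
            if frozenset((src, dst)) in same_level_allowed:
                status = f"ok: same level, NAT optional ({rule or 'none'})"
            else:
                status = "n/a: same level, communication not allowed"
        elif roles[0] == src:   # inside -> outside: NAT or bypass is mandatory
            status = f"ok: {rule}" if rule else "MISSING: configure NAT or NAT bypass"
        else:                   # outside -> inside: outside NAT is optional
            status = f"ok: outside NAT optional ({rule or 'none'})"
        findings[(src, dst)] = status
    return findings

def missing(findings):
    """Return the sorted pairs that still need NAT or bypass configured."""
    return sorted(p for p, s in findings.items() if s.startswith("MISSING"))

# Constructed sample: levels 60 and 50 follow the note's example; if3 is added.
LEVELS = {"if1": 60, "if2": 50, "if3": 50}
RULES = {("if1", "if2"): "nat"}
ALLOWED = frozenset({frozenset(("if2", "if3"))})

if __name__ == "__main__":
    for pair, status in sorted(audit(LEVELS, RULES, ALLOWED).items()):
        print(pair, status)
    print("needs attention:", missing(audit(LEVELS, RULES, ALLOWED)))
```
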
Some of the benefits of NAT are as follows:
• You can use private addresses on your inside networks. Private addresses are not routable on the Internet. (See the “Private Networks” section on page D-2 for more information.)
• NAT hides the local addresses from other networks, so attackers cannot learn the real address of a host.
• You can resolve IP routing problems such as overlapping addresses.

Note: See Table 13-1 on page 13-2 for information about protocols that are not supported by NAT.
