9-9
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 9 Configuring Network Address Translation
NAT Overview
Figure 9-4 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses
a single host for both web services and Telnet services. When the host accesses the server for web
services, the local address is translated to 209.165.202.129. When the host accesses the same server for
Telnet services, the local address is translated to 209.165.202.130.
Figure 9-4 Policy NAT with Different Destination Ports
See the following commands for this example:
FWSM/contexta(config)# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11
255.255.255.255 eq 80
FWSM/contexta(config)# access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11
255.255.255.255 eq 23
FWSM/contexta(config)# nat (inside) 1 access-list WEB
FWSM/contexta(config)# global (outside) 1 209.165.202.129
FWSM/contexta(config)# nat (inside) 2 access-list TELNET
FWSM/contexta(config)# global (outside) 2 209.165.202.130
For policy static NAT (and for NAT exemption, which also uses an ACL to identify traffic), both local
and global hosts can originate traffic. For locally originated traffic, the NAT ACL specifies the local
addresses and the destination addresses, but for globally originated traffic, the ACL identifies the local
addresses and the source addresses of global hosts who are allowed to connect to the local host using
this translation. Figure 9-5 shows a global host connecting to a local host. The local host has a policy
Web and Telnet server:
209.165.201.11
FWSM
Internet
Inside
Source Addr Translation
209.165.202.12910.1.2.27:80
10.1.2.27
10.1.2.0/24
Source Addr Translation
209.165.202.13010.1.2.27:23
Web Packet
Dest. Address:
209.165.201.11:80
Telnet Packet
Dest. Address:
209.165.201.11:23
96846
To Next Page
Loading...
Need help?
General