Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 9 Configuring Network Address Translation
Using Dynamic NAT and PAT
You can enter multiple global statements for one interface using the same NAT ID; the FWSM uses the
dynamic NAT global statements first, in the order they are in the configuration, and then uses the PAT
global statements in order. You might want to enter both a dynamic NAT global statement and a PAT
global statement if you need to use dynamic NAT for a particular application, but want to have a backup
PAT statement in case all the dynamic NAT addresses are used up. Similarly, you might enter two PAT
statements if you need more than the approximately 64000 connections that a single PAT global
statement supports (see Figure 9-12).
Figure 9-12 NAT and PAT Together
See the following commands for this example:
FWSM/contexta(config)# nat (inside) 1 10.1.2.0 255.255.255.0
FWSM/contexta(config)# global (outside) 1 209.165.201.3-209.165.201.4
FWSM/contexta(config)# global (outside) 1 209.165.201.5
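The selection order described above, as an added Python model (not Cisco's code and not part of the original guide): it parses the three global statements from this example and hands out translations, dynamic NAT addresses first and PAT second. The `parse_globals` and `GlobalPool` names and the sequential port numbering from 1024 are assumptions made for illustration; 64000 is the approximate per-statement limit given in the text.

```python
import ipaddress

# Constructed input: the three commands from the example above, without the CLI prompt.
CONFIG = """\
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 209.165.201.3-209.165.201.4
global (outside) 1 209.165.201.5
"""

def parse_globals(config, interface, nat_id):
    """Split matching global statements into (dynamic NAT pool, PAT addresses), in config order."""
    nat_pool, pat_addrs = [], []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[:3] != ["global", f"({interface})", str(nat_id)]:
            continue
        first, _, last = tok[3].partition("-")
        lo = ipaddress.IPv4Address(first)
        if last:  # an address range is a dynamic NAT pool
            hi = ipaddress.IPv4Address(last)
            nat_pool += [ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1)]
        else:     # a single address is a PAT statement
            pat_addrs.append(lo)
    return nat_pool, pat_addrs

class GlobalPool:
    """Toy allocator: dynamic NAT addresses first, then PAT addresses in order."""
    def __init__(self, nat_pool, pat_addrs, pat_capacity=64000, first_port=1024):
        self.free = list(nat_pool)
        self.pat = [[addr, 0] for addr in pat_addrs]  # [address, connections in use]
        self.pat_capacity = pat_capacity  # approximate per-address limit from the text
        self.first_port = first_port      # assumption: sequential ports from 1024
        self.nat_xlate = {}               # inside host -> dedicated global address

    def connect(self, host):
        """Return the translated source for one new connection, or None if exhausted."""
        if host in self.nat_xlate:        # host already holds a dynamic NAT address
            return str(self.nat_xlate[host])
        if self.free:                     # dynamic NAT pool still has a free address
            self.nat_xlate[host] = self.free.pop(0)
            return str(self.nat_xlate[host])
        for entry in self.pat:            # fall back to PAT, one port per connection
            if entry[1] < self.pat_capacity:
                entry[1] += 1
                return f"{entry[0]}:{self.first_port + entry[1] - 1}"
        return None

if __name__ == "__main__":
    pool = GlobalPool(*parse_globals(CONFIG, "outside", 1))
    for h in ("10.1.2.27", "10.1.2.28", "10.1.2.29"):
        print(h, "->", pool.connect(h))
```

Lowering `pat_capacity` and adding a second single-address global statement shows the spill-over to the next PAT address and the point at which new connections can no longer be translated.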
For outside NAT (see the “Outside NAT” section on page 9-10 for more information), you need to
identify the NAT statement for outside NAT (the outside keyword). If you also want to translate the same
traffic when it accesses an inside interface (for example, traffic on a DMZ is translated when accessing
the Inside and the Outside interfaces), then you must configure a separate NAT statement without the
outside option. In this case, you can identify the same addresses in both statements and use the same
[Figure 9-12 NAT and PAT Together: inside hosts 10.1.2.27, 10.1.2.28 and 10.1.2.29 (NAT 1: 10.1.2.0/24) reach the web server www.cisco.com through the Outside interface. Source address translation: 10.1.2.27 to 209.165.201.3 and 10.1.2.28 to 209.165.201.4 (Global 1: 209.165.201.3-209.165.201.4); 10.1.2.29 to 209.165.201.5:6096 (Global 1: 209.165.201.5).]