
Cisco Catalyst 6500 Series User Manual

Cisco Catalyst 6500 Series
392 pages
9-25
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 9 Configuring Network Address Translation
Using Dynamic NAT and PAT
Step 2 To identify the global address(es) to which you want to translate the local addresses when they exit a
particular interface, enter the following command:
FWSM/contexta(config)# global (global_interface) nat_id {global_ip[-global_ip] | interface}
This NAT ID must match a nat statement NAT ID. The matching nat statement identifies the addresses
that you want to translate when they exit this interface.
You can specify a single address (for PAT) or a range of addresses (for NAT). The range can go across
subnet boundaries if desired. For example, you can specify the following “supernet”:
192.168.1.1-192.168.2.254
For example, to translate the 10.1.1.0/24 network on the inside interface, and to change the embryonic
limit, enter the following commands. Because you must specify tcp tcp_max_conns before specifying
emb_limit, the nat command enters the default setting of 0 for tcp_max_conns.
FWSM/contexta(config)# nat (inside) 1 10.1.1.0 255.255.255.0 tcp 0 200
FWSM/contexta(config)# global (outside) 1 209.165.201.1-209.165.201.30
To identify a pool of addresses for dynamic NAT as well as a PAT address for when the NAT pool is
exhausted, enter the following commands:
FWSM/contexta(config)# nat (inside) 1 10.1.1.0 255.255.255.0 tcp 5000 1000 udp 5000
FWSM/contexta(config)# global (outside) 1 209.165.201.5
FWSM/contexta(config)# global (outside) 1 209.165.201.10-209.165.201.20
To translate the lower security dmz network addresses so they appear to be on the same network as the
inside network (10.1.1.0), for example, to simplify routing, enter the following commands:
FWSM/contexta(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dns
FWSM/contexta(config)# global (inside) 1 10.1.1.45
To identify a single local address with two different destination addresses using policy NAT, enter the
following commands (see Figure 9-3 on page 9-8 for a related graphic):
FWSM/contexta(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
FWSM/contexta(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
FWSM/contexta(config)# nat (inside) 1 access-list NET1 tcp 0 2000 udp 10000
FWSM/contexta(config)# global (outside) 1 209.165.202.129
FWSM/contexta(config)# nat (inside) 2 access-list NET2 tcp 1000 500 udp 2000
FWSM/contexta(config)# global (outside) 2 209.165.202.130
To identify a single local address/destination address pair that uses different ports using policy NAT, enter
the following commands (see Figure 9-4 on page 9-9 for a related graphic):
FWSM/contexta(config)# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 80
FWSM/contexta(config)# access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 23
FWSM/contexta(config)# nat (inside) 1 access-list WEB
FWSM/contexta(config)# global (outside) 1 209.165.202.129
FWSM/contexta(config)# nat (inside) 2 access-list TELNET
FWSM/contexta(config)# global (outside) 2 209.165.202.130
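
The Step 2 rule that each global NAT ID must match a nat statement NAT ID, and the single-address (PAT) versus range (NAT) distinction, can be checked offline against a saved configuration. The following Python audit is an added example, not part of the Cisco guide; the function name audit and the sample config are constructed here, and skipping NAT ID 0 (which takes no global statement) is knowledge from outside this page.

```python
import ipaddress
import re

# Constructed sample: the page's pool-plus-PAT example, plus one deliberately
# orphaned global (NAT ID 3) that uses the page's "supernet" range.
SAMPLE = """\
nat (inside) 1 10.1.1.0 255.255.255.0 tcp 5000 1000 udp 5000
global (outside) 1 209.165.201.5
global (outside) 1 209.165.201.10-209.165.201.20
global (outside) 3 192.168.1.1-192.168.2.254
"""

# Optional CLI prompt, then: nat|global (interface) nat_id first_argument
LINE = re.compile(r"^(?:\S+#\s*)?(nat|global)\s+\((\S+)\)\s+(\d+)\s+(\S+)")


def audit(config):
    """Return (pools, unmatched) for the nat/global statements in config."""
    nat_ids, pools = set(), []
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        kind, iface, nat_id, arg = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if kind == "nat":
            nat_ids.add(nat_id)
            continue
        if arg == "interface":  # PAT using the interface's own address
            pools.append((nat_id, iface, "PAT", 1))
            continue
        first, _, last = arg.partition("-")
        lo = ipaddress.IPv4Address(first)
        hi = ipaddress.IPv4Address(last or first)
        if hi < lo:
            raise ValueError(f"descending range: {arg}")
        size = int(hi) - int(lo) + 1  # ranges may cross subnet boundaries
        pools.append((nat_id, iface, "PAT" if size == 1 else "NAT", size))
    global_ids = {p[0] for p in pools}
    # NAT ID 0 takes no global statement, so it is never reported as unmatched.
    unmatched = {
        "global_without_nat": sorted(global_ids - nat_ids),
        "nat_without_global": sorted(nat_ids - global_ids - {0}),
    }
    return pools, unmatched


if __name__ == "__main__":
    print(audit(SAMPLE))
```

A global with no matching nat statement translates nothing, and a nat statement with no matching global leaves those hosts without a mapped address on that path, so either list being non-empty is worth reviewing before the configuration is applied.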
