Chapter 16 Configuring NAT
NAT Overview

Figure 16-11 shows a remote host connecting to a translated host. The translated host has a policy static NAT translation that translates the real address only for traffic to and from the 209.165.201.0/27 network. A translation does not exist for the 209.165.200.224/27 network, so the translated host cannot connect to that network, nor can a host on that network connect to the translated host.

Figure 16-11 Policy Static NAT with Destination Address Translation
[Figure: Inside host 10.1.2.27 on 10.1.2.0/27. "Undo Translation": 209.165.202.129 maps to 10.1.2.27 for traffic with host 209.165.201.11 on 209.165.201.0/27. "No Translation": DMZ host 209.165.200.225 on 209.165.200.224/27 sees the real address 10.1.2.27.]

See the following commands for this example:

hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.224 209.165.201.0 255.255.255.224
hostname(config)# static (inside,outside) 209.165.202.129 access-list NET1

Note For policy static NAT, in undoing the translation, the ACL in the static command is not used. If the destination address in the packet matches the mapped address in the static rule, the static rule is used to untranslate the address.

Note Policy NAT does not support SQL*Net, but it is supported by regular NAT. See the "Inspection Engine Overview" section on page 22-2 for information about NAT support for other protocols.

NAT Session (Xlate) Creation

By default, the FWSM creates NAT sessions for all connections even if you do not use NAT. For example, a session is created for each untranslated connection even if you do not enable NAT control, you use NAT exemption or identity NAT, or you use same security interfaces and do not configure NAT. Because there is a maximum number of NAT sessions (see the "Managed System Resources" section on page A-4), these types of NAT sessions might cause you to run into the limit.

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
16-13
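As an added illustration (not FWSM code and not from the guide), the following Python model replays the policy static NAT example of Figure 16-11: the outbound path consults the NET1 ACL before rewriting the real address, while the untranslate path, as the Note states, matches only the mapped address. The function names and the constructed packets are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the policy static NAT rule from the example above:
#   access-list NET1 permit ip 10.1.2.0 255.255.255.224 209.165.201.0 255.255.255.224
#   static (inside,outside) 209.165.202.129 access-list NET1
# The 255.255.255.224 masks are /27 prefixes. Names below are assumptions, not FWSM API.
ACL_NET1 = [(ip_network("10.1.2.0/27"), ip_network("209.165.201.0/27"))]
REAL_HOST = ip_address("10.1.2.27")          # translated inside host in Figure 16-11
MAPPED_HOST = ip_address("209.165.202.129")  # mapped address in the static rule


def acl_permits(acl, src, dst):
    """True when some access control entry permits the (src, dst) pair."""
    return any(src in real_net and dst in dest_net for real_net, dest_net in acl)


def translate_outbound(src, dst):
    """Inside -> outside. The real source is rewritten only when the ACL in the
    static command matches the source/destination pair; any other destination
    (e.g. the 209.165.200.224/27 DMZ) leaves the packet untouched."""
    if src == REAL_HOST and acl_permits(ACL_NET1, src, dst):
        return MAPPED_HOST, dst
    return src, dst


def untranslate_inbound(src, dst):
    """Outside -> inside. Per the Note, the ACL is *not* consulted when undoing
    the translation: the static rule applies whenever the packet's destination
    equals the mapped address, whatever the source is."""
    if dst == MAPPED_HOST:
        return src, REAL_HOST
    return src, dst


def trace_connection(inside_src, outside_dst):
    """Follow one connection out and its reply back. Returns the (src, dst)
    seen leaving the outside interface and the (src, dst) delivered on the
    inside after the reply has been untranslated, all as strings."""
    out_src, out_dst = translate_outbound(ip_address(inside_src), ip_address(outside_dst))
    back_src, back_dst = untranslate_inbound(out_dst, out_src)
    return str(out_src), str(out_dst), str(back_src), str(back_dst)


if __name__ == "__main__":
    # Constructed packets using the hosts drawn in Figure 16-11.
    print(trace_connection("10.1.2.27", "209.165.201.11"))   # translated both ways
    print(trace_connection("10.1.2.27", "209.165.200.225"))  # leaves with the real address
```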