Chapter 16
Configuring NAT
NAT Overview
Figure 16-10 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web services and Telnet services. When the host accesses the server for web services, the real address is translated to 209.165.202.129. When the host accesses the same server for Telnet services, the real address is translated to 209.165.202.130.
Figure 16-10 Policy NAT with Different Destination Ports
[Figure: the inside host 10.1.2.27 on the 10.1.2.0/24 network sends a web packet (destination address 209.165.201.11:80) and a Telnet packet (destination address 209.165.201.11:23) to the web and Telnet server 209.165.201.11 on the Internet. Translations: 10.1.2.27:80 -> 209.165.202.129; 10.1.2.27:23 -> 209.165.202.130.]
See the following commands for this example:
hostname(config)# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 80
hostname(config)# access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 23
hostname(config)# nat (inside) 1 access-list WEB
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list TELNET
hostname(config)# global (outside) 2 209.165.202.130
For policy static NAT (and for NAT exemption, which also uses an access list to identify traffic), both the translated hosts and the remote hosts can originate traffic. For traffic originated on the translated network, the NAT access list specifies the real addresses (source) and the destination addresses. For traffic originated on the remote network, the same access list identifies the real addresses and, in its destination field, the source addresses of the remote hosts that are allowed to connect to the host using this translation.
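The following Python model is an added illustration, not part of the configuration guide and not FWSM code. It parses the six commands shown above for Figure 16-10 and applies the resulting policy NAT rules to constructed packets, so that the web packet maps to 209.165.202.129, the Telnet packet to 209.165.202.130, and traffic that matches neither access list is left untranslated. To illustrate the bidirectional behaviour described for policy static NAT, it also loads a hypothetical `static (inside,outside) ... access-list MGMT` entry with a hypothetical `MGMT` access list (neither is on the page); an inbound packet from a remote host is accepted only if that host falls in the access list's destination field, and the mapped address is then translated back to the real host. The rule ordering (policy static consulted before dynamic policy NAT) and the omission of port matching in the reverse direction are simplifications of this model, not statements about the device.

```python
"""Simplified model of FWSM-style policy NAT matching (added illustration, not vendor code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Ace:
    """One access-list entry: PROTO SRC SRCMASK DST DSTMASK [eq PORT]."""
    proto: str
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    dport: Optional[int]  # None means any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto == p.proto
                and ipaddress.IPv4Address(p.src) in self.src_net
                and ipaddress.IPv4Address(p.dst) in self.dst_net
                and (self.dport is None or self.dport == p.dport))


class PolicyNat:
    def __init__(self) -> None:
        self.acls: dict[str, list[Ace]] = {}
        self.nat_rules: list[tuple[int, str]] = []   # (nat id, acl name) in config order
        self.globals: dict[int, str] = {}            # nat id -> mapped address
        self.statics: list[tuple[str, str]] = []     # (mapped address, acl name)

    def load(self, config: str) -> None:
        for raw in config.strip().splitlines():
            line = raw.split("# ", 1)[-1].strip()    # drop the "hostname(config)#" prompt
            if not line:
                continue
            t = line.split()
            if t[0] == "access-list":
                ace = Ace(t[3], ipaddress.IPv4Network(f"{t[4]}/{t[5]}"),
                          ipaddress.IPv4Network(f"{t[6]}/{t[7]}"),
                          int(t[9]) if len(t) > 9 and t[8] == "eq" else None)
                self.acls.setdefault(t[1], []).append(ace)
            elif t[0] == "nat":          # nat (inside) ID access-list NAME
                self.nat_rules.append((int(t[2]), t[4]))
            elif t[0] == "global":       # global (outside) ID MAPPED
                self.globals[int(t[2])] = t[3]
            elif t[0] == "static":       # static (inside,outside) MAPPED access-list NAME
                self.statics.append((t[2], t[4]))
            else:
                raise ValueError(f"unsupported line: {line}")

    def translate_outbound(self, p: Packet) -> str:
        """Mapped source address for a packet leaving the inside interface."""
        # Simplification: policy static is consulted before dynamic policy NAT.
        for mapped, acl in self.statics:
            if any(a.matches(p) for a in self.acls.get(acl, [])):
                return mapped
        for nat_id, acl in self.nat_rules:
            if any(a.matches(p) for a in self.acls.get(acl, [])):
                return self.globals[nat_id]
        return p.src  # no policy matched: source address left untranslated

    def translate_inbound(self, p: Packet) -> Optional[str]:
        """Real address for a packet from a remote host to a mapped address.

        Only policy static NAT is bidirectional here: the ACL's source field is the
        real host and its destination field lists the remote hosts allowed to connect.
        Port matching in this direction is omitted for brevity.
        """
        for mapped, acl in self.statics:
            if p.dst != mapped:
                continue
            for a in self.acls.get(acl, []):
                if (a.proto == p.proto and ipaddress.IPv4Address(p.src) in a.dst_net
                        and a.src_net.prefixlen == 32):
                    return str(a.src_net.network_address)
        return None  # not permitted by any policy static; dynamic NAT is not reachable inbound


# Commands from the page (Figure 16-10 example), joined onto single lines.
PAGE_CONFIG = """
hostname(config)# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 80
hostname(config)# access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 23
hostname(config)# nat (inside) 1 access-list WEB
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list TELNET
hostname(config)# global (outside) 2 209.165.202.130
"""

# Hypothetical policy static NAT (constructed for this illustration, not on the page):
# real host 10.1.2.27 is reachable as 209.165.202.131 only from 209.165.200.224/27.
STATIC_CONFIG = """
hostname(config)# access-list MGMT permit tcp 10.1.2.27 255.255.255.255 209.165.200.224 255.255.255.224
hostname(config)# static (inside,outside) 209.165.202.131 access-list MGMT
"""


def build_example() -> PolicyNat:
    fw = PolicyNat()
    fw.load(PAGE_CONFIG)
    fw.load(STATIC_CONFIG)
    return fw


if __name__ == "__main__":
    fw = build_example()
    for pkt in (Packet("10.1.2.27", "209.165.201.11", "tcp", 80),
                Packet("10.1.2.27", "209.165.201.11", "tcp", 23),
                Packet("10.1.2.27", "209.165.201.11", "udp", 53)):
        print(pkt, "->", fw.translate_outbound(pkt))
    print(fw.translate_inbound(Packet("209.165.200.230", "209.165.202.131", "tcp", 22)))
    print(fw.translate_inbound(Packet("198.51.100.5", "209.165.202.131", "tcp", 22)))
```

Running the module prints the two translated addresses from the figure, the untranslated UDP source, the real address 10.1.2.27 for the permitted remote host, and `None` for a remote host outside the access list's destination field.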
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
16-12
OL-20748-01