Chapter 16
Configuring NAT
You can identify overlapping addresses in other nat commands. For example, you can identify
10.1.1.0 in one command, but 10.1.1.1 in another. The traffic is matched to a policy NAT command
in order, until the first match, or for regular NAT, using the best match.
See the following description about options for this command:
– access-list acl_name—Identify the real addresses and destination addresses using an extended access list. Create the extended access list using the access-list extended command. (See the "Adding an Extended Access List" section on page 13-6.) This access list should include only permit ACEs. You can optionally specify the real and destination ports in the access list using the eq operator. Policy NAT and static NAT consider the inactive or time-range keywords and stop working when an ACE is inactive.
– nat_id—An integer between 1 and 65535. The NAT ID should match a global command NAT ID. See the "Dynamic NAT and PAT Implementation" section on page 16-20 for more information about how NAT IDs are used. 0 is reserved for NAT exemption. (See the "Configuring NAT Exemption" section on page 16-36 for more information about NAT exemption.)
– dns—If your nat command includes the address of a host that has an entry in a DNS server, and the DNS server is on a different interface from a client, then the client and the DNS server need different addresses for the host; one needs the mapped address and one needs the real address. This option rewrites the address in the DNS reply to the client. The translated host needs to be on the same interface as either the client or the DNS server. Typically, hosts that need to allow access from other interfaces use a static translation, so this option is more likely to be used with the static command. (See the "DNS and NAT" section on page 16-16 for more information.)
– outside—If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside to identify the NAT instance as outside NAT.
– tcp tcp_max_conns—Sets the maximum number of simultaneous TCP connections for the entire subnet up to 65,536. The default is 0, which means the maximum number of connections is allowed.
– emb_limit—Sets the maximum number of embryonic connections per host up to 65,536. The default is 0, which means the maximum number of connections is allowed. You must enter the tcp tcp_max_conns before you enter the emb_limit. If you want to use the default value for tcp_max_conns, but change the emb_limit, then enter 0 for tcp_max_conns.
An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. Limiting the number of embryonic connections protects you from a DoS attack. The FWSM uses the embryonic limit to trigger TCP Intercept. TCP Intercept uses the SYN cookies algorithm to prevent TCP SYN-flooding attacks. A SYN-flooding attack consists of a series of SYN packets usually originating from spoofed IP addresses. The constant flood of SYN packets keeps the server SYN queue full, which prevents it from servicing connection requests. When the embryonic connection threshold of a connection is crossed, the FWSM acts as a proxy for the server and generates a SYN-ACK response to the client's SYN request. When the FWSM receives an ACK back from the client, it can then authenticate the client and allow the connection to the server.
– udp udp_max_conns—Sets the maximum number of simultaneous UDP connections for the entire subnet up to 65,536. The default is 0, which means the maximum number of connections is allowed.
– norandomseq—Disables TCP Initial Sequence Number (ISN) randomization. TCP initial sequence number randomization can be disabled if another in-line firewall is also randomizing the initial sequence numbers, because there is no need for both firewalls to be performing this action. However, leaving ISN randomization enabled on both firewalls does not affect the
Using Dynamic NAT and PAT
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
16-27
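The following configuration is an added example, not taken from the guide: it puts the options above together for two overlapping policy NAT rules, showing the first-match ordering, the tcp 0 form that keeps the default TCP connection limit while setting an embryonic limit, and the dns keyword. The interface names, the 10.1.1.0/24 real network, the port and connection-limit values, and the 192.0.2.x mapped pool are assumed for illustration.

```cisco
! Added example (not from the guide). Interface names, real network,
! limits and the mapped address pool are constructed for illustration.
!
! Policy NAT access lists: permit ACEs only. An ACE marked inactive or
! outside its time-range stops the policy NAT rule from working.
! host 10.1.1.1 overlaps with 10.1.1.0/24; nat commands are tried in
! order and the first match wins, so the host-specific rule comes first.
access-list NAT_HOST extended permit tcp host 10.1.1.1 any eq 443
access-list NAT_NET  extended permit ip 10.1.1.0 255.255.255.0 any
!
! NAT ID 1: the single host. tcp_max_conns 0 keeps the default (maximum)
! TCP connection count but must still be entered so that emb_limit 50
! can follow it; 50 half-open connections per host triggers TCP Intercept.
! udp 1000 caps simultaneous UDP connections for the rule.
nat (inside) 1 access-list NAT_HOST tcp 0 50 udp 1000
!
! NAT ID 2: the rest of the subnet. dns rewrites the host address in DNS
! replies for clients whose DNS server sits on a different interface.
nat (inside) 2 access-list NAT_NET dns
!
! Each nat_id must match a global command with the same ID on the
! mapped interface (outside is at a lower security level than inside,
! so the outside keyword is not needed on the nat commands).
global (outside) 1 192.0.2.10
global (outside) 2 192.0.2.11-192.0.2.50
```

Swapping the order of the two nat commands would send 10.1.1.1 through NAT ID 2 as well, since the subnet rule would match it first.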