Using Static NAT
You cannot use the same real or mapped address in multiple static commands between the same two interfaces unless you use static PAT. (See the "Using Static PAT" section on page 16-31.) Do not use a mapped address in the static command that is also defined in a global command for the same mapped interface.
For more information about static NAT, see the "Static NAT" section on page 16-8.
Note
If you remove a static command, existing connections that use the translation are not affected. To remove these connections, enter the clear local-host or the clear xlate command. The clear xlate command clears the entire translation table, so all current translations, including static translations, are deleted; it also clears all connections, even when xlate-bypass is enabled and a connection does not have an xlate. For more information about these commands, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference.
To configure static NAT, enter one of the following commands.
• For policy static NAT, enter the following command:
hostname(config)# static (real_interface,mapped_interface) mapped_ip access-list acl_name [dns] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]
Identify the real addresses and destination/source addresses using an extended access list. Create the extended access list using the access-list extended command. (See the "Adding an Extended Access List" section on page 13-6.) The first address in the access list is the real address; the second address
is either the source or destination address, depending on where the traffic originates. For example,
to translate the real address 10.1.1.1 to the mapped address 192.168.1.1 when 10.1.1.1 sends traffic
to the 209.165.200.224 network, the access-list and static commands are:
hostname(config)# access-list TEST extended permit ip host 10.1.1.1 209.165.200.224 255.255.255.224
hostname(config)# static (inside,outside) 192.168.1.1 access-list TEST
In this case, the second address is the destination address. However, the same configuration is used
for hosts to originate a connection to the mapped address. For example, when a host on the
209.165.200.224/27 network initiates a connection to 192.168.1.1, then the second address in the
access list is the source address.
This access list should include only permit ACEs. You can optionally specify the real and destination ports in the access list using the eq operator. Policy NAT and static NAT consider the inactive or time-range keywords and stop working when an ACE is inactive. See the "Policy NAT" section on page 16-10 for more information.
If you specify a network for translation (for example, 10.1.1.0 255.255.255.0), then the FWSM
translates the .0 and .255 addresses. If you want to prevent access to these addresses, be sure to
configure an access list to deny access.
See the "Configuring Dynamic NAT or PAT" section on page 16-26 for information about the other options.
• To configure regular static NAT, enter the following command:
hostname(config)# static (real_interface,mapped_interface) mapped_ip real_ip [netmask mask] [dns] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]
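The following configuration is an added example, not from this guide, that ties the preceding commands together: the policy static NAT from the text above, regular static NAT for a whole /24 with the .0 and .255 mapped addresses denied on the outside interface, and static PAT as the one case in which a mapped address may be reused between the same two interfaces. The interface names inside and outside, the real network 10.1.2.0/24 and hosts 10.1.1.10 and 10.1.1.11, the mapped addresses 192.168.1.2 and 192.168.2.0/24, and the access list name OUTSIDE_IN are assumptions chosen for illustration.

```text
! Added example (not from the guide). Interface names, the 10.1.2.0/24
! and 192.168.2.0/24 networks, hosts 10.1.1.10 and 10.1.1.11, the mapped
! address 192.168.1.2 and the name OUTSIDE_IN are assumed values.

! 1. Policy static NAT: 10.1.1.1 appears as 192.168.1.1 only for traffic
!    exchanged with 209.165.200.224/27. The access list holds a single
!    permit ACE; its second address is the destination for connections
!    that 10.1.1.1 originates and the source for connections that a
!    209.165.200.224/27 host opens to 192.168.1.1.
access-list TEST extended permit ip host 10.1.1.1 209.165.200.224 255.255.255.224
static (inside,outside) 192.168.1.1 access-list TEST

! 2. Regular static NAT for a whole subnet. The FWSM also translates
!    10.1.2.0 and 10.1.2.255, so 192.168.2.0 and 192.168.2.255 become
!    reachable from the outside unless an access list denies them.
static (inside,outside) 192.168.2.0 10.1.2.0 netmask 255.255.255.0

! 3. Static PAT: the only way to use one mapped address (192.168.1.2) in
!    more than one static command between the same pair of interfaces.
static (inside,outside) tcp 192.168.1.2 80 10.1.1.10 80 netmask 255.255.255.255
static (inside,outside) tcp 192.168.1.2 25 10.1.1.11 25 netmask 255.255.255.255

! 4. Inbound access list on the outside interface. On the FWSM, inbound
!    rules on the mapped interface reference the mapped addresses. Deny
!    the network and broadcast addresses exposed by step 2 before any
!    permit ACE; the implicit deny at the end drops everything else.
access-list OUTSIDE_IN extended deny ip any host 192.168.2.0
access-list OUTSIDE_IN extended deny ip any host 192.168.2.255
access-list OUTSIDE_IN extended permit tcp 209.165.200.224 255.255.255.224 host 192.168.1.1
access-list OUTSIDE_IN extended permit tcp any 192.168.2.0 255.255.255.0 eq 443
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.2 eq 80
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.2 eq 25
access-group OUTSIDE_IN in interface outside

! 5. Verify the translations and connections.
show xlate
show conn

! 6. After removing a static command, its existing connections survive.
!    Tear down only the affected host's connections rather than clearing
!    the whole translation table (clear xlate drops every connection).
clear local-host 10.1.1.1
```

The order of the deny ACEs in step 4 matters: the FWSM evaluates ACEs top down, so the two deny entries for 192.168.2.0 and 192.168.2.255 must precede the permit for 192.168.2.0/24 or they never match. Step 6 uses clear local-host for the single host whose static command was removed; reserve clear xlate for the case where every translation and connection on the module can be dropped.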
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
Chapter 16 Configuring NAT
16-30
OL-20748-01