Chapter 16
Configuring NAT
For example, the following policy static NAT example shows a single real address that is translated to
two mapped addresses depending on the destination address. (See Figure 16-9 on page 16-11 for a
related figure.)
hostname(config)# access-list NET1 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224
hostname(config)# access-list NET2 permit ip host 10.1.2.27 209.165.200.224 255.255.255.224
hostname(config)# static (inside,outside) 209.165.202.129 access-list NET1
hostname(config)# static (inside,outside) 209.165.202.130 access-list NET2
The following command maps an inside IP address (10.1.1.3) to an outside IP address (209.165.201.12):
hostname(config)# static (inside,outside) 209.165.201.12 10.1.1.3 netmask 255.255.255.255
The following command maps the outside address (209.165.201.15) to an inside address (10.1.1.6):
hostname(config)# static (outside,inside) 10.1.1.6 209.165.201.15 netmask 255.255.255.255
The following command statically maps an entire subnet:
hostname(config)# static (inside,dmz) 10.1.1.0 10.1.2.0 netmask 255.255.255.0
Using Static PAT
This section describes how to configure a static port translation. Static PAT lets you translate the real IP
address to a mapped IP address, as well as the real port to a mapped port. You can choose to translate
the real port to the same port, which lets you translate only specific types of traffic, or you can take it
further by translating to a different port.
Figure 16-23 shows a typical static PAT scenario. The translation is always active so that both translated
and remote hosts can originate connections, and the mapped address and port are statically assigned by
the static command.
Figure 16-23 Static PAT
[Figure: FWSM between Inside (10.1.1.1:23, 10.1.1.2:8080) and Outside (209.165.201.1:23, 209.165.201.2:80)]
For applications that require application inspection for secondary channels (FTP, VoIP, and so on), the
FWSM automatically translates the secondary ports.
Do not use a mapped address in the static command that is also defined in a global command for the
same mapped interface.
For more information about static PAT, see the "Static PAT" section on page 16-9.
See the "Configuring Dynamic NAT or PAT" section on page 16-26 for information about the options.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
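The restriction above, that a mapped address used in a static command must not also be defined in a global command for the same mapped interface, can be checked offline against a saved configuration. The following Python sketch is an added example, not part of the Cisco guide; the global pool lines, the static PAT line and the sample configuration are constructed, and a static command without a netmask keyword is assumed to map a single host.

```python
import ipaddress
import re

STATIC_RE = re.compile(
    r"static \(\S+?,(?P<mapped_if>\S+?)\) (?:(?:tcp|udp) )?"
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+)\b.*?(?: netmask (?P<mask>\S+))?$")
GLOBAL_RE = re.compile(
    r"global \((?P<mapped_if>\S+?)\) \d+ "
    r"(?P<first>\d+\.\d+\.\d+\.\d+)(?:-(?P<last>\d+\.\d+\.\d+\.\d+))?")

# Constructed sample: static lines in the page's style plus hypothetical global pools.
SAMPLE_CONFIG = """\
hostname(config)# global (outside) 1 209.165.201.10-209.165.201.20
hostname(config)# global (dmz) 1 209.165.201.12
hostname(config)# static (inside,outside) 209.165.201.12 10.1.1.3 netmask 255.255.255.255
hostname(config)# static (inside,outside) 209.165.202.129 access-list NET1
hostname(config)# static (inside,dmz) 10.1.1.0 10.1.2.0 netmask 255.255.255.0
hostname(config)# static (inside,outside) tcp 209.165.201.20 23 10.1.1.1 23 netmask 255.255.255.255
"""

def parse_static(line):
    """Return (mapped_interface, mapped_network) for a static command, else None."""
    m = STATIC_RE.search(line)
    if not m:
        return None
    # Assumption: no netmask keyword (policy static form) means a single host.
    mask = m["mask"] or "255.255.255.255"
    return m["mapped_if"], ipaddress.ip_network(f"{m['mapped']}/{mask}", strict=False)

def parse_global(line):
    """Return (mapped_interface, first_ip, last_ip) for a global pool, else None."""
    m = GLOBAL_RE.search(line)
    if not m:
        return None
    first = ipaddress.ip_address(m["first"])
    return m["mapped_if"], first, ipaddress.ip_address(m["last"] or m["first"])

def find_conflicts(config):
    """List (static_line, global_line) pairs that share a mapped address
    on the same mapped interface."""
    lines = [raw.strip() for raw in config.splitlines()]
    statics = [(l, *p) for l in lines if (p := parse_static(l))]
    pools = [(l, *p) for l in lines if (p := parse_global(l))]
    return [(s_line, g_line)
            for s_line, s_if, net in statics
            for g_line, g_if, first, last in pools
            if s_if == g_if
            and net.network_address <= last and first <= net.broadcast_address]

if __name__ == "__main__":
    for static_line, global_line in find_conflicts(SAMPLE_CONFIG):
        print("CONFLICT:", static_line, "<->", global_line)
```

The dmz pool reuses 209.165.201.12 without being flagged, because the restriction applies only when the static and global commands share the mapped interface.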