Chapter 16      Configuring NAT
NAT Examples
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM, OL-20748-01, page 16-39

The FWSM already has a connected route for the inside network. These static routes allow the FWSM to send traffic for the 192.168.100.0/24 network out the DMZ interface to the gateway router at 10.1.1.2. (You need to split the network into two halves because you cannot create a static route for exactly the same network as a connected route.) Alternatively, you could use a broader route for the DMZ traffic, such as a default route.

If host 192.168.100.2 on the DMZ network wants to initiate a connection to host 192.168.100.2 on the inside network, the following events occur:

1. The DMZ host 192.168.100.2 sends the packet to IP address 10.1.2.2, the mapped address of the inside host.
2. When the FWSM receives this packet, the FWSM translates the source address from 192.168.100.2 to 10.1.3.2.
3. Then the FWSM translates the destination address from 10.1.2.2 to 192.168.100.2, and the packet is forwarded.

The inside host sees a connection from 10.1.3.2 and replies to that address; because the static translations apply in both directions, the FWSM reverses both rewrites on the reply, and neither host ever sees the overlapping real address of the other.

Redirecting Ports

Figure 16-28 illustrates a typical network scenario in which the port redirection feature might be useful.

Figure 16-28      Port Redirection Using Static PAT
[Diagram: FWSM with Inside 10.1.1.1 and Outside 209.165.201.25; inside hosts Telnet Server 10.1.1.6, FTP Server 10.1.1.3, Web Server 10.1.1.5 and Web Server 10.1.1.7]

In the configuration described in this section, port redirection occurs for hosts on external networks as follows:

• Telnet requests to IP address 209.165.201.5 are redirected to 10.1.1.6.
• FTP requests to IP address 209.165.201.5 are redirected to 10.1.1.3.
• HTTP requests to the FWSM outside IP address 209.165.201.25 are redirected to 10.1.1.5.
• HTTP port 8080 requests to PAT address 209.165.201.15 are redirected to 10.1.1.7 port 80.

With only these four static PAT rules in place, just the listed TCP port of each mapped address is reachable from the outside; a request to any other port on 209.165.201.5, 209.165.201.15, or 209.165.201.25 is not translated to an inside host.

To implement this scenario, perform the following steps:
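To make the address and port rewrites in both scenarios above traceable, the following Python model is added here. It is an illustration, not Cisco code and not the ASDM configuration; its rule objects, the forward() routine, the routing tables and the outside client address 209.165.200.225 are assumptions of the model, while the addresses and ports are the ones the page uses. It models the netmask-style static NAT of the overlapping-network example (steps 1 to 3 and the inside host's reply) and the four static PAT rules of Figure 16-28, including a request to a port that no rule lists.

```python
"""Added example, not Cisco code: a small model of the two FWSM translation scenarios
on this page. The rule and packet shapes, forward() and the routing tables are
assumptions of the model; the addresses and ports are the ones the page uses."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0

@dataclass(frozen=True)
class StaticNat:
    """Hosts in real_net (behind real_if) are seen as mapped_net from mapped_if."""
    real_if: str
    mapped_if: str
    real_net: str
    mapped_net: str

@dataclass(frozen=True)
class StaticPat:
    """One port: proto mapped_ip:mapped_port on mapped_if goes to real_ip:real_port behind real_if."""
    real_if: str
    mapped_if: str
    proto: str
    mapped_ip: str
    mapped_port: int
    real_ip: str
    real_port: int

def _rehost(addr, from_net, to_net):
    """Keep the host part of addr, swap the network part (netmask-style static NAT)."""
    offset = int(ip_address(addr)) - int(ip_network(from_net).network_address)
    return str(ip_address(int(ip_network(to_net).network_address) + offset))

def _route(dst, routes):
    hits = [(ip_network(n).prefixlen, i) for n, i in routes if ip_address(dst) in ip_network(n)]
    return max(hits)[1] if hits else None  # longest-prefix match; None when nothing matches

def forward(pkt, in_if, nats, pats, routes):
    """Return (egress interface, translated packet), or None when the FWSM drops the packet.
    Simplified order: un-translate the destination (which fixes the egress interface,
    else consult the route table), then translate the source for that interface pair."""
    out_if = None
    for n in nats:  # destination: mapped network -> real network
        if n.mapped_if == in_if and ip_address(pkt.dst) in ip_network(n.mapped_net):
            pkt, out_if = replace(pkt, dst=_rehost(pkt.dst, n.mapped_net, n.real_net)), n.real_if
            break
    else:
        for p in pats:  # destination: mapped ip:port -> real ip:port (static PAT)
            if (p.mapped_if, p.proto, p.mapped_ip, p.mapped_port) == (in_if, pkt.proto, pkt.dst, pkt.dport):
                pkt, out_if = replace(pkt, dst=p.real_ip, dport=p.real_port), p.real_if
                break
    if out_if is None:
        out_if = _route(pkt.dst, routes)
    if out_if is None or out_if == in_if:  # unroutable, or it would hairpin on the ingress interface
        return None
    for n in nats:  # source: real network -> mapped network
        if (n.real_if, n.mapped_if) == (in_if, out_if) and ip_address(pkt.src) in ip_network(n.real_net):
            return out_if, replace(pkt, src=_rehost(pkt.src, n.real_net, n.mapped_net))
    for p in pats:  # source: a redirected server's replies leave from the mapped ip:port
        if (p.real_if, p.mapped_if, p.proto, p.real_ip, p.real_port) == (in_if, out_if, pkt.proto, pkt.src, pkt.sport):
            return out_if, replace(pkt, src=p.mapped_ip, sport=p.mapped_port)
    return out_if, pkt

# Scenario 1: 192.168.100.0/24 is used on both the inside and the DMZ.
NATS = [StaticNat("inside", "dmz", "192.168.100.0/24", "10.1.2.0/24"),  # inside hosts look like 10.1.2.x from the DMZ
        StaticNat("dmz", "inside", "192.168.100.0/24", "10.1.3.0/24")]  # DMZ hosts look like 10.1.3.x from the inside
OVERLAP_ROUTES = [("192.168.100.0/24", "inside"),  # connected route
                  ("192.168.100.0/25", "dmz"), ("192.168.100.128/25", "dmz")]  # the two split static routes

def overlapping_networks():
    """Steps 1-3 from the page, then the inside host's reply, each as (egress, src, dst)."""
    out_if, fwd = forward(Packet("192.168.100.2", "10.1.2.2"), "dmz", NATS, [], OVERLAP_ROUTES)
    rep_if, rep = forward(Packet(fwd.dst, fwd.src), "inside", NATS, [], OVERLAP_ROUTES)
    return (out_if, fwd.src, fwd.dst), (rep_if, rep.src, rep.dst)

# Scenario 2 (Figure 16-28): four redirected ports; 209.165.201.25 is the FWSM outside address.
PATS = [StaticPat("inside", "outside", "tcp", "209.165.201.5", 23, "10.1.1.6", 23),
        StaticPat("inside", "outside", "tcp", "209.165.201.5", 21, "10.1.1.3", 21),
        StaticPat("inside", "outside", "tcp", "209.165.201.25", 80, "10.1.1.5", 80),
        StaticPat("inside", "outside", "tcp", "209.165.201.15", 8080, "10.1.1.7", 80)]
PAT_ROUTES = [("10.1.1.0/24", "inside"), ("0.0.0.0/0", "outside")]
OUTSIDE_HOST = "209.165.200.225"  # constructed client address; not on the page

def redirect(dst_ip, dport, proto="tcp"):
    """Where an outside client's request lands, as (egress, ip, port); None means dropped."""
    r = forward(Packet(OUTSIDE_HOST, dst_ip, proto, 40000, dport), "outside", [], PATS, PAT_ROUTES)
    return None if r is None else (r[0], r[1].dst, r[1].dport)

def reply_from(real_ip, real_port):
    """What the outside client sees as the server's source, as (egress, ip, port)."""
    r = forward(Packet(real_ip, OUTSIDE_HOST, "tcp", real_port, 40000), "inside", [], PATS, PAT_ROUTES)
    return None if r is None else (r[0], r[1].src, r[1].sport)

if __name__ == "__main__":
    print(overlapping_networks(), redirect("209.165.201.15", 8080), redirect("209.165.201.5", 443), reply_from("10.1.1.7", 80))
```

Running the module prints the translations. redirect() returning None for 209.165.201.5 port 443, or for 209.165.201.15 port 80, is the static PAT point: only the listed port of a mapped address is exposed, everything else to that address is dropped. The real FWSM uses its xlate and connection tables for return traffic rather than re-matching rules; for static translations the outcome is the same, which is what the reply cases in the model show.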