Nat In Transparent Mode - Cisco PIX 500 Series Configuration Manual
Security appliance command line
Hide thumbs
Also See for PIX 500 Series:
- Administration manual (653 pages) ,
- Quick start manual (72 pages) ,
- User manual (60 pages)
Table of Contents
Advertisement
Chapter 17
Configuring NAT
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.1-209.165.201.15
NAT in Transparent Mode
Using NAT in transparent mode eliminates the need for the upstream or downstream routers to perform
NAT for their networks. For example, a transparent firewall security appliance is useful between two
VRFs so you can establish BGP neighbor relations between the VRFs and the global table. However,
NAT per VRF might not be supported. In this case, using NAT in transparent mode is essential.
NAT in transparent mode has the following requirements and limitations:
•
•
•
•
•
Figure 17-2
outside interfaces. The transparent firewall in this scenario is performing the NAT service so that the
upstream router does not have to perform NAT. When the inside host at 10.1.1.27 sends a packet to a web
server, the real source address of the packet, 10.1.1.27, is changed to a mapped address, 209.165.201.10.
When the server responds, it sends the response to the mapped address, 209.165.201.10, and the security
appliance receives the packet because the upstream router includes this mapped network in a static route
directed through the security appliance. The security appliance then undoes the translation of the
mapped address, 209.165.201.10 back to the real address, 10.1.1.1.27. Because the real address is
directly-connected, the security appliance sends it directly to the host.
OL-12172-03
When the mapped addresses are not on the same network as the transparent firewall, then on the
upstream router, you need to add a static route for the mapped addresses that points to the
downstream router (through the security appliance).
If the real destination address is not directly-connected to the security appliance, then you also need
to add a static route on the security appliance for the real destination address that points to the
downstream router. Without NAT, traffic from the upstream router to the downstream router does not
need any routes on the security appliance because it uses the MAC address table. NAT, however,
causes the security appliance to use a route lookup instead of a MAC address lookup, so it needs a
static route to the downstream router.
The alias command is not supported.
Because the transparent firewall does not have any interface IP addresses, you cannot use interface
PAT.
ARP inspection is not supported. Moreover, if for some reason a host on one side of the firewall
sends an ARP request to a host on the other side of the firewall, and the initiating host real address
is mapped to a different address on the same subnet, then the real address remains visible in the ARP
request.
shows a typical NAT scenario in transparent mode, with the same network on the inside and
Cisco Security Appliance Command Line Configuration Guide
NAT Overview
17-3
Advertisement
Table of Contents
Troubleshooting
