Cisco PIX 500 Series Configuration Manual page 321

Security appliance command line

Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, page 17-5
Chapter 17: Configuring NAT
NAT Overview

Interfaces at the same security level are not required to use NAT to communicate. However, if you configure dynamic NAT or PAT on a same security interface, then all traffic from the interface to a same security interface or an outside interface must match a NAT rule, as shown in Figure 17-4.

Figure 17-4: NAT Control and Same Security Traffic
[Figure not reproduced. Labels: Security Appliance, Level 50, Level 50 or Outside, No NAT, Dyn. NAT, 10.1.1.1, 10.1.2.1, 209.165.201.1]

Similarly, if you enable outside dynamic NAT or PAT, then all outside traffic must match a NAT rule when it accesses an inside interface (see Figure 17-5).

Figure 17-5: NAT Control and Inbound Traffic
[Figure not reproduced. Labels: Security Appliance, Outside, Inside, No NAT, Dyn. NAT, 209.165.202.129, 209.165.200.240, 10.1.1.50]

Static NAT does not cause these restrictions.

By default, NAT control is disabled; therefore, you do not need to perform NAT on any networks unless you want to do so. If you upgraded from an earlier version of software, however, NAT control might be enabled on your system. Even with NAT control disabled, you need to perform NAT on any addresses for which you configure dynamic NAT. See the "Dynamic NAT and PAT Implementation" section on page 17-17 for more information about how dynamic NAT is applied.

If you want the added security of NAT control but do not want to translate inside addresses in some cases, you can apply a NAT exemption or identity NAT rule on those addresses. (See the "Bypassing NAT" section on page 17-30 for more information.)

To configure NAT control, see the "Configuring NAT Control" section on page 17-16.

Note: In multiple context mode, the packet classifier might rely on the NAT configuration to assign packets to contexts if you do not enable unique MAC addresses for shared interfaces. See the "How the Security Appliance Classifies Packets" section on page 3-3 for more information about the relationship between the classifier and NAT.
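The following configuration sketch is an added example, not taken from the Cisco guide. It shows NAT control enabled together with a dynamic NAT rule, a NAT exemption and an identity NAT rule, as discussed above, using the `nat-control`, `nat`, `global` and `access-list` commands. The interface names, subnets, address pool and access-list name are assumptions.

```cisco
! Constructed example: interface names, subnets, pool and ACL name are assumptions.
!
! Enable NAT control: inside traffic going to a lower-security interface
! must now match a NAT rule or it is dropped.
nat-control
!
! Dynamic NAT (NAT ID 1): hosts in 10.1.1.0/24 are translated to the
! mapped pool on the outside interface.
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 209.165.201.1-209.165.201.30
!
! NAT exemption (NAT ID 0 with an access list): traffic from 10.1.2.0/24
! to 10.1.3.0/24 passes untranslated but still satisfies NAT control.
access-list INSIDE_NONAT extended permit ip 10.1.2.0 255.255.255.0 10.1.3.0 255.255.255.0
nat (inside) 0 access-list INSIDE_NONAT
!
! Identity NAT (NAT ID 0 with a network): 10.1.4.0/24 keeps its real
! addresses for outbound connections.
nat (inside) 0 10.1.4.0 255.255.255.0
!
! Inside addresses outside 10.1.1.0/24, 10.1.2.0/24 and 10.1.4.0/24 match
! no rule above and cannot reach the outside while NAT control is enabled.
```

After an upgrade, `show running-config nat-control` shows whether NAT control is enabled, and `show xlate` lists the active translations.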


This manual is also suitable for:

ASA 5500 series