Cisco PIX 500 Series Configuration Manual page 327

Chapter 17
Configuring NAT
Note    Policy NAT does not support time-based ACLs.

Note    For applications that require application inspection for secondary channels (for example, FTP and VoIP), the policy specified in the policy NAT statement should include the secondary ports. When the ports cannot be predicted, the policy should specify only the IP addresses for the secondary channel. With this configuration, the security appliance translates the secondary ports.

All types of NAT support policy NAT, except for NAT exemption. NAT exemption uses an access list to identify the real addresses, but differs from policy NAT in that the ports are not considered. See the "Bypassing NAT" section on page 17-30 for other differences. You can accomplish the same result as NAT exemption using static identity NAT, which does support policy NAT.

Figure 17-9 shows a host on the 10.1.2.0/24 network accessing two different servers. When the host accesses the server at 209.165.201.11, the real address is translated to 209.165.202.129. When the host accesses the server at 209.165.200.225, the real address is translated to 209.165.202.130. Consequently, the host appears to be on the same network as the servers, which can help with routing.

Figure 17-9    Policy NAT with Different Destination Addresses

(Figure labels: Inside, 10.1.2.0/24, host 10.1.2.27; Server 1, 209.165.201.11, 209.165.201.0/27; Server 2, 209.165.200.225, 209.165.200.224/27; DMZ; packet with Dest. Address 209.165.201.11, translation 209.165.202.129; packet with Dest. Address 209.165.200.225, translation 209.165.202.130.)

See the following commands for this example:

hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
hostname(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
hostname(config)# nat (inside) 1 access-list NET1
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list NET2
hostname(config)# global (outside) 2 209.165.202.130

Cisco Security Appliance Command Line Configuration Guide
OL-12172-03
NAT Overview
17-11
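The following is an added example, not part of the Cisco guide and not appliance code: a small Python model of how the policy NAT statements above are evaluated. It encodes the NET1/NET2 access lists and the nat/global bindings from Figure 17-9, walks the nat statements in order, and returns the mapped source address for a given source, destination and destination port. It also builds a hypothetical variant (the names NET1_FTP and port_specific_config are assumptions) whose access list is restricted to TCP port 21, to show the point of the second Note: a port-specific policy does not cover a secondary channel on an unpredictable port, whereas the IP-only policy does. Fall-through behaviour when no policy matches is simplified to returning None.

```python
"""Added example: simulate PIX/ASA policy NAT selection (not Cisco code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def net(address: str, mask: str) -> ipaddress.IPv4Network:
    """Build a network from the address/netmask pair used in access-list syntax."""
    return ipaddress.IPv4Network(f"{address}/{mask}")


@dataclass(frozen=True)
class Ace:
    """One access-list entry: protocol, source net, destination net, optional dest port."""
    proto: str                      # "ip" matches any protocol; otherwise "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None  # None = any port (IP-only policy)

    def matches(self, proto: str, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if ipaddress.IPv4Address(src_ip) not in self.src:
            return False
        if ipaddress.IPv4Address(dst_ip) not in self.dst:
            return False
        return self.dst_port is None or self.dst_port == dst_port


@dataclass
class PolicyNat:
    """Ordered 'nat (inside) <id> access-list <name>' statements plus 'global (outside) <id> <ip>'."""
    acls: Dict[str, List[Ace]] = field(default_factory=dict)
    nat_statements: List[Tuple[int, str]] = field(default_factory=list)  # (nat id, acl name)
    globals_: Dict[int, str] = field(default_factory=dict)               # nat id -> mapped address

    def translate(self, proto: str, src_ip: str, dst_ip: str, dst_port: int) -> Optional[str]:
        """Return the mapped source address for a connection, or None when no policy matches.
        (Simplified: a real appliance would then consult regular NAT rules.)"""
        for nat_id, acl_name in self.nat_statements:
            if any(ace.matches(proto, src_ip, dst_ip, dst_port) for ace in self.acls[acl_name]):
                return self.globals_[nat_id]
        return None


def figure_17_9_config() -> PolicyNat:
    """The configuration from the guide's Figure 17-9 example."""
    cfg = PolicyNat()
    cfg.acls["NET1"] = [Ace("ip", net("10.1.2.0", "255.255.255.0"), net("209.165.201.0", "255.255.255.224"))]
    cfg.acls["NET2"] = [Ace("ip", net("10.1.2.0", "255.255.255.0"), net("209.165.200.224", "255.255.255.224"))]
    cfg.nat_statements = [(1, "NET1"), (2, "NET2")]
    cfg.globals_ = {1: "209.165.202.129", 2: "209.165.202.130"}
    return cfg


def port_specific_config() -> PolicyNat:
    """Hypothetical variant (assumption): policy limited to TCP/21 only, so a secondary
    channel to the same server on another port is not covered by the policy."""
    cfg = PolicyNat()
    cfg.acls["NET1_FTP"] = [Ace("tcp", net("10.1.2.0", "255.255.255.0"),
                                net("209.165.201.0", "255.255.255.224"), dst_port=21)]
    cfg.nat_statements = [(1, "NET1_FTP")]
    cfg.globals_ = {1: "209.165.202.129"}
    return cfg


if __name__ == "__main__":
    cfg = figure_17_9_config()
    # Constructed sample connections from the inside host in the figure.
    for dst, port in [("209.165.201.11", 80), ("209.165.200.225", 443), ("198.51.100.5", 80)]:
        print(f"10.1.2.27 -> {dst}:{port} maps to {cfg.translate('tcp', '10.1.2.27', dst, port)}")
    strict = port_specific_config()
    # Constructed secondary-channel port; the IP-only policy covers it, the TCP/21 policy does not.
    print("IP-only policy, port 20001:", cfg.translate("tcp", "10.1.2.27", "209.165.201.11", 20001))
    print("TCP/21 policy, port 20001:", strict.translate("tcp", "10.1.2.27", "209.165.201.11", 20001))
```

Because the nat statements are checked in order and the first matching access list wins, the order of the statements matters once two policies could match the same traffic; the figure's two access lists have disjoint destination networks, so here the order is irrelevant.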