Chapter 17
Configuring NAT
Configuring NAT Control
Note If a user on a different network (for example, DMZ) also requests the IP address for ftp.cisco.com from the outside DNS server, then the IP address in the DNS reply is also modified for this user, even though the user is not on the Inside interface referenced by the static command.
Figure 17-13 shows a web server and DNS server on the outside. The security appliance has a static translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.201.10. Because you want inside users to use the mapped address for ftp.cisco.com (10.1.2.56), you need to configure DNS reply modification for the static translation.
Figure 17-13 DNS Reply Modification Using Outside NAT
[Figure: user 10.1.2.27 on the Inside interface; DNS server and ftp.cisco.com (209.165.201.10) on the Outside interface; the security appliance holds a static translation on Inside to 10.1.2.56. Numbered flow: (1) DNS query "ftp.cisco.com?" from the user, (2) query forwarded to the DNS server, (3) DNS reply 209.165.201.10, (4) DNS reply modification to 10.1.2.56, (5) DNS reply 10.1.2.56 delivered to the user, (6) FTP request to 10.1.2.56, (7) destination address translation to 209.165.201.10 and FTP request forwarded to the server.]
See the following command for this example:
hostname(config)# static (outside,inside) 10.1.2.56 209.165.201.10 netmask 255.255.255.255 dns
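As an added illustration that is not part of the Cisco guide, the following Python models what the dns keyword on the static command does: it walks a DNS reply in wire format and, for any A record whose address is the real address of a static translation, substitutes the mapped address. The rule table, the packet builder and the interface-name keys are constructed for this example; as the Note above describes, the rewrite is keyed only on the interface the reply arrives from, not on the interface of the requesting user.

```python
import struct
import ipaddress

# Constructed rule table modelled on:
#   static (outside,inside) 10.1.2.56 209.165.201.10 netmask 255.255.255.255 dns
# Keyed by the interface where the real address lives (assumption); the reply is
# rewritten for a DMZ user as well, so only the reply's ingress interface matters.
STATIC_DNS_RULES = {
    "outside": {"209.165.201.10": "10.1.2.56"},
}

def _skip_name(pkt, off):
    """Return the offset just past a DNS name (labels or a compression pointer)."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def doctor_dns_reply(pkt: bytes, reply_ingress_iface: str) -> bytes:
    """Rewrite A-record RDATA equal to a static rule's real address to its mapped address."""
    rules = STATIC_DNS_RULES.get(reply_ingress_iface, {})
    if not rules:
        return pkt
    out = bytearray(pkt)
    qdcount, ancount = struct.unpack_from("!HH", pkt, 4)
    off = 12  # fixed 12-byte DNS header
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # skip QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:  # IN A record
            real = str(ipaddress.IPv4Address(pkt[off:off + 4]))
            if real in rules:
                out[off:off + 4] = ipaddress.IPv4Address(rules[real]).packed
        off += rdlen
    return bytes(out)

def build_a_reply(name: str, addr: str) -> bytes:
    """Constructed DNS reply: one question plus one A answer that points back at the question name."""
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # id, flags (QR/RD/RA), counts
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + qname + struct.pack("!HH", 1, 1) + answer

def answered_address(pkt: bytes) -> str:
    """Return the first A-record address in a reply (used to inspect the result)."""
    off = _skip_name(pkt, 12) + 4
    off = _skip_name(pkt, off) + 10
    return str(ipaddress.IPv4Address(pkt[off:off + 4]))
```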
Configuring NAT Control
NAT control requires that packets traversing from an inside interface to an outside interface match a NAT rule. See the "NAT Control" section on page 17-4 for more information.
To enable NAT control, enter the following command:
Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, page 17-16