Cisco PIX 500 Series Configuration Manual page 335

Chapter 17 Configuring NAT
You can also enter a global command for each interface using the same NAT ID. If you enter a global
command for the Outside and DMZ interfaces on ID 1, then the Inside nat command identifies traffic to
be translated when going to both the Outside and the DMZ interfaces. Similarly, if you also enter a nat
command for the DMZ interface on ID 1, then the global command on the Outside interface is also used
for DMZ traffic. (See
Figure 17-16
10.1.2.27
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
hostname(config)# global (dmz) 1 10.1.1.23
If you use different NAT IDs, you can identify different sets of real addresses to have different mapped
addresses. For example, on the Inside interface, you can have two nat commands on two different
NAT IDs. On the Outside interface, you configure two global commands for these two IDs. Then, when
traffic from Inside network A exits the Outside interface, the IP addresses are translated to pool A
addresses; while traffic from Inside network B are translated to pool B addresses (see
you use policy NAT, you can specify the same real addresses for multiple nat commands, as long as the
the destination addresses and ports are unique in each access list.
OL-12172-03
Figure 17-16).
global and nat Commands on Multiple Interfaces
Web Server:
www.cisco.com
Outside
Security
Appliance
Translation
209.165.201.3
Inside
10.1.2.27
Translation
10.1.1.15
Global 1: 209.165.201.3-
209.165.201.10
NAT 1: 10.1.1.0/24
Global 1: 10.1.1.23
NAT 1: 10.1.2.0/24
Translation
10.1.2.27
Cisco Security Appliance Command Line Configuration Guide
Using Dynamic NAT and PAT
209.165.201.4
DMZ
10.1.1.15
10.1.1.23:2024
Figure 17-17). If
17-19