Cisco PIX 500 Series Configuration Manual page 345

Chapter 17 Configuring NAT
Using Static PAT
In this case, the second address is the destination address. However, the same configuration is used
for hosts to originate a connection to the mapped address. For example, when a host on the
209.165.200.224 network initiates a Telnet connection to 192.168.1.1, then the second address in
the access list is the source address.
This access list should include only permit ACEs. Policy NAT does not consider the inactive or time-range keywords; all ACEs are considered to be active for policy NAT configuration. See the "Policy NAT" section on page 17-10 for more information.
If you specify a network for translation (for example, 10.1.1.0 255.255.255.0), then the security
appliance translates the .0 and .255 addresses. If you want to prevent access to these addresses, be
sure to configure an access list to deny access.
See the "Configuring Dynamic NAT or PAT" section on page 17-23 for information about the other options.
To configure regular static PAT, enter the following command:
hostname(config)# static (real_interface,mapped_interface) {tcp | udp} {mapped_ip | interface} mapped_port real_ip real_port [netmask mask] [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
See the "Configuring Dynamic NAT or PAT" section on page 17-23 for information about the options.
Note: When configuring static PAT with FTP, you need to add entries for both TCP ports 20 and 21. You must specify port 20 so that the source port for the active transfer is not modified to another port, which may interfere with other devices that perform NAT on FTP traffic.
For example, for Telnet traffic initiated from hosts on the 10.1.3.0 network to the security appliance
outside interface (10.1.2.14), you can redirect the traffic to the inside host at 10.1.1.15 by entering the
following commands:
hostname(config)# access-list TELNET permit tcp host 10.1.1.15 eq telnet 10.1.3.0 255.255.255.0
hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet access-list TELNET
For HTTP traffic initiated from hosts on the 10.1.3.0 network to the security appliance outside interface
(10.1.2.14), you can redirect the traffic to the inside host at 10.1.1.15 by entering:
hostname(config)# access-list HTTP permit tcp host 10.1.1.15 eq http 10.1.3.0 255.255.255.0
hostname(config)# static (inside,outside) tcp 10.1.2.14 http access-list HTTP
To redirect Telnet traffic from the security appliance outside interface (10.1.2.14) to the inside host at
10.1.1.15, enter the following command:
hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet 10.1.1.15 telnet netmask 255.255.255.255
If you want to allow the preceding real Telnet server to initiate connections, though, then you need to
provide additional translation. For example, to translate all other types of traffic, enter the following
commands. The original static command provides translation for Telnet to the server, while the nat and
global commands provide PAT for outbound connections from the server.
hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet 10.1.1.15 telnet netmask 255.255.255.255
hostname(config)# nat (inside) 1 10.1.1.15 255.255.255.255
hostname(config)# global (outside) 1 10.1.2.14
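The examples above all turn on how the security appliance matches a static PAT entry: for policy static PAT the access list's first address is the real host and its second address is the destination for connections the host originates but the source for connections arriving at the mapped address, while a regular static covers only the one port, so outbound traffic from the server on other ports needs the nat and global commands. The following Python model is added here as an illustration and is not part of the Cisco guide or of any Cisco software. It parses only the access-list, static, nat and global command forms shown on this page and answers how a given connection would be translated in either direction; the peer addresses used as sample traffic (10.1.3.7, 209.165.200.230, 203.0.113.5) are constructed for the example.

```python
# Toy model of PIX/ASA static PAT lookups (constructed for this example, not Cisco
# code): parses the command forms used on this page and answers "how would this
# connection be translated?" for inbound and outbound connections.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

PORT_NAMES = {"telnet": 23, "http": 80, "ftp": 21, "ftp-data": 20}

def port_number(token: str) -> int:
    return PORT_NAMES.get(token) or int(token)

def parse_addr(tokens, i):
    """Consume 'host A' or 'NET MASK' at tokens[i]; return (network, next index)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

@dataclass
class Ace:
    proto: str
    real_net: ipaddress.IPv4Network  # first address: the real (inside) host
    real_port: int
    peer_net: ipaddress.IPv4Network  # second address: destination outbound, source inbound

@dataclass
class StaticPat:
    proto: str
    mapped_ip: ipaddress.IPv4Address
    mapped_port: int
    real_ip: Optional[ipaddress.IPv4Address] = None  # set for regular static PAT
    real_port: Optional[int] = None
    acl: Optional[str] = None  # set for policy static PAT

@dataclass
class Config:
    acls: dict = field(default_factory=dict)
    statics: list = field(default_factory=list)
    nat_nets: dict = field(default_factory=dict)   # nat id -> real networks
    global_ip: dict = field(default_factory=dict)  # nat id -> mapped address

    def add(self, line: str) -> None:
        t = line.replace("hostname(config)# ", "").split()
        if t[0] == "access-list":
            if t[2] != "permit":  # policy NAT access lists take permit ACEs only
                raise ValueError("policy NAT access list must contain only permit ACEs")
            real, i = parse_addr(t, 4)
            peer, _ = parse_addr(t, i + 2)  # skip 'eq PORT'
            self.acls.setdefault(t[1], []).append(Ace(t[3], real, port_number(t[i + 1]), peer))
        elif t[0] == "static":
            entry = StaticPat(t[2], ipaddress.ip_address(t[3]), port_number(t[4]))
            if t[5] == "access-list":
                entry.acl = t[6]
            else:  # 'real_ip real_port [netmask ...]'
                entry.real_ip, entry.real_port = ipaddress.ip_address(t[5]), port_number(t[6])
            self.statics.append(entry)
        elif t[0] == "nat":
            self.nat_nets.setdefault(int(t[2]), []).append(parse_addr(t, 3)[0])
        elif t[0] == "global":
            self.global_ip[int(t[2])] = ipaddress.ip_address(t[3])

    def inbound(self, proto, src_ip, dst_ip, dst_port):
        """Connection from outside to a mapped address: (real_ip, real_port) or None."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for s in self.statics:
            if (s.proto, s.mapped_ip, s.mapped_port) != (proto, dst, dst_port):
                continue
            if s.acl is None:
                return str(s.real_ip), s.real_port
            for ace in self.acls.get(s.acl, []):
                if ace.proto == proto and src in ace.peer_net:  # second address = source
                    return str(ace.real_net.network_address), ace.real_port
        return None

    def outbound(self, proto, src_ip, src_port, dst_ip):
        """Connection started by the inside host: (mapped_ip, mapped_port) or None.
        A None port means dynamic PAT assigns the port when the connection is built."""
        src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        for s in self.statics:
            if s.proto != proto:
                continue
            if s.acl is None and (s.real_ip, s.real_port) == (src, src_port):
                return str(s.mapped_ip), s.mapped_port
            for ace in self.acls.get(s.acl, []):
                if (ace.proto == proto and src in ace.real_net and src_port == ace.real_port
                        and dst in ace.peer_net):  # second address = destination
                    return str(s.mapped_ip), s.mapped_port
        for nat_id, nets in self.nat_nets.items():
            if nat_id in self.global_ip and any(src in n for n in nets):
                return str(self.global_ip[nat_id]), None
        return None

def build_page_example() -> Config:
    """The policy static PAT entries from this page plus nat/global for the server's own connections."""
    cfg = Config()
    for line in [
        "access-list TELNET permit tcp host 10.1.1.15 eq telnet 10.1.3.0 255.255.255.0",
        "static (inside,outside) tcp 10.1.2.14 telnet access-list TELNET",
        "access-list HTTP permit tcp host 10.1.1.15 eq http 10.1.3.0 255.255.255.0",
        "static (inside,outside) tcp 10.1.2.14 http access-list HTTP",
        "nat (inside) 1 10.1.1.15 255.255.255.255",
        "global (outside) 1 10.1.2.14",
    ]:
        cfg.add(line)
    return cfg
```

Calling build_page_example().inbound("tcp", "10.1.3.7", "10.1.2.14", 23) returns the real server 10.1.1.15 port 23, while the same connection from a source outside 10.1.3.0/24 returns None, which is the policy behaviour the access list buys you; outbound("tcp", "10.1.1.15", 4444, ...) falls through the static entries and is handled by the nat/global pair, and without that pair it returns None, matching the "additional translation" caveat above.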
Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, page 17-29