Network Address Translation; Chapter 4 Configuring The Firewall Mode - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide

Firewall Mode Overview
IP Routing Support
The FWSM acts as a router between connected networks, and each interface requires an IP address on a
different subnet. In single context mode, the routed firewall supports OSPF and RIP (in passive mode).
Multiple context mode supports static routes only. We recommend using the advanced routing
capabilities of the upstream and downstream routers, such as the MSFC, instead of relying on the FWSM
for extensive routing needs.

Network Address Translation

NAT substitutes the local address on a packet with a global address that is routable on the destination
network. In routed mode, you typically configure NAT for inside hosts that access an outside network,
but you can optionally bypass NAT if you are using routable addresses.
Some of the benefits of NAT include the following:
• You can use private addresses on your inside networks. Private addresses are not able to be routed on the Internet. See the "Private Networks" section on page D-2 for more information.
• NAT hides the local addresses from other networks, so attackers cannot learn the real address of a host.
• NAT can resolve IP routing problems by supporting overlapping IP addresses.

See Chapter 9, "Configuring Network Address Translation," for more information.

Figure 4-1 shows a typical NAT scenario, with a private network on the inside. When the inside user sends a packet to a web server on the Internet, the local source address of the packet is changed to a routable global address. When the web server responds, it sends the response to the global address, and the firewall receives the packet. The firewall then translates the global address to the local address before sending it on to the user.

Figure 4-1 NAT Example
[Figure: web server www.cisco.com on the outside; FWSM with outside address 209.165.201.2 and inside address 10.1.2.1; inside user at 10.1.2.27. Originating packet: source address translation, 10.1.2.27 to 209.165.201.10. Responding packet: destination address translation, 209.165.201.10 to 10.1.2.27.]
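
The translation sequence described for Figure 4-1, as an added Python model (not Cisco code and not FWSM configuration). The /24 inside network, the one-address global pool, the web server address, and all class and function names are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class DynamicNat:
    """Maps inside (local) addresses to addresses taken from a global pool."""

    def __init__(self, inside_net, global_pool):
        self.inside_net = ipaddress.ip_network(inside_net)
        self.free = list(global_pool)   # global addresses not yet assigned
        self.local_to_global = {}       # translation table, outbound lookup
        self.global_to_local = {}       # reverse lookup used for replies

    def outbound(self, pkt):
        """Inside to outside: rewrite the local source address."""
        if ipaddress.ip_address(pkt.src) not in self.inside_net:
            return pkt                  # model assumption: NAT bypassed for other sources
        if pkt.src not in self.local_to_global:
            if not self.free:
                return None             # pool exhausted: no translation, packet dropped
            g = self.free.pop(0)
            self.local_to_global[pkt.src] = g
            self.global_to_local[g] = pkt.src
        return replace(pkt, src=self.local_to_global[pkt.src])

    def inbound(self, pkt):
        """Outside to inside: rewrite the global destination address."""
        local = self.global_to_local.get(pkt.dst)
        if local is None:
            return None                 # no translation for this address: dropped
        return replace(pkt, dst=local)


def figure_4_1_walkthrough():
    """Replays the Figure 4-1 exchange with constructed sample packets."""
    nat = DynamicNat("10.1.2.0/24", ["209.165.201.10"])  # /24 is an assumption
    web = "198.51.100.80"               # constructed stand-in for www.cisco.com
    out = nat.outbound(Packet("10.1.2.27", web))          # originating packet
    back = nat.inbound(Packet(web, out.src))              # responding packet
    unsolicited = nat.inbound(Packet(web, "209.165.201.11"))
    second_host = nat.outbound(Packet("10.1.2.28", web))  # pool already used up
    return out, back, unsolicited, second_host
```

The model covers address rewriting only; it does not represent access lists or connection state.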
OL-6392-01
