Order of NAT Commands Used to Match Real Addresses; Maximum Number of NAT Statements; Mapped Address Guidelines - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI
Chapter 16
Configuring NAT

Order of NAT Commands Used to Match Real Addresses

The FWSM matches real addresses to NAT commands in the following order:
1. NAT exemption (nat 0 access-list)—In order, until the first match. Identity NAT is not included in this category; it is included in the regular static NAT or regular NAT category. We do not recommend overlapping addresses in NAT exemption statements because unexpected results can occur.
2. Static NAT and Static PAT (regular and policy) (static)—Best match. Static identity NAT is included in this category. In the case of overlapping addresses in static statements, a warning is displayed, but they are supported. The order of the static commands does not matter; the static statement that best matches the real address is used.
3. Policy dynamic NAT (nat access-list)—In order, until the first match. Overlapping addresses are allowed.
4. Regular dynamic NAT (nat)—Best match. Regular identity NAT is included in this category. The order of the nat commands does not matter; the nat statement that best matches the real address is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you want to translate a subset of your network (10.1.1.1) to a different address, you can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the real address best. We do not recommend using overlapping statements; they use more memory and can slow the performance of the FWSM.

Maximum Number of NAT Statements

The FWSM supports the following numbers of nat, global, and static commands, divided between all contexts or in single mode:
• nat command—2 K
• global command—4 K
• static command—2 K
The FWSM also supports up to 3942 ACEs in access lists used for policy NAT in single mode, and 7272 ACEs in multiple mode.

Mapped Address Guidelines

When you translate the real address to a mapped address, you can use the following mapped addresses:
• Addresses on the same network as the mapped interface.
If you use addresses on the same network as the mapped interface (through which traffic exits the FWSM), the FWSM uses proxy ARP to answer any requests for mapped addresses, and thus intercepts traffic destined for a real address. This solution simplifies routing, because the FWSM does not have to be the gateway for any additional networks. However, this approach limits the number of addresses available for translations.
For PAT, you can even use the IP address of the mapped interface.
• Addresses on a unique network.
If you need more addresses than are available on the mapped interface network, you can identify addresses on a different subnet. The FWSM uses proxy ARP to answer any requests for mapped addresses, and thus intercepts traffic destined for a real address. If you use OSPF to advertise mapped IP addresses that belong to a different subnet from the mapped interface, you need to create

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
NAT Overview
16-15
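The following FWSM configuration is an added illustration, not an example from the configuration guide, that puts the four match categories described under "Order of NAT Commands Used to Match Real Addresses" and both kinds of mapped address from "Mapped Address Guidelines" into one configuration. The interface names inside and outside, the access-list names NO_NAT and POLICY_NAT, the nat/global IDs, and every address in it are assumed for the example; the comments state which statement the FWSM selects for a given real address according to the order above.

```cisco
! Added example (not from the configuration guide). Assumed topology:
! inside network 10.0.0.0/8, outside interface on 209.165.201.0/27.

! --- 1. NAT exemption: checked first, in order, first match wins. ---
! Traffic from 10.1.1.0/24 to the partner network 192.168.1.0/24 keeps its real address.
access-list NO_NAT extended permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

! --- 2. Static NAT and static PAT: best match, order of statements irrelevant. ---
! 10.1.1.5 is always seen as 209.165.201.5 (unless the exemption above matched).
static (inside,outside) 209.165.201.5 10.1.1.5 netmask 255.255.255.255
! Static PAT: only TCP/80 on 10.1.1.6 is published, as 209.165.201.6 port 8080.
static (inside,outside) tcp 209.165.201.6 8080 10.1.1.6 80 netmask 255.255.255.255

! --- 3. Policy dynamic NAT: in order, first match; the ACL matches source AND destination. ---
! 10.1.1.0/24 going to 172.16.0.0/16 draws from the pool 209.165.201.20-30.
access-list POLICY_NAT extended permit ip 10.1.1.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside) 3 access-list POLICY_NAT
global (outside) 3 209.165.201.20-209.165.201.30 netmask 255.255.255.224

! --- 4. Regular dynamic NAT: best (most specific) match; overlap allowed but discouraged. ---
! General statement: everything else is PATed to the outside interface address,
! i.e. a mapped address on the same network as the mapped interface.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
! More specific statement: 10.1.1.1 alone gets a dedicated mapped address. It wins over
! nat 1 for that host because a 32-bit mask matches the real address best.
nat (inside) 2 10.1.1.1 255.255.255.255
global (outside) 2 209.165.201.10 netmask 255.255.255.224

! Mapped addresses on a unique network: 209.165.202.128/27 is not the outside subnet, so
! the upstream router must have a route for that pool pointing at the FWSM outside
! interface (a static route on the router or a route it learns), or replies never
! reach the FWSM. (Assumed pool and real network.)
nat (inside) 4 10.2.0.0 255.255.0.0
global (outside) 4 209.165.202.129-209.165.202.158 netmask 255.255.255.224

! Resolution for a few real addresses, following the match order:
! 10.1.1.5  -> 192.168.1.7   : category 1, nat 0 (exempt, no translation)
! 10.1.1.5  -> 203.0.113.9   : category 2, static 209.165.201.5
! 10.1.1.1  -> 172.16.4.4    : category 3, policy nat 3 (checked before regular nat 2)
! 10.1.1.1  -> 203.0.113.9   : category 4, nat 2 (best match beats nat 1)
! 10.1.1.77 -> 203.0.113.9   : category 4, nat 1 (PAT to the interface address)
! 10.2.5.5  -> 203.0.113.9   : category 4, nat 4 (pool on the unique network)
```

Two caveats a practitioner would apply when adapting this: the nat 1 and nat 2 statements overlap on purpose to show best-match selection, which the guide notes costs memory and performance, so in production prefer a non-overlapping layout where possible; and the exemption ACL is evaluated first, so any host or destination it covers is never translated by the static or dynamic statements below it, which is easy to overlook when an exemption ACL grows.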
