Cisco 7604 Configuration Manual page 332

Catalyst 6500 series switch and cisco 7600 series router firewall services module configuration guide using the cli

Using Dynamic NAT and PAT
Regular NAT:
hostname(config)# nat (real_interface) nat_id real_ip [mask [dns] [outside]
[[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]]
The nat_id is an integer between 1 and 2147483647. The NAT ID must match a global command NAT ID. See the "Dynamic NAT and PAT Implementation" section on page 16-20 for more information about how NAT IDs are used. 0 is reserved for identity NAT. See the "Configuring Identity NAT" section on page 16-34 for more information about identity NAT.
See the preceding policy NAT command for information about other options.
Step 2
To identify the mapped address(es) to which you want to translate the real addresses when they exit a particular interface, enter the following command:
hostname(config)# global (mapped_interface) nat_id {mapped_ip[-mapped_ip]}
This NAT ID should match a nat command NAT ID. The matching nat command identifies the addresses
that you want to translate when they exit this interface.
You can specify a single address (for PAT) or a range of addresses (for NAT). The range can go across
subnet boundaries if desired. For example, you can specify the following "supernet":
192.168.1.1-192.168.2.254
For example, to translate the 10.1.1.0/24 network on the inside interface, enter the following command:
hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.1-209.165.201.30
To identify a pool of addresses for dynamic NAT as well as a PAT address for when the NAT pool is
exhausted, enter the following commands:
hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.5
hostname(config)# global (outside) 1 209.165.201.10-209.165.201.20
To translate the lower security DMZ network addresses so they appear to be on the same network as the
inside network (10.1.1.0), for example, to simplify routing, enter the following commands:
hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dns
hostname(config)# global (inside) 1 10.1.1.45
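As an added example (not taken from the guide), the following Python models the nat/global pairing described above: it parses the nat and global lines of the pool-plus-PAT example, checks that each NAT ID is in the dynamic range and appears on both sides, and walks real hosts through the NAT pool, sharing the PAT address once the pool is exhausted. The line parsing (trailing options such as outside and dns are ignored) and the pool-first allocation order are simplified models written for this illustration, not the FWSM implementation.

```python
import ipaddress
import re

# Constructed sample (copied from the NAT-pool-plus-PAT example above).
CONFIG = [
    "hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0",
    "hostname(config)# global (outside) 1 209.165.201.5",
    "hostname(config)# global (outside) 1 209.165.201.10-209.165.201.20",
]
NAT_RE = re.compile(r"nat \((\w+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"global \((\w+)\) (\d+) (\S+)")
def dynamic_nat_id_ok(nat_id):
    """1..2147483647 is valid for dynamic NAT; 0 is reserved for identity NAT."""
    return 1 <= nat_id <= 2147483647
def parse_pool(spec):
    """'a-b' is a NAT range (it may cross subnet boundaries); a single address is a PAT address."""
    if "-" in spec:
        lo, hi = (int(ipaddress.ip_address(x)) for x in spec.split("-"))
        return ("nat", lo, hi)
    addr = int(ipaddress.ip_address(spec))
    return ("pat", addr, addr)
def parse_config(lines):
    """Return ({nat_id: (interface, real network)}, {nat_id: [pool entries]})."""
    nats, globals_ = {}, {}
    for line in lines:
        line = line.split("#", 1)[-1].strip()  # drop the hostname(config)# prompt
        if m := NAT_RE.match(line):
            iface, nat_id, ip, mask = m.groups()
            if not dynamic_nat_id_ok(int(nat_id)):
                raise ValueError(f"nat_id {nat_id} is not valid for dynamic NAT")
            nats[int(nat_id)] = (iface, ipaddress.ip_network(f"{ip}/{mask}"))
        elif m := GLOBAL_RE.match(line):
            globals_.setdefault(int(m.group(2)), []).append(parse_pool(m.group(3)))
    return nats, globals_
def unmatched_ids(nats, globals_):
    """NAT IDs present on only one side: that traffic is never translated."""
    return sorted(set(nats) ^ set(globals_))
def translate(globals_, nat_id, real_hosts):
    """Give each real host a NAT pool address; once the pool is exhausted, share the PAT address."""
    free = [ip for kind, lo, hi in globals_[nat_id] if kind == "nat" for ip in range(lo, hi + 1)]
    pat = [lo for kind, lo, _ in globals_[nat_id] if kind == "pat"]
    mapped = {}
    for host in real_hosts:
        if free:
            mapped[host] = (str(ipaddress.ip_address(free.pop(0))), "NAT")
        elif pat:
            mapped[host] = (str(ipaddress.ip_address(pat[0])), "PAT")
        else:
            mapped[host] = (None, "no mapped address")  # pool exhausted and no PAT address configured
    return mapped
```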
traffic. Each TCP connection has two ISNs: one generated by the client and one generated by
the server. The security appliance randomizes the ISN of the TCP SYN passing in the outbound
direction. If the connection is between two interfaces with the same security level, then the ISN
will be randomized in the SYN in both directions. Randomizing the ISN of the protected host
prevents an attacker from predicting the next ISN for a new connection and potentially hijacking
the new session.
You can alternatively set connection limits (but not embryonic connection limits) using the Modular Policy Framework. See the "Configuring Connection Limits and Timeouts" section on page 21-1 for more information. You can only set embryonic connection limits using NAT. If you configure these settings for the same traffic using both methods, then the FWSM uses the lower limit. For TCP sequence randomization, if it is disabled using either method, then the FWSM disables TCP sequence randomization.
Chapter 16
Configuring NAT
OL-20748-01