9-7
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 9 Configuring Network Address Translation
NAT Overview
Bypassing NAT
When hosts on a higher security interface (inside) access hosts on a lower security interface (outside), you must configure NAT on the inside hosts or specifically configure the inside interface to bypass NAT. You might want to bypass NAT in the following circumstances:
• You do not want the complication of NAT.
• You are using an application that does not support NAT (see the “Inspection Engine Overview” section on page 13-1 for information about inspection engines that do not support NAT).
• You are using a transparent firewall and want to set connection limits.
• You are using same security interfaces and want to set connection limits.
You can configure an interface to bypass NAT using three methods. All methods achieve compatibility with inspection engines and simplification of your addressing. However, each method offers slightly different capabilities, as follows:
• Identity NAT—When you configure identity NAT (which is similar to dynamic NAT), you do not specify global addresses, and therefore you do not specify a single global interface; you must use identity NAT for connections through all interfaces. Therefore, you cannot choose to perform normal translation on local addresses when you access interface A, but use identity NAT when accessing interface B. Regular dynamic NAT, on the other hand, lets you specify a particular global interface on which to translate the addresses. Make sure that the local addresses for which you use identity NAT are routable on all networks that are available according to your ACLs.
  For identity NAT, even though the translated address is the same as the local address, you cannot initiate a connection from the outside to the inside (even if the interface ACL allows it). Use static identity NAT or NAT exemption for this functionality. For same security interfaces, however, you can initiate connections both ways.
• Static identity NAT—Static identity NAT lets you specify the global interface on which you want to allow the local addresses to appear, so you can use identity NAT when you access interface A, and use regular translation when you access interface B. Static identity NAT also lets you use policy NAT, which identifies the local and destination addresses when determining the local traffic to translate (see the “Policy NAT” section on page 9-8 for more information about policy NAT). For example, you can use static identity NAT for an inside address when it accesses the outside interface and the destination is server A, but use a normal translation when accessing the outside server B.
• NAT exemption—NAT exemption allows both local and global hosts to initiate connections. Like identity NAT, you do not specify global addresses, and therefore you do not specify a single global interface; you must use NAT exemption for connections through all interfaces. However, NAT exemption does allow you to specify the local and destination addresses when determining the local traffic to translate (similar to policy NAT), so you have greater control using NAT exemption. However, unlike policy NAT, NAT exemption does not consider the ports in the ACL.
  Note: In multiple context mode, you cannot initiate connections from an interface shared between contexts when you use NAT exemption for the destination address. The classifier can only assign packets from a shared interface to a context when you configure a static statement for the destination address. For example, if you share the outside interface, you cannot use NAT exemption on an inside interface if you want outside traffic to reach the inside addresses. The classifier only looks at static statements where the global interface matches the source interface of the packet. Because NAT exemption does not identify a global interface, the classifier does not consider those NAT statements for classification purposes.
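As an added illustration (not text or configuration from the guide), the three bypass methods described above written as FWSM-style configuration. The addresses are constructed, the ACL names IDENT_TO_A and EXEMPT are made up, and the command syntax is assumed from the FWSM nat, global, static and access-list commands, so verify it against your release. The numbered blocks are alternatives for the same inside hosts, not one combined configuration:

```cisco
! Added example, not from the guide. Constructed addressing:
! inside network 10.1.1.0/24; outside server A 209.165.201.1,
! outside server B 209.165.201.2; dynamic pool 209.165.200.225-254.

! 1) Identity NAT: nat 0 without an access list. Applies toward every
!    interface. Outside hosts cannot initiate to 10.1.1.x even if the
!    outside interface ACL permits it.
nat (inside) 0 10.1.1.0 255.255.255.0

! 2) Static identity NAT: tied to one global interface (outside). The same
!    hosts can still be translated normally toward another interface
!    (e.g. dmz) with a separate nat/global pair. Outside-initiated
!    connections are possible when the outside interface ACL permits them.
static (inside,outside) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

! 2b) Policy static identity NAT: identity only when the destination is
!     server A; traffic to server B falls through to regular dynamic NAT.
access-list IDENT_TO_A extended permit ip 10.1.1.0 255.255.255.0 host 209.165.201.1
static (inside,outside) 10.1.1.0 access-list IDENT_TO_A
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 209.165.200.225-209.165.200.254

! 3) NAT exemption: nat 0 with an access list. Matches on source and
!    destination (any ports in the ACL are ignored); hosts on both sides
!    may initiate. In multiple context mode it does not help the
!    classifier on a shared interface; a static (2) is needed there.
access-list EXEMPT extended permit ip 10.1.1.0 255.255.255.0 209.165.201.0 255.255.255.224
nat (inside) 0 access-list EXEMPT
```

Because NAT exemption (3) and static identity NAT (2) let outside hosts initiate connections, the permit entries in the outside interface ACL, not the NAT statement, are what limit inbound reachability to the inside hosts.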