
Cisco Catalyst 6500 Series User Manual

392 pages
9-12
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 9 Configuring Network Address Translation
NAT Overview
Note: The FWSM does not support VoIP inspection engines when you configure NAT on same security
interfaces. These inspection engines include Skinny, SIP, and H.323. See the "Inspection Support"
section on page 13-2 for supported inspection engines.
Order of NAT Commands Used to Match Local Addresses
The FWSM matches local traffic to NAT commands in the following order:
1. NAT exemption (nat 0 access-list)—In order, until the first match. Identity NAT is not included in
this category; it is included in the regular static NAT or regular NAT category. We do not recommend
overlapping addresses in NAT exemption statements because unexpected results can occur.
2. Static NAT and Static PAT (regular and policy) (static)—In order, until the first match. Static
identity NAT is included in this category. We do not recommend overlapping addresses in static
statements because unexpected results can occur.
3. Policy dynamic NAT (nat access-list)—In order, until the first match. Overlapping addresses are
allowed.
4. Regular dynamic NAT (nat)—Best match. Regular identity NAT is included in this category. The
order of the NAT commands does not matter; the NAT statement that best matches the local traffic
is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an
interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you
can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific
statement for 10.1.1.1 is used because it matches the local traffic best. We do not recommend using
overlapping statements; they use more memory and can slow the performance of the FWSM.
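The lookup order above, modeled as an added example (not code from the manual or from Cisco). The rule records, labels, and sample addresses are constructed for illustration; the model treats "best match" as longest prefix and is a simplification of FWSM behavior, useful for auditing which statement a given connection would hit and which statements overlap.

```python
import ipaddress as ip
from itertools import combinations

# Categories in the order the manual lists them (consulted top to bottom).
EXEMPT, STATIC, POLICY_DYNAMIC, REGULAR_DYNAMIC = 1, 2, 3, 4
FIRST_MATCH = (EXEMPT, STATIC, POLICY_DYNAMIC)
OVERLAP_DISCOURAGED = (EXEMPT, STATIC, REGULAR_DYNAMIC)

def rule(cat, label, local, dest="0.0.0.0/0"):
    """Hypothetical rule record; dest models the ACL destination of policy/exempt rules."""
    return {"cat": cat, "label": label,
            "local": ip.ip_network(local), "dest": ip.ip_network(dest)}

def select_rule(rules, src, dst):
    """Return the label of the rule chosen for a src -> dst connection, or None."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    hits = [r for r in rules if src in r["local"] and dst in r["dest"]]
    for cat in FIRST_MATCH:                      # in order, until the first match
        for r in hits:                           # hits keeps configuration order
            if r["cat"] == cat:
                return r["label"]
    regular = [r for r in hits if r["cat"] == REGULAR_DYNAMIC]
    best = max(regular, key=lambda r: r["local"].prefixlen, default=None)
    return best["label"] if best else None       # best match, order irrelevant

def overlapping(rules):
    """Same-category rule pairs that overlap where the manual advises against it."""
    return [(a["label"], b["label"]) for a, b in combinations(rules, 2)
            if a["cat"] == b["cat"] and a["cat"] in OVERLAP_DISCOURAGED
            and a["local"].overlaps(b["local"]) and a["dest"].overlaps(b["dest"])]

# Constructed sample rule set (illustrative addresses, not a real configuration).
RULES = [
    rule(REGULAR_DYNAMIC, "nat-all", "0.0.0.0/0"),
    rule(REGULAR_DYNAMIC, "nat-host", "10.1.1.1/32"),
    rule(POLICY_DYNAMIC, "policy-partner", "10.1.1.0/24", "198.51.100.0/24"),
    rule(STATIC, "static-web", "10.1.1.5/32"),
    rule(EXEMPT, "exempt-vpn", "10.1.1.0/24", "10.2.0.0/16"),
]

if __name__ == "__main__":
    for src, dst in [("10.1.1.1", "203.0.113.9"), ("10.1.1.1", "198.51.100.7"),
                     ("10.1.1.5", "198.51.100.7"), ("10.1.1.5", "10.2.3.4")]:
        print(src, "->", dst, ":", select_rule(RULES, src, dst))
    print("overlaps to review:", overlapping(RULES))
```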
Maximum Number of NAT Statements
The FWSM supports the following numbers of nat, global, and static commands divided between all
contexts or in single mode:
- nat command—2 K
- global command—1,051
- static command—2 K
The FWSM also supports up to 3942 access control entries (ACEs) in ACLs used for policy NAT for
single mode, and 7,272 ACEs for multiple mode.
Global Address Guidelines
When you translate the local address to a global address, you can use the following global addresses:
- Addresses on the same network as the global interface.
  If you use addresses on the same network as the global interface (through which traffic exits the
  FWSM), the FWSM uses proxy ARP to answer any requests for translated addresses, and thus
  intercepts traffic destined for a local address. This solution simplifies routing, because the FWSM
  does not have to be the gateway for any additional networks. However, this approach does put a limit
  on the number of available addresses used for translations.
  For PAT, you can even use the IP address of the global interface.
- Addresses on a unique network.
