9-31
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 9 Configuring Network Address Translation
Bypassing NAT
Specify the same IP address for both local_ip variables.
See the “Configuring NAT or PAT” section on page 9-23 for information about the other options.
For example, the following command uses static identity NAT for an inside IP address (10.1.1.3) when
accessed by the outside:
FWSM/contexta(config)# static (inside,outside) 10.1.1.3 10.1.1.3 netmask 255.255.255.255
The following command uses static identity NAT for an outside address (209.165.201.15) when accessed
by the inside:
FWSM/contexta(config)# static (outside,inside) 209.165.201.15 209.165.201.15 netmask 255.255.255.255
The following command statically maps an entire subnet:
FWSM/contexta(config)# static (inside,dmz) 10.1.2.0 10.1.2.0 netmask 255.255.255.0
The following static identity policy NAT example shows a single local address that uses identity NAT
when accessing one destination address, and a translation when accessing another:
FWSM/contexta(config)# access-list NET1 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224
FWSM/contexta(config)# access-list NET2 permit ip host 10.1.2.27 209.165.200.224 255.255.255.224
FWSM/contexta(config)# static (inside,outside) 10.1.2.27 access-list NET1
FWSM/contexta(config)# static (inside,outside) 209.165.202.130 access-list NET2
Configuring NAT Exemption
NAT exemption translates the local IP address to the same IP address, and allows both local and global
hosts to originate connections. As with policy NAT, NAT exemption lets you specify both the local and the
destination addresses when determining which local traffic to translate, so it gives you more control than
identity NAT. However, unlike policy NAT, NAT exemption does not consider the ports in the ACL: an
access-list entry that names a port still exempts all IP traffic between the two addresses.
Note In multiple context mode, you cannot initiate connections from an interface shared between contexts
when you use NAT exemption for the destination address. The classifier can only assign packets from a
shared interface to a context when you configure a static statement for the destination address. For
example, if you share the outside interface, you cannot use NAT exemption on an inside interface if you
want outside traffic to reach the inside addresses. The classifier only looks at static statements where the
global interface matches the source interface of the packet. Because NAT exemption does not identify a
global interface, the classifier does not consider those NAT statements for classification purposes.
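The following configuration is an added illustration, not an example from the original guide. It shows NAT exemption for the inside host 10.1.2.27 when it reaches 209.165.201.0/27, using the FWSM nat 0 access-list form, and then the static identity NAT alternative for the shared-interface case described in the Note. The context name, interface names, addresses, and the ACL name EXEMPT are assumed for the example.

```text
! Added example (not from the guide): exempt 10.1.2.27 from translation when it talks to 209.165.201.0/27.
! Both inside and outside hosts can originate connections across this exemption.
FWSM/contexta(config)# access-list EXEMPT permit ip host 10.1.2.27 209.165.201.0 255.255.255.224
! The port on this second entry is accepted but ignored by NAT exemption: it exempts all IP traffic,
! not only TCP port 80, between the two addresses.
FWSM/contexta(config)# access-list EXEMPT permit tcp host 10.1.2.27 209.165.200.224 255.255.255.224 eq 80
FWSM/contexta(config)# nat (inside) 0 access-list EXEMPT

! Multiple context mode with a shared outside interface: the classifier does not consider the nat 0
! statement above, so outside-originated traffic to 10.1.2.27 cannot be assigned to this context.
! Use static identity NAT for the destination address instead, which the classifier does see.
FWSM/contexta(config)# static (inside,outside) 10.1.2.27 10.1.2.27 netmask 255.255.255.255
```

Verify which form is in effect with show running-config nat and show running-config static; if both are present for the same address, keep in mind that the static statement is the one the classifier uses to place outside-originated packets.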