17-34
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 17 Applying NAT
NAT Examples
The security appliance already has a connected route for the inside network. These static routes allow
the security appliance to send traffic for the 192.168.100.0/24 network out the DMZ interface to the
gateway router at 10.1.1.2. (You need to split the network into two because you cannot create a static
route with the exact same network as a connected route.) Alternatively, you could use a more broad route
for the DMZ traffic, such as a default route.
If host 192.168.100.2 on the DMZ network wants to initiate a connection to host 192.168.100.2 on the
inside network, the following events occur:
1. The DMZ host 192.168.100.2 sends the packet to IP address 10.1.2.2.
2. When the security appliance receives this packet, the security appliance translates the source address
from 192.168.100.2 to 10.1.3.2.
3. Then the security appliance translates the destination address from 10.1.2.2 to 192.168.100.2, and
the packet is forwarded.
Redirecting Ports
Figure 17-27 illustrates a typical network scenario in which the port redirection feature might be useful.
Figure 17-27 Port Redirection Using Static PAT
In the configuration described in this section, port redirection occurs for hosts on external networks as
follows:
• Telnet requests to IP address 209.165.201.5 are redirected to 10.1.1.6.
• FTP requests to IP address 209.165.201.5 are redirected to 10.1.1.3.
• HTTP request to security appliance outside IP address 209.165.201.25 are redirected to 10.1.1.5.
• HTTP port 8080 requests to PAT address 209.165.201.15 are redirected to 10.1.1.7 port 80.
To implement this scenario, perform the following steps:
Telnet Server
10.1.1.6
209.165.201.2510.1.1.1
Inside
FTP Server
10.1.1.3
Web Server
10.1.1.5
Web Server
10.1.1.7
Outside
130030
To Next Page
Loading...
Need help?
General