Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 9
Configuring Network Address Translation
NAT Overview

If you configure dynamic NAT or PAT (nat and global commands) for any hosts on an outside interface
when they access hosts on a given inside interface, then for any traffic between those two interfaces, the
NAT requirements change for the outside interface. Namely, the outside interface takes on the NAT
requirements of an inside interface, as follows:

• No traffic can originate on the outside interface without being translated (or being configured to
  bypass NAT).
  This requirement is true even if the dynamic NAT statement includes only a few addresses. Other
  addresses not included in the dynamic NAT statement require a NAT configuration to originate
  connections, even if the NAT configuration is to bypass NAT and use the original addresses.
• No traffic from the specified inside interface can access hosts behind the outside interface unless
  you configure a static NAT statement, static identity NAT statement, or a NAT exemption statement
  for the outside hosts.

If you only configure static NAT for the outside interface, these restrictions do not apply. Traffic between
the outside interface and a different inside interface is not affected.

Connection limitations that are set using NAT commands are not applied for outside NAT. (See the
"Setting Connection Limits in the NAT Configuration" section on page 9-16.)

You might want to use outside NAT, for example, to accommodate overlapping addresses. (See the
"Overlapping Networks" section on page 9-33.)

NAT and Same Security Level Interfaces

NAT is not required between same security level interfaces (see the "Allowing Communication Between
Interfaces on the Same Security Level" section on page 6-8 to enable same security communication).
However, you can optionally configure NAT if desired. Because there is no "inside" and "outside" when
configuring NAT between two interfaces at the same security, connection limits that you set in the NAT
configuration apply in both directions.

If you configure dynamic NAT or PAT (nat and global commands) for any hosts on a local interface
when they access hosts on a given same security interface, then for any traffic between those two
interfaces, the NAT requirements change for the local interface. Namely, the local interface takes on the
NAT requirements of an inside interface, as follows:

• No traffic can originate on the local interface without being translated (or being configured to bypass
  NAT).
  This requirement is true even if the dynamic NAT statement includes only a few addresses. Other
  addresses not included in the dynamic NAT statement require a NAT configuration to originate
  connections, even if the NAT configuration is to bypass NAT and use the original addresses.
• No traffic from the specified same security interface can access hosts behind the local interface
  unless you configure a static NAT statement, a NAT exemption statement, or an identity NAT
  statement for the local hosts.

If you only configure static NAT, identity NAT, or NAT exemption for the local interface, these
restrictions do not apply. Traffic between the local interface and a different same security interface is not
affected.

You might want to configure NAT exemption or identity NAT on same security interfaces to set
connection limits. (See the "Setting Connection Limits in the NAT Configuration" section on page 9-16.)
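The two requirements above can be checked before a dynamic NAT or PAT statement is added, to see which hosts on the outside (or, for same security interfaces, local) interface would be cut off. The following is an added example, not part of the Cisco guide: it models only the NAT requirements for one interface pair (not access lists), and the rule kinds, function names and sample addresses are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Simplified rule kinds (assumed model, not parsed from real configuration syntax).
DYNAMIC = "dynamic"            # nat + global: dynamic NAT or PAT
STATIC = "static"              # static NAT
IDENTITY = "static-identity"   # static identity NAT
EXEMPT = "exempt"              # NAT exemption
# Rule kinds that let the other interface reach a host once the restrictions apply.
REACHABLE_KINDS = {STATIC, IDENTITY, EXEMPT}

@dataclass(frozen=True)
class NatRule:
    kind: str
    network: str  # real addresses on the outside/local interface, in CIDR form

def _covered(host, rules, kinds=None):
    addr = ip_address(host)
    return any(addr in ip_network(r.network) and (kinds is None or r.kind in kinds)
               for r in rules)

def restrictions_apply(rules):
    """The interface takes on inside-interface requirements only if a dynamic rule exists."""
    return any(r.kind == DYNAMIC for r in rules)

def can_originate(host, rules):
    """A host may originate traffic only if it is translated or set to bypass NAT."""
    return not restrictions_apply(rules) or _covered(host, rules)

def reachable(host, rules):
    """The other interface reaches a host only via static, identity or exemption rules."""
    return not restrictions_apply(rules) or _covered(host, rules, REACHABLE_KINDS)

def audit(hosts, rules):
    """Map each host to (can originate, reachable from the other interface)."""
    return {h: (can_originate(h, rules), reachable(h, rules)) for h in hosts}

# Constructed sample: dynamic NAT that covers only a few outside addresses.
SAMPLE_HOSTS = ["192.168.100.2", "192.168.100.50"]
FEW_ADDRESSES = [NatRule(DYNAMIC, "192.168.100.0/29")]
# Same rule plus NAT exemption for the hosts the dynamic statement leaves out.
WITH_EXEMPTION = FEW_ADDRESSES + [NatRule(EXEMPT, "192.168.100.48/28")]
# Static NAT only: the restrictions never take effect.
STATIC_ONLY = [NatRule(STATIC, "192.168.100.2/32")]

if __name__ == "__main__":
    for name, rules in (("few", FEW_ADDRESSES), ("exempt", WITH_EXEMPTION),
                        ("static", STATIC_ONLY)):
        print(name, audit(SAMPLE_HOSTS, rules))
```

With the constructed sample, the host outside the small dynamic range can neither originate nor be reached until the exemption rule is added, which is the "only a few addresses" case the bullets describe.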