Chapter 9
Configuring Network Address Translation
NAT Overview
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
9-13

If you need more addresses than are available on the global interface network, you can identify addresses on a different subnet. The FWSM uses proxy ARP to answer any requests for translated addresses, and thus intercepts traffic destined for a local address. If you use OSPF, and you advertise routes on the global interface, then the FWSM advertises the translated addresses. If the global interface is passive (not advertising routes) or you are using static routing, then you need to add a static route on the upstream router that sends traffic destined for the translated addresses to the FWSM.

DNS and NAT

You might need to configure the FWSM to modify DNS replies by replacing the address in the reply with an address that matches the NAT configuration. You can configure DNS modification when you configure each NAT translation.

For example, a DNS server is accessible from the outside interface. A server, ftp.cisco.com, is on the inside interface. You configure the FWSM to statically translate the ftp.cisco.com local address (10.1.3.14) to a global address (209.165.201.10) that is visible on the outside network (See Figure 9-6).

In this case, you want to enable DNS reply modification on this static statement so that inside users who have access to ftp.cisco.com using the local address receive the local address from the DNS server, and not the global address.
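The static translation with DNS reply modification for ftp.cisco.com, together with the upstream-router static route needed when the global addresses are on a different subnet than the global interface, written out as configuration. This is an added example, not text from this guide; the interface names, the outside interface address 209.165.200.225 and the 209.165.201.0/27 global subnet are assumptions, and the exact keyword order of the static command should be checked against the command reference for the FWSM release in use.

```cisco
! FWSM: static NAT for ftp.cisco.com with DNS reply modification.
! The "dns" keyword makes the FWSM rewrite the address in DNS replies
! that cross this translation, so inside users resolving ftp.cisco.com
! receive the local address 10.1.3.14 rather than the global
! address 209.165.201.10. Assumed interface names: inside, outside.
! (A single-host static defaults to netmask 255.255.255.255.)
static (inside,outside) 209.165.201.10 10.1.3.14 dns

! Upstream router (IOS): only needed when the translated addresses are
! on a different subnet than the outside interface network and the
! outside interface is passive or static routing is in use. The FWSM
! proxy ARP covers the outside subnet itself, not a different subnet.
! Assumed: FWSM outside interface is 209.165.200.225 and the translated
! addresses are in 209.165.201.0/27.
ip route 209.165.201.0 255.255.255.224 209.165.200.225

! FWSM: confirm the static translation is installed.
show xlate
```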