Chapter 9
Configuring Network Address Translation
You can enter multiple global statements for one interface using the same NAT ID; the FWSM uses the
dynamic NAT global statements first, in the order they are in the configuration, and then uses the PAT
global statements in order. You might want to enter both a dynamic NAT global statement and a PAT
global statement if you need to use dynamic NAT for a particular application, but want to have a backup
PAT statement in case all the dynamic NAT addresses are used up. Similarly, you might enter two PAT
statements if you need more than the approximately 64000 connections that a single PAT global
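statement supports (see Figure 9-12).

Figure 9-12 NAT and PAT Together
[Figure: hosts 10.1.2.27, 10.1.2.28 and 10.1.2.29 on the Inside network (NAT 1: 10.1.2.0/24) connect to the web server www.cisco.com on the Outside interface. Source addresses are translated to 209.165.201.3 and 209.165.201.4 from the dynamic NAT pool (Global 1: 209.165.201.3-209.165.201.4) and to 209.165.201.5:6096 by PAT (Global 1: 209.165.201.5).]
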
See the following commands for this example:
FWSM/contexta(config)# nat (inside) 1 10.1.2.0 255.255.255.0
FWSM/contexta(config)# global (outside) 1 209.165.201.3-209.165.201.4
FWSM/contexta(config)# global (outside) 1 209.165.201.5
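
The selection order described above (dynamic NAT global statements first, then PAT global statements, each in configuration order) can be modeled as follows. This is an added example, not Cisco code or part of the original guide. It is a simplified model that ignores interface names and translation timeouts, and the starting PAT port (first_port) is an assumption, since the guide does not say how ports are chosen.

```python
import ipaddress
import re

# Configuration lines taken from the example on this page.
CONFIG = """\
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 209.165.201.3-209.165.201.4
global (outside) 1 209.165.201.5
"""
PAT_CONNS = 64000  # approximate per-PAT-statement limit quoted in the text


def parse_globals(config, nat_id):
    """Return (dynamic_addrs, pat_addrs) for nat_id, each in config order."""
    dynamic, pat = [], []
    for line in config.splitlines():
        m = re.search(r"global \(\S+\) (\d+) (\S+)", line)
        if not m or int(m.group(1)) != nat_id:
            continue
        first, _, last = m.group(2).partition("-")
        lo = ipaddress.ip_address(first)
        if last:  # an address range is a dynamic NAT pool
            hi = ipaddress.ip_address(last)
            dynamic += [ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)]
        else:     # a single address is a PAT address
            pat.append(lo)
    return dynamic, pat


class Translator:
    """Simplified model: dynamic NAT addresses first, then PAT, in order."""

    def __init__(self, config, nat_id, first_port=1024):  # first_port: assumption
        self.free, self.pat = parse_globals(config, nat_id)
        self.pat_used = [0] * len(self.pat)
        self.xlate, self.first_port = {}, first_port

    def translate(self, src):
        if src in self.xlate:              # host already holds a dynamic address
            return self.xlate[src]
        if self.free:                      # dynamic NAT pool is consumed first
            self.xlate[src] = str(self.free.pop(0))
            return self.xlate[src]
        for i, addr in enumerate(self.pat):  # then each PAT address in turn
            if self.pat_used[i] < PAT_CONNS:
                self.pat_used[i] += 1
                return f"{addr}:{self.first_port + self.pat_used[i] - 1}"
        return None                        # all pools exhausted
```

With the page's configuration, the first two inside hosts receive the two dynamic NAT addresses and the third falls back to PAT on 209.165.201.5. Without the PAT statement, the third host gets no translation.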
For outside NAT (see the "Outside NAT" section on page 9-10 for more information), you need to
identify the NAT statement for outside NAT (the outside keyword). If you also want to translate the same
traffic when it accesses an inside interface (for example, traffic on a DMZ is translated when accessing
the Inside and the Outside interfaces), then you must configure a separate NAT statement without the
outside option. In this case, you can identify the same addresses in both statements and use the same
OL-6392-01
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
Using Dynamic NAT and PAT
9-21