Chapter 17
Applying NAT
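Figure 17-12 shows a web server and DNS server on the outside. The security appliance has a static
translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com
from the DNS server, the DNS server responds with the real address, 209.165.201.10. Because you want
inside users to use the mapped address for ftp.cisco.com (10.1.2.56), you need to configure DNS reply
modification for the static translation.

Figure 17-12 DNS Reply Modification Using Outside NAT

[Figure: an inside user (10.1.2.27), the security appliance, and on the outside a DNS server and the server ftp.cisco.com (209.165.201.10), which has a static translation on the inside to 10.1.2.56. Steps: 1. DNS query for ftp.cisco.com; 2. DNS reply 209.165.201.10; 3. DNS reply modification, 209.165.201.10 to 10.1.2.56; 4. DNS reply 10.1.2.56; 5. FTP request to 10.1.2.56; 6. destination address translation, 10.1.2.56 to 209.165.201.10; 7. FTP request to 209.165.201.10.]

See the following command for this example:
hostname(config)# static (outside,inside) 10.1.2.56 209.165.201.10 netmask 255.255.255.255 dns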
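
Added example (not from the Cisco guide and not the appliance's implementation): a minimal Python model of what the dns keyword on the static command does to the reply in Figure 17-12, rewriting an answer-section A record that carries the real address 209.165.201.10 to the mapped address 10.1.2.56. The function names and the constructed DNS message are assumptions made for illustration.

```python
import ipaddress
import struct

# Real -> mapped address, taken from the page's static (outside,inside) command.
STATIC_NAT = {ipaddress.IPv4Address("209.165.201.10"): ipaddress.IPv4Address("10.1.2.56")}

def build_reply(name, addr, flags=0x8180):
    """Constructed sample: one question plus one A record for `name`."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    # Answer owner name is a compression pointer to offset 12 (the question name).
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
    return header + question + rr + ipaddress.IPv4Address(addr).packed

def skip_name(msg, off):
    """Return the offset just past a domain name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # 2-byte pointer terminates the name
            return off + 2
        if length == 0:             # root label terminates the name
            return off + 1
        off += 1 + length

def rewrite_reply(msg, nat=STATIC_NAT):
    """Model of DNS reply modification: swap real A-record addresses for mapped ones."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000:          # QR bit clear: a query, leave untouched
        return msg
    out, off = bytearray(msg), 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4                    # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if (rtype, rclass, rdlen) == (1, 1, 4):          # IN A record
            real = ipaddress.IPv4Address(msg[off:off + 4])
            if real in nat:
                out[off:off + 4] = nat[real].packed
        off += rdlen
    return bytes(out)

if __name__ == "__main__":
    reply = build_reply("ftp.cisco.com", "209.165.201.10")   # step 2 in Figure 17-12
    fixed = rewrite_reply(reply)                             # steps 3-4
    print(ipaddress.IPv4Address(fixed[-4:]))
```

Replies whose A records do not match a static translation pass through byte-for-byte, which is why a missing dns keyword leaves inside users holding an address they are not meant to use.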
Configuring NAT Control
NAT control requires that packets traversing from an inside interface to an outside interface match a NAT
rule. See the "NAT Control" section on page 17-3 for more information.
To enable NAT control, enter the following command:
hostname(config)# nat-control
To disable NAT control, enter the no form of the command.

Cisco Security Appliance Command Line Configuration Guide
OL-10088-01