Cisco PIX 500 Series Configuration Manual page 340

Chapter 17 Configuring NAT
Using Dynamic NAT and PAT
Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, page 17-24

Policy NAT:

hostname(config)# nat (real_interface) nat_id access-list acl_name [dns] [outside] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

You can identify overlapping addresses in other nat commands. For example, you can identify 10.1.1.0 in one command, but 10.1.1.1 in another. The traffic is matched to a policy NAT command in order, until the first match, or for regular NAT, using the best match.

The options for this command are as follows:

- access-list acl_name—Identify the real addresses and destination addresses using an extended access list. Create the extended access list using the access-list extended command (see the "Adding an Extended Access List" section on page 16-5). This access list should include only permit ACEs. You can optionally specify the real and destination ports in the access list using the eq operator. Policy NAT does not consider the inactive or time-range keywords; all ACEs are considered to be active for policy NAT configuration.

- nat_id—An integer between 1 and 65535. The NAT ID should match a global command NAT ID. See the "Dynamic NAT and PAT Implementation" section on page 17-17 for more information about how NAT IDs are used. 0 is reserved for NAT exemption. (See the "Configuring NAT Exemption" section on page 17-33 for more information about NAT exemption.)

- dns—If your nat command includes the address of a host that has an entry in a DNS server, and the DNS server is on a different interface from a client, then the client and the DNS server need different addresses for the host; one needs the mapped address and one needs the real address. This option rewrites the address in the DNS reply to the client. The translated host needs to be on the same interface as either the client or the DNS server. Typically, hosts that need to allow access from other interfaces use a static translation, so this option is more likely to be used with the static command. (See the "DNS and NAT" section on page 17-15 for more information.)

- outside—If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside to identify the NAT instance as outside NAT.

- norandomseq, tcp tcp_max_conns, udp udp_max_conns, and emb_limit—These keywords set connection limits. However, we recommend using a more versatile method for setting connection limits; see the "Configuring Connection Limits and Timeouts" section on page 23-14.

Regular NAT:

hostname(config)# nat (real_interface) nat_id real_ip [mask [dns] [outside] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]]

The nat_id argument is an integer between 1 and 2147483647. The NAT ID must match a global command NAT ID. See the "Dynamic NAT and PAT Implementation" section on page 17-17 for more information about how NAT IDs are used. 0 is reserved for identity NAT. See the "Configuring Identity NAT" section on page 17-30 for more information about identity NAT.

See the preceding policy NAT command for information about other options.

Step 2   To identify the mapped address(es) to which you want to translate the real addresses when they exit a particular interface, enter the following command:

hostname(config)# global (mapped_interface) nat_id {mapped_ip[-mapped_ip] | interface}

This NAT ID should match a nat command NAT ID. The matching nat command identifies the addresses that you want to translate when they exit this interface.
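The following configuration is an added example, not taken from the guide, showing how the nat and global commands of Steps 1 and 2 pair up by NAT ID, how an overlapping policy NAT entry coexists with a regular NAT entry for the same subnet, and how ID 0 with an access list marks NAT exemption. All interface names, access-list names and addresses are constructed for illustration.

```text
! Added example (not from the guide). Interface names, ACL names and
! addresses are constructed; substitute your own.
!
! Step 1a: regular dynamic NAT for the whole inside network under NAT ID 1.
nat (inside) 1 10.1.1.0 255.255.255.0
!
! Step 1b: policy NAT under NAT ID 2. Only traffic from host 10.1.1.1 to
! the partner server 209.165.200.225 matches. Overlap with the 10.1.1.0/24
! entry above is permitted: policy NAT entries are checked in order until
! the first match, and regular NAT uses the best match. The ACL contains
! only permit ACEs, as policy NAT requires.
access-list NAT_TO_PARTNER extended permit ip host 10.1.1.1 host 209.165.200.225
nat (inside) 2 access-list NAT_TO_PARTNER
!
! Step 1c: NAT exemption (ID 0 with an access list). Inside hosts keep
! their real addresses when talking to the 192.168.50.0/24 network.
access-list NO_NAT extended permit ip 10.1.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
!
! Step 2: global entries on the outside interface. Each NAT ID must match
! a nat command NAT ID, otherwise nothing is translated for that ID.
! ID 1: a pool of mapped addresses, with PAT on the interface address as
! the fallback once the pool is exhausted.
global (outside) 1 209.165.201.1-209.165.201.10
global (outside) 1 interface
! ID 2: the partner-bound traffic always leaves as this one mapped address.
global (outside) 2 209.165.201.20
```

After applying the configuration, `show xlate` lists the active translations, which is the quickest way to confirm that a given real address is being mapped through the pool or PAT entry you expected and that exempted traffic produces no translation at all.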