Using Static Nat - Cisco PIX 500 Series Configuration Manual

Security appliance command line

Using Static NAT

This section describes how to configure a static translation.
Figure 17-22 shows a typical static NAT scenario. The translation is always active so both translated and remote hosts can originate connections, and the mapped address is statically assigned by the static command.

Figure 17-22 Static NAT
[Figure labels: Inside, Security Appliance, Outside; addresses 10.1.1.1, 10.1.1.2, 209.165.201.1, 209.165.201.2]

You cannot use the same real or mapped address in multiple static commands between the same two interfaces unless you use static PAT (see the "Using Static PAT" section on page 17-27). Do not use a mapped address in the static command that is also defined in a global command for the same mapped interface.

For more information about static NAT, see the "Static NAT" section on page 17-8.

Note: If you remove a static command, existing connections that use the translation are not affected. To remove these connections, enter the clear local-host command.

You cannot clear static translations from the translation table with the clear xlate command; you must remove the static command instead. Only dynamic translations created by the nat and global commands can be removed with the clear xlate command.

To configure static NAT, enter one of the following commands.

For policy static NAT, enter the following command:

hostname(config)# static (real_interface,mapped_interface) {mapped_ip | interface} access-list acl_name [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

Identify the real addresses and destination/source addresses using an extended access list. Create the extended access list using the access-list extended command (see the "Adding an Extended Access List" section on page 16-5). The first address in the access list is the real address; the second address is either the source or destination address, depending on where the traffic originates. For example, to translate the real address 10.1.1.1 to the mapped address 192.168.1.1 when 10.1.1.1 sends traffic to the 209.165.200.224 network, the access-list and static commands are:

hostname(config)# access-list TEST extended permit ip host 10.1.1.1 209.165.200.224 255.255.255.224
hostname(config)# static (inside,outside) 192.168.1.1 access-list TEST

Cisco Security Appliance Command Line Configuration Guide, Chapter 17, Configuring NAT, OL-12172-03
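The two address-reuse restrictions stated above (no real or mapped address repeated across static commands on the same interface pair, and no mapped address that also appears in a global command on the same mapped interface) can be checked before a configuration is loaded. The Python audit below is an added example, not part of the Cisco guide. Its sample configuration is constructed, and the regular static, static PAT and global command forms it parses are assumed from standard PIX syntax rather than shown on this page.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample configuration; addresses are borrowed from the page's figure and example.
SAMPLE_CONFIG = """\
global (outside) 1 209.165.201.2-209.165.201.10
static (inside,outside) 209.165.201.1 10.1.1.1 netmask 255.255.255.255
static (inside,outside) 209.165.201.2 10.1.1.2 netmask 255.255.255.255
static (inside,outside) 209.165.201.20 10.1.1.2 netmask 255.255.255.255
static (inside,outside) 192.168.1.1 access-list TEST
static (inside,outside) tcp 209.165.201.30 80 10.1.1.3 8080
"""

STATIC_RE = re.compile(r"^static \(([^,)]+),([^,)]+)\) (\S+)(?: (\S+))?")
GLOBAL_RE = re.compile(r"^global \(([^)]+)\) \d+ ([\d.]+)(?:-([\d.]+))?")

def audit_static_nat(config):
    """Return (line_number, message) findings for the reuse rules stated on the page."""
    lines = [line.strip() for line in config.splitlines()]
    pools = defaultdict(list)  # mapped interface -> [(first, last)] from global commands
    for line in lines:
        m = GLOBAL_RE.match(line)
        if m:
            first = ipaddress.ip_address(m.group(2))
            pools[m.group(1)].append((first, ipaddress.ip_address(m.group(3) or m.group(2))))
    seen = defaultdict(dict)   # (real_if, mapped_if) -> {(kind, address): first line number}
    findings = []
    for n, line in enumerate(lines, 1):
        m = STATIC_RE.match(line)
        if not m or m.group(3) in ("tcp", "udp"):
            continue           # static PAT is exempt from the rule, so it is skipped here
        real_if, mapped_if, mapped, real = m.groups()
        addrs = [("mapped", mapped)] if mapped != "interface" else []
        if real and real != "access-list":  # policy static NAT keeps the real address in its ACL
            addrs.append(("real", real))
        for kind, addr in addrs:
            first_line = seen[(real_if, mapped_if)].setdefault((kind, addr), n)
            if first_line != n:
                findings.append((n, f"{kind} address {addr} already used by static on line {first_line}"))
        if mapped != "interface":
            ip = ipaddress.ip_address(mapped)
            if any(lo <= ip <= hi for lo, hi in pools[mapped_if]):
                findings.append((n, f"mapped address {mapped} is also in a global pool on {mapped_if}"))
    return findings

if __name__ == "__main__":
    for n, message in audit_static_nat(SAMPLE_CONFIG):
        print(f"line {n}: {message}")
```

Policy static NAT entries are checked only on their mapped address, because the real address is defined in the referenced access list rather than on the static line.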


This manual is also suitable for:

ASA 5500 series