Using Static Pat - Cisco PIX 500 Series Configuration Manual

Chapter 17 Configuring NAT
Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, page 17-27

To configure regular static NAT, enter the following command:
hostname(config)# static (real_interface,mapped_interface) {mapped_ip | interface} real_ip [netmask mask] [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
See the "Configuring Dynamic NAT or PAT" section on page 17-23 for information about the options.

In this case, the second address is the destination address. However, the same configuration is used for hosts to originate a connection to the mapped address. For example, when a host on the 209.165.200.224/27 network initiates a connection to 192.168.1.1, then the second address in the access list is the source address.
This access list should include only permit ACEs. You can optionally specify the real and destination ports in the access list using the eq operator. Policy NAT does not consider the inactive or time-range keywords; all ACEs are considered to be active for policy NAT configuration. See the "Policy NAT" section on page 17-10 for more information.
If you specify a network for translation (for example, 10.1.1.0 255.255.255.0), then the security appliance translates the .0 and .255 addresses. If you want to prevent access to these addresses, be sure to configure an access list to deny access.
See the "Configuring Dynamic NAT or PAT" section on page 17-23 for information about the other options.
For example, the following policy static NAT example shows a single real address that is translated to two mapped addresses depending on the destination address (see Figure 17-9 on page 17-11 for a related figure):
hostname(config)# access-list NET1 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224
hostname(config)# access-list NET2 permit ip host 10.1.2.27 209.165.200.224 255.255.255.224
hostname(config)# static (inside,outside) 209.165.202.129 access-list NET1
hostname(config)# static (inside,outside) 209.165.202.130 access-list NET2
The following command maps an inside IP address (10.1.1.3) to an outside IP address (209.165.201.12):
hostname(config)# static (inside,outside) 209.165.201.12 10.1.1.3 netmask 255.255.255.255
The following command maps the outside address (209.165.201.15) to an inside address (10.1.1.6):
hostname(config)# static (outside,inside) 10.1.1.6 209.165.201.15 netmask 255.255.255.255
The following command statically maps an entire subnet:
hostname(config)# static (inside,dmz) 10.1.1.0 10.1.2.0 netmask 255.255.255.0

Using Static PAT

This section describes how to configure a static port translation. Static PAT lets you translate the real IP address to a mapped IP address, as well as the real port to a mapped port. You can choose to translate the real port to the same port, which lets you translate only specific types of traffic, or you can take it further by translating to a different port.
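The static NAT commands in this chapter pick the mapped address from the interface pair and, for policy static NAT, from the access list whose second address is the destination of outbound traffic. The following Python model is added here and is not part of the Cisco guide: it parses the commands quoted above (a constructed sample config), resolves the mapped source for a given connection, and lists the .0 and .255 addresses that a whole-network static also translates. The function names and the first-match-in-configuration-order rule are assumptions of this model, not appliance behaviour.

```python
import ipaddress

CONFIG = """
access-list NET1 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224
access-list NET2 permit ip host 10.1.2.27 209.165.200.224 255.255.255.224
static (inside,outside) 209.165.202.129 access-list NET1
static (inside,outside) 209.165.202.130 access-list NET2
static (inside,dmz) 10.1.1.0 10.1.2.0 netmask 255.255.255.0
"""  # constructed sample, built from the commands quoted in this section

def _addr(t, i):
    """Parse an ACE address ('host A' or 'A MASK') at t[i]; return (network, next index)."""
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse(config):
    """Return (acls, statics); acls maps a name to a list of (real_net, other_net) ACEs."""
    acls, statics = {}, []
    for t in (line.split() for line in config.split("\n") if line):
        if t[0] == "access-list" and t[2] == "permit":  # policy NAT uses permit ACEs only
            real, i = _addr(t, 4)
            acls.setdefault(t[1], []).append((real, _addr(t, i)[0]))
        elif t[0] == "static":  # static (real_if,mapped_if) mapped_ip {access-list id | real_ip netmask m}
            s = {"ifs": tuple(t[1].strip("()").split(",")), "mapped": ipaddress.ip_address(t[2])}
            if t[3] == "access-list":
                s["acl"] = t[4]
            else:
                s["real"] = ipaddress.ip_network(f"{t[3]}/{t[5]}", strict=False)
            statics.append(s)
    return acls, statics

def translate(src, dst, real_if, mapped_if, acls, statics):
    """Mapped source for a connection from real_if to mapped_if, or None (first matching static wins; a simplification)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for s in statics:
        if s["ifs"] != (real_if, mapped_if):
            continue
        if "acl" in s:  # for traffic leaving real_if the ACE's second address is the destination
            nets = [r for r, o in acls[s["acl"]] if src in r and dst in o]
        else:
            nets = [s["real"]] if src in s["real"] else []
        if nets:  # keep src's offset within its block when moving it into the mapped block
            return str(ipaddress.ip_address(int(src) - int(nets[0].network_address) + int(s["mapped"])))
    return None

def subnet_edge_addresses(statics):
    """Mapped .0/.255 addresses that a whole-network static also translates (deny by ACL if needed)."""
    nets = [ipaddress.ip_network(f"{s['mapped']}/{s['real'].prefixlen}", strict=False)
            for s in statics if "real" in s and s["real"].num_addresses > 1]
    return [(str(n.network_address), str(n.broadcast_address)) for n in nets]
```

Note that the interface-pair check matters: 10.1.2.27 is inside the 10.1.2.0/24 block of the dmz static, but a connection to the outside is only ever matched against the (inside,outside) statics.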
