Cisco PIX 500 Series Configuration Manual page 344

Chapter 17 Configuring NAT

Using Static PAT

Figure 17-23 shows a typical static PAT scenario. The translation is always active, so both translated and remote hosts can originate connections, and the mapped address and port are statically assigned by the static command.

Figure 17-23 Static PAT

[Figure: two static PAT translations through the security appliance, inside interface on the left, outside interface on the right. Inside 10.1.1.1:23 is mapped to outside 209.165.201.1:23; inside 10.1.1.2:8080 is mapped to outside 209.165.201.2:80.]

For applications that require application inspection for secondary channels (for example, FTP and VoIP), the security appliance automatically translates the secondary ports.

Note: Do not use a mapped address in the static command that is also defined in a global command for the same mapped interface.

For more information about static PAT, see the "Static PAT" section on page 17-9.

If you remove a static command, existing connections that use the translation are not affected. To remove these connections, enter the clear local-host command.

You cannot clear static translations from the translation table with the clear xlate command; you must remove the static command instead. Only dynamic translations created by the nat and global commands can be removed with the clear xlate command.

To configure static PAT, enter one of the following commands.

For policy static PAT, enter the following command:

hostname(config)# static (real_interface,mapped_interface) {tcp | udp} {mapped_ip | interface} mapped_port access-list acl_name [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

Identify the real addresses and destination/source addresses using an extended access list. Create the extended access list using the access-list extended command (see the "Adding an Extended Access List" section on page 16-5). The protocol in the access list must match the protocol you set in this command. For example, if you specify tcp in the static command, then you must specify tcp in the access list. Specify the port using the eq operator.

The first address in the access list is the real address; the second address is either the source or destination address, depending on where the traffic originates. For example, to translate the real address 10.1.1.1/Telnet to the mapped address 192.168.1.1/Telnet when 10.1.1.1 sends traffic to the 209.165.200.224 network, the access-list and static commands are (the access-list extended command requires the permit or deny keyword before the protocol):

hostname(config)# access-list TEST extended permit tcp host 10.1.1.1 eq telnet 209.165.200.224 255.255.255.224
hostname(config)# static (inside,outside) tcp 192.168.1.1 telnet access-list TEST

Cisco Security Appliance Command Line Configuration Guide
OL-12172-03
17-28
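The following is an added example, not code from the Cisco guide or from Cisco. It models the behaviour the page describes for both regular static PAT (the two translations of Figure 17-23) and policy static PAT (the access-list form), and it checks a constructed configuration against the two constraints the page states: a static command must not reuse a mapped address that a global command defines on the same mapped interface, and the protocol in a policy static PAT's access list must match the protocol in the static command. The interface names, access-list names and 10.1.1.x hosts are assumptions made for the sample (the policy entry uses 10.1.1.4 rather than the page's 10.1.1.1 so that it does not overlap the regular static for 10.1.1.1); 192.168.1.x and 209.165.x.x are the documentation ranges the guide itself uses. Only the pre-8.3 static, global and access-list extended syntax shown on the page is parsed.

```python
"""Model and lint PIX/ASA static PAT entries (pre-8.3 'static' syntax).

Added example, not the Cisco guide's code. Parses a constructed configuration, applies
each translation in both directions (a static translation is always active, so either
side can originate the connection) and flags the two misconfigurations the guide warns
about. Interface names, ACL names and 10.1.1.x hosts are assumptions for the sample.
"""
import ipaddress

PORT_NAMES = {"telnet": 23, "www": 80, "http": 80, "ftp": 21, "ssh": 22, "https": 443}


def port_number(tok):
    """Accept the named and numeric port forms the CLI accepts."""
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def parse_address(t, i):
    """Read 'any', 'host A' or 'A MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1]), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Return (static entries, global pools per mapped interface, extended ACLs)."""
    statics, pools, acls = [], {}, {}
    for line in text.splitlines():
        t = line.split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] == "global":                       # global (ifc) id A[-B] | interface
            lo, _, hi = t[3].partition("-")
            pool = "interface" if lo == "interface" else (
                ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo))
            pools.setdefault(t[1].strip("()"), []).append(pool)
        elif t[0] == "access-list" and t[2] == "extended":
            real, i = parse_address(t, 5)           # first address: the real host
            real_port = None
            if i < len(t) and t[i] == "eq":         # the real port, given with eq
                real_port, i = port_number(t[i + 1]), i + 2
            other, _ = parse_address(t, i)          # second address: source or destination
            acls.setdefault(t[1], []).append(
                {"proto": t[4], "real": real, "real_port": real_port, "other": other})
        elif t[0] == "static" and t[2] in ("tcp", "udp"):
            real_if, mapped_if = t[1].strip("()").split(",")
            s = {"real_if": real_if, "mapped_if": mapped_if, "proto": t[2],
                 "mapped_ip": t[3], "mapped_port": port_number(t[4]),
                 "real_ip": None, "real_port": None, "acl": None}
            if t[5] == "access-list":               # policy static PAT
                s["acl"] = t[6]
            else:                                   # regular static PAT: real_ip real_port
                s["real_ip"], s["real_port"] = t[5], port_number(t[6])
            statics.append(s)
    return statics, pools, acls


def translate(statics, acls, direction, proto, ip, port, peer=None):
    """'out': real -> mapped for traffic the real host sends; 'in': mapped -> real for
    traffic a remote host sends to the mapped address. peer is the remote address and
    is needed to match the second address of a policy static PAT's access list."""
    peer_ip = ipaddress.ip_address(peer) if peer else None
    for s in statics:
        if s["proto"] != proto:
            continue
        if s["acl"] is None:
            if direction == "in" and (ip, port) == (s["mapped_ip"], s["mapped_port"]):
                return s["real_ip"], s["real_port"]
            if direction == "out" and (ip, port) == (s["real_ip"], s["real_port"]):
                return s["mapped_ip"], s["mapped_port"]
            continue
        for ace in acls.get(s["acl"], []):
            if peer_ip is None or peer_ip not in ace["other"]:
                continue
            if direction == "in" and (ip, port) == (s["mapped_ip"], s["mapped_port"]):
                return str(ace["real"].network_address), ace["real_port"]
            if (direction == "out" and ipaddress.ip_address(ip) in ace["real"]
                    and port == ace["real_port"]):
                return s["mapped_ip"], s["mapped_port"]
    return None


def lint(statics, pools, acls):
    """Flag the constraints the guide states for static PAT."""
    findings = []
    for s in statics:
        where = f"static ({s['real_if']},{s['mapped_if']}) {s['proto']} {s['mapped_ip']} {s['mapped_port']}"
        for pool in pools.get(s["mapped_if"], []):
            clash = (pool == "interface" if s["mapped_ip"] == "interface" else
                     pool != "interface" and pool[0] <= ipaddress.ip_address(s["mapped_ip"]) <= pool[1])
            if clash:
                findings.append(f"{where}: mapped address is also in a global command on {s['mapped_if']}")
        if s["acl"] is not None and not acls.get(s["acl"]):
            findings.append(f"{where}: access-list {s['acl']} is not defined")
        for ace in acls.get(s["acl"], []) if s["acl"] else []:
            if ace["proto"] != s["proto"]:
                findings.append(f"{where}: access-list {s['acl']} is {ace['proto']} but the static is {s['proto']}")
            if ace["real_port"] is None:
                findings.append(f"{where}: access-list {s['acl']} must give the real port with eq")
    return findings


# Constructed sample configuration (not a real device); the last static is deliberately wrong.
SAMPLE_CONFIG = """\
global (outside) 1 209.165.201.2-209.165.201.20
static (inside,outside) tcp 209.165.201.1 telnet 10.1.1.1 telnet netmask 255.255.255.255
static (inside,outside) tcp 209.165.201.2 www 10.1.1.2 8080 netmask 255.255.255.255
access-list TEST extended permit tcp host 10.1.1.4 eq telnet 209.165.200.224 255.255.255.224
static (inside,outside) tcp 192.168.1.1 telnet access-list TEST
access-list SYSLOG extended permit udp host 10.1.1.3 eq 514 any
static (inside,outside) tcp 192.168.1.2 514 access-list SYSLOG
"""
STATICS, POOLS, ACLS = parse_config(SAMPLE_CONFIG)

if __name__ == "__main__":
    print(translate(STATICS, ACLS, "in", "tcp", "209.165.201.2", 80))
    for finding in lint(STATICS, POOLS, ACLS):
        print("WARN", finding)
```

The translate function deliberately matches a policy entry only when the remote peer falls inside the access list's second address, which is what distinguishes policy static PAT from the regular form; an outbound Telnet from 10.1.1.4 to a host outside 209.165.200.224/27 gets no translation from the TEST entry. The lint output for the sample reports the mapped address 209.165.201.2 clashing with the global pool and the tcp/udp mismatch between the SYSLOG access list and its static command, the two errors the page tells you to avoid.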