Bypassing NAT; Configuring Identity NAT - Cisco PIX 500 Series Configuration Manual

Security appliance command line

Bypassing NAT

If you also have a separate translation for all inside traffic, and the inside hosts use a different mapped
address from the Telnet server, you can still configure traffic initiated from the Telnet server to use the
same mapped address as the static statement that allows Telnet traffic to the server. You need to create
a more exclusive nat statement just for the Telnet server. Because nat statements are read for the best
match, more exclusive nat statements are matched before general statements. The following example
shows the Telnet static statement, the more exclusive nat statement for initiated traffic from the Telnet
server, and the statement for other inside hosts, which uses a different mapped address.
hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet 10.1.1.15 telnet netmask 255.255.255.255
hostname(config)# nat (inside) 1 10.1.1.15 255.255.255.255
hostname(config)# global (outside) 1 10.1.2.14
hostname(config)# nat (inside) 2 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 2 10.1.2.78
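
The best-match rule described above, as an added example that is not part of the Cisco guide: a simplified Python model that assumes "most exclusive" means the longest netmask. The function names are hypothetical; the addresses are the ones in the statements above. It also shows which mapped address the Telnet server would get if the exclusive nat statement were missing.

```python
import ipaddress
import re

# The nat/global statements from the example above (copied from the page).
CONFIG = """\
nat (inside) 1 10.1.1.15 255.255.255.255
global (outside) 1 10.1.2.14
nat (inside) 2 10.1.1.0 255.255.255.0
global (outside) 2 10.1.2.78
"""

NAT_RE = re.compile(r"nat \((\w+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"global \((\w+)\) (\d+) (\S+)")


def parse(config):
    """Return (nat_rules, globals_by_id) parsed from nat/global lines."""
    nats, globals_ = [], {}
    for line in config.splitlines():
        line = line.strip()
        if m := NAT_RE.fullmatch(line):
            # ip_network accepts the dotted netmask form used by the CLI.
            net = ipaddress.ip_network(f"{m[3]}/{m[4]}")
            nats.append((int(m[2]), net))
        elif m := GLOBAL_RE.fullmatch(line):
            globals_[int(m[2])] = m[3]
    return nats, globals_


def mapped_address(real_ip, config=CONFIG):
    """Pick the most specific nat statement covering real_ip and return
    (nat_id, mapped_address), or None when no statement matches."""
    nats, globals_ = parse(config)
    ip = ipaddress.ip_address(real_ip)
    matches = [(net.prefixlen, nat_id) for nat_id, net in nats if ip in net]
    if not matches:
        return None
    # Assumption of this model: longest prefix = most exclusive statement.
    _, nat_id = max(matches)
    return nat_id, globals_.get(nat_id)


if __name__ == "__main__":
    for host in ("10.1.1.15", "10.1.1.20", "10.2.0.1"):
        print(host, "->", mapped_address(host))
```
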
To translate a well-known port (80) to another port (8080), enter the following command:
hostname(config)# static (inside,outside) tcp 10.1.2.45 80 10.1.1.16 8080 netmask 255.255.255.255

Bypassing NAT

This section describes how to bypass NAT. You might want to bypass NAT when you enable NAT control.
You can bypass NAT using identity NAT, static identity NAT, or NAT exemption. See the "Bypassing
NAT When NAT Control is Enabled" section on page 17-10 for more information about these methods.

This section includes the following topics:
Configuring Identity NAT
Configuring Static Identity NAT
Configuring NAT Exemption

Configuring Identity NAT

Identity NAT translates the real IP address to the same IP address. Only "translated" hosts can create
NAT translations, and responding traffic is allowed back.

Figure 17-24 shows a typical identity NAT scenario.

Figure 17-24 Identity NAT
[Figure: labels Inside, Outside, Security Appliance; addresses 209.165.201.1 and 209.165.201.2]

Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, Chapter 17: Configuring NAT

This manual is also suitable for:

ASA 5500 series