Cisco PIX 500 Series Configuration Manual page 348

Security appliance command line

Cisco Security Appliance Command Line Configuration Guide (OL-12172-03), page 17-32
Chapter 17: Configuring NAT

Bypassing NAT

hostname(config)# static (real_interface,mapped_interface) real_ip access-list acl_id [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

Create the extended access list using the access-list extended command (see the "Adding an Extended Access List" section on page 16-5). This access list should include only permit ACEs. Make sure the source address in the access list matches the real_ip in this command. Policy NAT does not consider the inactive or time-range keywords; all ACEs are considered to be active for policy NAT configuration. See the "Policy NAT" section on page 17-10 for more information.

See the "Configuring Dynamic NAT or PAT" section on page 17-23 for information about the other options.

To configure regular static identity NAT, enter the following command:

hostname(config)# static (real_interface,mapped_interface) real_ip real_ip [netmask mask] [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

Specify the same IP address for both real_ip arguments.

See the "Configuring Dynamic NAT or PAT" section on page 17-23 for information about the other options.

For example, the following command uses static identity NAT for an inside IP address (10.1.1.3) when accessed by the outside:

hostname(config)# static (inside,outside) 10.1.1.3 10.1.1.3 netmask 255.255.255.255

The following command uses static identity NAT for an outside address (209.165.201.15) when accessed by the inside:

hostname(config)# static (outside,inside) 209.165.201.15 209.165.201.15 netmask 255.255.255.255

The following command statically maps an entire subnet:

hostname(config)# static (inside,dmz) 10.1.2.0 10.1.2.0 netmask 255.255.255.0

The following static identity policy NAT example shows a single real address that uses identity NAT when accessing one destination address, and a translation when accessing another:

hostname(config)# access-list NET1 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224
hostname(config)# access-list NET2 permit ip host 10.1.2.27 209.165.200.224 255.255.255.224
hostname(config)# static (inside,outside) 10.1.2.27 access-list NET1
hostname(config)# static (inside,outside) 209.165.202.130 access-list NET2
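The rules above (only permit ACEs, ACL source matching the address in the static command, inactive and time-range being ignored) lend themselves to an offline configuration review. The following is an added example, not code from the Cisco guide: the function name audit, the NET3 access list and the address 10.1.2.28 are constructed for illustration, and the parser is a simplification that assumes ACE sources are written as host, any, or address plus mask.

```python
import re

# Constructed sample: the page's policy NAT example, one regular static, and
# one ACL (NET3) written to violate the rules stated above.
SAMPLE = """\
access-list NET1 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224
access-list NET2 permit ip host 10.1.2.27 209.165.200.224 255.255.255.224
access-list NET3 deny ip host 10.1.2.28 any
access-list NET3 permit ip host 10.1.2.28 any inactive
static (inside,outside) 10.1.2.27 access-list NET1
static (inside,outside) 209.165.202.130 access-list NET2
static (inside,outside) 10.1.2.28 access-list NET3
static (inside,dmz) 10.1.2.0 10.1.2.0 netmask 255.255.255.0
"""

ACE = re.compile(r"access-list (\S+) (?:extended )?(permit|deny) \S+ "
                 r"(host \S+|any|\S+ \S+)(.*)")
STATIC = re.compile(r"static \(\w+,\w+\) (\S+) (?:access-list (\S+)|(\S+))")

def audit(config):
    """Classify each static command and collect policy NAT ACL warnings."""
    lines = [re.sub(r"^hostname\(config\)#\s*", "", l.strip())
             for l in config.splitlines()]
    acls, results, warnings = {}, {}, []
    for m in filter(None, map(ACE.match, lines)):
        name, action, src, rest = m.groups()
        src_ip = src.split()[1] if src.startswith("host ") else src.split()[0]
        acls.setdefault(name, []).append((action, src_ip, rest))
    for m in filter(None, map(STATIC.match, lines)):
        addr, acl, second = m.groups()
        if acl is None:  # regular static: identity when both addresses match
            results[m.group(0)] = "identity" if addr == second else "translation"
            continue
        aces = acls.get(acl)
        if not aces:
            warnings.append(f"{acl}: access list is not defined")
            continue
        for action, src_ip, rest in aces:
            if action != "permit":
                warnings.append(f"{acl}: deny ACE; policy NAT ACLs should only permit")
            if re.search(r"\b(inactive|time-range)\b", rest):
                warnings.append(f"{acl}: inactive/time-range ignored; ACE is active")
        same = all(src_ip == addr for _, src_ip, _ in aces)
        results[m.group(0)] = "identity" if same else "translation"
    return results, warnings

if __name__ == "__main__":
    for item in audit(SAMPLE):
        print(item)
```

The inactive warning matters during review because an ACE an operator believes is disabled still drives the translation.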
This manual is also suitable for:

ASA 5500 series