Cisco PIX 500 Series Configuration Manual page 351

Chapter 17
Configuring NAT
Step 1 Translate 192.168.100.0/24 on the inside to 10.1.2.0/24 when it accesses the DMZ by entering the following command:
hostname(config)# static (inside,dmz) 10.1.2.0 192.168.100.0 netmask 255.255.255.0
Step 2 Translate the 192.168.100.0/24 network on the DMZ to 10.1.3.0/24 when it accesses the inside by entering the following command:
hostname(config)# static (dmz,inside) 10.1.3.0 192.168.100.0 netmask 255.255.255.0
Step 3 Configure the following static routes so that traffic to the DMZ network can be routed correctly by the security appliance:
hostname(config)# route dmz 192.168.100.128 255.255.255.128 10.1.1.2 1
hostname(config)# route dmz 192.168.100.0 255.255.255.128 10.1.1.2 1
The security appliance already has a connected route for the inside network. These static routes allow the security appliance to send traffic for the 192.168.100.0/24 network out the DMZ interface to the gateway router at 10.1.1.2. (You need to split the network into two /25s because you cannot create a static route with exactly the same network as a connected route.) Alternatively, you could use a broader route for the DMZ traffic, such as a default route.
If host 192.168.100.2 on the DMZ network wants to initiate a connection to host 192.168.100.2 on the inside network, the following events occur:
1. The DMZ host 192.168.100.2 sends the packet to IP address 10.1.2.2.
2. When the security appliance receives this packet, the security appliance translates the source address from 192.168.100.2 to 10.1.3.2.
3. Then the security appliance translates the destination address from 10.1.2.2 to 192.168.100.2, and the packet is forwarded.
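To make Steps 1 through 3 and the three events concrete, here is an added Python model; it is not Cisco code and not part of this guide. It parses the two static and two route lines exactly as entered above, applies the source translation and the destination untranslation to the packet from the DMZ host, takes the egress interface from the static that matched the destination (as the event sequence implies), and then looks up the next hop only among the routes on that interface. The interface networks, 192.168.100.0/24 on inside and 10.1.1.0/24 on dmz, are assumptions; the page only gives the DMZ gateway router at 10.1.1.2. The parser also refuses a static route that exactly duplicates a connected route, which is why the DMZ route above is split into two /25s.

```python
"""Added model of the overlapping-network static NAT example (not Cisco code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Assumed interface networks (not stated on the page): the DMZ gateway router
# is 10.1.1.2, so the dmz interface is assumed to sit in 10.1.1.0/24; the
# inside interface is assumed to sit in 192.168.100.0/24.
INTERFACES = {"inside": Net("192.168.100.0/24"), "dmz": Net("10.1.1.0/24")}

# The configuration lines from Steps 1 to 3 on this page, verbatim.
CONFIG = """
static (inside,dmz) 10.1.2.0 192.168.100.0 netmask 255.255.255.0
static (dmz,inside) 10.1.3.0 192.168.100.0 netmask 255.255.255.0
route dmz 192.168.100.128 255.255.255.128 10.1.1.2 1
route dmz 192.168.100.0 255.255.255.128 10.1.1.2 1
"""


@dataclass(frozen=True)
class Static:
    real_if: str     # interface where the real (untranslated) hosts live
    mapped_if: str   # interface on which the mapped addresses are seen
    mapped: Net
    real: Net


@dataclass(frozen=True)
class Route:
    iface: str
    net: Net
    gateway: Optional[IPv4]   # None marks a connected route
    metric: int


def parse_config(text, interfaces=INTERFACES):
    """Parse 'static (real_if,mapped_if) mapped real netmask m' and
    'route if net mask gw [metric]' lines. A static route whose network is
    exactly a connected network is rejected, as the appliance rejects it."""
    statics = []
    routes = [Route(i, n, None, 0) for i, n in interfaces.items()]
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "static":
            real_if, mapped_if = tok[1].strip("()").split(",")
            mask = tok[5] if len(tok) > 5 and tok[4] == "netmask" else "255.255.255.255"
            statics.append(Static(real_if, mapped_if,
                                  Net(f"{tok[2]}/{mask}"), Net(f"{tok[3]}/{mask}")))
        elif tok[0] == "route":
            net = Net(f"{tok[2]}/{tok[3]}")
            if any(r.gateway is None and r.net == net for r in routes):
                raise ValueError(f"route {net} duplicates a connected route")
            metric = int(tok[5]) if len(tok) > 5 else 1
            routes.append(Route(tok[1], net, IPv4(tok[4]), metric))
    return statics, routes


def rehost(addr, from_net, to_net):
    """Keep the host part of addr and swap the network part: a network static
    maps hosts one-to-one in address order (192.168.100.2 -> 10.1.2.2)."""
    offset = int(addr) - int(from_net.network_address)
    return IPv4(int(to_net.network_address) + offset)


def translate(statics, routes, in_if, src, dst):
    """Apply the page's events to a packet arriving on in_if.
    Returns (translated src, translated dst, egress interface, next hop)."""
    src, dst = IPv4(src), IPv4(dst)
    # Event 2: source translation via the static whose real side is the
    # ingress interface.
    new_src = src
    for s in statics:
        if s.real_if == in_if and src in s.real:
            new_src = rehost(src, s.real, s.mapped)
            break
    # Event 3: destination untranslation via the static whose mapped side is
    # the ingress interface; that static also fixes the egress interface.
    new_dst, egress = dst, None
    for s in statics:
        if s.mapped_if == in_if and dst in s.mapped:
            new_dst, egress = rehost(dst, s.mapped, s.real), s.real_if
            break
    # Next hop: longest-prefix match, restricted to the egress interface when
    # a static chose one (so the overlapping connected route is not consulted).
    cands = [r for r in routes if new_dst in r.net and (egress is None or r.iface == egress)]
    if not cands:
        raise LookupError(f"no route to {new_dst}")
    best = max(cands, key=lambda r: (r.net.prefixlen, -r.metric))
    next_hop = best.gateway if best.gateway is not None else new_dst
    return str(new_src), str(new_dst), best.iface, str(next_hop)


if __name__ == "__main__":
    statics, routes = parse_config(CONFIG)
    # DMZ host 192.168.100.2 opens a connection to the inside host via 10.1.2.2.
    print(translate(statics, routes, "dmz", "192.168.100.2", "10.1.2.2"))
    # The inside host's reply goes to 10.1.3.2 and must leave via the DMZ router.
    print(translate(statics, routes, "inside", "192.168.100.2", "10.1.3.2"))
```

The reply packet is the interesting case: its real destination 192.168.100.2 also matches the connected inside route, but the static (dmz,inside) selects dmz as the egress interface, and the /25 static route on dmz supplies the next hop 10.1.1.2. Feeding the single /24 form "route dmz 192.168.100.0 255.255.255.0 10.1.1.2 1" to parse_config raises the duplicate-route error, which is the check the page's parenthetical describes.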
Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, NAT Examples, page 17-35
This manual is also suitable for: ASA 5500 series