Cisco Catalyst 6500 Series Configuration Manual, page 150

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services
Chapter 9
Configuring Network Address Translation
NAT Overview
For example, if you want to provide a single address for global users to access FTP, HTTP, and SMTP, but these are all actually different servers on the local network, you can specify static PAT statements for each server that use the same global IP address but different ports (see Figure 9-2).
Figure 9-2 Static PAT

Outside host -> destination address translation -> inside server:
209.165.201.3:21 -> 10.1.2.27 (FTP server)
209.165.201.3:25 -> 10.1.2.29 (SMTP server)
209.165.201.3:80 -> 10.1.2.28 (HTTP server)
See the following commands for this example:
FWSM/contexta(config)# static (inside,outside) tcp 209.165.201.3 ftp 10.1.2.27 ftp netmask 255.255.255.255
FWSM/contexta(config)# static (inside,outside) tcp 209.165.201.3 http 10.1.2.28 http netmask 255.255.255.255
FWSM/contexta(config)# static (inside,outside) tcp 209.165.201.3 smtp 10.1.2.29 smtp netmask 255.255.255.255
A static PAT statement translates only the one port it names. If the application used by the server requires an inspection engine to open data channels on other ports, as FTP does, then the server also needs a translation for those other ports. Other protocols that require inspection engines for data channels include TFTP, RTSP, and Skinny. See Chapter 13, "Configuring Application Protocol Inspection," for a complete list of protocols that require inspection engines. For example, add the following lines to the above configuration to translate all other ports of the FTP server at 10.1.2.27 using the same global address:
FWSM/contexta(config)# nat (inside) 1 10.1.2.27 255.255.255.255
FWSM/contexta(config)# global (outside) 1 209.165.201.3
Because this is a dynamic nat/global pair, the above configuration also allows the FTP server to initiate outbound connections, if desired.
You can also use static PAT to translate a well-known port to a non-standard port or vice versa. For example, if your inside web servers listen on port 8080, you can let outside users connect to port 80 and translate those connections to port 8080. Similarly, if you want to reduce exposure to casual port scans, you can tell your web users to connect to the non-standard port 6785 and translate those connections to port 80 on the local network. Note that a non-standard port only hides the service from scanners that probe well-known ports; it is not a substitute for an access list that restricts who may reach the server.
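The following configuration is an added example, not taken from the FWSM guide, showing both port remappings described above together with the access list that inbound connections through a static require. It reuses the page's context name "contexta", global address 209.165.201.3, and inside web server 10.1.2.28 (assumed here to listen on 8080); the second inside web server 10.1.2.30 listening on port 80 and the access-list name OUTSIDE_IN are assumptions for illustration.

```cisco
! Added example (not from the FWSM guide): static PAT port remapping.
! Assumed: context "contexta", global address 209.165.201.3, inside web
! server 10.1.2.28 listening on 8080, and a hypothetical second inside web
! server 10.1.2.30 listening on 80. Mapped address/port comes first in the
! static command, real address/port second.
!
! Well-known port -> non-standard port: outside clients connect to
! 209.165.201.3:80; the FWSM rewrites the destination to 10.1.2.28:8080.
FWSM/contexta(config)# static (inside,outside) tcp 209.165.201.3 80 10.1.2.28 8080 netmask 255.255.255.255
!
! Non-standard port -> well-known port: outside clients connect to
! 209.165.201.3:6785; the FWSM rewrites the destination to 10.1.2.30:80.
FWSM/contexta(config)# static (inside,outside) tcp 209.165.201.3 6785 10.1.2.30 80 netmask 255.255.255.255
!
! A static by itself does not admit connections from the outside. The outside
! interface needs an access list, and on the FWSM that list matches the
! mapped (global) address and port, i.e. what the outside client sends,
! not the real server address and port.
FWSM/contexta(config)# access-list OUTSIDE_IN permit tcp any host 209.165.201.3 eq 80
FWSM/contexta(config)# access-list OUTSIDE_IN permit tcp any host 209.165.201.3 eq 6785
FWSM/contexta(config)# access-group OUTSIDE_IN in interface outside
!
! Verify: the translation slots and the connections that use them.
FWSM/contexta# show xlate
FWSM/contexta# show conn
```

Only the ports named in the two static commands are reachable from the outside; any other port on 209.165.201.3 has no translation and is dropped before the access list is consulted. If either server needs an inspection engine to open secondary data channels, add a nat/global pair for it as in the FTP example earlier on this page.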
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, page 9-6, OL-6392-01