Order Of Nat Commands Used To Match Local Addresses; Maximum Number Of Nat Statements; Global Address Guidelines - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 series switch and cisco 7600 series router firewall services
NAT Overview

Note   The FWSM does not support VoIP inspection engines when you configure NAT on same security interfaces. These inspection engines include Skinny, SIP, and H.323. See the "Inspection Support" section on page 13-2 for supported inspection engines.

Order of NAT Commands Used to Match Local Addresses

The FWSM matches local traffic to NAT commands in the following order:

1. NAT exemption (nat 0 access-list)—In order, until the first match. Identity NAT is not included in this category; it is included in the regular static NAT or regular NAT category. We do not recommend overlapping addresses in NAT exemption statements because unexpected results can occur.

2. Static NAT and Static PAT (regular and policy) (static)—In order, until the first match. Static identity NAT is included in this category. We do not recommend overlapping addresses in static statements because unexpected results can occur.

3. Policy dynamic NAT (nat access-list)—In order, until the first match. Overlapping addresses are allowed.

4. Regular dynamic NAT (nat)—Best match. Regular identity NAT is included in this category. The order of the NAT commands does not matter; the NAT statement that best matches the local traffic is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the local traffic best. We do not recommend using overlapping statements; they use more memory and can slow the performance of the FWSM.

Maximum Number of NAT Statements

The FWSM supports the following numbers of nat, global, and static commands divided between all contexts or in single mode:

• nat command—2 K
• global command—1,051
• static command—2 K

The FWSM also supports up to 3942 access control entries (ACEs) in ACLs used for policy NAT for single mode, and 7,272 ACEs for multiple mode.

Global Address Guidelines

When you translate the local address to a global address, you can use the following global addresses:

• Addresses on the same network as the global interface.
  If you use addresses on the same network as the global interface (through which traffic exits the FWSM), the FWSM uses proxy ARP to answer any requests for translated addresses, and thus intercepts traffic destined for a local address. This solution simplifies routing, because the FWSM does not have to be the gateway for any additional networks. However, this approach does put a limit on the number of available addresses used for translations.
  For PAT, you can even use the IP address of the global interface.

• Addresses on a unique network.

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
Chapter 9   Configuring Network Address Translation
9-12
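As an added illustration that is not part of the manual, the following Python models the matching order described in "Order of NAT Commands Used to Match Local Addresses": first match in configuration order for categories 1 to 3, best (longest-prefix) match for regular dynamic NAT, plus a check for the overlapping statements the manual advises against. The statement names, categories and addresses in SAMPLE_RULES are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Category order the FWSM uses to match local traffic (from the manual section above).
CATEGORY_ORDER = ("exemption", "static", "policy_dynamic", "regular_dynamic")

@dataclass(frozen=True)
class NatRule:
    category: str   # one of CATEGORY_ORDER
    local: str      # local address/network the statement covers, e.g. "10.1.1.1/32"
    name: str       # constructed label for the statement; FWSM syntax is not parsed here

def _net(rule):
    return ipaddress.ip_network(rule.local, strict=False)

def select_nat_rule(rules, local_ip):
    """Return the NatRule the FWSM would apply to traffic from local_ip, or None.
    rules is in configuration order: categories 1-3 take the first match in that
    order; category 4 (regular dynamic NAT) takes the best (longest-prefix) match."""
    addr = ipaddress.ip_address(local_ip)
    for category in CATEGORY_ORDER:
        hits = [r for r in rules if r.category == category and addr in _net(r)]
        if not hits:
            continue
        if category == "regular_dynamic":
            return max(hits, key=lambda r: _net(r).prefixlen)
        return hits[0]
    return None

def overlapping_statements(rules, category):
    """Pairs of statement names in one category whose local networks overlap.
    The manual advises against overlaps in exemption and static statements."""
    nets = [(r, _net(r)) for r in rules if r.category == category]
    return [(a.name, b.name)
            for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]

# Constructed sample configuration (illustrative, not from the manual).
SAMPLE_RULES = [
    NatRule("regular_dynamic", "0.0.0.0/0", "nat (inside) 1 0 0"),
    NatRule("regular_dynamic", "10.1.1.1/32", "nat (inside) 2 10.1.1.1 255.255.255.255"),
    NatRule("static", "10.1.2.0/24", "static (inside,outside) 192.168.2.0 10.1.2.0"),
    NatRule("exemption", "10.1.3.0/24", "nat (inside) 0 access-list EXEMPT"),
]

if __name__ == "__main__":
    for ip in ("10.1.1.1", "10.1.1.2", "10.1.2.5", "10.1.3.9"):
        print(ip, "->", select_nat_rule(SAMPLE_RULES, ip).name)
```

Running it shows 10.1.1.1 taking the specific /32 statement over the general 0.0.0.0 statement, while hosts in the static and exemption ranges are matched by those categories before any dynamic statement is considered.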