Cisco Catalyst 6500 Series Configuration Manual page 172

Catalyst 6500 series switch and cisco 7600 series router firewall services
Chapter 9 Configuring Network Address Translation

Using Static PAT

To configure static PAT, enter one of the following commands.

For policy static PAT, enter the following command:

FWSM/contexta(config)# static (local_interface,global_interface) {tcp | udp} {global_ip | interface} global_port access-list acl_name [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

Create the ACL using the access-list command (see the "Adding an Extended Access Control List" section on page 10-13). The protocol in the ACL must match the protocol you set in this command. For example, if you specify tcp in the static command, then you must specify tcp in the ACL. Specify the port using the eq operator. This ACL should include only permit access control entries (ACEs). The source subnet mask used in the ACL is also used for the global addresses.

See the "Configuring NAT or PAT" section on page 9-23 for information about the other options.

To configure regular static PAT, enter the following command:

FWSM/contexta(config)# static (local_interface,global_interface) {tcp | udp} {global_ip | interface} global_port local_ip local_port [netmask mask] [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

See the "Configuring NAT or PAT" section on page 9-23 for information about the options.

For example, for Telnet traffic initiated from hosts on the 10.1.3.0 network to the FWSM outside interface (10.1.2.14), you can redirect the traffic to the inside host at 10.1.1.15 by entering the following commands:

FWSM/contexta(config)# access-list TELNET permit tcp host 10.1.1.15 eq telnet 10.1.3.0 255.255.255.0 eq telnet
FWSM/contexta(config)# static (inside,outside) tcp 10.1.2.14 telnet access-list TELNET

For HTTP traffic initiated from hosts on the 10.1.3.0 network to the FWSM outside interface (10.1.2.14), you can redirect the traffic to the inside host at 10.1.1.15 by entering:

FWSM/contexta(config)# access-list HTTP permit tcp host 10.1.1.15 eq http 10.1.3.0 255.255.255.0 eq http
FWSM/contexta(config)# static (inside,outside) tcp 10.1.2.14 http access-list HTTP

To redirect Telnet traffic from the FWSM outside interface (10.1.2.14) to the inside host at 10.1.1.15, enter the following command:

FWSM/contexta(config)# static (inside,outside) tcp 10.1.2.14 telnet 10.1.1.15 telnet netmask 255.255.255.255

If you want to allow the local Telnet server above to initiate connections, though, then you need to provide additional translation. For example, to translate all other types of traffic, enter the following commands. The original static command provides translation for Telnet to the server, while the nat and global commands provide PAT for outbound connections from the server.

FWSM/contexta(config)# static (inside,outside) tcp 10.1.2.14 telnet 10.1.1.15 telnet netmask 255.255.255.255
FWSM/contexta(config)# nat (inside) 1 10.1.1.15 255.255.255.255
FWSM/contexta(config)# global (outside) 1 10.1.2.14

If you also have a separate translation for all inside traffic, and the inside hosts use a different global address from the Telnet server, you can still configure traffic initiated from the Telnet server to use the same global address as the static statement that allows Telnet traffic to the server. You need to create a more exclusive nat statement just for the Telnet server. Because nat statements are read for the best

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
OL-6392-01
9-28
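The policy static PAT and regular static PAT examples above, modelled in Python as an added illustration (this is not Cisco code and not part of the guide): it parses the access-list, static, nat and global lines as they appear on this page, checks the three ACL rules the page states for policy static PAT (protocol matches the static command, port given with eq, permit-only ACEs), derives the global address range from the ACE source mask, and reports which inbound connections each form translates and whether the server can initiate connections. The two sample configurations are copied from the page's commands; the port-name table, the function names and the deliberately broken ACL in the demo are constructed for this example, and the static options the page lists but its examples do not use (dns, norandomseq, connection limits) are not parsed.

```python
"""Model of the FWSM static PAT forms described on this page (added example, not Cisco code)."""
import ipaddress

# Constructed from the page: policy static PAT for Telnet and HTTP to 10.1.1.15
POLICY_CONFIG = """
access-list TELNET permit tcp host 10.1.1.15 eq telnet 10.1.3.0 255.255.255.0 eq telnet
access-list HTTP permit tcp host 10.1.1.15 eq http 10.1.3.0 255.255.255.0 eq http
static (inside,outside) tcp 10.1.2.14 telnet access-list TELNET
static (inside,outside) tcp 10.1.2.14 http access-list HTTP
"""

# Constructed from the page: regular static PAT plus nat/global for outbound PAT
REGULAR_CONFIG = """
static (inside,outside) tcp 10.1.2.14 telnet 10.1.1.15 telnet netmask 255.255.255.255
nat (inside) 1 10.1.1.15 255.255.255.255
global (outside) 1 10.1.2.14
"""

PORT_NAMES = {"telnet": 23, "http": 80}  # only the keywords the page uses


def port(tok):
    """Resolve a port keyword or number as written in the commands."""
    return PORT_NAMES.get(tok) or int(tok)


def parse_addr(toks, i):
    """Consume one ACE address spec (any | host A | A MASK) plus an optional 'eq PORT'."""
    if toks[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif toks[i] == "host":
        net, i = ipaddress.ip_network(toks[i + 1]), i + 2
    else:
        net, i = ipaddress.ip_network((toks[i], toks[i + 1]), strict=False), i + 2
    p = None
    if i < len(toks) and toks[i] == "eq":
        p, i = port(toks[i + 1]), i + 2
    return net, p, i


def parse(config):
    """Return (acls, statics, nats, globals) built from the command lines."""
    acls, statics, nats, globals_ = {}, [], [], {}
    for line in config.strip().splitlines():
        t = line.split()
        if t[0] == "access-list":
            src, sport, i = parse_addr(t, 4)
            dst, dport, _ = parse_addr(t, i)
            acls.setdefault(t[1], []).append(
                dict(action=t[2], proto=t[3], src=src, sport=sport, dst=dst, dport=dport))
        elif t[0] == "static":
            s = dict(proto=t[2], global_ip=t[3], global_port=port(t[4]))
            if t[5] == "access-list":
                s.update(kind="policy", acl=t[6])
            else:
                s.update(kind="regular", local_ip=t[5], local_port=port(t[6]))
            statics.append(s)
        elif t[0] == "nat":
            nats.append(dict(id=int(t[2]), net=ipaddress.ip_network((t[3], t[4]), strict=False)))
        elif t[0] == "global":
            globals_[int(t[2])] = t[3]
    return acls, statics, nats, globals_


def check_policy_static(static, acls):
    """List violations of the page's ACL rules for one policy static PAT entry."""
    aces = acls.get(static["acl"])
    if not aces:
        return ["ACL %s is not defined" % static["acl"]]
    problems = []
    for ace in aces:
        if ace["action"] != "permit":
            problems.append("ACL must contain only permit ACEs")
        if ace["proto"] != static["proto"]:
            problems.append("ACL protocol %s does not match static protocol %s" % (ace["proto"], static["proto"]))
        if ace["sport"] is None:
            problems.append("ACE must give the local port with eq")
    return problems


def global_network(static, acls):
    """Global address range the entry covers: the ACE source mask applied to global_ip."""
    prefix = acls[static["acl"]][0]["src"].prefixlen
    return ipaddress.ip_network("%s/%d" % (static["global_ip"], prefix), strict=False)


def inbound_translation(cfg, proto, remote_ip, global_ip, global_port):
    """(local_ip, local_port) for a connection from remote_ip to global_ip:global_port, else None."""
    acls, statics, _, _ = cfg
    remote = ipaddress.ip_address(remote_ip)
    for s in statics:
        if (s["proto"], s["global_ip"], s["global_port"]) != (proto, global_ip, global_port):
            continue
        if s["kind"] == "regular":
            return s["local_ip"], s["local_port"]  # regular static: any remote host
        # Policy static PAT: ACE source is the local host, ACE destination is the remote side
        # (the remote-side port in the ACE is not evaluated by this model).
        for ace in acls.get(s["acl"], []):
            if ace["action"] == "permit" and remote in ace["dst"]:
                return str(ace["src"].network_address), ace["sport"]
    return None


def outbound_global(cfg, proto, local_ip, local_port):
    """Global address for a connection the local host initiates via nat/global PAT, else None."""
    _, _, nats, globals_ = cfg
    for n in nats:
        if ipaddress.ip_address(local_ip) in n["net"] and n["id"] in globals_:
            return globals_[n["id"]]
    return None


if __name__ == "__main__":
    policy = parse(POLICY_CONFIG)
    for s in policy[1]:
        print(s["acl"], check_policy_static(s, policy[0]) or "ok", global_network(s, policy[0]))
    print(inbound_translation(policy, "tcp", "10.1.3.7", "10.1.2.14", 23))  # from 10.1.3.0/24: translated
    print(inbound_translation(policy, "tcp", "10.1.4.7", "10.1.2.14", 23))  # other source: no match
    regular = parse(REGULAR_CONFIG)
    print(inbound_translation(regular, "tcp", "10.1.4.7", "10.1.2.14", 23))  # regular static: any source
    print(outbound_global(regular, "tcp", "10.1.1.15", 40000))  # server-initiated traffic via nat/global
    bad = parse("access-list BAD deny udp host 10.1.1.15 eq 23 any\n"
                "static (inside,outside) tcp 10.1.2.14 telnet access-list BAD")  # constructed bad ACL
    print(check_policy_static(bad[1][0], bad[0]))
```

The contrast the model makes visible is the one the page draws: with policy static PAT only remote hosts covered by the ACL reach the server, and the ACE source mask (host, so /32) bounds the global address; with regular static PAT any remote host is translated, and the server's own outbound connections get a global address only once the nat and global commands are present.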