Cisco FirePOWER ASA 5500 series Configuration Manual page 308

Security appliance command line

Using Dynamic NAT and PAT
You can also enter a global command for each interface using the same NAT ID. If you enter a global
command for the Outside and DMZ interfaces on ID 1, then the Inside nat command identifies traffic to
be translated when going to both the Outside and the DMZ interfaces. Similarly, if you also enter a nat
command for the DMZ interface on ID 1, then the global command on the Outside interface is also used
for DMZ traffic. (See Figure 17-15.)
See the following commands for this example:
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
hostname(config)# global (dmz) 1 10.1.1.23
If you use different NAT IDs, you can identify different sets of real addresses to have different mapped
addresses. For example, on the Inside interface, you can have two nat commands on two different
NAT IDs. On the Outside interface, you configure two global commands for these two IDs. Then, when
traffic from Inside network A exits the Outside interface, the IP addresses are translated to pool A
addresses, while traffic from Inside network B is translated to pool B addresses (see Figure 17-16). If
you use policy NAT, you can specify the same real addresses for multiple nat commands, as long as the
destination addresses and ports are unique in each access list.
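The NAT ID pairing described above can be checked mechanically when reviewing a configuration. The following is an added example, not part of the Cisco guide: it parses the nat and global commands shown on this page and lists which real network is translated to which mapped pool on each egress interface. The function names are hypothetical, and labelling a single mapped address as PAT and a range as dynamic NAT is an assumption of the example.

```python
import ipaddress
import re

# Commands copied from this page's example, prompt included.
PAGE_CONFIG = """\
hostname(config)# nat (inside) 1 10.1.2.0 255.255.255.0
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.10
hostname(config)# global (dmz) 1 10.1.1.23
"""

NAT_RE = re.compile(r"\bnat \((\w+)\) (\d+) (\S+) (\S+)")
GLOBAL_RE = re.compile(r"\bglobal \((\w+)\) (\d+) (\S+)")


def parse(config):
    """Return (nat_rules, global_pools) parsed from nat/global command lines."""
    nats, pools = [], []
    for line in config.splitlines():
        if m := NAT_RE.search(line):
            ifc, nat_id, addr, mask = m.groups()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            nats.append((ifc, int(nat_id), net))
        elif m := GLOBAL_RE.search(line):
            ifc, nat_id, mapped = m.groups()
            pools.append((ifc, int(nat_id), mapped))
    return nats, pools


def translation_paths(config):
    """Pair every nat rule with every global pool that shares its NAT ID."""
    nats, pools = parse(config)
    paths = []
    for src_ifc, nat_id, net in nats:
        for dst_ifc, pool_id, mapped in pools:
            if nat_id != pool_id or src_ifc == dst_ifc:
                continue  # different ID, or traffic does not cross interfaces
            kind = "dynamic NAT" if "-" in mapped else "PAT"
            paths.append((src_ifc, str(net), dst_ifc, mapped, kind))
    return paths


if __name__ == "__main__":
    for src, net, dst, mapped, kind in translation_paths(PAGE_CONFIG):
        print(f"{src} {net} -> {dst}: {mapped} ({kind})")
```

Run against the page's four commands, it reports three paths: Inside to Outside, Inside to DMZ, and DMZ to Outside. A nat command added on an existing ID therefore shows up immediately as a new path through every global pool on that ID.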
Figure 17-15: global and nat Commands on Multiple Interfaces
[Diagram not reproduced. Labels: Web Server www.cisco.com; Outside, Global 1: 209.165.201.3-209.165.201.10; DMZ, NAT 1: 10.1.1.0/24, Global 1: 10.1.1.23; Inside, NAT 1: 10.1.2.0/24.]

Cisco Security Appliance Command Line Configuration Guide, Chapter 17: Applying NAT, page 17-18, OL-10088-01
