Cisco 7604 Configuration Manual page 308

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI

NAT Overview
For ICMP support, you must enable ICMP inspection.
Figure 16-2 shows a typical NAT scenario in transparent mode, with the same network on the inside and
outside interfaces. The transparent firewall in this scenario performs the NAT service so that the
upstream router does not have to perform NAT. When the inside host at 10.1.1.27 sends a packet to a web
server, the real source address of the packet, 10.1.1.27, is changed to a mapped address, 209.165.201.10.
When the server responds, it sends the response to the mapped address, 209.165.201.10, and the FWSM
receives the packet because the upstream router includes this mapped network in a static route that is
directed through the FWSM. The FWSM then undoes the translation of the mapped address,
209.165.201.10, back to the real address, 10.1.1.27. Because the real address is directly connected, the
FWSM sends the packet directly to the host. For host 192.168.1.2, the same process occurs, except that the
FWSM looks up the route in its route table and sends the packet to the downstream router at 10.1.1.3
based on the static route.

Figure 16-2    NAT Example: Transparent Mode
[Network diagram not reproduced. Labels: www.example.com, Internet, FWSM, Management IP 10.1.1.1,
Network 2, Source Addr Translation; static route on router to 209.165.201.0/27 to downstream router;
static route on security appliance for 192.168.1.1/24 to downstream router.]

See the following commands for this example:
hostname(config)# route inside 192.168.1.0 255.255.255.0 10.1.1.3 1
hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0
hostname(config)# nat (inside) 1 192.168.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.1-209.165.201.15

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
Chapter 16, Configuring NAT, page 16-4, OL-20748-01
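The following Python model is an added illustration, not taken from the Cisco guide. It walks through the dynamic NAT behavior that the commands above configure: translation on the way out, the return path to a directly connected host versus the downstream router, and two failure cases (an exhausted pool and return traffic with no translation entry). The class name, the lowest-free-address allocation order, and the /24 mask on the bridged network are assumptions.

```python
import ipaddress as ip

# Values from the page's commands.
NAT_SOURCES = [ip.ip_network("10.1.1.0/24"), ip.ip_network("192.168.1.0/24")]  # nat (inside) 1
POOL = (ip.ip_address("209.165.201.1"), ip.ip_address("209.165.201.15"))  # global (outside) 1
INSIDE_ROUTES = {ip.ip_network("192.168.1.0/24"): ip.ip_address("10.1.1.3")}  # route inside
CONNECTED = ip.ip_network("10.1.1.0/24")  # assumption: the bridged network is a /24


class DynamicNat:
    """Toy model of dynamic NAT: one mapped address per real host, no PAT."""

    def __init__(self):
        self.xlate = {}  # real address -> mapped address
        self.free = [ip.ip_address(a) for a in range(int(POOL[0]), int(POOL[1]) + 1)]

    def outbound(self, real):
        """Return the mapped source address, or None if no translation is possible."""
        real = ip.ip_address(real)
        if not any(real in net for net in NAT_SOURCES):
            return None  # source matches no nat rule
        if real not in self.xlate:
            if not self.free:
                return None  # pool exhausted: a 16th host gets no translation
            self.xlate[real] = self.free.pop(0)  # assumption: lowest free address first
        return self.xlate[real]

    def inbound(self, mapped):
        """Undo the translation; return (real, next_hop), or None if no entry exists."""
        mapped = ip.ip_address(mapped)
        real = next((r for r, m in self.xlate.items() if m == mapped), None)
        if real is None:
            return None  # unsolicited traffic to an unused pool address
        if real in CONNECTED:
            return real, real  # directly connected: deliver to the host itself
        for net, gateway in INSIDE_ROUTES.items():
            if real in net:
                return real, gateway  # reached through the downstream router
        return None


if __name__ == "__main__":
    nat = DynamicNat()
    for host in ("10.1.1.27", "192.168.1.2"):
        mapped = nat.outbound(host)
        print(host, "->", mapped, "| return path:", nat.inbound(mapped))
    print("unsolicited:", nat.inbound("209.165.201.9"))
```

A real FWSM chooses the mapped address itself, so the addresses printed here will not match the 209.165.201.10 used in the page's walk-through.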
