Cisco 7604 Configuration Manual page 315

Chapter 16 Configuring NAT
NAT Overview
All types of NAT support policy NAT except for NAT exemption. NAT exemption uses an access list to
Note
identify the real addresses, but differs from policy NAT in that the ports are not considered. See the
"Bypassing NAT" section on page 16-33 for other differences. You can accomplish the same result as
NAT exemption using static identity NAT, which does support policy NAT.
Figure 16-9 shows a host on the 10.1.2.0/24 network accessing two different servers. When the host
accesses the server at 209.165.201.11, the real address is translated to 209.165.202.129. When the host
accesses the server at 209.165.200.225, the real address is translated to 209.165.202.130 so that the host
appears to be on the same network as the servers, which can help with routing.
Figure 16-9 Policy NAT with Different Destination Addresses
Server 1 Server 2
209.165.201.11 209.165.200.225
209.165.201.0/27 209.165.200.224/27
DMZ
Translation Translation
10.1.2.27 209.165.202.129 10.1.2.27 209.165.202.130
Inside
10.1.2.0/24
Packet Packet
Dest. Address: Dest. Address:
209.165.201.11 209.165.200.225
10.1.2.27
See the following commands for this example:
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0
255.255.255.224
hostname(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224
255.255.255.224
hostname(config)# nat (inside) 1 access-list NET1
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list NET2
hostname(config)# global (outside) 2 209.165.202.130
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
16-11
OL-20748-01