NAT and PAT Global Pool Usage; NAT and Same Security Level Interfaces - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI

Chapter 16      Configuring NAT
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM, page 16-14, OL-20748-01

NAT Overview

To avoid running into the limit, you can disable NAT sessions for untranslated traffic (called xlate bypass). See the "Configuring Xlate Bypass" section on page 16-19 to enable xlate bypass. If you disable NAT control and have untranslated traffic or use NAT exemption, or you enable NAT control and use NAT exemption, then with xlate bypass, the FWSM does not create a session for these types of untranslated traffic. NAT sessions are still created in the following instances:

• You configure identity NAT (with or without NAT control). Identity NAT is considered to be a translation.

• You use same-security interfaces with NAT control. Traffic between same security interfaces creates NAT sessions even when you do not configure NAT for the traffic. To avoid NAT sessions in this case, disable NAT control or use NAT exemption as well as xlate bypass.

NAT and PAT Global Pool Usage

You can display the current global pool utilization of any given NAT or PAT configuration to identify when the global pool is close to exhaustion and to facilitate tracking. Each configured global node maintains a counter that is incremented and decremented when an IP address or port is allocated to or freed from that global node. The counter also exists on standby devices to track global node utilization upon failover.

You can specify a single address (for dynamic PAT) or a range of mapped addresses (for dynamic NAT).

See the show global usage command for this example of dynamic NAT global pool usage:

hostname(config)# show global usage
NAT Global Pool                 ID    interface  In use  Most used  Total
---------------                 ----  ---------  ------  ---------  -----
209.165.201.10-209.165.201.20   1     outside    1       1          11

See the show global usage command for this example of dynamic PAT port usage:

hostname(config)# show global usage
NAT Global Pool   ID    interface  In use  Most used  Total
---------------   ----  ---------  ------  ---------  -----
209.165.201.10    2     outside    896     896        64512

NAT and Same Security Level Interfaces

NAT is not required between same security level interfaces even if you enable NAT control. You can optionally configure NAT if desired. However, if you configure dynamic NAT when NAT control is enabled, then NAT is required. See the "NAT Control" section on page 16-5 for more information. Also, when you specify a group of IP address(es) for dynamic NAT or PAT on a same security interface, then you must perform NAT on that group of addresses when they access any lower or same security level interface (even when NAT control is not enabled). Traffic identified for static NAT is not affected.

See the "Allowing Communication Between Interfaces on the Same Security Level" section on page 6-10 to enable same security communication.

Note    The FWSM does not support VoIP inspection engines when you configure NAT on same security interfaces. These inspection engines include Skinny, SIP, and H.323. See the "Inspection Engine Overview" section on page 22-2 for supported inspection engines.
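The pool counters described above are only useful for catching exhaustion if someone reads them regularly. The following Python script, added here as an example and not code from the Cisco guide, parses show global usage output into one record per global node, tells dynamic NAT (an address range) from dynamic PAT (a single address) by the form of the pool column, computes current and peak utilization from the In use, Most used and Total columns, and flags pools at or above a warning threshold. The first sample output is constructed from the two examples on this page; the second is a constructed busy PAT address. The 80% threshold and all function names are assumptions.

```python
"""Parse FWSM 'show global usage' output and flag NAT/PAT pools near exhaustion.

Added example, not code from the Cisco guide. The sample outputs below are
constructed; the first reproduces the two rows shown in the text, the second
is a made-up busy PAT address. The 80% threshold and the function names are
assumptions, not FWSM behaviour.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: both tables from the text merged into one output block.
SAMPLE_OUTPUT = """\
hostname(config)# show global usage
NAT Global Pool                 ID  interface  In use  Most used  Total
---------------                 --  ---------  ------  ---------  -----
209.165.201.10-209.165.201.20   1   outside    1       1          11
209.165.201.10                  2   outside    896     896        64512
"""

# Constructed sample: a PAT address whose port range is almost consumed.
BUSY_OUTPUT = """\
hostname# show global usage
NAT Global Pool   ID  interface  In use  Most used  Total
---------------   --  ---------  ------  ---------  -----
209.165.201.10    2   outside    62000   63100      64512
"""

# One data row: pool, ID, interface, In use, Most used, Total. The prompt,
# header and separator lines never match because the ID field must be digits.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)$")


@dataclass
class GlobalPoolUsage:
    pool: str
    pool_id: int
    interface: str
    in_use: int
    most_used: int
    total: int

    @property
    def kind(self) -> str:
        # A range of mapped addresses is dynamic NAT (Total counts addresses);
        # a single mapped address is dynamic PAT (Total counts ports).
        return "NAT" if "-" in self.pool else "PAT"

    @property
    def utilization(self) -> float:
        """Share of the pool allocated right now (In use / Total)."""
        return self.in_use / self.total if self.total else 0.0

    @property
    def peak_utilization(self) -> float:
        """High-water mark of the counter (Most used / Total)."""
        return self.most_used / self.total if self.total else 0.0


def parse_global_usage(text: str) -> List[GlobalPoolUsage]:
    """Turn raw 'show global usage' output into one record per global node."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        pool, pool_id, iface, in_use, most_used, total = m.groups()
        rows.append(GlobalPoolUsage(pool, int(pool_id), iface,
                                    int(in_use), int(most_used), int(total)))
    return rows


def pools_near_exhaustion(rows: List[GlobalPoolUsage],
                          threshold: float = 0.8) -> List[GlobalPoolUsage]:
    """Pools whose current or peak utilization reaches the threshold.

    Peak counts too: a pool that filled during a burst and then drained will
    fail new connections again at the next burst.
    """
    return [r for r in rows
            if r.utilization >= threshold or r.peak_utilization >= threshold]


def report(text: str, threshold: float = 0.8) -> List[str]:
    """One line per pool, tagged WARN when it is near exhaustion."""
    rows = parse_global_usage(text)
    hot = {(r.pool, r.pool_id) for r in pools_near_exhaustion(rows, threshold)}
    lines = []
    for r in rows:
        tag = "WARN" if (r.pool, r.pool_id) in hot else "ok"
        unit = "addresses" if r.kind == "NAT" else "ports"
        lines.append(f"[{tag}] {r.kind} pool {r.pool_id} ({r.pool} on {r.interface}): "
                     f"{r.in_use}/{r.total} {unit} in use, "
                     f"{r.utilization:.1%} now, {r.peak_utilization:.1%} peak")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_OUTPUT) + report(BUSY_OUTPUT):
        print(line)
```

Because the counter also exists on the standby unit, the same parser can be pointed at output collected from both units of a failover pair; comparing the two rows for a given pool ID is a quick way to confirm that utilization state has replicated before a planned failover.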
