Cisco 7604 Configuration Manual page 329

Chapter 16 Configuring NAT
Figure 16-19
Global 1: 10.1.2.30-
See the following commands for this example:
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0 outside
hostname(config)# nat (dmz) 1 10.1.1.0 255.255.255.0
hostname(config)# static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255
hostname(config)# global (outside) 1 209.165.201.3-209.165.201.4
hostname(config)# global (inside) 1 10.1.2.30-1-10.1.2.40
When you specify a group of IP address(es) in a nat command, then you must perform NAT on that group
of addresses when they access any lower or same security level interface; you must apply a global
command with the same NAT ID on each interface, or use a static command. NAT is not required for
that group when it accesses a higher security interface, because to perform NAT from outside to inside,
you must create a separate nat command using the outside keyword. If you do apply outside NAT, then
the NAT requirements preceding come into effect for that group of addresses when they access all higher
security interfaces. Traffic identified by a static command is not affected.
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
Outside NAT and Inside NAT Combined
Outside
10.1.1.15
Global 1: 209.165.201.3-
209.165.201.10
Outside NAT 1: 10.1.1.0/24
NAT 1: 10.1.1.0/24
10.1.2.40
Static to DMZ: 10.1.2.27
Inside
10.1.2.27
Translation
209.165.201.4
DMZ
10.1.1.15
10.1.1.5
Translation
10.1.1.15 10.1.2.30
Undo Translation
10.1.1.5 10.1.2.27
Using Dynamic NAT and PAT
16-25