Cisco 7604 Configuration Manual page 336
Catalyst 6500 series switch and cisco 7600 series router firewall services module configuration guide using the cli
Hide thumbs
Also See for 7604:
- Configuration manual (1011 pages) ,
- Installation manual (324 pages) ,
- User manual (98 pages)
Table of Contents
Advertisement
Using Static PAT
If you remove a static command, existing connections that use the translation are not affected. To remove
Note
these connections, enter the clear local-host command.
Static translations from the translation table can be removed using the clear xlate command; the
translation table will be cleared and all current translations are deleted.
To configure static PAT, enter one of the following commands.
For policy static PAT, enter the following command:
•
hostname(config)# static (real_interface,mapped_interface) {tcp | udp} mapped_ip
mapped_port access-list acl_name [dns] [[tcp] tcp_max_conns [emb_limit]]
[udp udp_max_conns] [norandomseq]
Identify the real addresses and destination/source addresses using an extended access list. Create the
extended access list using the access-list extended command. (See the
List" section on page
command. For example, if you specify tcp in the static command, then you must specify tcp in the
access list. Specify the port using the eq operator.
The first address in the access list is the real address; the second address is either the source or
destination address, depending on where the traffic originates. For example, to translate the real
address 10.1.1.1/Telnet to the mapped address 192.168.1.1/Telnet when 10.1.1.1 sends traffic to the
209.165.200.224 network, the access-list and static commands are:
hostname(config)# access-list TEST extended tcp host 10.1.1.1 209.165.200.224
255.255.255.224 eq telnet
hostname(config)# static (inside,outside) tcp 192.168.1.1 telnet access-list TEST
In this case, the second address is the destination address. However, the same configuration is used
for hosts to originate a connection to the mapped address. For example, when a host on the
209.165.200.224/27 network initiates a Telnet connection to 192.168.1.1, then the second address
in the access list is the source address.
This access list should include only permit ACEs. Policy NAT and static NAT consider the inactive
or time-range keywords and stop working when an ACE is inactive. See the
on page 16-10
If you specify a network for translation (for example, 10.1.1.0 255.255.255.0), then the FWSM
translates the .0 and .255 addresses. If you want to prevent access to these addresses, be sure to
configure an access list to deny access.
See the
options.
To configure regular static PAT, enter the following command:
•
hostname(config)# static (real_interface,mapped_interface) {tcp | udp} mapped_ip
mapped_port real_ip real_port [netmask mask] [dns] [[tcp] tcp_max_conns [emb_limit]]
[udp udp_max_conns] [norandomseq]
See the
options.
For example, for Telnet traffic initiated from hosts on the 10.1.3.0 network to the FWSM outside
interface (10.1.2.14), you can redirect the traffic to the inside host at 10.1.1.15 by entering the following
commands:
hostname(config)# access-list TELNET permit tcp host 10.1.1.15 10.1.3.0 255.255.255.0 eq
telnet
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
16-32
13-6.) The protocol in the access list must match the protocol you set in this
for more information.
"Configuring Dynamic NAT or PAT" section on page 16-26
"Configuring Dynamic NAT or PAT" section on page 16-26
Chapter 16
Configuring NAT
"Adding an Extended Access
"Policy NAT" section
for information about the other
for information about the
OL-20748-01
- Quick Links:
- C H a P T E...
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
