17-34
Cisco Security Appliance Command Line Configuration Guide
OL-12172-03
Chapter 17 Configuring NAT
NAT Examples
To exempt an inside address when accessing two different destination addresses, enter the following commands:
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
hostname(config)# nat (inside) 0 access-list NET1
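An added example, not part of the Cisco guide: a small Python audit helper that parses the three commands above and reports which flows bypass translation and therefore expose real inside addresses. It handles only the "permit ip network mask network mask" form used here; the function names and the sample flows are constructed for illustration.

```python
import ipaddress

# The three configuration lines shown above, with the prompt removed.
CONFIG = """\
access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
nat (inside) 0 access-list NET1
"""

def parse_exemptions(config):
    """Return {interface: [(src_net, dst_net), ...]} for each 'nat (if) 0 access-list' rule."""
    acls, bound = {}, {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) == 8 and tok[0] == "access-list" and tok[2:4] == ["permit", "ip"]:
            src = ipaddress.ip_network(f"{tok[4]}/{tok[5]}")
            dst = ipaddress.ip_network(f"{tok[6]}/{tok[7]}")
            acls.setdefault(tok[1], []).append((src, dst))
        elif len(tok) == 5 and tok[0] == "nat" and tok[2:4] == ["0", "access-list"]:
            bound.setdefault(tok[1].strip("()"), []).append(tok[4])
    # Resolve ACL names last so the order of lines in the config does not matter.
    return {ifc: [pair for name in names for pair in acls.get(name, [])]
            for ifc, names in bound.items()}

def is_exempt(rules, interface, src, dst):
    """True when a flow entering 'interface' matches an exemption entry (no translation)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in rules.get(interface, []))

def exempt_destinations(rules, interface):
    """Number of destination addresses reachable untranslated; useful when reviewing scope."""
    return sum(dn.num_addresses for _, dn in rules.get(interface, []))

if __name__ == "__main__":
    rules = parse_exemptions(CONFIG)
    # Constructed sample flows: (source, destination)
    flows = [("10.1.2.27", "209.165.201.5"),
             ("10.1.2.27", "209.165.200.230"),
             ("10.1.2.27", "209.165.202.129"),
             ("10.1.3.9", "209.165.201.5")]
    for src, dst in flows:
        state = "exempt (real address seen)" if is_exempt(rules, "inside", src, dst) else "translated"
        print(f"{src} -> {dst}: {state}")
    print("untranslated destination addresses:", exempt_destinations(rules, "inside"))
```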
NAT Examples
This section describes typical scenarios that use NAT solutions, and includes the following topics:
• Overlapping Networks, page 17-34
• Redirecting Ports, page 17-36
Overlapping Networks
In Figure 17-27, the security appliance connects two private networks with overlapping address ranges.
Figure 17-27 Using Outside NAT with Overlapping Networks
Two networks use an overlapping address space (192.168.100.0/24), but hosts on each network must
communicate (as allowed by access lists). Without NAT, when a host on the inside network tries to access
a host on the overlapping DMZ network, the packet never makes it past the security appliance, which
sees the packet as having a destination address on the inside network. Moreover, if the destination
address is being used by another host on the inside network, that host receives the packet.
To solve this problem, use NAT to provide non-overlapping addresses. If you want to allow access in
both directions, use static NAT for both networks. If you only want to allow the inside interface to access
hosts on the DMZ, then you can use dynamic NAT for the inside addresses, and static NAT for the DMZ
addresses you want to access. This example shows static NAT.
To configure static NAT for these two interfaces, perform the following steps. The 10.1.1.0/24 network
on the DMZ is not translated.
[Figure 17-27 diagram: inside interface (192.168.100.0/24), dmz interface (192.168.100.0/24) and outside interface; addresses labelled 192.168.100.1, 192.168.100.2, 192.168.100.3, 10.1.1.1 and 10.1.1.2.]