Cisco 7604 Configuration Guide - Page 319
Order of NAT Commands Used to Match Real Addresses, Maximum Number of NAT Statements, Mapped Address
Chapter 16 Configuring NAT
NAT Overview

Order of NAT Commands Used to Match Real Addresses

The FWSM matches real addresses to NAT commands in the following order:

1. NAT exemption (nat 0 access-list): in order, until the first match. Identity NAT is not included in this category; it is included in the regular static NAT or regular NAT category. We do not recommend overlapping addresses in NAT exemption statements because unexpected results can occur.

2. Static NAT and static PAT (regular and policy) (static): best match. Static identity NAT is included in this category. In the case of overlapping addresses in static statements, a warning is displayed, but they are supported. The order of the static commands does not matter; the static statement that best matches the real address is used.

3. Policy dynamic NAT (nat access-list): in order, until the first match. Overlapping addresses are allowed.

4. Regular dynamic NAT (nat): best match. Regular identity NAT is included in this category. The order of the nat commands does not matter; the nat statement that best matches the real address is used. For example, you can create a general statement to translate all addresses (0.0.0.0) on an interface. If you want to translate a subset of your network (10.1.1.1) to a different address, you can create a statement to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific statement for 10.1.1.1 is used because it matches the real address best. We do not recommend using overlapping statements; they use more memory and can slow the performance of the FWSM.

Maximum Number of NAT Statements

The FWSM supports the following numbers of nat, global, and static commands, divided between all contexts or in single mode:

• nat command: 2 K
• global command: 4 K
• static command: 2 K

The FWSM also supports up to 3942 ACEs in access lists used for policy NAT in single mode, and 7272 ACEs in multiple mode.
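The matching order described above under Order of NAT Commands, as an added example that is not part of the guide and not Cisco code: a small Python model that walks the four categories in the documented order, using first match in configuration order for the two ACL-based categories (exemption and policy dynamic NAT) and longest-prefix best match for static and regular dynamic NAT. The rule structure, the FWSM-style command strings, the addresses and the ACL names (TO-PARTNER, NO-NAT) are constructed for illustration. Real policy NAT and exemption ACLs also match on protocol and ports; the model only looks at real source and destination addresses.

```python
"""Model of the FWSM's documented NAT-rule precedence (added example, not Cisco code).

Assumptions: the rule structure, addresses, command strings and ACL names below
are constructed for illustration.  Only real source and destination addresses are
considered; protocol/port matching in policy NAT ACLs is left out.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

# The four categories, in the order the FWSM consults them.
EXEMPTION = "nat 0 access-list"    # 1. first match, in configuration order
STATIC = "static"                  # 2. best (most specific) match
POLICY_DYNAMIC = "nat access-list" # 3. first match, in configuration order
REGULAR_DYNAMIC = "nat"            # 4. best (most specific) match
ORDER = [EXEMPTION, STATIC, POLICY_DYNAMIC, REGULAR_DYNAMIC]


@dataclass
class NatRule:
    kind: str
    real: IPv4Network                   # real (inside) addresses the rule covers
    command: str                        # FWSM-style command text, for display only
    dest: Optional[IPv4Network] = None  # ACL destination for exemption / policy NAT


def rule_matches(rule: NatRule, real_ip: IPv4Address, dest_ip: IPv4Address) -> bool:
    """A rule applies if it covers the real address and, for ACL-based rules,
    the destination address as well."""
    if real_ip not in rule.real:
        return False
    return rule.dest is None or dest_ip in rule.dest


def select_rule(rules: List[NatRule], real_ip: IPv4Address,
                dest_ip: IPv4Address) -> Optional[NatRule]:
    """Return the rule the documented precedence would apply, or None."""
    for kind in ORDER:
        candidates = [r for r in rules
                      if r.kind == kind and rule_matches(r, real_ip, dest_ip)]
        if not candidates:
            continue  # nothing in this category; fall through to the next one
        if kind in (EXEMPTION, POLICY_DYNAMIC):
            return candidates[0]  # configuration order decides
        # static / regular dynamic: order is irrelevant, the longest prefix wins.
        # Equal-length overlaps are ambiguous; max() keeps the first one listed.
        return max(candidates, key=lambda r: r.real.prefixlen)
    return None


# Constructed configuration (not from the guide).
CONFIG = [
    # Regular dynamic NAT: a catch-all and a more specific statement for 10.1.1.1.
    NatRule(REGULAR_DYNAMIC, IPv4Network("0.0.0.0/0"),
            "nat (inside) 1 0.0.0.0 0.0.0.0"),
    NatRule(REGULAR_DYNAMIC, IPv4Network("10.1.1.1/32"),
            "nat (inside) 2 10.1.1.1 255.255.255.255"),
    # Policy dynamic NAT: only 10.1.1.0/24 talking to 192.168.5.0/24.
    NatRule(POLICY_DYNAMIC, IPv4Network("10.1.1.0/24"),
            "nat (inside) 3 access-list TO-PARTNER",
            dest=IPv4Network("192.168.5.0/24")),
    # Overlapping statics, deliberately listed with the specific one last.
    NatRule(STATIC, IPv4Network("10.1.2.0/24"),
            "static (inside,outside) 209.165.201.0 10.1.2.0 netmask 255.255.255.0"),
    NatRule(STATIC, IPv4Network("10.1.2.27/32"),
            "static (inside,outside) 209.165.200.10 10.1.2.27 netmask 255.255.255.255"),
    # NAT exemption for traffic to a peer network.
    NatRule(EXEMPTION, IPv4Network("10.1.3.0/24"),
            "nat (inside) 0 access-list NO-NAT",
            dest=IPv4Network("10.2.0.0/16")),
]


def which_command(real: str, dest: str, rules: List[NatRule] = CONFIG) -> Optional[str]:
    """Command text of the rule that would translate real -> dest, or None."""
    rule = select_rule(rules, IPv4Address(real), IPv4Address(dest))
    return rule.command if rule else None


if __name__ == "__main__":
    for real, dest in [("10.1.1.1", "198.51.100.5"), ("10.1.1.1", "192.168.5.9"),
                       ("10.1.1.2", "198.51.100.5"), ("10.1.2.27", "198.51.100.5"),
                       ("10.1.2.28", "198.51.100.5"), ("10.1.3.5", "10.2.1.1"),
                       ("10.1.3.5", "198.51.100.5")]:
        print(f"{real:>10} -> {dest:<14} {which_command(real, dest)}")
```

Two results are worth checking against the text: 10.1.1.1 to an arbitrary host lands on the specific nat 2 statement rather than the 0.0.0.0 catch-all (best match), while the same host talking to 192.168.5.0/24 is taken by the policy dynamic NAT statement first, because category 3 is consulted before category 4 regardless of how specific the regular nat statement is. Likewise 10.1.2.27 picks the /32 static even though it is listed after the /24 static.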
Mapped Address Guidelines

When you translate the real address to a mapped address, you can use the following mapped addresses:

• Addresses on the same network as the mapped interface. If you use addresses on the same network as the mapped interface (through which traffic exits the FWSM), the FWSM uses proxy ARP to answer any requests for mapped addresses, and thus intercepts traffic destined for a real address. This solution simplifies routing, because the FWSM does not have to be the gateway for any additional networks. However, this approach does limit the number of addresses available for translations. For PAT, you can even use the IP address of the mapped interface.

• Addresses on a unique network. If you need more addresses than are available on the mapped interface network, you can identify addresses on a different subnet. The FWSM uses proxy ARP to answer any requests for mapped addresses, and thus intercepts traffic destined for a real address. If you use OSPF to advertise mapped IP addresses that belong to a different subnet from the mapped interface, you need to create

OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 16-15