Cisco 7604 Configuration Guide - Page 336
static, clear local-host, clear xlate, access-list extended, access-list, permit, inactive, time-range
View all Cisco 7604 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 336 highlights
Using Static PAT Chapter 16 Configuring NAT Note If you remove a static command, existing connections that use the translation are not affected. To remove these connections, enter the clear local-host command. Static translations from the translation table can be removed using the clear xlate command; the translation table will be cleared and all current translations are deleted. To configure static PAT, enter one of the following commands. • For policy static PAT, enter the following command: hostname(config)# static (real_interface,mapped_interface) {tcp | udp} mapped_ip mapped_port access-list acl_name [dns] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq] Identify the real addresses and destination/source addresses using an extended access list. Create the extended access list using the access-list extended command. (See the "Adding an Extended Access List" section on page 13-6.) The protocol in the access list must match the protocol you set in this command. For example, if you specify tcp in the static command, then you must specify tcp in the access list. Specify the port using the eq operator. The first address in the access list is the real address; the second address is either the source or destination address, depending on where the traffic originates. For example, to translate the real address 10.1.1.1/Telnet to the mapped address 192.168.1.1/Telnet when 10.1.1.1 sends traffic to the 209.165.200.224 network, the access-list and static commands are: hostname(config)# access-list TEST extended tcp host 10.1.1.1 209.165.200.224 255.255.255.224 eq telnet hostname(config)# static (inside,outside) tcp 192.168.1.1 telnet access-list TEST In this case, the second address is the destination address. However, the same configuration is used for hosts to originate a connection to the mapped address. For example, when a host on the 209.165.200.224/27 network initiates a Telnet connection to 192.168.1.1, then the second address in the access list is the source address. This access list should include only permit ACEs. Policy NAT and static NAT consider the inactive or time-range keywords and stop working when an ACE is inactive. See the "Policy NAT" section on page 16-10 for more information. If you specify a network for translation (for example, 10.1.1.0 255.255.255.0), then the FWSM translates the .0 and .255 addresses. If you want to prevent access to these addresses, be sure to configure an access list to deny access. See the "Configuring Dynamic NAT or PAT" section on page 16-26 for information about the other options. • To configure regular static PAT, enter the following command: hostname(config)# static (real_interface,mapped_interface) {tcp | udp} mapped_ip mapped_port real_ip real_port [netmask mask] [dns] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq] See the "Configuring Dynamic NAT or PAT" section on page 16-26 for information about the options. For example, for Telnet traffic initiated from hosts on the 10.1.3.0 network to the FWSM outside interface (10.1.2.14), you can redirect the traffic to the inside host at 10.1.1.15 by entering the following commands: hostname(config)# access-list TELNET permit tcp host 10.1.1.15 10.1.3.0 255.255.255.0 eq telnet 16-32 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01