Configuring Multiple Translation Types on the Cisco Security Appliance
It is a good practice to use a combination of NAT and PAT. If you have more internal hosts
than external IP addresses, you can configure both NAT and PAT. Your first group of hosts
translates to the global addresses that are listed and the remaining hosts use PAT and
translate to the single global address. PAT is configured separately from NAT. If NAT is
! !!
Address Translation 125
configured without PAT, once the available global IP address range is depleted, additional
translation attempts will be refused. If the location has any servers that need to be accessed
from the Internet (web servers, mail servers, and so on), they must be configured for static
translation.
In the following examples, the internal network consisting of 254 hosts translates to 52
external addresses (192.168.0.10 to 192.168.0.62). This means that the remaining 202 hosts
translate to 192.168.0.63:
LabPIX(config)# nat [(local_interface)] id local_ip network_mask
LabPIX(config)# nat (inside) 1 10.10.10.0 255.255.255.0
LabPIX(config)# [global] [(global_interface)] id global_ip [netmask] network_mask
LabPIX(config)# global (outside) 1 192.168.0.10-192.168.0.62 netmask
255.255.255.192
LabPIX(config)# [global] [(global_interface)] id global_ip [netmask] network_mask
LabPIX(config)# global (outside) 1 192.168.0.63 netmask 255.255.255.255