Network Address Translation
Two commands are required to complete this configuration:
■ nat—Defines the addresses to be translated:
LabPIX(config)# nat [(internal_if_name)] id local_ip [network_mask]
Here is an example:
LabPIX(config)# nat (inside) 1 0.0.0.0 0.0.0.0
■ global—Defines the pool of addresses to translate to:
LabPIX(config)# global [(external_if_name)] id {global_ip[-global_ip] [netmask network_mask] | interface}
Here is an example:
LabPIX(config)# global (outside) 1 192.168.0.10-192.168.0.62 netmask 255.255.255.192
Notice the id in both the nat and global commands. It enables you to assign specific addresses
to translate. The addresses in the nat command translate to the addresses in the global
command that contains the same ID. The only ID that cannot be used here is 0. The
command nat 0 is used on the Security Appliance to identify addresses that are not to be
translated. The nat 0 command is commonly called the “no nat” command.
122 Chapter 5: Understanding Cisco Security Appliance Translation and Connection
PIX Firewall OS Version 6.3(2) incorporated the ability to configure a policy NAT. Policy NAT
lets translations be applied based on a specific source and destination. It is configured
with access control lists and is discussed in greater detail in Chapter 7, “Configuring Access.”
PAT
PAT enables you to translate your local addresses behind a single global address. The
commands required to perform PAT are exactly the same as the commands to perform NAT.
The only difference in defining PAT is that you define a single global address rather than a
range. Figure 5-5 shows all local nodes behind a single global address being translated.
Figure 5-5 PAT
The correct syntax for configuring PAT uses the nat and global commands and is depicted
here:
LabPIX(config)# nat [(internal_if_name)] id local_ip network_mask
The following is an example of the correct syntax for configuring the nat portion of PAT for
an internal network consisting of 10.0.0.0 addresses:
LabPIX(config)# nat (inside) 4 10.0.0.0 0.0.0.0
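The ID pairing and the NAT/PAT distinction described above can be checked mechanically when reviewing a saved configuration. The following Python sketch is an added example, not part of the original text or of any Cisco tool. The sample configuration is constructed, and the report labels (no-nat, nat-without-global, global-without-nat, nat-pool, pat) are hypothetical names chosen for this illustration.

```python
import ipaddress
import re

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 192.168.0.10-192.168.0.62 netmask 255.255.255.192
nat (inside) 4 10.1.0.0 255.255.0.0
global (outside) 4 192.168.0.9 netmask 255.255.255.192
nat (inside) 0 10.9.9.0 255.255.255.0
nat (inside) 7 10.2.0.0 255.255.0.0
global (outside) 9 192.168.0.8
"""

# Matches "nat (if) id arg" and "global (if) id arg"; later arguments are ignored.
LINE_RE = re.compile(r"^(nat|global)\s+\((\S+)\)\s+(\d+)\s+(\S+)")


def classify_global(target):
    """Return ('pat', 1) for one address or 'interface', ('nat-pool', size) for a range."""
    if target == "interface" or "-" not in target:
        return ("pat", 1)
    first, last = (int(ipaddress.IPv4Address(a)) for a in target.split("-"))
    return ("nat-pool", last - first + 1)


def audit(config):
    """Pair nat and global statements by ID and report how each ID translates."""
    nats, globals_ = {}, {}
    for line in config.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        cmd, _ifname, nat_id, arg = m.groups()
        (nats if cmd == "nat" else globals_).setdefault(int(nat_id), []).append(arg)
    report = {}
    for nat_id in sorted(set(nats) | set(globals_)):
        if nat_id == 0:
            report[nat_id] = ("no-nat", 0)  # nat 0: addresses are not translated
        elif nat_id not in globals_:
            report[nat_id] = ("nat-without-global", 0)
        elif nat_id not in nats:
            report[nat_id] = ("global-without-nat", 0)
        else:
            # Simplification: only the first global statement for an ID is classified.
            report[nat_id] = classify_global(globals_[nat_id][0])
    return report


if __name__ == "__main__":
    for nat_id, (kind, size) in audit(SAMPLE_CONFIG).items():
        print(nat_id, kind, size)
```

An ID reported as nat-without-global or global-without-nat has no counterpart with the same ID, so the pairing described above is incomplete for that ID and the statement should be reviewed.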