nat 0 Command
As mentioned earlier in the text, one can configure access to higher-security subnets by using
the nat 0 command. For instance, if you have a host with a public address on the inside
network and the outside network needs access to this host, you can use nat 0, which disables
address translation so that inside IP addresses are visible to the outside. The following short
example demonstrates the use of the nat 0 command:
nat (inside) 0 192.168.1.10 255.255.255.255
This can also be configured as follows:
access-list 121 permit 192.168.1.10 255.255.255.255 any
nat (inside) 0 access-list 121
184 Chapter 7: Configuring Access
Policy NAT
Policy NAT provides additional capabilities in configuring address translation. The Policy
NAT feature lets you identify local traffic for address translation by specifying the source and
destination addresses (or ports), whereas regular NAT uses only ports/source addresses. In
other words, the same local traffic for address translation can have multiple “global”
translations depending on the destination IP address or port. This is aptly demonstrated in
Figure 7-1.
Figure 7-1 Identifying Multiple External Addresses Using Policy NAT
The translation configuration for Figure 7-1 is as follows:
pixfw(config)#access-list 120 permit ip 10.10.100.0
255.255.255.0 172.16.1.10 255.255.255.255
pixfw(config)#access-list 130 permit ip 10.10.100.0
255.255.255.0 172.16.22.67 255.255.255.255
pixfw(config)#nat (inside) 1 access-list 120
pixfw(config)#global (outside) 1 192.168.100.62 255.255.255.255
pixfw(config)#nat (inside) 2 access-list 130
pixfw(config)#global (outside) 2 192.168.100.25 255.255.255.255
There are constraints of which you have to be aware when configuring Policy NAT:
■ A global address cannot be used concurrently for NAT and PAT.
■ Access lists for Policy NAT cannot contain deny statements. Access lists must contain
only permit statements.