Figure 2-13 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web services and Telnet services. When the host accesses the server for web services, the local address is translated to 126.96.36.199. When the host accesses the same server for Telnet services, the local address is translated to 188.8.131.52.
Policy NAT with Different Destination Ports
The syntax for this configuration example follows:access-list WEB permit tcp 10.1.2.0 255.255.255.0 184.108.40.206 255.255.255.255 eq 80access-list TELNET permit tcp 10.1.2.0 255.255.255.0 220.127.116.11 255.255.255.255 eq 23nat (inside) 1 access-list WEBglobal (outside) 1 18.104.22.168 255.255.255.255nat (inside) 2 access-list TELNETglobal (outside) 2 22.214.171.124 255.255.255.255
The following configuration limitations apply to policy NAT:
•Access lists must contain permit statements only. Access lists for policy NAT cannot contain deny statements.
•An access list must be used only once with the nat command. For example, the following configuration would produce an error:nat (inside) 1 access-list mylist-Anat (inside) 2 access-list mylist-A
Whereas, the following configuration would not produce an error:nat (inside) 1 access-list mylist-Anat (inside) 2 access-list mylist-B
•Use an access list only once between the nat and static commands.
•A global address cannot be used concurrently for NAT and PAT.
•static commands are matched and executed before nat commands.
•Policy NAT does not support SQL*Net, which is supported by regular NAT.