Figure 2-13 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web services and Telnet services. When the host accesses the server for web services, the local address is translated to 220.127.116.11. When the host accesses the same server for Telnet services, the local address is translated to 18.104.22.168.
Policy NAT with Different Destination Ports
The syntax for this configuration example follows:access-list WEB permit tcp 10.1.2.0 255.255.255.0 22.214.171.124 255.255.255.255 eq 80access-list TELNET permit tcp 10.1.2.0 255.255.255.0 126.96.36.199 255.255.255.255 eq 23nat (inside) 1 access-list WEBglobal (outside) 1 188.8.131.52 255.255.255.255nat (inside) 2 access-list TELNETglobal (outside) 2 184.108.40.206 255.255.255.255
The following configuration limitations apply to policy NAT:
•Access lists must contain permit statements only. Access lists for policy NAT cannot contain deny statements.
•An access list must be used only once with the nat command. For example, the following configuration would produce an error:nat (inside) 1 access-list mylist-Anat (inside) 2 access-list mylist-A
Whereas, the following configuration would not produce an error:nat (inside) 1 access-list mylist-Anat (inside) 2 access-list mylist-B
•Use an access list only once between the nat and static commands.
•A global address cannot be used concurrently for NAT and PAT.
•static commands are matched and executed before nat commands.
•Policy NAT does not support SQL*Net, which is supported by regular NAT.