Policy NAT – Different Ports

Figure 2-13 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web services and Telnet services. When the host accesses the server for web services, the local address is translated to 209.165.202.129. When the host accesses the same server for Telnet services, the local address is translated to 209.165.202.130.

Figure 2-13
Policy NAT with Different Destination Ports

The syntax for this configuration example follows:

access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 80
access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 23
nat (inside) 1 access-list WEB
global (outside) 1 209.165.202.129 255.255.255.255
nat (inside) 2 access-list TELNET
global (outside) 2 209.165.202.130 255.255.255.255


Limitations

The following configuration limitations apply to policy NAT:

Access lists must contain permit statements only. Access lists for policy NAT cannot contain deny statements.

An access list must be used only once with the nat command. For example, the following configuration would produce an error:

nat (inside) 1 access-list mylist-A
nat (inside) 2 access-list mylist-A

Whereas the following configuration would not produce an error:

nat (inside) 1 access-list mylist-A
nat (inside) 2 access-list mylist-B

Use an access list only once between the nat and static commands.

A global address cannot be used concurrently for NAT and PAT.

static commands are matched and executed before nat commands.

Policy NAT does not support SQL*Net, which is supported by regular NAT.
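As an added example (my own code, not from this page or from Cisco), a small Python model of the policy NAT behaviour described above: it parses the Figure 2-13 snippet, flags the two access-list limitations from the list (permit entries only, an access list used by only one nat command), and resolves which global address a flow is translated to by destination port. It assumes nat statements are tried in configuration order with the first match winning, and it does not model static commands.

```python
import ipaddress

# Constructed input: the Figure 2-13 configuration from the page.
CONFIG = """\
access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 80
access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 255.255.255.255 eq 23
nat (inside) 1 access-list WEB
global (outside) 1 209.165.202.129 255.255.255.255
nat (inside) 2 access-list TELNET
global (outside) 2 209.165.202.130 255.255.255.255
"""

def parse(config):
    """Split a policy NAT snippet into ACL entries, nat statements and global addresses."""
    acls, nats, pools = {}, [], {}
    for line in config.strip().splitlines():
        f = line.split()
        if f[0] == "access-list":  # access-list NAME ACTION PROTO SRC MASK DST MASK [eq PORT]
            acls.setdefault(f[1], []).append({
                "action": f[2], "proto": f[3],
                "src": ipaddress.ip_network(f"{f[4]}/{f[5]}"),
                "dst": ipaddress.ip_network(f"{f[6]}/{f[7]}"),
                "dport": int(f[9]) if len(f) > 9 and f[8] == "eq" else None})
        elif f[0] == "nat":        # nat (IFACE) ID access-list NAME
            nats.append({"id": int(f[2]), "acl": f[4]})
        elif f[0] == "global":     # global (IFACE) ID ADDRESS MASK
            pools[int(f[2])] = f[3]
    return acls, nats, pools

def check_limitations(acls, nats):
    """Report the two ACL rules from the Limitations list: permit-only, and one nat per ACL."""
    errors = []
    for name, entries in acls.items():
        if any(e["action"] != "permit" for e in entries):
            errors.append(f"access-list {name} contains a deny statement")
    used = [n["acl"] for n in nats]
    for name in sorted(set(used)):
        if used.count(name) > 1:
            errors.append(f"access-list {name} is referenced by more than one nat command")
    return errors

def translate(acls, nats, pools, src, dst, dport, proto="tcp"):
    """Mapped address for a flow, or None if no policy matches (assumes first nat match wins)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n in nats:
        for e in acls.get(n["acl"], []):
            if (e["proto"] == proto and s in e["src"] and d in e["dst"]
                    and e["dport"] in (None, dport)):
                return pools.get(n["id"])
    return None
```

A flow from 10.1.2.5 to 209.165.201.11 port 80 resolves to 209.165.202.129, port 23 to 209.165.202.130, and any other port to no policy NAT match; appending a second nat line that reuses WEB makes check_limitations report the error the text describes.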
