NAT and STATIC of PIX & ASA

Source: Internet
Author: User
The following is a summary of the NAT and STATIC commands for PIX & ASA, compiled by Old Arm:

Dynamic translation --- NAT:
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
Translates the 10.x segment matched by NAT ID 1 to the address pool 192.168.0.20-254.


No translation (NAT exemption):
(config)# access-list nonat permit ip host 10.1.1.1 any
(config)# nat (inside) 0 access-list nonat


Port translation --- PAT:
One IP address supports 65535-1024 PAT translations (theoretical value).


Port multiplexing:
nat (inside) 1 10.0.0.0 255.255.0.0
global (outside) 1 192.168.0.3 netmask 255.255.255.255
Translates the whole 10.x block to the single address 192.168.0.3; each connection is told apart by a different source port on that one address.


Use the outside interface address:
nat (inside) 1 10.0.0.0 255.255.0.0
global (outside) 1 interface


Port mapping:
static (inside,outside) tcp 1.1.100 23 10.1.1.100 23
Maps port 23 of inside host 10.1.1.100 to port 23 of outside address 1.1.100.
Static can also be used for DoS defense: both TCP and UDP take a maximum connection count, while the half-open (embryonic) limit applies only to TCP, because UDP has no half-open connections. For example:
static (inside,outside) 202.100.1.101 10.1.1.1 tcp 100 1000
Here 100 is the maximum number of fully open connections and 1000 the maximum number of half-open connections.
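The two numeric arguments of the static above are easier to reason about as connection accounting. The following Python is an added model written for this page, not PIX/ASA code or Old Arm's: it tracks half-open and established entries for one static, refuses a new TCP SYN once either the total or the half-open count reaches its limit, and lets UDP flows count only against the total. The client addresses (198.51.100.x) and the shrunken limits are constructed; a real firewall reacts to the embryonic limit with its SYN-flood protection rather than simply refusing, which the model leaves out.

```python
class StaticLimiter:
    """Connection accounting for one static translation (constructed model, not device code)."""

    def __init__(self, mapped_ip, real_ip, max_conns=0, emb_limit=0):
        self.mapped_ip, self.real_ip = mapped_ip, real_ip
        self.max_conns, self.emb_limit = max_conns, emb_limit  # 0 means unlimited, as on the device
        self.embryonic = set()    # (client_ip, client_port): SYN seen, handshake not finished
        self.established = set()  # completed TCP handshakes and UDP flows

    def _total(self):
        return len(self.embryonic) + len(self.established)

    def tcp_syn(self, client):
        """Outside client sends a SYN to the mapped address."""
        if client in self.embryonic or client in self.established:
            return "retransmit"                      # existing conn entry, nothing new allocated
        if self.max_conns and self._total() >= self.max_conns:
            return "drop:max_conns"                  # first argument: all connections, open or not
        if self.emb_limit and len(self.embryonic) >= self.emb_limit:
            return "limit:embryonic"                 # second argument: half-open slots are full
        self.embryonic.add(client)
        return "allow"

    def tcp_handshake_done(self, client):
        """Final ACK of the handshake: a half-open entry becomes established."""
        if client in self.embryonic:
            self.embryonic.remove(client)
            self.established.add(client)
            return True
        return False

    def udp(self, client):
        """UDP has no handshake, so only max_conns applies to it."""
        if client in self.established:
            return "existing"
        if self.max_conns and self._total() >= self.max_conns:
            return "drop:max_conns"
        self.established.add(client)
        return "allow"

    def close(self, client):
        self.embryonic.discard(client)
        self.established.discard(client)


def syn_flood_trace():
    """Constructed trace: at most 5 connections, at most 3 of them half-open."""
    st = StaticLimiter("202.100.1.101", "10.1.1.1", max_conns=5, emb_limit=3)
    clients = [("198.51.100.%d" % i, 40000 + i) for i in range(1, 8)]
    outcomes = [st.tcp_syn(c) for c in clients[:4]]      # 3 half-open slots, 4th SYN hits emb_limit
    st.tcp_handshake_done(clients[0])                    # two handshakes complete: slots free up
    st.tcp_handshake_done(clients[1])
    outcomes += [st.tcp_syn(c) for c in clients[3:7]]    # two more fit, then max_conns is reached
    return outcomes


def udp_trace():
    """Constructed trace: UDP ignores emb_limit and stops only at max_conns."""
    st = StaticLimiter("202.100.1.101", "10.1.1.1", max_conns=2, emb_limit=1)
    return [st.udp(("198.51.100.%d" % i, 53000 + i)) for i in range(1, 4)]


if __name__ == "__main__":
    print(syn_flood_trace())
    print(udp_trace())
```

In the TCP trace the fourth SYN is held back by the half-open limit while the total is still under 5, and the last two are refused by max_conns even though half-open slots are free; in the UDP trace the embryonic limit of 1 never matters and only the total of 2 does.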


Static NAT
Translates the same host to different addresses depending on the destination (generates permanent xlate table entries):
access-list nat-to-202 permit ip host 10.1.1.1 202.100.1.0 255.255.255.0
access-list nat-to-2 permit ip host 10.1.1.1 2.2.2.0 255.255.255.0
static (inside,outside) 202.100.1.202 access-list nat-to-202
static (inside,outside) 202.100.1.2 access-list nat-to-2


Static PAT
Based on specific traffic, translates a specific port of a specific inside host to a specific port of a specific outside address (generates a permanent xlate table entry):
access-list nat-to-202 permit tcp host 10.1.1.1 eq telnet 202.100.1.0 255.255.255.0
access-list nat-to-2 permit tcp host 10.1.1.1 eq telnet 2.2.2.0 255.255.255.0
static (inside,outside) tcp 202.100.1.101 2323 access-list nat-to-202
static (inside,outside) tcp interface 23 access-list nat-to-2

Policy NAT
access-list nat-to-202 permit ip host 10.1.1.1 host 202.100.1.1
access-list nat-to-2 permit ip host 10.1.1.1 host 2.2.2.2
nat (inside) 1 access-list nat-to-202
global (outside) 1 202.100.1.202
nat (inside) 2 access-list nat-to-2
global (outside) 2 202.100.1.2


access-list nat-to-3032 permit tcp host 10.1.1.1 host 202.100.1.1 eq 3032
access-list nat-to-23 permit tcp host 10.1.1.1 host 202.100.1.1 eq 23
nat (inside) 1 access-list nat-to-3032
global (outside) 1 202.100.1.32
nat (inside) 2 access-list nat-to-23
global (outside) 2 202.100.1.23


Bypass NAT

nat (inside) 0 10.1.1.0 255.255.255.0
NAT ID 0 means no translation.

NAT check order
1. nat 0 + access-list (NAT exemption)
2. static
3. policy NAT
4. nat + address (dynamic NAT)
5. When the address pool is used up, PAT (global + single address)

For mapped addresses in the same segment as the outside interface, proxy ARP must be enabled on the outside interface of the PIX.
sysopt noproxyarp outside // disables proxy ARP on the outside interface, which must not be used...

clear local-host // clears xlate and connection table entries

show xlate: shows the IP translation (mapping) table. Entries have a lifetime of three hours; to change the table, run clear xlate.
After changing any NAT option, run clear xlate (clears dynamic xlate table entries).


show conn: shows connection entries; all active connections are displayed.
show local-host

Old arm BLOG
