[c-nsp] Transparent NAT

Christian Zeng christian at zengl.net
Fri Sep 23 12:27:45 EDT 2005


* Mikisa Richard <rmikisa at bushnet.net> wrote:
>I need to do a 'transparent nat' on a cisco PIX-515E version 6.3(3). My 
>network is mainly natted but in this case, I need to route global IPs 
>down to a client. What I need is a straight global IP mapping, ie:
>static (inside,outside) x.x.x.x x.x.x.x netmask 255.255.255.255 0 0.

static (inside,outside) <inside-IP> <inside-IP> netmask 255.255.255.255
lets <inside-IP> appear untranslated on the outside when initiating
traffic from the inside. In addition, it enables any host on the outside
to connect to <inside-IP>'s untranslated address (ACL restrictions you
have defined apply).

If you want to have outside hosts appear untranslated, you must switch
the command to

static (outside,inside) <outside-IP> <outside-IP> netmask 255.255.255.255

Both commands configure static identity NAT, which is a form of NAT
(translation to itself). You'll see entries in the translation table.
The opposite is nat 0 access-list, bypassing NAT completely. 

The PIX configuration guide is very short about different NAT types; try
to look in the command reference (static and nat commands).

Best regards,

Christian
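
The two approaches from the reply above, side by side, as an added example that is not part of the original post. It assumes PIX 6.3 syntax; 192.0.2.10 is a constructed placeholder for <inside-IP>, and the ACL names OUTSIDE-IN and NONAT are hypothetical.

```cisco
: Constructed example. 192.0.2.10 stands in for <inside-IP>;
: OUTSIDE-IN and NONAT are hypothetical ACL names.
:
: Option A: static identity NAT (the host is translated to itself).
static (inside,outside) 192.0.2.10 192.0.2.10 netmask 255.255.255.255 0 0
:
: The static makes the host reachable from the outside at its own
: address, so inbound access is decided by the ACL bound to the
: outside interface. Permit only the services the client needs
: (HTTPS is an assumed example service).
access-list OUTSIDE-IN permit tcp any host 192.0.2.10 eq 443
access-group OUTSIDE-IN in interface outside
:
: Check that the identity mapping is present in the translation table.
show xlate
:
: Option B: bypass NAT for the same host instead of translating it
: to itself. Use this in place of the static above, not together
: with it.
access-list NONAT permit ip host 192.0.2.10 any
nat (inside) 0 access-list NONAT
```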

