NAT Example

[Figure: NAT Example. An inside host sends a packet with source address 10.0.1.3, destination address 200.200.200.10, source port 49090 and destination port 23. After translation by the PIX Firewall, the packet on the outside carries source address 192.168.1.10; the destination address, source port and destination port are unchanged.]

Translation table

Inside local IP address    Global IP pool
10.0.1.3                   192.168.1.10
10.0.1.4                   192.168.1.254

©2000, Cisco Systems, Inc. CSPFA 1.01-2-15

When an outbound IP packet sent from a device on the inside network reaches the PIX Firewall, the source address is extracted and compared to an internal table of existing translations. If the device's address is not already in the table, a new entry is created for that device, the device is assigned a global IP address from a pool of global IP addresses, and the source address is translated. The table is then updated and the translated IP packet is forwarded. After the session terminates, or once no translated packets have been seen for that particular IP address for a period of time, the entry is removed from the table and the global address is freed for use by another inside device.

global Command

pixfirewall(config)# global [(if_name)] nat_id global_ip[-global_ip] [netmask global_mask]

• The global command works together with the nat command to assign a registered or public IP address to an internal host when accessing the outside network through the firewall.

pixfirewall(config)# nat (inside) 1 0.0.0.0 0.0.0.0
pixfirewall(config)# global (outside) 1 192.168.1.10-192.168.1.254


The global command defines a pool of global addresses. The global addresses in the pool provide an IP address for each outbound connection and for those inbound connections that result from outbound connections. Ensure that associated nat and global command statements have the same nat_id.

The syntax for the global command is as follows:

global [(if_name)] nat_id global_ip[-global_ip] [netmask global_mask]

Argument             Description

if_name              The name of the external network interface on which the global addresses are used.

nat_id               Identifies the global pool and matches it with its respective nat command.

global_ip            A single IP address, or the beginning IP address of a range of global IP addresses.

-global_ip           The ending IP address of a range of global IP addresses (used together with global_ip).

netmask global_mask  The network mask for the global IP addresses. If subnetting is in effect, use the subnet mask; for example, 255.255.255.128. If you specify an address range that overlaps subnets, the netmask option keeps the broadcast and network addresses of those subnets out of the pool of global addresses. For example, with 255.255.255.128 and the address range 192.150.50.20-192.150.50.140, the 192.150.50.127 broadcast address and the 192.150.50.128 network address are not included in the pool of global addresses.

If the nat command is used, the companion command, global, must be configured to define the pool of translated IP addresses.

To delete a global entry, use the no global command. For example:

no global (outside) 1 192.168.1.10-192.168.1.254 netmask 255.255.0.0

Note The PIX Firewall assigns addresses from the global pool starting from the low end to the high end of the range specified in the global command.

Note The PIX Firewall uses the global addresses to assign a virtual IP address to an internal NAT address. After adding, changing, or removing a global statement, use the clear xlate command to make the IP addresses available in the translation table.
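The following Python script is an added illustration, not part of the Cisco course material and not the PIX Firewall's own code. It models the behaviour described on this page: it parses the nat/global pair shown above, expands the global_ip range into a pool from which the network and broadcast address of each overlapped subnet are left out (the 255.255.255.128 example), hands addresses out from the low end of the range, removes idle translations and returns their global address to the pool, clears the table the way clear xlate does, and checks that every global statement's nat_id has a matching nat statement. The "netmask 255.255.255.0" appended to the sample global statement, the idle timeout value, and the use of plain strings for inside addresses are assumptions made for the example.

```python
import ipaddress

# Constructed sample configuration: the nat/global pair shown on the page,
# with an assumed "netmask 255.255.255.0" appended to the global statement.
SAMPLE_CONFIG = [
    "nat (inside) 1 0.0.0.0 0.0.0.0",
    "global (outside) 1 192.168.1.10-192.168.1.254 netmask 255.255.255.0",
]


def parse_global(line):
    """Parse 'global (if_name) nat_id global_ip[-global_ip] [netmask global_mask]'."""
    parts = line.split()
    if parts[0] != "global":
        raise ValueError("not a global statement: %r" % line)
    if_name = parts[1].strip("()")
    nat_id = int(parts[2])
    ends = parts[3].split("-")
    first = ipaddress.IPv4Address(ends[0])
    last = ipaddress.IPv4Address(ends[-1])  # a single address gives first == last
    netmask = None
    if len(parts) >= 6 and parts[4] == "netmask":
        netmask = ipaddress.IPv4Address(parts[5])
    return if_name, nat_id, first, last, netmask


def parse_nat_id(line):
    """Return the nat_id of a 'nat (if_name) nat_id local_ip mask' statement."""
    parts = line.split()
    if parts[0] != "nat":
        raise ValueError("not a nat statement: %r" % line)
    return int(parts[2])


def unmatched_global_ids(config):
    """nat_ids used by global statements that no nat statement shares."""
    nat_ids = {parse_nat_id(l) for l in config if l.startswith("nat ")}
    global_ids = {parse_global(l)[1] for l in config if l.startswith("global ")}
    return sorted(global_ids - nat_ids)


def build_pool(first, last, netmask=None):
    """Expand a global_ip range into an ordered pool, low end first; with a
    netmask, skip the network and broadcast address of each overlapped subnet."""
    pool = []
    addr = first
    while addr <= last:
        if netmask is not None:
            net = ipaddress.IPv4Network("%s/%s" % (addr, netmask), strict=False)
            if addr in (net.network_address, net.broadcast_address):
                addr += 1
                continue
        pool.append(addr)
        addr += 1
    return pool


class XlateTable:
    """Dynamic NAT translation table: inside local address -> global address.
    The idle timeout is an assumed parameter; the page gives no value."""

    def __init__(self, pool, timeout):
        self.free = sorted(pool)  # handed out from the low end of the range
        self.entries = {}         # inside local -> [global address, last seen]
        self.timeout = timeout

    def translate(self, inside_local, now):
        """Return the global address for inside_local, creating an entry if needed."""
        self.expire(now)
        if inside_local not in self.entries:
            if not self.free:
                raise RuntimeError("global pool exhausted")
            self.entries[inside_local] = [self.free.pop(0), now]
        self.entries[inside_local][1] = now
        return self.entries[inside_local][0]

    def expire(self, now):
        """Remove idle entries and return their global addresses to the pool."""
        for inside_local, (global_ip, last_seen) in list(self.entries.items()):
            if now - last_seen >= self.timeout:
                del self.entries[inside_local]
                self.free.append(global_ip)
        self.free.sort()

    def clear_xlate(self):
        """Drop every translation, as 'clear xlate' does after a global change."""
        self.free.extend(g for g, _ in self.entries.values())
        self.entries.clear()
        self.free.sort()


def demo():
    """Walk the page's two inside hosts through the table; returns what was observed."""
    _, _, first, last, netmask = parse_global(SAMPLE_CONFIG[1])
    table = XlateTable(build_pool(first, last, netmask), timeout=300)
    host_a = table.translate("10.0.1.3", now=0)
    host_b = table.translate("10.0.1.4", now=10)
    host_a_again = table.translate("10.0.1.3", now=100)  # existing entry reused
    table.expire(now=310)  # 10.0.1.4 idle for 300 time units: removed, address freed
    return str(host_a), str(host_b), str(host_a_again), sorted(table.entries)
```

Running demo() hands 192.168.1.10 to the first host and 192.168.1.11 to the second, reuses the first host's entry on its next packet, and after the timeout leaves only 10.0.1.3 in the table with the second host's global address back in the free pool. Changing the sample global statement's range or netmask and recomputing build_pool shows how many addresses the pool actually contains.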
