NAT Example

[Slide figure: an outbound packet (source address, destination address, source port 49090, destination port 23) passing from the inside interface to the outside interface of the PIX Firewall; the translation table maps the inside local IP address to a global IP address taken from the IP pool.]

©2000, Cisco Systems, CSPFA 1.01-2-15

When an outbound IP packet sent from a device on the inside network reaches the PIX Firewall, the source address is extracted and compared to an internal table of existing translations. If the device's address is not already in the table, a new entry is created for that device, it is assigned a global IP address from the pool of global IP addresses, and the source address is translated. The table is then updated and the translated IP packet is forwarded. After the session terminates, or after no translated packets have been seen for that inside address for the translation timeout period, the entry is removed from the table and the global address is freed for use by another inside device.

global Command


global [(if_name)] nat_id global_ip[-global_ip] [netmask global_mask]

• The global command works together with the nat command to assign a registered or public IP address to an internal host when accessing the outside network through the firewall.

pixfirewall(config)# nat (inside) 1
pixfirewall(config)# global (outside) 1



The global command defines a pool of global addresses. The global addresses in the pool provide an IP address for each outbound connection and for those inbound connections that result from outbound connections. Ensure that associated nat and global command statements use the same nat_id.

The syntax for the global command is as follows:

global [(if_name)] nat_id global_ip[-global_ip] [netmask global_mask]

if_name
    The external network interface name on which the global addresses are used.

nat_id
    Identifies the global pool and matches it with its respective nat command.

global_ip
    A single global IP address, or the beginning IP address of a range of global IP addresses.

-global_ip
    The end address of a range of global IP addresses.

netmask global_mask
    The network mask for the global IP addresses. If subnetting is in effect, use the subnet mask. If you specify an address range that overlaps subnets with the netmask option, the PIX Firewall does not use the broadcast or network address of those subnets in the pool of global addresses. For example, if you use netmask and an address range of , the broadcast address and the network address will not be included in the pool of global addresses.

If the nat command is used, the companion command, global, must be configured to define the pool of translated IP addresses.

To delete a global entry, use the no global command. For example: no global (outside) 1 netmask

Note The PIX Firewall assigns addresses from the global pool starting from the low end to the high end of the range specified in the global command.

Note The PIX Firewall uses the global addresses to assign a virtual IP address to an internal NAT address. After adding, changing, or removing a global statement, use the clear xlate command to make the IP addresses available in the translation table.
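The translation-table behaviour described above (lookup by inside address, allocation from the low end of the global pool, network and broadcast addresses skipped when the range crosses subnets, entries freed on idle timeout, and clear xlate emptying the table) can be modelled in a few lines. The following Python is an added illustration, not PIX code or Cisco course material; the pool 192.0.2.254-192.0.3.3 with netmask 255.255.255.0, nat_id 1, the 60-second idle timeout used in the demo, and the decision to return None (packet not forwarded) when the pool is exhausted are all assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed example configuration (not from the original course material), modelled as
# one DynamicNat object with nat_id 1:
#   nat (inside) 1 10.0.0.0 255.255.255.0
#   global (outside) 1 192.0.2.254-192.0.3.3 netmask 255.255.255.0


def build_global_pool(start, end, netmask):
    """Expand a global address range from low to high, skipping the network and
    broadcast address of every subnet (under netmask) that the range touches."""
    lo = ipaddress.IPv4Address(start)
    hi = ipaddress.IPv4Address(end)
    pool = []
    ip = lo
    while ip <= hi:
        subnet = ipaddress.ip_network(f"{ip}/{netmask}", strict=False)
        if ip not in (subnet.network_address, subnet.broadcast_address):
            pool.append(str(ip))
        ip += 1
    return pool


@dataclass
class Xlate:
    inside_local: str
    global_ip: str
    last_seen: float  # time of the most recent translated packet


class DynamicNat:
    """Toy model of the PIX translation (xlate) table for a single nat_id."""

    def __init__(self, nat_id, start, end, netmask, xlate_timeout=3 * 3600):
        self.nat_id = nat_id
        self.pool = build_global_pool(start, end, netmask)
        self.free = list(self.pool)       # ascending: the low end is handed out first
        self.table = {}                   # inside_local -> Xlate
        self.timeout = xlate_timeout      # assumed idle timeout (PIX default is 3 hours)

    def outbound(self, src_ip, now):
        """Translate the source of an outbound packet. Returns the global address,
        or None when the pool is exhausted (assumed: packet is not forwarded)."""
        x = self.table.get(src_ip)
        if x is None:
            if not self.free:
                return None
            x = Xlate(src_ip, self.free.pop(0), now)
            self.table[src_ip] = x
        x.last_seen = now
        return x.global_ip

    def expire(self, now):
        """Remove xlates idle for at least the timeout; return the freed globals."""
        freed = []
        for local, x in list(self.table.items()):
            if now - x.last_seen >= self.timeout:
                freed.append(x.global_ip)
                del self.table[local]
        self.free.extend(freed)
        self.free.sort(key=ipaddress.IPv4Address)  # keep low-to-high allocation order
        return freed

    def clear_xlate(self):
        """Equivalent of 'clear xlate': forget every translation and refill the pool."""
        self.table.clear()
        self.free = list(self.pool)

    def show_xlate(self):
        """(global, local) pairs, in the spirit of 'show xlate'."""
        return [(x.global_ip, x.inside_local) for x in self.table.values()]


if __name__ == "__main__":
    nat = DynamicNat(1, "192.0.2.254", "192.0.3.3", "255.255.255.0", xlate_timeout=60)
    print(nat.pool)                              # 192.0.2.255 and 192.0.3.0 are skipped
    print(nat.outbound("10.0.0.5", now=0))       # first host gets the lowest global
    print(nat.outbound("10.0.0.9", now=1))
    print(nat.expire(now=61), nat.show_xlate())  # idle entry freed, its global reusable
```

Note that 192.0.2.255 (broadcast of 192.0.2.0/24) and 192.0.3.0 (network address of 192.0.3.0/24) are excluded because the range crosses a /24 boundary; with a range that stays inside one subnet the pool is simply every address in the range.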
