
Static NAT is used to create a permanent IP address mapping of a specific IP address (real IP address) or range to the translated address (global IP address) or range. The static mapping can be used only by the real address and not shared by other devices. When the real IP address originates traffic, it will use the static mapping only. The configuration command for a static map is as follows:

FWSM(config)# static (internal_if_name, external_if_name) {global address | overload from interface} {real IP address of the host or hosts} netmask netmask

For example: FWSM(config)# static (INSIDE,OUTSIDE) 192.168.18.55 172.16.18.21 netmask 255.255.255.255

This command maps the inside address of 172.16.18.21 to the outside address of 192.168.18.55. This means that if a device on the inside with IP address 172.16.18.21 establishes a connection through the FWSM, the address that it will be translated to would be 192.168.18.21. If the appropriate ACLs permit ingress traffic on the outside interface, a device on the outside would be able to establish a connection to 192.168.18.21, which would be translated to an inside address of 172.16.18.21.

NOTE Make sure no duplicate IP addresses exist on the outside that would correspond to an inside address (inside 172.16.18.21 and outside 192.168.16.21), or you may be spending some time troubleshooting.

In Figure 4-3, the client on the inside has the capability to access the host on the outside, and the host on the outside has the capability to access the client on the inside.

Access from the client to the host is as follows:

Step 1 The client with the IP address of 172.16.18.21 is attempting to connect to the host with the IP address of 192.168.18.254.

Step 2 The FWSM receives the packet and changes the client’s source address to 192.168.18.21, creates an entry in the connection table, and forwards that packet out the outside interface.

Step 3 The host receives the packet and responds to the translated IP address of 192.168.18.21.

Step 4 When the FWSM receives the packet, it changes the destination from 192.168.18.21 to the client’s IP address of 172.16.18.21 and forwards that packet out the inside interface.

Network Address Translation/Port Address Translation 59

Access from the host to the client is as follows:

Step 1 The host with the IP address of 192.168.18.254 is attempting to connect to the client. With static NAT configured on the FWSM, the host will need to access the client’s translated address, which is 192.168.18.21.

Step 2 The FWSM receives the packet and changes the destination address of 192.168.18.21 to the client’s address of 172.16.18.21, creates an entry in the connection table, and forwards that packet out the inside interface.

Step 3 The client receives the packet and responds to the host’s unchanged IP address of 192.168.18.254.

Step 4 When the FWSM receives the packet, it changes the client’s source address from 172.16.18.21 to 192.168.18.21 and forwards that packet out the outside interface.

Did you notice that the host in the previous example believes that it is communicating with the client on the local subnet? The host would not even need to have a default gateway to make this work properly.

Figure 4-3 Static NAT

Additionally, groups of addresses can be translated with a single command:

FWSM(config)# static (INSIDE,OUTSIDE) 192.168.18.0 172.16.18.0 netmask 255.255.255.0

Another capability is outside static NAT. This allows the mapping of an inside address to an outside address, as follows:

FWSM(config)# static (OUTSIDE,INSIDE) 172.16.18.254 192.168.18.254 netmask 255.255.255.255

[Figure 4-3 diagram: host 192.168.18.254 on the outside and client 172.16.18.21 on the inside, with each packet's source and destination addresses as listed in the steps above]

When a connection is attempted from the client to the host, as shown in Figure 4-4, the following outside NAT function occurs:

Step 1 The client with the IP address of 172.16.18.21 is attempting to connect to the host. With outside static NAT configured on the FWSM, the client will need to access the host’s translated address, which is 172.16.18.254.

Step 2 The FWSM receives the packet and changes the destination address of 172.16.18.254 to the host’s address of 192.168.18.254, creates an entry in the connection table, and forwards that packet out the outside interface.

Step 3 The host receives the packet and responds to the client’s original IP address of 172.16.18.21.

Step 4 When the FWSM receives the packet, it changes the source IP address from 192.168.18.254 to the translated IP address of 172.16.18.254 and forwards that packet out the inside interface.

Figure 4-4 Static Outside NAT
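As an added example (not from the book and not Cisco code), the following Python model parses the static command in the form shown above, applies it as the permanent, bidirectional mapping the text describes (including the netmask-based group mapping), and walks the packets of Figures 4-3 and 4-4 through it; it also implements the duplicate-address check from the NOTE. It assumes the FWSM(config)# prompt has been stripped, and its first-match lookup order is a simplification of the FWSM's real behaviour.

```python
import ipaddress
import re

# Matches the page's form: static (real_if,mapped_if) mapped_addr real_addr netmask mask
CMD_RE = re.compile(r"static\s+\((\w+)\s*,\s*(\w+)\)\s+(\S+)\s+(\S+)\s+netmask\s+(\S+)",
                    re.IGNORECASE)

def parse_static(cmd):
    """Return (real_if, mapped_if, mapped_net, real_net) for one static command."""
    m = CMD_RE.fullmatch(cmd.strip())
    if not m:
        raise ValueError(f"not a static command: {cmd!r}")
    real_if, mapped_if, mapped, real, mask = m.groups()
    # A host entry (255.255.255.255) and a group entry (255.255.255.0) both become networks.
    return (real_if.upper(), mapped_if.upper(),
            ipaddress.ip_network(f"{mapped}/{mask}", strict=False),
            ipaddress.ip_network(f"{real}/{mask}", strict=False))

def translate(entries, ingress_if, src, dst):
    """Rewrite (src, dst) of a packet arriving on ingress_if. A static entry works in both
    directions: a real host sourcing traffic gets the mapped address, and traffic aimed at
    the mapped address gets the real one. First matching entry wins (simplification), so
    list host entries before range entries."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress_if = ingress_if.upper()
    for real_if, mapped_if, mapped_net, real_net in entries:
        if ingress_if == real_if and src in real_net:
            src = mapped_net[int(src) - int(real_net.network_address)]  # keep host offset
            break
    for real_if, mapped_if, mapped_net, real_net in entries:
        if ingress_if == mapped_if and dst in mapped_net:
            dst = real_net[int(dst) - int(mapped_net.network_address)]
            break
    return str(src), str(dst)

def duplicate_addresses(entry, hosts_on_mapped_if):
    """The NOTE's pitfall: real hosts on the mapped interface whose addresses fall inside
    the mapped (global) range would be shadowed by the static."""
    _, _, mapped_net, _ = entry
    return [h for h in hosts_on_mapped_if if ipaddress.ip_address(h) in mapped_net]

# Entries taken from the page's own commands, one per figure.
INSIDE_STATIC = parse_static("static (INSIDE,OUTSIDE) 192.168.18.0 172.16.18.0 netmask 255.255.255.0")
OUTSIDE_STATIC = parse_static("static (OUTSIDE,INSIDE) 172.16.18.254 192.168.18.254 netmask 255.255.255.255")

if __name__ == "__main__":
    # Figure 4-3, steps 2 and 4: client 172.16.18.21 appears outside as 192.168.18.21
    print(translate([INSIDE_STATIC], "INSIDE", "172.16.18.21", "192.168.18.254"))
    print(translate([INSIDE_STATIC], "OUTSIDE", "192.168.18.254", "192.168.18.21"))
    # Figure 4-4, steps 2 and 4: host 192.168.18.254 is reached from inside as 172.16.18.254
    print(translate([OUTSIDE_STATIC], "INSIDE", "172.16.18.21", "172.16.18.254"))
    print(translate([OUTSIDE_STATIC], "OUTSIDE", "192.168.18.254", "172.16.18.21"))
    # Constructed outside host list: the /24 group mapping covers 192.168.18.254 itself
    print(duplicate_addresses(INSIDE_STATIC, ["192.168.18.254", "10.1.1.1"]))
```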

If you don’t use this command very often, it might be difficult to remember. Here’s a way that helps: for inside NAT, use static inside-outside outside-inside, and for outside NAT, use static outside-inside inside-outside.

TIP If you can remember that for inside NAT, you use static inside-outside outside-inside, and for outside NAT, you use static outside-inside inside-outside, it might keep you from having to look up the static command every time you need to use it.

Because there is a static mapping of the address, devices on the lower-level interface can access the device on the higher-level interface. The appropriate ingress ACL entry on the lower-level interface is also required.

[Figure 4-4 diagram: host 192.168.18.254 on the outside and client 172.16.18.21 on the inside, with each packet's source and destination addresses before and after translation as listed in the steps above]


Some additional command parameters deserve an explanation at this time. These include the number of simultaneous TCP connections, the number of embryonic connections, Domain Name Service (DNS), norandomseq, Transmission Control Protocol (TCP), and User Datagram Protocol (UDP) options.