Regular NAT uses only the source address/port to identify the real address for translation, whereas policy NAT uses the source address/port combined with the destination address/port.
Figure 6-18 shows how to configure Policy NAT Exemption by using the nat/global command. The source and destination address pair is checked, and address translation is performed accordingly. In this example, when internal hosts in network 10.1.1.0/24 initiate a connection to any host in network 172.16.1.0/24, the source address will be translated to 209.165.202.1-10.
Figure 6-18. Policy NAT
When the same internal hosts in the network 10.1.1.0/24 initiate a connection to any host in network 192.168.1.0/24, the source address will be translated to 209.165.202.130-140 instead. Traffic flow is unidirectional when using the nat/global command, and bidirectional when using the static command.
Order of NAT Processing
When several address translation types are configured on the firewall, their rules can overlap. The firewall matches real (private) addresses against the NAT rules in the following order of processing, until the first match is found.
1. NAT exemption (using the nat 0 access-list command)