Configuring static NAT, Configuring dynamic NAT – Brocade Communications Systems ServerIron ADX 12.4.00a User Manual


ServerIron ADX Security Guide, 53-1002440-03, page 98

Chapter 4: Configuring NAT

Dynamic NAT — Maps private addresses to Internet addresses. The Internet addresses come from a pool of addresses that you configure. For example, you can dynamically translate the private pool 10.1.1.1 - 254 to the global pool 150.1.1.10 - 19. In Figure 6, the pool is the range of addresses from 209.157.1.2/24 to 209.157.1.254/24. With dynamic NAT, the software uses a round-robin technique to select, from the pool you configure, the global IP address to map to a private address.
Dynamic NAT uses Port Address Translation (PAT); without PAT, the return traffic could not be reliably de-multiplexed to the correct internal client, because several private addresses can share one global address.

NOTE

You can configure both dynamic and static NAT on the same device. When you configure both types of NAT, static NAT takes precedence over dynamic NAT. Thus, if you configure a static NAT translation for a private address, the ServerIron ADX always uses that translation instead of creating a dynamic one.

Configuring static NAT

Use the ip nat inside source static command to explicitly map a private address to an Internet address. Static NAT ensures that a specific host in the private network is always mapped to the Internet address you specify.

To map the private address 10.10.10.69 to the Internet address 209.157.1.69, enter a command such as the following.

ServerIronADX(config)# ip nat inside source static 10.10.10.69 209.157.1.69

Syntax: [no] ip nat inside source static <private-ip> <global-ip> [<priority>] list [<acl-id>]

The <private-ip> variable specifies the private IP address.

The <global-ip> variable specifies the Internet (global) IP address. The ServerIron ADX supports up to 255 global IP addresses.

The <priority> variable specifies a value of 1 or 2 and enables static NAT redundancy. A value of 2 is the higher priority: the device configured with priority 2 owns the NAT IP address as long as it is up.

The list parameter applies the access list identified by the <acl-id> variable, so that only the TCP or UDP port numbers the ACL permits are translated.

Configuring dynamic NAT

To configure dynamic NAT, perform the following tasks:

1. Configure a standard or extended ACL for each private address range for which you want to provide NAT.

NOTE

Named ACLs are not supported with NAT. You must use a numbered ACL.

2. Configure a pool for each consecutive range of Internet addresses to which you want NAT to be able to map the private addresses specified in the ACLs. Each pool must contain a range with no gaps. If your Internet address space has gaps, configure a separate pool for each consecutive range within the address space.

3. Associate a range of private addresses (specified in a standard or extended ACL) with a pool.
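The following Python model is an added example, not code from the Brocade manual or the ServerIron ADX itself. It illustrates the behaviour described in the dynamic NAT overview above (static mappings take precedence, the global address is chosen round-robin from a gap-free pool, and PAT gives each flow a distinct global port so return traffic can be de-multiplexed) and the pool rule in the procedure just listed (an address space with gaps is split into one pool per consecutive range). The static mapping is the one shown in the static NAT section; the pool, the ACL range (modelled as a single network in place of a numbered ACL) and the traffic are constructed for the example, and the assumption that a 1:1 static mapping preserves the client's source port is the model's, not the page's.

```python
import ipaddress
from itertools import count


def expand_range(start, end):
    """Return every IPv4 address from start to end inclusive: one gap-free pool."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    return [str(ipaddress.IPv4Address(i)) for i in range(int(first), int(last) + 1)]


def split_into_pools(addresses):
    """Group global addresses into consecutive ranges, one (start, end) pool per range.

    A pool must not contain gaps, so an address space with gaps yields several pools.
    """
    ranges = []
    for ip in sorted({int(ipaddress.IPv4Address(a)) for a in addresses}):
        if ranges and ip == ranges[-1][1] + 1:
            ranges[-1][1] = ip              # extends the current consecutive range
        else:
            ranges.append([ip, ip])         # a gap: start a new pool
    return [(str(ipaddress.IPv4Address(a)), str(ipaddress.IPv4Address(b))) for a, b in ranges]


class NatTable:
    """Outbound translation (static first, then round-robin pool with PAT) plus the
    reverse lookup the device needs for return traffic."""

    def __init__(self, static, pool, inside_acl, first_port=1024):
        self.static = dict(static)                          # private -> global, 1:1
        self.pool = list(pool)                              # gap-free global addresses
        self.inside_acl = ipaddress.ip_network(inside_acl)  # stands in for the numbered ACL (simplification)
        self._rr = count()                                  # round-robin cursor over the pool
        self._next_port = {g: first_port for g in self.pool}  # PAT port allocator per global IP
        self.forward = {}                                   # (private, sport) -> (global, gport)
        self.reverse = {}                                   # (global, gport) -> (private, sport)

    def translate_out(self, private_ip, sport):
        """Return (global_ip, global_port) for an outbound flow, or None if the ACL does not permit it."""
        key = (private_ip, sport)
        if key in self.forward:
            return self.forward[key]                        # existing session keeps its mapping
        if private_ip in self.static:
            # Static NAT takes precedence over dynamic NAT. Assumption of this model:
            # a 1:1 static mapping keeps the original source port.
            mapping = (self.static[private_ip], sport)
        elif ipaddress.IPv4Address(private_ip) in self.inside_acl:
            global_ip = self.pool[next(self._rr) % len(self.pool)]  # round robin over the pool
            gport = self._next_port[global_ip]                       # PAT: distinct port per global IP
            self._next_port[global_ip] += 1
            mapping = (global_ip, gport)
        else:
            return None                                     # not permitted by the ACL: no translation
        if mapping in self.reverse:
            raise RuntimeError(f"{mapping} already in use; return traffic would be ambiguous")
        self.forward[key] = mapping
        self.reverse[mapping] = key
        return mapping

    def translate_in(self, global_ip, gport):
        """Map return traffic back to (private_ip, sport), or None if there is no session."""
        return self.reverse.get((global_ip, gport))


if __name__ == "__main__":
    # Constructed example: the page's static mapping plus a two-address dynamic pool.
    nat = NatTable(static={"10.10.10.69": "209.157.1.69"},
                   pool=expand_range("209.157.1.2", "209.157.1.3"),
                   inside_acl="10.10.10.0/24")
    for host in ("10.10.10.69", "10.10.10.5", "10.10.10.6", "10.10.10.7"):
        print(host, "->", nat.translate_out(host, 40000))   # all four clients use source port 40000
    print("return to 209.157.1.2:1025 ->", nat.translate_in("209.157.1.2", 1025))
    print(split_into_pools(["209.157.1.2", "209.157.1.3", "209.157.1.9", "209.157.1.10", "209.157.1.4"]))
```

Running the script shows why PAT is required: three dynamic clients that all use source port 40000 land on only two global addresses, and the third client shares 209.157.1.2 with the first. Only the distinct global port (1024 versus 1025) lets a reply to 209.157.1.2 be returned to the right internal host, while the static client always gets 209.157.1.69 regardless of the pool.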
