Cisco IOS XR Virtual Firewall Configuration Guide, Release 3.8
Configuring Network Address Translation on the Virtual Firewall



This module describes network address translation (NAT) on the Virtual Firewall application.

Feature History for Configuring Network Address Translation on the VFW Application

Release         Modification
Release 3.5.0   This feature was introduced on the multiservice blade (MSB) for the Cisco XR 12000 Series Router.
Release 3.6.0   No modification.
Release 3.7.0   No modification.
Release 3.8.0   No modification.


Contents

Information About Network Address Translation

How to Configure NAT and PAT

Configuration Examples for NAT

Additional References

Information About Network Address Translation

When a client attempts to access a server in a data center, the client incorporates its IP address in the IP header when it connects to the server. A VFW placed between the client and the server can either preserve the client IP address or translate that IP address to a routable address in the server network, based on a pool of reserved dynamic NAT addresses or a static NAT address mapping, and pass the request on to the server.

This IP address translation process is called network address translation (NAT) or source NAT (SNAT). The VFW application keeps track of all SNAT mappings to ensure that response packets from the server are routed back to the client. If your application requires that the client IP address be preserved for statistical or accounting purposes, do not implement SNAT.

To provide security for a server, you can map the server private IP address to a global routable IP address that a client can use to connect to the server. In this case, the VFW application translates the global IP address to the server private IP address when sending data from the client to the server. Conversely, when a server responds to a client, the VFW application translates the local server IP address to a global IP address for security reasons. This process is called Destination NAT (DNAT).

DNAT translates the IP address and port of an inside host so that it appears with a publicly addressable destination IP address to the rest of the world. Typically, you configure DNAT using static NAT and port redirection. You can use port redirection to configure servers hosting a service on a custom port (for example, servers hosting HTTP on port 8080).

You can also configure the VFW application to translate TCP and User Datagram Protocol (UDP) port numbers greater than 1024, and Internet Control Message Protocol (ICMP) identifiers. This process is known as port address translation (PAT). The VFW application provides 64 K minus 1 K ports for each IP address for PAT. Ports 0 through 1024 are reserved and cannot be used for PAT.

This section contains the following subsections:

Benefits of Using NAT

Dynamic NAT

Dynamic PAT

Static NAT

Static Port Redirection

Maximum Number of NAT Statements

Global Address Guidelines

Benefits of Using NAT

You can use private addresses on your inside networks. Private addresses are not routable on the Internet.

NAT hides the local addresses from other networks, so attackers cannot learn the real address of a server in the data center.

You can resolve IP routing problems such as overlapping addresses when you have two interfaces connected to overlapping subnets.

The VFW application provides the following types of NAT and PAT:

Dynamic NAT

Dynamic PAT

Static NAT

Static port redirection

Dynamic NAT

Dynamic NAT, typically used for SNAT, translates a group of local source addresses to a pool of global source addresses that are routable on the destination network. The global pool can include fewer addresses than the local group. When a local host accesses the destination network, the VFW application assigns the host an IP address from the global pool. Because translation times out after being idle for a user-configurable period of time, a given user does not keep the same IP address. Users on the destination network, therefore, cannot reliably initiate a connection to a host that uses dynamic NAT (even if the connection is allowed by an access control list [ACL]). Not only can you not predict the global IP address of the host, but the VFW application does not create a translation at all unless the local host is the initiator. See the "Configuring Static NAT" section for reliable access to hosts.


Note For the duration of the translation, a global host can initiate a connection to the local host if an ACL allows it. Because the address is unpredictable, a connection to the host is unlikely. However, in this case, you can rely on the security of the ACL.


Dynamic NAT has these disadvantages:

If the global address pool has fewer addresses than the local group, you could run out of addresses if the amount of traffic is greater than expected.

Use dynamic PAT if this event occurs often, because dynamic PAT provides over 64,000 translations using multiple ports of a single IP address.

If you have to use a large number of routable addresses in the global pool and the destination network requires registered addresses (for example, the Internet), you may encounter a shortage of usable addresses.

The VFW application supports a maximum of 4 M SNAT sessions.

The advantage of dynamic NAT is that some protocols cannot use dynamic PAT. Dynamic PAT does not work with some applications that have a data stream on one port and the control path on another, such as some multimedia applications.

Dynamic PAT

Dynamic PAT, also used for SNAT, translates multiple local source addresses and ports to a single global IP address and port that are routable on the destination network from a pool of IP addresses and ports reserved for this purpose. Specifically, the VFW application translates the local address and local port for multiple connections or hosts to a single global address and a unique port starting with port numbers greater than 1024.

When a local host connects to the destination network on a given source port, the VFW application assigns the global IP address to it and a unique port number. Each host receives the same IP address, but because the source port numbers are unique, the VFW application sends the return traffic, which includes the IP address and port number as the destination, to the correct host.

The VFW application supports over 64,000 ports for each unique local IP address. Because the translation is specific to the local address and local port, each connection, which generates a new source port, requires a separate translation. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.

The translation remains in place only for the duration of the connection, so a given user does not keep the same global IP address and port number. Users on the destination network, therefore, cannot reliably initiate a connection to a host that uses dynamic PAT (even if the connection is allowed by an ACL). Not only can you not predict the local or global port number of the host, but the VFW application does not create a translation at all unless the local host is the initiator. See the "Configuring Static NAT" section for reliable access to hosts.

With dynamic PAT you can use a single global address, thus conserving routable addresses. Dynamic PAT does not work with some multimedia applications that have a data stream on a port that is different from the control path port.

Static NAT

Static NAT, typically used for DNAT, translates each local address to a fixed global address. With dynamic NAT and PAT, each host uses a different address or port after the translation times out. Because the global address is the same for each consecutive connection with static NAT, and a persistent translation rule exists, static NAT allows hosts on the global network to initiate traffic to a local host (if there is an ACL that allows it).

The main differences between dynamic NAT and static NAT are:

Static NAT uses a one-to-one correspondence between local IP addresses and fixed global IP addresses, while dynamic NAT uses a pool of global addresses whose use is unpredictable.

With static NAT, you need an equal number of global IP addresses and local IP addresses. With dynamic NAT, you can have a pool of fewer global addresses than local addresses.

Static Port Redirection

Static port redirection, also used for DNAT, performs the same function as static NAT and additionally translates TCP or UDP ports or ICMP identifiers for the local and global addresses. With static port redirection, you can use the same global address in multiple static NAT statements, provided that, along with the address, you use different port numbers.

For example, if you want to provide a single address for global users to access FTP, HTTP, and SMTP, but there are different servers for each protocol on the local network, you can specify static port redirection statements for each server that uses the same global IP address, but different ports.
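To make the four translation types above concrete (dynamic NAT, dynamic PAT, static NAT and static port redirection), here is an added Python model of a translation (xlate) table. It is an illustration written for this page, not Cisco code; it assumes PAT ports are handed out sequentially from 1025 and that idle dynamic translations are removed after a configurable timeout, and it shows why only the static entries are reliably reachable from the global side.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]          # (IP address, port); port 0 means "whole address"

PAT_FIRST_PORT = 1025               # ports 0 through 1024 are reserved, per the page
PAT_LAST_PORT = 65535               # so "64 K minus 1 K" ports are usable per address


@dataclass
class Xlate:
    local: Endpoint
    glob: Endpoint
    kind: str                       # "dynamic-nat" or "dynamic-pat"
    last_used: float


@dataclass
class NatTable:
    pool: List[str]                 # nat-pool addresses for dynamic NAT (no pat keyword)
    pat_address: str                # the single global address used for dynamic PAT
    idle_timeout: float = 300.0     # a dynamic translation dies after this much idle time
    xlates: Dict[Endpoint, Xlate] = field(default_factory=dict)
    statics: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # global -> local
    _next_pat_port: int = PAT_FIRST_PORT

    # Static NAT (port 0 on both sides) or static port redirection: persistent rule.
    def add_static(self, local: Endpoint, glob: Endpoint) -> None:
        self.statics[glob] = local

    def _static_for_local(self, local: Endpoint) -> Optional[Endpoint]:
        for glob, loc in self.statics.items():
            if loc == local or (loc[1] == 0 and loc[0] == local[0]):
                return glob if glob[1] else (glob[0], local[1])
        return None

    # Idle dynamic translations time out, which frees their global address or port.
    def expire(self, now: float) -> None:
        dead = [k for k, x in self.xlates.items() if now - x.last_used > self.idle_timeout]
        for k in dead:
            del self.xlates[k]

    # Outbound: the local host is the initiator, so a translation may be created.
    def outbound(self, local: Endpoint, now: float, mode: str) -> Endpoint:
        self.expire(now)
        fixed = self._static_for_local(local)
        if fixed:
            return fixed
        if mode == "pat":
            key = local                          # one xlate per local address AND port
            if key not in self.xlates:
                if self._next_pat_port > PAT_LAST_PORT:
                    raise RuntimeError("PAT ports exhausted on %s" % self.pat_address)
                glob = (self.pat_address, self._next_pat_port)
                self._next_pat_port += 1
                self.xlates[key] = Xlate(local, glob, "dynamic-pat", now)
        elif mode == "nat":
            key = (local[0], 0)                  # one xlate per local address; port unchanged
            if key not in self.xlates:
                busy = {x.glob[0] for x in self.xlates.values() if x.kind == "dynamic-nat"}
                free = [ip for ip in self.pool if ip not in busy]
                if not free:
                    raise RuntimeError("NAT pool exhausted; consider the pat keyword")
                self.xlates[key] = Xlate(key, (free[0], 0), "dynamic-nat", now)
        else:
            raise ValueError("mode must be 'nat' or 'pat'")
        x = self.xlates[key]
        x.last_used = now
        return x.glob if x.glob[1] else (x.glob[0], local[1])

    # Inbound: a global host is the initiator.  Static rules always answer; a dynamic
    # xlate answers only while it exists, and nothing is created for an unknown flow.
    def inbound(self, glob: Endpoint, now: float) -> Optional[Endpoint]:
        if glob in self.statics:
            return self.statics[glob]
        if (glob[0], 0) in self.statics:
            return (self.statics[(glob[0], 0)][0], glob[1])
        self.expire(now)
        for x in self.xlates.values():
            if x.glob == glob or (x.glob[1] == 0 and x.glob[0] == glob[0]):
                x.last_used = now
                return x.local if x.local[1] else (x.local[0], glob[1])
        return None
```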

Maximum Number of NAT Statements

The VFW application supports the following maximum numbers of nat, nat-pool, and static commands divided among all contexts:

nat command—8 K

nat-pool command—8 K

static command—8 K

Global Address Guidelines

When you translate the local address to a global address, you can use the following global addresses:

Addresses on the same network as the global interface.

If you use addresses on the same network as the global interface (through which traffic exits the VFW application), the VFW application uses proxy Address Resolution Protocol (ARP) to answer any requests for translated addresses, and thus intercepts traffic destined for a local address. This solution simplifies routing, because the VFW application does not have to be the gateway for any additional networks. However, this approach does put a limit on the number of available addresses used for translations.

You cannot use the IP address of the global interface for NAT or PAT.

Addresses on a unique network.

If you need more addresses than are available on the global interface network, you can identify addresses on a different subnet. The VFW application uses proxy ARP to answer any requests for translated addresses, so it intercepts traffic destined for a local address. You need to add a static route on the upstream router that sends traffic destined for the translated addresses to the VFW application.

You cannot configure global IP address ranges across subnets. For example, the following command is not allowed; if used, it generates an "Invalid IP address!" error: nat-pool 2 10.0.6.1 10.0.7.20 netmask 255.255.255.0

You must configure a netmask when configuring a NAT pool. A netmask of 255.255.255.255 instructs the VFW application to use all the IP addresses in the range.
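The guidelines above, together with the nat-pool limits stated in Step 7 of the dynamic NAT procedure, can be checked before a line is committed. The following checker is an added example written for this page, not Cisco code: it parses one nat-pool command and reports the rules the page states (netmask required, range confined to one subnet unless the mask is 255.255.255.255, at most 64 K addresses, at most 32 with the pat keyword, and the global interface address excluded from the pool). The global interface address is passed in separately because the command line does not carry it.

```python
import ipaddress
from typing import List

MAX_POOL_ADDRESSES = 64 * 1024        # "maximum of 64 K addresses in a NAT pool"
MAX_PAT_POOL_ADDRESSES = 32           # "maximum of 32 IP addresses" when pat is given
MAX_NAT_ID = 2147483647               # nat_id range stated in Step 7
ALL_ONES = ipaddress.IPv4Address("255.255.255.255")


def check_nat_pool_line(line: str, global_interface_ip: str) -> List[str]:
    """Return the problems found in one nat-pool command (an empty list means OK)."""
    problems: List[str] = []
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "nat-pool":
        return ["not a complete nat-pool command: %r" % line]
    try:
        nat_id = int(tokens[1])
    except ValueError:
        return ["nat_id must be an integer"]
    if not 1 <= nat_id <= MAX_NAT_ID:
        problems.append("nat_id must be between 1 and %d" % MAX_NAT_ID)

    # Syntax: nat-pool nat_id ip_address1 [ip_address2] netmask mask [pat]
    ip1 = tokens[2]
    idx = 3
    ip2 = None
    if tokens[idx] != "netmask":
        ip2 = tokens[idx]
        idx += 1
    if idx + 1 >= len(tokens) or tokens[idx] != "netmask":
        problems.append("netmask keyword and mask are required")
        return problems
    mask_str = tokens[idx + 1]
    pat = "pat" in tokens[idx + 2:]

    try:
        first = ipaddress.IPv4Address(ip1)
        last = ipaddress.IPv4Address(ip2) if ip2 else first
        mask = ipaddress.IPv4Address(mask_str)
        iface = ipaddress.IPv4Address(global_interface_ip)
    except ValueError as exc:
        return ["malformed address or mask: %s" % exc]
    if last < first:
        return ["ip_address2 must not be lower than ip_address1"]

    # A range may not cross subnets; the VFW rejects it with "Invalid IP address!".
    # A mask of 255.255.255.255 means "use every address in the range", so the
    # subnet check does not apply to it.
    if mask != ALL_ONES:
        try:
            subnet = ipaddress.IPv4Network((ip1, mask_str), strict=False)
        except ValueError:
            return ["invalid netmask %s" % mask_str]
        if last not in subnet:
            problems.append("Invalid IP address! %s-%s crosses subnet %s" % (first, last, subnet))

    count = int(last) - int(first) + 1
    if count > MAX_POOL_ADDRESSES:
        problems.append("%d addresses exceed the %d-address pool limit" % (count, MAX_POOL_ADDRESSES))
    if pat and count > MAX_PAT_POOL_ADDRESSES:
        problems.append("%d addresses exceed the %d-address limit for a PAT pool"
                        % (count, MAX_PAT_POOL_ADDRESSES))
    if first <= iface <= last:
        problems.append("global interface address %s cannot be used for NAT or PAT" % iface)
    return problems
```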

How to Configure NAT and PAT

Configuring Dynamic NAT and PAT

Configuring Static NAT

Displaying IP Address and Port Translations

Clearing Xlates

Configuring Dynamic NAT and PAT

This task describes how to configure dynamic NAT and PAT on a VFW for source NAT.

Prerequisites

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section.

SUMMARY STEPS

1. changeto context_name

2. configure

3. access-list name [line number] extended {deny | permit} protocol {src_ip_address netmask | any | host src_ip_address} [operator port1 [port2]] {dest_ip_address netmask | any | host dest_ip_address} [operator port3 [port4]]

4. interface interface_name

5. exit

6. interface interface_name

7. nat-pool nat_id ip_address1 [ip_address2] netmask mask [pat]

8. exit

9. class-map match-any map_name

10. [line_number] match access-list ACL_name

11. exit

12. policy-map multi-match map_name

13. class map_name

14. nat dynamic nat_id interface interface_name

15. exit

16. exit

17. interface interface_name

18. service-policy input policy_name

19. end

20. copy running-config startup-config

21. show running-config

DETAILED STEPS

 
Command or Action    Purpose

Step 1 

changeto context_name

Example:

firewall/Admin# changeto C1

firewall/C1#

Logs in to the correct context. If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the desired context.

Note For details on creating contexts, see Configuring Virtualization on the Virtual Firewall.

Step 2 

configure

Example:

firewall/C1# configure

Enter configuration commands, one per line. End with CNTL/Z.

firewall/C1(config)#

Enters global configuration mode. You are now within configuration mode of the VFW application.

Step 3 

access-list name [line number] extended {deny | permit} protocol {src_ip_address netmask | any | host src_ip_address} [operator port1 [port2]] {dest_ip_address netmask | any | host dest_ip_address} [operator port3 [port4]]

Example:
firewall/C1(config)# access-list NAT_ACCESS extended permit tcp 192.168.12.0 255.255.255.0 172.27.16.0 255.255.255.0 eq 80

Configures an extended ACL to allow traffic that requires NAT. For details about configuring an ACL, see Configuring Security Access Control Lists on the Virtual Firewall.

Step 4 

interface interface_name

Example:
firewall/C1(config)# interface int_local

Configures a local interface to receive traffic that requires NAT.

Step 5 

exit

Example:

firewall/C1(config-if)# exit

firewall/C1(config)#

Exits interface configuration mode.

Step 6 

interface interface_name

Example:
firewall/C1(config)# interface int_global

Configures a second interface that is the global interface and will include the global IP address pool.

Step 7 

nat-pool nat_id ip_address1 [ip_address2] netmask mask [pat]

Example:
firewall/C1(config-if)# nat-pool 1 172.27.16.10 172.27.16.41 netmask 255.255.255.0 pat

Configures a global IP address pool on the interface. To configure dynamic PAT, include the pat keyword in the nat-pool command. The keywords, arguments, and options are:

nat_id—Identifier of the NAT pool of global IP addresses. Enter an integer from 1 to 2147483647.

Note If you configure more than one NAT pool with the same ID, the VFW application uses the last-configured NAT pool first, then the other NAT pools.

ip_address1—Single IP address, or if also using the ip_address2 argument, the first IP address in a range of global addresses used for NAT.

ip_address2—(Optional) Highest IP address in a range of global IP addresses used for NAT. You can configure a maximum of 64 K addresses in a NAT pool.

If you specify PAT, you can configure a maximum of 32 IP addresses in a NAT pool range. You cannot configure an IP address range across subnets. For example, the following command is not allowed and will generate an Invalid IP address error: nat-pool 2 10.0.6.1 10.0.7.20 netmask 255.255.255.0

netmask mask— Subnet mask for the IP address pool.

pat—(Optional) Specifies that the VFW application perform port address translation (PAT) in addition to NAT.

Step 8 

exit

Example:

firewall/C1(config-if)# exit

firewall/C1(config)#

Exits interface configuration mode.

Step 9 

class-map match-any map_name

Example:
firewall/C1(config)# class-map match-any NAT_CLASS

Configures a class map for NAT.

Step 10 

[line_number] match access-list ACL_name

Example:
firewall/C1(config-cmap)# match access-list NAT_ACCESS

Defines a match statement for the ACL you configured in Step 3 for the client source address. Refer to the Class Map Commands on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Command Reference for more information on match command syntax.

Step 11 

exit

Example:

firewall/C1(config-cmap)# exit

firewall/C1(config)#

Exits class map configuration mode.

Step 12 

policy-map multi-match map_name

Example:
firewall/C1(config)# policy-map multi-match NAT_POLICY

Configures a policy map.

Step 13 

class map_name

Example:
firewall/C1(config-pmap)# class NAT_CLASS

Associates the defined class map with the policy map.

Step 14 

nat dynamic nat_id interface interface_name

Example:
firewall/C1(config-pmap-c)# nat dynamic 1 interface int_global

Configures dynamic NAT as a policy-map action. The VFW application applies the dynamic NAT from the local interface attached to the traffic policy (through the service-policy interface configuration command) to the interface specified in the nat command. The interface_name argument specifies the global interface for which you are configuring NAT.

Step 15 

exit

Example:

firewall/C1(config-pmap-c)# exit

firewall/C1(config-pmap)#

Exits policy map class configuration mode.

Step 16 

exit

Example:

firewall/C1(config-pmap)# exit

firewall/C1(config)#

Exits policy map configuration mode.

Step 17 

interface interface_name

Example:
firewall/C1(config)# interface int_local

Enters interface configuration mode for the local interface.

Step 18 

service-policy input policy_name

Example:
firewall/C1(config-if)# service-policy input NAT_POLICY

Activates the policy on an interface using a service policy.

Step 19 

end

Example:

firewall/C1(config-if)# end

firewall/C1#

Exits configuration mode and returns to EXEC mode.

Step 20 

copy running-config startup-config

Example:

firewall/C1# copy running-config startup-config

(Optional) Saves your configuration changes to flash memory.

Step 21 

show running-config

Example:

firewall/C1# show running-config class-map

firewall/C1# show running-config policy-map

(Recommended) Displays and verifies your dynamic NAT and PAT configuration.

Configuring Static NAT

This task describes how to configure static NAT, including static port redirection, on a VFW for destination NAT.

Prerequisites

You must attach from the route processor to the VFW application before you can perform this task. See the "Attaching to the VFW Application" section.

SUMMARY STEPS

1. changeto context_name

2. configure

3. access-list name [line number] extended {deny | permit} protocol {src_ip_address netmask | any | host src_ip_address} [operator port1 [port2]] {dest_ip_address netmask | any | host dest_ip_address} [operator port3 [port4]]

4. interface interface_name

5. no shutdown

6. exit

7. interface interface_name

8. no shutdown

9. exit

10. class-map match-any map_name

11. [line_number] match access-list ACL_name

12. exit

13. policy-map multi-match map_name

14. class map_name

15. nat static ip_address netmask mask [{tcp | udp} eq port] interface interface_name

16. exit

17. exit

18. interface interface_name

19. service-policy input policy_name

20. end

21. copy running-config startup-config

22. show running-config

DETAILED STEPS

 
Command or Action    Purpose

Step 1 

changeto context_name

Example:

firewall/Admin# changeto C1

firewall/C1#

Logs in to the correct context. If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the desired context.

Note For details on creating contexts, see Configuring Virtualization on the Virtual Firewall.

Step 2 

configure

Example:

firewall/C1# configure

Enter configuration commands, one per line. End with CNTL/Z.

firewall/C1(config)#

Enters global configuration mode. You are now within configuration mode of the VFW application.

Step 3 

access-list name [line number] extended {deny | permit} protocol {src_ip_address netmask | any | host src_ip_address} [operator port1 [port2]] {dest_ip_address netmask | any | host dest_ip_address} [operator port3 [port4]]

Example:
firewall/C1(config)# access-list ACL1 line 10 extended permit tcp 10.0.0.0 255.0.0.0 eq 8080 any

Configures an ACL to allow traffic that requires NAT. For details about configuring an ACL, see the "Configuring Security Access Control Lists on the Virtual Firewall" module.

Step 4 

interface interface_name

Example:
firewall/C1(config)# interface int_local

Configures a local interface to filter and receive traffic that requires NAT.

Step 5 

no shutdown

Example:

firewall/C1(config-if)# no shutdown

firewall/C1(config-if)#

Enables the interface.

Step 6 

exit

Example:

firewall/C1(config-if)# exit

firewall/C1(config)#

Exits interface configuration mode.

Step 7 

interface interface_name

Example:
firewall/C1(config)# interface int_global

Configures a second interface (global interface) for performing NAT.

Step 8 

no shutdown

Example:

firewall/C1(config-if)# no shutdown

firewall/C1(config-if)#

Enables the interface.

Step 9 

exit

Example:

firewall/C1(config-if)# exit

firewall/C1(config)#

Exits interface configuration mode.

Step 10 

class-map match-any map_name

Example:
firewall/C1(config)# class-map match-any NAT_CLASS

Configures a class map.

Step 11 

[line_number] match access-list ACL_name

Example:
firewall/C1(config-cmap)# match access-list ACL1

Defines a match statement for the ACL you configured in Step 3 for the client source address. Refer to the Class Map Commands on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Command Reference for more information on match command syntax.

Step 12 

exit

Example:

firewall/C1(config-cmap)# exit

firewall/C1(config)#

Exits class map configuration mode.

Step 13 

policy-map multi-match map_name

Example:
firewall/C1(config)# policy-map multi-match NAT_POLICY

Configures a policy map.

Step 14 

class map_name

Example:
firewall/C1(config-pmap)# class NAT_CLASS

Associates the defined class map with the policy map.

Step 15 

nat static ip_address netmask mask [{tcp | udp} eq port] interface interface_name

Example:
firewall/C1(config-pmap-c)# nat static 192.0.0.0 netmask 255.0.0.0 tcp eq 80 interface int_global

Configures static NAT as a policy-map action. The ip_address and mask arguments specify the global address (or network) that clients connect to; the optional tcp or udp keyword with eq port adds static port redirection, mapping that global port to the port of the server matched by the ACL. The interface_name argument specifies the global interface for which you are configuring static NAT.

Step 16 

exit

Example:

firewall/C1(config-pmap-c)# exit

firewall/C1(config-pmap)#

Exits policy map class configuration mode.

Step 17 

exit

Example:

firewall/C1(config-pmap)# exit

firewall/C1(config)#

Exits policy map configuration mode.

Step 18 

interface interface_name

Example:
firewall/C1(config)# interface int_local

Enters interface configuration mode for the local interface.

Step 19 

service-policy input policy_name

Example:
firewall/C1(config-if)# service-policy input NAT_POLICY

Activates the policy on an interface using a service policy.

Step 20 

end

Example:

firewall/C1(config-if)# end

firewall/C1#

Exits configuration mode and returns to EXEC mode.

Step 21 

copy running-config startup-config

Example:

firewall/C1# copy running-config startup-config

(Optional) Saves your configuration changes to flash memory.

Step 22 

show running-config

Example:

firewall/C1# show running-config class-map

firewall/C1# show running-config policy-map

(Recommended) Displays and verifies your static NAT configuration.

Displaying IP Address and Port Translations

To display IP address and port translation (Xlate) information, use the show xlate command in EXEC mode. For example, enter:

firewall/Admin# show xlate global 172.27.16.3 172.27.16.10 netmask 255.255.255.0 gport 100 200

You can also use the show conn command to display NAT information. See the examples in the following sections.

Dynamic NAT Example

The following sample output of the show xlate command illustrates dynamic NAT (SNAT in this example). When a user Telnets from 172.27.16.5 in interface x, the VFW application translates it to 192.168.100.1 in interface x+1.

firewall/Admin# show xlate global 192.168.100.1 192.168.100.10
NAT from interface0:172.27.16.5 to interface1:192.168.100.1 count:1

Dynamic PAT Example

The following example illustrates dynamic PAT. When a user Telnets from 172.27.16.5 in interface x, the VFW application translates it to 192.168.201.1 in interface x+1.

firewall/Admin# show xlate
TCP PAT from interface0:172.27.16.5/38097 to interface1:192.168.201.1/1025

Static NAT Example

The following example illustrates static NAT. The VFW application maps a real IP address (172.27.16.5) to 192.168.210.1.

firewall/Admin# show xlate
NAT from interface0:172.27.16.5 to interface1:192.168.210.1 count:1
firewall/Admin# show conn
total current connections : 4
conn-id    dir prot interface           source           destination           state
-------+---+---+----+-------------------+----------------+---------------------+----+
13         in  TCP  inside_20_20_09_xx  20.20.9.2:33739  20.20.10.2:21         ESTAB
14         out TCP  outside             20.20.10.2:21    20.20.9.2:33739       ESTAB
16         in  UDP  inside_20_20_09_xx  20.20.9.2:33217  20.20.10.2:53         --  
15         out UDP  outside             20.20.10.2:53    20.20.9.2:33217       --  

Static Port Redirection (Static PAT)

The following example illustrates static port redirection (DNAT in this example). A host at 192.168.0.10:37766 telnets to 192.168.211.1:3030 on interface1 on the VFW application. The VFW application maps 172.27.0.5:23 on interface0 to 192.168.211.1:3030 on interface1.

firewall/Admin# show xlate
TCP PAT from interface0:172.27.0.5/23 to interface1:192.168.211.1/3030
Mar 24 2006 20:05:41 : %ACE-7-111009: User 'admin' executed cmd: sh xlate
firewall/Admin# show conn
total current connections : 4
conn-id    dir prot interface           source           destination           state
-------+---+---+----+-------------------+----------------+---------------------+----+
13         in  TCP  inside_20_20_09_xx  20.20.9.2:33739  20.20.10.2:21         ESTAB
14         out TCP  outside             20.20.10.2:21    20.20.9.2:33739       ESTAB
16         in  UDP  inside_20_20_09_xx  20.20.9.2:33217  20.20.10.2:53         --  
15         out UDP  outside             20.20.10.2:53    20.20.9.2:33217       -- 
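The show xlate lines in the examples above have a regular shape, so they can be parsed for two questions an operator often has to answer: which local host was behind a given global address and port (the forensic question after an incident report naming a translated address), and how close a global address is to running out of PAT ports. The following parser is an added example written for this page, not Cisco code; the sample output is constructed from the line formats shown above, and the interleaved syslog line and prompts are deliberately included to show they are skipped.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

PAT_PORTS_PER_ADDRESS = 65535 - 1024          # "64 K minus 1 K" usable PAT ports per address

# Matches "NAT from ifA:ip to ifB:ip count:N" and "TCP PAT from ifA:ip/port to ifB:ip/port".
XLATE_RE = re.compile(
    r"^(?:(?P<proto>TCP|UDP|ICMP)\s+)?(?P<kind>NAT|PAT)\s+from\s+"
    r"(?P<local_if>[^:\s]+):(?P<local_ip>[\d.]+)(?:/(?P<local_port>\d+))?\s+to\s+"
    r"(?P<global_if>[^:\s]+):(?P<global_ip>[\d.]+)(?:/(?P<global_port>\d+))?"
    r"(?:\s+count:(?P<count>\d+))?\s*$"
)

# Constructed sample modelled on the show xlate lines on this page (not a real capture).
SAMPLE_OUTPUT = """firewall/Admin# show xlate
NAT from interface0:172.27.16.5 to interface1:192.168.100.1 count:1
TCP PAT from interface0:172.27.16.5/38097 to interface1:192.168.201.1/1025
TCP PAT from interface0:172.27.16.6/40001 to interface1:192.168.201.1/1026
UDP PAT from interface0:172.27.16.6/53000 to interface1:192.168.201.1/1027
TCP PAT from interface0:172.27.0.5/23 to interface1:192.168.211.1/3030
Mar 24 2006 20:05:41 : %ACE-7-111009: User 'admin' executed cmd: sh xlate
firewall/Admin#
"""


def parse_show_xlate(output: str) -> List[dict]:
    """Return one dict per translation line; prompts, syslog and blank lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        for key in ("local_port", "global_port", "count"):
            row[key] = int(row[key]) if row[key] is not None else None
        rows.append(row)
    return rows


def local_for_global(rows: List[dict], global_ip: str,
                     global_port: int) -> Optional[Tuple[str, int]]:
    """Which local address/port sat behind global_ip:global_port?  PAT lines carry the
    port; an address-only NAT line covers every port of that global address."""
    for r in rows:
        if r["global_ip"] != global_ip:
            continue
        if r["kind"] == "PAT" and r["global_port"] == global_port:
            return (r["local_ip"], r["local_port"])
        if r["kind"] == "NAT":
            return (r["local_ip"], global_port)   # address-only translation keeps the port
    return None


def pat_port_usage(rows: List[dict]) -> Dict[str, int]:
    """PAT ports in use per global address (each PAT xlate consumes one port)."""
    used: Dict[str, int] = defaultdict(int)
    for r in rows:
        if r["kind"] == "PAT":
            used[r["global_ip"]] += 1
    return dict(used)


def pat_headroom_warnings(rows: List[dict], threshold: float = 0.9) -> List[str]:
    """Warn when a global address has used the given fraction of its PAT ports."""
    warnings = []
    for ip, n in sorted(pat_port_usage(rows).items()):
        if n >= threshold * PAT_PORTS_PER_ADDRESS:
            warnings.append("%s: %d of %d PAT ports in use" % (ip, n, PAT_PORTS_PER_ADDRESS))
    return warnings


if __name__ == "__main__":
    xlates = parse_show_xlate(SAMPLE_OUTPUT)
    print(len(xlates), "translations; behind 192.168.201.1:1026 ->",
          local_for_global(xlates, "192.168.201.1", 1026))
```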

Clearing Xlates

To clear global address to local address mapping information based on global address, global port, local address, local port, interface address as global address, and NAT type, use the clear xlate command in EXEC mode. When you use this command, the VFW application releases sessions that are using the translations (Xlates).


Note If you configured redundancy, then you need to explicitly clear Xlates on both the active and the standby VFWs. Clearing Xlates on the active module alone leaves the standby module's Xlates at the old mappings.


For example, to clear all static translations, enter:

firewall/Admin# clear xlate state static

Configuration Examples for NAT

The following sections show typical scenarios that use dynamic and static NAT solutions:

Dynamic NAT and PAT: Example

Static Port Redirection: Example

Dynamic NAT and PAT: Example

The following dynamic NAT and PAT (SNAT) example provides the commands necessary to configure dynamic NAT and PAT on your VFW application. In this SNAT example, packets ingressing the VFW application from the 192.168.12.0 network are translated to one of the IP addresses in the NAT pool defined on interface int2 by the nat-pool command. The pat keyword in this command line indicates that ports higher than 1024 are also translated.

firewall/C1# configure
firewall/C1(config)# access-list NAT_ACCESS line 10 extended permit tcp 192.168.12.0 255.255.255.0 172.27.16.0 255.255.255.0 eq http
firewall/C1(config)# class-map match-any NAT_CLASS
firewall/C1(config-cmap)# match access-list NAT_ACCESS
firewall/C1(config-cmap)# exit
firewall/C1(config)# policy-map multi-match NAT_POLICY
firewall/C1(config-pmap)# class NAT_CLASS
firewall/C1(config-pmap-c)# nat dynamic 1 interface int2
firewall/C1(config-pmap-c)# exit
firewall/C1(config-pmap)# exit
firewall/C1(config)# interface int1
firewall/C1(config-if)# service-policy input NAT_POLICY
firewall/C1(config-if)# no shutdown
firewall/C1(config-if)# exit
firewall/C1(config)# interface int2
firewall/C1(config-if)# nat-pool 1 172.27.16.15 172.27.16.24 netmask 255.255.255.0 pat
firewall/C1(config-if)# no shutdown
firewall/C1(config-if)# exit

Static Port Redirection: Example

The following static port redirection (DNAT) example shows those sections of the running configuration related to the commands necessary to configure static port redirection on your VFW application. Typically, this configuration is used for DNAT, where HTTP packets that are destined to 192.0.0.0/8 and ingressing the VFW application on interface x are translated to 10.0.0.0/8 and port 8080. In this example, the servers are hosting HTTP on custom port 8080.

firewall/C1# configure
firewall/C1(config)# access-list acl1 line 10 extended permit tcp 10.0.0.0 255.0.0.0 eq 8080 any
firewall/C1(config)# class-map match-any NAT_CLASS
firewall/C1(config-cmap)# match access-list acl1
firewall/C1(config-cmap)# exit
firewall/C1(config)# policy-map multi-match NAT_POLICY
firewall/C1(config-pmap)# class NAT_CLASS
firewall/C1(config-pmap-c)# nat static 192.0.0.0 netmask 255.0.0.0 tcp eq 80 interface interface_name_x
firewall/C1(config-pmap-c)# exit
firewall/C1(config-pmap)# exit
firewall/C1(config)# interface interface_name
firewall/C1(config-if)# service-policy input NAT_POLICY
firewall/C1(config-if)# no shutdown
firewall/C1(config-if)# exit
firewall/C1(config)# interface interface_name_x
firewall/C1(config-if)# no shutdown
firewall/C1(config-if)# exit

Additional References

The following sections provide references related to configuring NAT on the virtual firewall.

Related Documents

Related Topic: Virtual firewall NAT command syntax
Document Title: Network Address Translation Commands on the Virtual Firewall module in Cisco IOS XR Virtual Firewall Command Reference


Standards

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu: http://cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml


RFCs

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.


Technical Assistance

Description: The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/techsupport