global
Overview
Create or delete entries from a pool of global addresses.
[no] global [(if_name)] nat_id {global_ip [-global_ip] [netmask global_mask]} | interface
show global
clear global
Syntax Description
if_name      The external network where you use these global addresses. Generally "outside".
nat_id       A positive number shared with the nat command that groups the nat and global command statements together. The valid ID numbers can be any positive number up to 2,147,483,647.
global_ip    One or more global IP addresses that the firewall shares among its connections. If the external network is connected to the Internet, each global IP address must be registered with the Network Information Center (NIC). You can specify a range of IP addresses by separating the addresses with a dash (-).
             You can create a Port Address Translation (PAT) global command statement by specifying a single IP address. You can have one PAT global command statement per interface. A PAT can support up to 65,535 xlate objects.
netmask      Reserved word that prefaces the network global_mask variable.
global_mask  The network mask for global_ip. If subnetting is in effect, use the subnet mask; for example, 255.255.255.128. If you specify an address range that overlaps subnets, global will not use the broadcast or network addresses in the pool of global addresses. For example, if you use 255.255.255.224 and an address range of 209.165.201.1-209.165.201.30, the 209.165.201.31 broadcast address and the 209.165.201.0 network address will not be included in the pool of global addresses.
interface    Specifies PAT using the IP address at the interface.
clear        Removes global command statements from the configuration.
Usage
Define a pool of global addresses. The global addresses in the pool provide an IP address for each outbound connection, and for those inbound connections resulting from outbound connections. Ensure that associated nat and global command statements have the same nat_id.
After changing or removing a global command statement, use the clear xlate command.
Use the no global command to remove access to a nat_id, or to a Port Address Translation (PAT) address, or address range within a nat_id.
Use the show global command to view the global command statements in the configuration.
Configuration mode.
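As an added example that is not part of this reference, the following Python script parses nat and global statements from a constructed configuration and reports nat_ids that lack a matching partner statement, plus any PAT address that also lies inside a dynamic pool (two rules the reference states). The sample configuration lines and the regular expressions are assumptions for the example, not output or code from the firewall.

```python
import ipaddress
import re

# Constructed sample configuration (not from the reference): nat_id 2 has no
# global, nat_id 3 has no nat, and the PAT address 209.165.201.5 lies inside
# the dynamic pool of nat_id 1.
SAMPLE_CONFIG = """\
nat (inside) 1 0 0
global (outside) 1 209.165.201.1-209.165.201.10 netmask 255.255.255.224
global (outside) 1 209.165.201.5 netmask 255.255.255.224
nat (inside) 2 10.1.1.0 255.255.255.0
global (outside) 3 interface
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)")

def expand_range(spec):
    """'a.b.c.d-a.b.c.e' -> set of dotted addresses in that inclusive range."""
    lo, hi = (int(ipaddress.IPv4Address(a)) for a in spec.split("-"))
    return {str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)}

def check_nat_global(config_text):
    """Findings for two rules in the reference: every nat_id must appear in
    both a nat and a global statement, and an address used for PAT may not
    also be a member of a global address pool."""
    nat_ids, global_ids = set(), set()
    pools = {}  # nat_id -> set of pool member addresses
    pats = []   # (nat_id, single address or "interface")
    for line in config_text.splitlines():
        line = line.strip()
        if (m := NAT_RE.match(line)):
            nat_ids.add(int(m.group(2)))
        elif (m := GLOBAL_RE.match(line)):
            nat_id, spec = int(m.group(2)), m.group(3)
            global_ids.add(nat_id)
            if "-" in spec:
                pools.setdefault(nat_id, set()).update(expand_range(spec))
            else:
                pats.append((nat_id, spec))  # single IP or interface = PAT
    findings = [f"nat_id {n}: nat without matching global" for n in sorted(nat_ids - global_ids)]
    findings += [f"nat_id {n}: global without matching nat" for n in sorted(global_ids - nat_ids)]
    for nat_id, addr in pats:
        for owner, members in pools.items():
            if addr in members:
                findings.append(f"PAT {addr} (nat_id {nat_id}) is also in the pool of nat_id {owner}")
    return findings

if __name__ == "__main__":
    print("\n".join(check_nat_global(SAMPLE_CONFIG)) or "no findings")
```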
Notes
- You can enable the Port Address Translation feature by entering a single IP address with the global command. PAT lets multiple outbound sessions appear to originate from a single IP address. With PAT enabled, the firewall chooses a unique port number from the PAT IP address for each outbound xlate (translation slot). This feature is valuable when an Internet service provider cannot allocate enough unique IP addresses for the outbound connections. An IP address you specify for a PAT cannot be used in another global address pool.
- When a PAT augments a pool of global addresses, first the addresses from the global pool are used, then the next connection is taken from the PAT address. If a global pool address frees, the next connection takes that address. The global pool addresses always come first, before a PAT address is used. Augment a pool of global addresses with a PAT by using the same nat_id in the global command statements that create the global pools and the PAT.
For example:
global (outside) 1 209.165.201.1-209.165.201.10 netmask 255.255.255.224
global (outside) 1 209.165.201.22 netmask 255.255.255.224
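The pool-then-PAT ordering described above, together with the netmask rule from the syntax description, as an added Python model that is not part of this reference: global_pool() expands a range under a netmask and drops the network and broadcast address of any subnet it overlaps, and Translator hands out pool addresses first, falls back to PAT ports only when the pool is empty, and gives a freed pool address to the next new host. The starting PAT port, the one-address-per-host pool behaviour and the class and function names are assumptions of the model.

```python
import ipaddress
from collections import deque

def global_pool(first, last, netmask):
    """Expand a 'global_ip-global_ip netmask global_mask' range into the usable
    pool: the network and broadcast address of any subnet the range overlaps
    are left out, as the reference describes."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    usable = []
    for n in range(lo, hi + 1):
        addr = ipaddress.IPv4Address(n)
        subnet = ipaddress.IPv4Network((addr, netmask), strict=False)
        if addr not in (subnet.network_address, subnet.broadcast_address):
            usable.append(str(addr))
    return usable

class Translator:
    """Models xlate allocation for one nat_id whose pool is augmented by a PAT
    address: pool addresses first (one per inside host), PAT ports only when
    the pool is empty, and a freed pool address goes to the next new host."""
    FIRST_PAT_PORT = 1024   # assumed starting port; the reference gives none
    MAX_PAT_XLATES = 65535  # PAT limit stated in the reference

    def __init__(self, pool, pat_ip):
        self.free = deque(pool)  # free pool addresses, in configured order
        self.pat_ip = pat_ip
        self.pat_used = 0
        self.xlates = {}         # inside host -> (global_ip, None) pool xlates

    def connect(self, host):
        """Return the (global_ip, port) xlate used for a new outbound session."""
        if host in self.xlates:
            return self.xlates[host]  # host already holds a pool address
        if self.free:
            self.xlates[host] = (self.free.popleft(), None)
            return self.xlates[host]
        if self.pat_used >= self.MAX_PAT_XLATES:
            raise RuntimeError("PAT address exhausted")
        self.pat_used += 1  # each PAT session gets its own unique port
        return (self.pat_ip, self.FIRST_PAT_PORT + self.pat_used - 1)

    def release(self, host):
        """Tear down a host's pool xlate (as clear xlate would); the address
        is then handed to the next new host before PAT is used again."""
        xlate = self.xlates.pop(host, None)
        if xlate is not None:
            self.free.append(xlate[0])
```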
- PAT does not work with H.323 applications and caching nameservers. Do not use a PAT when multimedia applications need to be run through the firewall. Multimedia applications can conflict with port mappings provided by PAT.
- PAT does not work with the established command.
- PAT works with DNS, FTP and passive FTP, HTTP, email, RPC, rshell, Telnet, URL Filtering, and outbound traceroute.
However, for passive FTP, use the fixup protocol ftp strict command statement together with an access-list command statement that permits outbound FTP traffic, as shown in the following example:
fixup protocol ftp strict ftp
access-list acl_in permit tcp any any eq ftp
access-group acl_in in interface inside
nat (inside) 1 0 0
global (outside) 1 209.165.201.5 netmask 255.255.255.224
- IP addresses in the pool of global addresses specified with the global command require reverse DNS entries to ensure that all external network addresses are accessible through the firewall. To create reverse DNS mappings, use a DNS PTR record in the address-to-name mapping file for each global address. For more information on DNS, refer to DNS and BIND, by Paul Albitz and Cricket Liu, O'Reilly & Associates, Inc., ISBN 1-56592-010-4. Without the PTR entries, sites can experience slow or intermittent Internet connectivity and FTP requests that consistently fail. For example, if a global IP address is 209.165.201.1 and the domain for the firewall is pix.example.com, the PTR record would be as follows.
1.201.165.209.in-addr.arpa. IN PTR pix.example.com
- A DNS server on a higher level security interface needing to get updates from a root name server on the outside interface cannot use PAT (Port Address Translation). Instead, a static command statement must be added to map the DNS server to a global address on the outside interface.
For example, PAT is enabled with these commands:
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 209.165.202.128 netmask 255.255.255.224
However, a DNS server on the inside at IP address 192.168.1.5 cannot correctly reach the root name server on the outside at IP address 209.165.202.130.
To ensure that the inside DNS server can access the root name server, insert the following static command statement:
static (inside,outside) 209.165.202.129 192.168.1.5
The global address 209.165.202.129 provides a translated address for the inside server at IP address 192.168.1.5.
- The following example enables PAT using the IP address at the outside interface in global configuration mode:
ip address outside 192.150.49.1
nat (inside) 1 0 0
global (outside) 1 interface
The interface IP address used for PAT is the address associated with the interface when the xlate (translation slot) is created. This is important for configuring DHCP, allowing the DHCP-retrieved address to be used for PAT.
When PAT is enabled on an interface, there should be no loss of TCP, UDP, and ICMP services. These services allow for termination at the firewall's outside interface.
- To specify PAT using the IP address of an interface, specify the interface keyword:
global [(int_name)] nat_id address | interface
- To track usage among different subnets, you can specify multiple PATs using the following supported configurations:
Map hosts on the internal network 10.1.0.0/24 to global address 192.168.1.1 and hosts on the internal network 10.1.1.1/24 to global address 209.165.200.225 in global configuration mode.
nat (inside) 1 10.1.0.0 255.255.255.0
nat (inside) 2 10.1.1.0 255.255.255.0
global (outside) 1 192.168.1.1 netmask 255.255.255.0
global (outside) 2 209.165.200.225 netmask 255.255.255.224
To configure two port addresses for setting up PAT on hosts from the internal network 10.1.0.0/16 in global configuration mode:
nat (inside) 1 10.1.0.0 255.255.0.0
global (outside) 1 209.165.200.225 netmask 255.255.255.224
global (outside) 1 192.168.1.1 netmask 255.255.255.0
With this configuration, address 192.168.1.1 will only be used when the port pool from address 209.165.200.225 is at maximum capacity.
Examples
The following example declares two global pool ranges and a PAT address. Then the nat command permits all inside users to start connections to the outside network:
global (outside) 1 209.165.201.1-209.165.201.10 netmask 255.255.255.224
global (outside) 1 209.165.201.12 netmask 255.255.255.224
Global 209.165.201.12 will be Port Address Translated
nat (inside) 1 0 0
clear xlate
The next example creates a global pool from two contiguous pieces of a Class C address and gives the perimeter hosts access to this pool of addresses to start connections on the outside interface:
global (outside) 1000 209.165.201.1-209.165.201.14 netmask 255.255.255.240
global (outside) 1000 209.165.201.17-209.165.201.30 netmask 255.255.255.240
nat (perimeter) 1000 0 0