9-10
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 9 Network Address Translation (NAT)
Guidelines for NAT
–
Instead of using an object, you can optionally configure an inline host address or specify the
interface address.
–
If you use an object, the object or group cannot contain a subnet. The object must define a host,
or for a PAT pool, a range. The group (for a PAT pool) can include hosts and ranges.
• Static NAT or Static NAT with port translation:
–
Instead of using an object, you can configure an inline address or specify the interface address
(for static NAT-with-port-translation).
–
If you use an object, the object or group can contain a host, range, or subnet.
• Identity NAT
–
Instead of using an object, you can configure an inline address.
–
If you use an object, the object must match the real addresses you want to translate.
Twice NAT Guidelines for Real and Mapped Address Objects
For each NAT rule, configure up to four network objects or groups for:
• Source real address
• Source mapped address
• Destination real address
• Destination mapped address
Objects are required unless you specify the any keyword inline to represent all traffic, or for some types
of NAT, the interface keyword to represent the interface address. Network object groups are particularly
useful for creating a mapped address pool with discontinuous IP address ranges or multiple hosts or
subnets. Use the object network and object-group network commands to create the objects.
Consider the following guidelines when creating objects for twice NAT.
• A network object group can contain objects or inline addresses of either IPv4 or IPv6 addresses. The
group cannot contain both IPv4 and IPv6 addresses; it must contain one type only.
• See Additional Guidelines for NAT, page 9-8 for information about disallowed mapped IP
addresses.
• Source Dynamic NAT:
–
You typically configure a larger group of real addresses to be mapped to a smaller group.
–
The mapped object or group cannot contain a subnet; the object must define a range; the group
can include hosts and ranges.
–
If a mapped network object contains both ranges and host IP addresses, then the ranges are used
for dynamic NAT, and the host IP addresses are used as a PAT fallback.
• Source Dynamic PAT (Hide):
–
If you use an object, the object or group cannot contain a subnet. The object must define a host,
or for a PAT pool, a range. The group (for a PAT pool) can include hosts and ranges.
• Source Static NAT or Static NAT with port translation:
–
The mapped object or group can contain a host, range, or subnet.
–
The static mapping is typically one-to-one, so the real addresses have the same quantity as the
mapped addresses. You can, however, have different quantities if desired.
To Next Page
Loading...
Need help?
General
