Name: Cisco ASA 5506-X
Brand: Cisco
Rating: 4 (1 reviews)

To Next Page

To Previous Page

9-26

Cisco ASA Series Firewall CLI Configuration Guide

Chapter 9 Network Address Translation (NAT)

Dynamic PAT

xlate per-session permit udp any4 any6 eq domain

xlate per-session permit udp any6 any4 eq domain

xlate per-session permit udp any6 any6 eq domain

You cannot remove these rules, and they always exist after any manually-created rules. Because rules

are evaluated in order, you can override the default rules. For example, to completely negate these rules,

you could add the following:

xlate per-session deny tcp any4 any4

xlate per-session deny tcp any4 any6

xlate per-session deny tcp any6 any4

xlate per-session deny tcp any6 any6

xlate per-session deny udp any4 any4 eq domain

xlate per-session deny udp any4 any6 eq domain

xlate per-session deny udp any6 any4 eq domain

xlate per-session deny udp any6 any6 eq domain

Procedure

Step 1 Create a permit or deny per-session PAT rule. This rule is placed above the default rules, but below any

other manually-created rules. Be sure to create your rules in the order you want them applied.

xlate per-session {permit | deny} {tcp | udp} source_ip [operator src_port]

destination_ip [operator dest_port]

Example

hostname(config)# xlate per-session deny tcp any4 209.165.201.3 eq 1720

For the source and destination IP addresses, you can configure the following:

• host ip_address—Specifies an IPv4 or IPv6 host address.

• ip_address mask—Specifies an IPv4 network address and subnet mask.

• ipv6-address/prefix-length—Specifies an IPv6 network address and prefix.

• any4 and any6—any4 specifies only IPv4 traffic; and any6 specifies any6 traffic.

The operator matches the port numbers used by the source or destination. The default is all ports. The

permitted operators are:

• lt—less than

• gt—greater than

• eq—equal to

• neq—not equal to

• range—an inclusive range of values. When you use this operator, specify two port numbers, for

example, range 100 200.

Examples

The following example creates a deny rule for H.323 traffic, so that it uses multi-session PAT:

hostname(config)# xlate per-session deny tcp any4 209.165.201.7 eq 1720

hostname(config)# xlate per-session deny udp any4 209.165.201.7 range 1718 1719

Other manuals for Cisco ASA 5506-X

Quick Start Guide14 pages

Easy Setup Guide11 pages

Installation Guide46 pages

Software Guide37 pages

Hardware Installation Guide52 pages

Mount And Connect12 pages

Mount The Chassis10 pages

Questions and Answers:

Need help?

Do you have a question about the Cisco ASA 5506-X and is the answer not in the manual?

Cisco ASA 5506-X Specifications

General

Model	ASA 5506-X
Firewall Throughput	750 Mbps
Maximum Firewall Connections	50, 000
Maximum VPN Peers	50
Integrated Ports	8 x 1 GE
Stateful Inspection Throughput	750 Mbps
Weight	4.4 lb (2 kg)
Firewall Throughput (Multiprotocol)	750 Mbps
Firewall Throughput (Application Visibility and Control AVC)	250 Mbps
Concurrent Sessions	50, 000
New Connections per Second	10, 000
IPsec VPN Throughput	100 Mbps
Interfaces	8 x 1 GE
Memory	4 GB
Flash Memory	8 GB
Form Factor	Desktop
VPN Throughput	100 Mbps
Maximum Concurrent Sessions	50, 000
New Sessions per Second	10, 000
Operating Temperature	32 to 104°F (0 to 40°C)
Storage Temperature	-13 to 158°F (-25 to 70°C)
Power Supply	External
Humidity	10% to 90% non-condensing