9-35
Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 9      Network Address Translation (NAT)
  Static NAT
A service object can contain both a source and destination port; however, you should specify either the 
source or the destination port for both service objects. You should only specify both the source and 
destination ports if your application uses a fixed source port (such as some DNS servers); but fixed 
source ports are rare. For example, if you want to translate the port for the source host, then configure 
the source service.
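The rule above (both service objects named in a NAT rule set the same port side, and both ports are set only for a fixed source port) can be checked mechanically during a configuration review. The following Python audit is an added example, not part of the Cisco guide; the sample configuration is constructed, and every object name other than REAL_SRC_SVC and MAPPED_SRC_SVC is hypothetical.

```python
import re

# Constructed sample config (not from the guide). REAL_SRC_SVC and MAPPED_SRC_SVC
# reuse the names in the guide's example; every other name and port is hypothetical.
SAMPLE_CONFIG = """\
object service REAL_SRC_SVC
 service tcp source eq 8080
object service MAPPED_SRC_SVC
 service tcp source eq 80
object service DEST_HTTPS
 service tcp destination eq 443
object service FIXED_BOTH
 service udp source eq 53 destination eq 53
nat (inside,dmz) source static MyInsNet MyInsNet_mapped destination static Server1 Server1 service REAL_SRC_SVC MAPPED_SRC_SVC
nat (inside,outside) source static HostA HostA_mapped service REAL_SRC_SVC DEST_HTTPS
nat (inside,outside) source static HostB HostB_mapped service FIXED_BOTH FIXED_BOTH
"""

def parse_service_objects(config):
    """Map each 'object service' name to the port sides ('source'/'destination') it sets."""
    sides, current = {}, None
    for line in config.splitlines():
        header = re.match(r"object service (\S+)", line)
        if header:
            current = header.group(1)
            sides[current] = set()
        elif current and re.match(r"\s+service\s", line):
            sides[current].update(re.findall(r"\b(source|destination)\b", line))
        elif not line.startswith(" "):
            current = None  # a new top-level command ends the object sub-mode
    return sides

def audit_nat_services(config):
    """Return (line_number, finding) for nat rules whose service objects need review."""
    sides, findings = parse_service_objects(config), []
    for number, line in enumerate(config.splitlines(), 1):
        rule = re.match(r"nat\s.*\sservice\s+(\S+)\s+(\S+)", line)
        if not rule:
            continue
        first, second = (sides.get(name) for name in rule.groups())
        if first is None or second is None:
            findings.append((number, "service object not defined"))
        elif first != second:
            findings.append((number, "objects set different port sides"))
        elif len(first) == 2:
            findings.append((number, "source and destination both set"))
    return findings
```

Calling audit_nat_services(SAMPLE_CONFIG) flags the second and third nat lines of the sample; the third is the fixed-source-port case, which is a prompt for review rather than an error.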
Step 3 Configure static NAT. 
nat [(real_ifc,mapped_ifc)] [line | {after-auto [line]}]
source static real_obj [mapped_obj | interface [ipv6]]
[destination static {mapped_obj | interface [ipv6]} real_obj]
[service real_src_mapped_dest_svc_obj mapped_src_real_dest_svc_obj]
[net-to-net] [dns] [unidirectional | no-proxy-arp] [inactive] [description desc]
Example
hostname(config)# nat (inside,dmz) source static MyInsNet MyInsNet_mapped 
destination static Server1 Server1 service REAL_SRC_SVC MAPPED_SRC_SVC
Where:
• Interfaces—(Required for transparent mode) Specify the real (real_ifc) and mapped (mapped_ifc) 
interfaces. Be sure to include the parentheses. In routed mode, if you do not specify the real and 
mapped interfaces, all interfaces are used. You can also specify the keyword any for one or both of 
the interfaces, for example (any,outside).
• Section and Line—(Optional.) By default, the NAT rule is added to the end of section 1 of the NAT 
table (see NAT Rule Order, page 9-5). If you want to add the rule into section 3 instead (after the 
network object NAT rules), then use the after-auto keyword. You can insert a rule anywhere in the 
applicable section using the line argument.
• Source addresses:
  – Real—Specify a network object or group. Do not use the any keyword, which would be used 
for identity NAT.
  – Mapped—Specify a different network object or group. For static interface NAT with port 
translation only, you can specify the interface keyword (routed mode only). If you specify ipv6, 
then the IPv6 address of the interface is used. If you specify interface, be sure to also configure 
the service keyword (in this case, the service objects should include only the source port). For 
this option, you must configure a specific interface for the mapped_ifc. See Static Interface NAT 
with Port Translation, page 9-29 for more information.
• Destination addresses (Optional):
  – Mapped—Specify a network object or group, or for static interface NAT with port translation 
only, specify the interface keyword. If you specify ipv6, then the IPv6 address of the interface 
is used. If you specify interface, be sure to also configure the service keyword (in this case, the 
service objects should include only the destination port). For this option, you must configure a 
specific interface for the real_ifc.
  – Real—Specify a network object or group. For identity NAT, simply use the same object or group 
for both the real and mapped addresses.
• Ports—(Optional.) Specify the service keyword along with the real and mapped service objects. For 
source port translation, the objects must specify the source service. The order of the service objects 
in the command for source port translation is service real_obj mapped_obj. For destination port 
translation, the objects must specify the destination service. The order of the service objects for 
destination port translation is service mapped_obj real_obj. In the rare case where you specify both 
the source and destination ports in the object, the first service object contains the real source