
Cisco ASA 5512-X Configuration Guide

Cisco ASA 5512-X
428 pages
9-24
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 9 Network Address Translation (NAT)
Dynamic PAT
creating PAT translations, so you are limited to 65535 ports per PAT address. For example, with
extended PAT, you can create a translation of 10.1.1.1:1027 when going to 192.168.1.7:23 as
well as a translation of 10.1.1.1:1027 when going to 192.168.1.7:80.
– Flat range—The flat keyword enables use of the entire 1024 to 65535 port range when
allocating ports. When choosing the mapped port number for a translation, the ASA uses the
real source port number if it is available. However, without this option, if the real port is not
available, by default the mapped ports are chosen from the same range of ports as the real port
number: 1 to 511, 512 to 1023, and 1024 to 65535. To avoid running out of ports at the low
ranges, configure this setting. To use the entire range of 1 to 65535, also specify the
include-reserve keyword.
• Destination addresses (Optional):
– Mapped—Specify a network object or group, or for static interface NAT with port translation
only (routed mode), specify the interface keyword. If you specify ipv6, then the IPv6 address
of the interface is used. If you specify interface, be sure to also configure the service keyword.
For this option, you must configure a specific interface for the real_ifc. See Static Interface NAT
with Port Translation, page 9-29 for more information.
– Real—Specify a network object or group. For identity NAT, simply use the same object or group
for both the real and mapped addresses.
• Destination port—(Optional.) Specify the service keyword along with the mapped and real service
objects. For identity port translation, simply use the same service object for both the real and
mapped ports.
• DNS—(Optional; for a source-only rule.) The dns keyword translates DNS replies. Be sure DNS
inspection is enabled (it is enabled by default). You cannot configure the dns keyword if you
configure a destination address. See DNS and NAT, page 10-21 for more information.
• Unidirectional—(Optional.) Specify unidirectional so the destination addresses cannot initiate
traffic to the source addresses.
• Inactive—(Optional.) To make this rule inactive without having to remove the command, use the
inactive keyword. To reactivate it, reenter the whole command without the inactive keyword.
• Description—(Optional.) Provide a description up to 200 characters using the description keyword.
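The port-range rule described under Flat range above can be modelled to show why the low ranges run out first. The following Python sketch is an added example, not Cisco code and not part of the guide; the class and function names are hypothetical, it assumes a single PAT address without extended PAT, and it assumes that the lowest free port in the range is chosen and that allocation fails once the range is full.

```python
"""Model of the mapped-port range rules for a PAT pool (added example, not Cisco code)."""

def candidate_range(real_port, flat=False, include_reserve=False):
    """Range the mapped port is drawn from when the real port is already taken."""
    if flat:
        return (1, 65535) if include_reserve else (1024, 65535)
    if real_port <= 511:
        return (1, 511)
    if real_port <= 1023:
        return (512, 1023)
    return (1024, 65535)

class PatAddress:
    """Port table for a single PAT address and protocol (hypothetical helper)."""
    def __init__(self, flat=False, include_reserve=False):
        self.flat, self.include_reserve = flat, include_reserve
        self.in_use = set()

    def allocate(self, real_port):
        """Return the mapped port, or None when the candidate range is exhausted."""
        if real_port not in self.in_use:          # real source port is preferred
            port = real_port
        else:
            low, high = candidate_range(real_port, self.flat, self.include_reserve)
            # Assumption: lowest free port wins; the guide does not state the order.
            port = next((p for p in range(low, high + 1) if p not in self.in_use), None)
        if port is not None:
            self.in_use.add(port)
        return port

def simulate(n_hosts, real_port, flat=False, include_reserve=False):
    """n_hosts inside hosts all use the same real source port; return (mapped, failed)."""
    pat = PatAddress(flat, include_reserve)
    results = [pat.allocate(real_port) for _ in range(n_hosts)]
    mapped = sum(r is not None for r in results)
    return mapped, n_hosts - mapped

if __name__ == "__main__":
    # Constructed scenario: 600 hosts behind one PAT address, all sourcing from port 500.
    print("default:", simulate(600, 500))
    print("flat:   ", simulate(600, 500, flat=True))
    print("flat include-reserve:", simulate(600, 500, flat=True, include_reserve=True))
```

In the constructed scenario the default behavior can map only as many connections as the 1 to 511 range holds, while either flat variant maps all of them.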
Examples
The following example configures interface PAT for inside network 192.168.1.0/24 when accessing
outside Telnet server 209.165.201.23, and Dynamic PAT using a PAT pool when accessing any server on
the 203.0.113.0/24 network.
hostname(config)# object network INSIDE_NW
hostname(config-network-object)# subnet 192.168.1.0 255.255.255.0
hostname(config)# object network PAT_POOL
hostname(config-network-object)# range 209.165.200.225 209.165.200.254
hostname(config)# object network TELNET_SVR
hostname(config-network-object)# host 209.165.201.23
hostname(config)# object service TELNET
hostname(config-service-object)# service tcp destination eq 23
hostname(config)# object network SERVERS
hostname(config-network-object)# subnet 203.0.113.0 255.255.255.0


Cisco ASA 5512-X Specifications

General
Firewall Throughput: 1.2 Gbps
VPN Throughput: 200 Mbps
Maximum VPN Peers: 250
Integrated IPS: Yes
IPS Throughput: 250 Mbps
RAM: 4 GB
Power Supply: AC, 100-240V
Security Contexts: 2 (Standard), 50 (with Security Contexts license)
Interfaces: 6 x Gigabit Ethernet
Dimensions (H x W x D): 1.75 x 17.5 x 14.5 inches
Weight: 16 lbs
