EasyManuals Logo

Cisco ASA 5512-X Configuration Guide

Cisco ASA 5512-X
428 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Page #184 background imageLoading...
Page #184 background image
9-26
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 9 Network Address Translation (NAT)
Dynamic PAT
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain
You cannot remove these rules, and they always exist after any manually-created rules. Because rules
are evaluated in order, you can override the default rules. For example, to completely negate these rules,
you could add the following:
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
Procedure
Step 1 Create a permit or deny per-session PAT rule. This rule is placed above the default rules, but below any
other manually-created rules. Be sure to create your rules in the order you want them applied.
xlate per-session {permit | deny} {tcp | udp} source_ip [operator src_port]
destination_ip [operator dest_port]
Example
hostname(config)# xlate per-session deny tcp any4 209.165.201.3 eq 1720
For the source and destination IP addresses, you can configure the following:
• host ip_address—Specifies an IPv4 or IPv6 host address.
• ip_address mask—Specifies an IPv4 network address and subnet mask.
• ipv6-address/prefix-length—Specifies an IPv6 network address and prefix.
• any4 and any6—any4 specifies only IPv4 traffic; and any6 specifies any6 traffic.
The operator matches the port numbers used by the source or destination. The default is all ports. The
permitted operators are:
• lt—less than
• gt—greater than
• eq—equal to
• neq—not equal to
• range—an inclusive range of values. When you use this operator, specify two port numbers, for
example, range 100 200.
Examples
The following example creates a deny rule for H.323 traffic, so that it uses multi-session PAT:
hostname(config)# xlate per-session deny tcp any4 209.165.201.7 eq 1720
hostname(config)# xlate per-session deny udp any4 209.165.201.7 range 1718 1719

Table of Contents

Other manuals for Cisco ASA 5512-X

Preview: Quick Start Guide
Quick Start Guide14 pages
Preview: Cli Configuration Guide
Cli Configuration Guide2164 pages
Preview: Hardware Installation Guide
Hardware Installation Guide74 pages
Preview: Software Guide
Software Guide37 pages

Questions and Answers:

Question and Answer IconNeed help?

Do you have a question about the Cisco ASA 5512-X and is the answer not in the manual?

Cisco ASA 5512-X Specifications

General IconGeneral
Firewall Throughput1.2 Gbps
VPN Throughput200 Mbps
Maximum VPN Peers250
Integrated IPSYes
IPS Throughput250 Mbps
RAM4 GB
Power SupplyAC, 100-240V
Security Contexts2 (Standard), 50 (with Security Contexts license)
Interfaces6 x Gigabit Ethernet
Dimensions (H x W x D)1.75 x 17.5 x 14.5 inches
Weight16 lbs

Related product manuals