9-38
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 9 Network Address Translation (NAT)
Identity NAT
hostname(config)# object network my-host-obj1
Step 3 (Skip when editing an object that has the right address.) Define the real IPv4 or IPv6 addresses that you
want to translate.
• host {IPv4_address | IPv6_address}—The IPv4 or IPv6 address of a single host. For example,
10.1.1.1 or 2001:DB8::0DB8:800:200C:417A.
• subnet {IPv4_address IPv4_mask | IPv6_address/IPv6_prefix}—The address of a network. For
IPv4 subnets, include the mask after a space, for example, 10.0.0.0 255.0.0.0. For IPv6, include the
address and prefix as a single unit (no spaces), such as 2001:DB8:0:CD30::/60.
• range start_address end_address—A range of addresses. You can specify IPv4 or IPv6 ranges. Do
not include masks or prefixes.
Example
hostname(config-network-object)# subnet 10.2.1.0 255.255.255.0
Step 4 Configure identity NAT for the object IP addresses. You can only define a single NAT rule for a given
object.
nat [(real_ifc,mapped_ifc)] static {mapped_inline_ip | mapped_obj}
[no-proxy-arp] [route-lookup]
Example
hostname(config-network-object)# nat (inside,outside) static MAPPED_IPS
Where:
• Interfaces—(Required for transparent mode) Specify the real (real_ifc) and mapped (mapped_ifc)
interfaces. Be sure to include the parentheses. In routed mode, if you do not specify the real and
mapped interfaces, all interfaces are used. You can also specify the keyword any for one or both of
the interfaces, for example (any,outside).
• Mapped IP addresses—Be sure to configure the same IP address for both the mapped and real
address. Use one of the following:
–
mapped_inline_host_ip—An inline IP address. The netmask, prefix, or range for the mapped
network is the same as that of the real network. For example, if the real network is a host, then
this address will be a host address. In the case of a range, then the mapped addresses include the
same number of addresses as the real range. For example, if the real address is defined as a range
from 10.1.1.1 through 10.1.1.6, and you specify 10.1.1.1 as the mapped address, then the
mapped range will include 10.1.1.1 through 10.1.1.6.
–
mapped_obj—A network object or group that includes the same addresses as the real object.
• No Proxy ARP—(Optional.) Specify no-proxy-arp to disable proxy ARP for incoming packets to
the mapped IP addresses. For information on the conditions which might require the disabling of
proxy ARP, see Mapped Addresses and Routing, page 10-12.
• Route lookup—(Routed mode only; interfaces specified.) Specify route-lookup to determine the
egress interface using a route lookup instead of using the interface specified in the NAT command.
See Determining the Egress Interface, page 10-14 for more information.
To Next Page
Loading...
Need help?
General
