Cisco ASA 5555-X
9-3
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 9 Network Address Translation (NAT)
NAT Basics
NAT Types
You can implement NAT using the following methods:
• Dynamic NAT—A group of real IP addresses is mapped to a (usually smaller) group of mapped IP addresses, on a first come, first served basis. Only the real host can initiate traffic. See Dynamic NAT, page 9-12.
• Dynamic Port Address Translation (PAT)—A group of real IP addresses is mapped to a single IP address using a unique source port of that IP address. See Dynamic PAT, page 9-18.
• Static NAT—A consistent mapping between a real and mapped IP address. Allows bidirectional traffic initiation. See Static NAT, page 9-27.
• Identity NAT—A real address is statically translated to itself, essentially bypassing NAT. You might want to configure NAT this way when you want to translate a large group of addresses, but then want to exempt a smaller subset of addresses. See Identity NAT, page 9-37.
Network Object NAT and Twice NAT
The ASA can implement address translation in two ways: network object NAT and twice NAT. We recommend using network object NAT unless you need the extra features that twice NAT provides. Network object NAT is easier to configure, and might be more reliable for applications such as Voice over IP (VoIP). (For VoIP, because twice NAT is applicable only between two objects, you might see a failure in the translation of indirect addresses that do not belong to either of the objects.)
• Network Object NAT, page 9-3
• Twice NAT, page 9-3
• Comparing Network Object NAT and Twice NAT, page 9-4
Network Object NAT
All NAT rules that are configured as a parameter of a network object are considered to be network object NAT rules. Network object NAT is a quick and easy way to configure NAT for a network object, which can be a single IP address, a range of addresses, or a subnet.

After you configure the network object, you can then identify the mapped address for that object, either as an inline address or as another network object or network object group.

When a packet enters the ASA, both the source and destination IP addresses are checked against the network object NAT rules. The source and destination address in the packet can be translated by separate rules if separate matches are made. These rules are not tied to each other; different combinations of rules can be used depending on the traffic.

Because the rules are never paired, you cannot specify that sourceA/destinationA should have a different translation than sourceA/destinationB. Use twice NAT for that kind of functionality (twice NAT lets you identify the source and destination address in a single rule).
Twice NAT
Twice NAT lets you identify both the source and destination address in a single rule. Specifying both the source and destination addresses lets you specify that sourceA/destinationA can have a different translation than sourceA/destinationB.
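As an added example (not taken from this guide; the interface names, object names and addresses are assumed), the following ASA CLI snippet configures the NAT types listed above as network object NAT, then uses one twice NAT rule to give sourceA/destinationA a different translation than sourceA/destinationB, which object NAT alone cannot express:

```cisco
! --- Network object NAT (section 2): each rule is a parameter of one network object ---
! Dynamic PAT: all of inside-net shares the outside interface address, one source port per flow.
object network inside-net
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Static NAT: a bidirectional 1:1 mapping, so outside hosts can initiate to 203.0.113.10.
object network web-server
 host 10.1.2.10
 nat (dmz,outside) static 203.0.113.10
!
! Identity NAT: one host inside 10.1.1.0/24 keeps its own address. Object NAT orders
! static rules before dynamic ones, so this exempts the host from the dynamic PAT above.
object network mgmt-host
 host 10.1.1.50
 nat (inside,outside) static 10.1.1.50
!
! --- Twice NAT (section 1, evaluated before object NAT) ---
object network partner-net
 subnet 192.168.50.0 255.255.255.0
object network inside-net-as-seen-by-partner
 subnet 172.16.1.0 255.255.255.0
!
! sourceA/destinationA: inside-net talking to partner-net appears as 172.16.1.0/24.
! The destination clause is identity (partner-net to partner-net), so partner addresses are untouched.
nat (inside,outside) source static inside-net inside-net-as-seen-by-partner destination static partner-net partner-net
!
! sourceA/destinationB: the same inside-net going anywhere else matches no twice NAT rule
! and falls through to the object NAT rules, i.e. dynamic PAT to the outside interface.
```

Verify the result with `show nat` (rule order and hit counts) and `show xlate` (the translations actually built for a test flow to each destination).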
