9-9    Cisco ASA Series Firewall CLI Configuration Guide
Chapter 9    Network Address Translation (NAT)
Guidelines for NAT
mapped from an IPv4 address, then any means “any IPv6 traffic.” If you configure a rule from “any” 
to “any,” and you map the source to the interface IPv4 address, then any means “any IPv4 traffic” 
because the mapped interface address implies that the destination is also IPv4.
• You can use the same mapped object or group in multiple NAT rules.
• The mapped IP address pool cannot include:
– The mapped interface IP address. If you specify “any” interface for the rule, then all interface IP addresses are disallowed. For interface PAT (routed mode only), use the interface keyword instead of the IP address.
– (Transparent mode) The management IP address.
– (Dynamic NAT) The standby interface IP address when VPN is enabled.
– Existing VPN pool addresses.
• Avoid using overlapping addresses in static and dynamic NAT policies. For example, with 
overlapping addresses, a PPTP connection can fail to get established if the secondary connection for 
PPTP hits the static instead of dynamic xlate.
• For application inspection limitations with NAT or PAT, see Default Inspections and NAT 
Limitations, page 12-6.
• The default behavior for identity NAT has proxy ARP enabled, matching other static NAT rules. You 
can disable proxy ARP if desired. See Routing NAT Packets, page 10-11 for more information.
• If you specify an optional interface, then the ASA uses the NAT configuration to determine the 
egress interface, but you have the option to always use a route lookup instead. See Routing NAT 
Packets, page 10-11 for more information.
• You can improve system performance and reliability by using the transactional commit model for 
NAT. See the basic settings chapter in the general operations configuration guide for more 
information. Use the asp rule-engine transactional-commit nat command.
Network Object NAT Guidelines for Mapped Address Objects
For dynamic NAT, you must use an object or group for the mapped addresses. For the other NAT types, 
you can use an object or group, or you have the option of using inline addresses. Network object groups 
are particularly useful for creating a mapped address pool with discontinuous IP address ranges or 
multiple hosts or subnets. Use the object network and object-group network commands to create the 
objects. 
Consider the following guidelines when creating objects for mapped addresses.
• A network object group can contain objects or inline addresses of either IPv4 or IPv6 addresses. The 
group cannot contain both IPv4 and IPv6 addresses; it must contain one type only.
• See Additional Guidelines for NAT, page 9-8 for information about disallowed mapped IP 
addresses.
• Dynamic NAT:
– You cannot use an inline address; you must configure a network object or group.
– The object or group cannot contain a subnet; the object must define a range; the group can include hosts and ranges.
– If a mapped network object contains both ranges and host IP addresses, then the ranges are used for dynamic NAT, and then the host IP addresses are used as a PAT fallback.
• Dynamic PAT (Hide):
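The following is an added example, not part of the Cisco guide: a small lint that checks candidate mapped-address members (written in the syntax of the object network / object-group network commands) against the disallowed-address rules in Additional Guidelines for NAT and the Dynamic NAT object rules above. The interface addresses and VPN pool are constructed sample values for this ASA, not defaults from the product.

```python
"""Lint mapped-address pool members against the ASA NAT guidelines (added
example, not Cisco code). Member lines use the 'host A', 'range A B' and
'subnet A MASK' forms accepted by the object network command."""
import ipaddress

# Constructed sample values: this ASA's interface addresses and its VPN pool.
INTERFACE_IPS = {ipaddress.ip_address("203.0.113.1"), ipaddress.ip_address("10.0.0.1")}
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")


def parse_members(lines):
    """Turn member lines into (kind, [networks]) pairs; a range becomes the
    minimal list of CIDR blocks that covers it."""
    members = []
    for line in lines:
        parts = line.split()
        kind = parts[0]
        if kind == "host":
            members.append((kind, [ipaddress.ip_network(parts[1])]))
        elif kind == "range":
            first, last = ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2])
            members.append((kind, list(ipaddress.summarize_address_range(first, last))))
        elif kind == "subnet":
            # IPv4 uses 'subnet ADDR MASK'; IPv6 uses 'subnet ADDR/PREFIX'
            addr = parts[1] if len(parts) == 2 else f"{parts[1]}/{parts[2]}"
            members.append((kind, [ipaddress.ip_network(addr, strict=False)]))
        else:
            raise ValueError(f"unsupported member line: {line!r}")
    return members


def lint_mapped_pool(members, is_group, dynamic_nat=True):
    """Return a list of guideline violations for one mapped object or group."""
    problems = []
    # A group must hold IPv4 or IPv6 members, never both.
    if len({n.version for _, nets in members for n in nets}) > 1:
        problems.append("group mixes IPv4 and IPv6 members")
    kinds = {kind for kind, _ in members}
    if dynamic_nat:
        if "subnet" in kinds:
            problems.append("dynamic NAT mapped pool may not contain a subnet")
        if not is_group and kinds != {"range"}:
            problems.append("dynamic NAT mapped object must define a range")
    for _, nets in members:
        for net in nets:
            # Mapped pools may not include interface IPs or existing VPN pool addresses.
            if any(ip in net for ip in INTERFACE_IPS):
                problems.append(f"{net} includes a mapped interface IP address")
            if net.overlaps(VPN_POOL):
                problems.append(f"{net} overlaps existing VPN pool {VPN_POOL}")
    return problems
```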