9-17
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 9 Network Address Translation (NAT)
Dynamic NAT
–
Mapped—Specify a different network object or group. You can optionally configure the
following fallback method:
Interface PAT fallback—(Routed mode only) The interface keyword enables interface PAT
fallback. If you specify ipv6, then the IPv6 address of the interface is used. After the mapped
IP addresses are used up, then the IP address of the mapped interface is used. For this option,
you must configure a specific interface for the mapped_ifc.
• Destination addresses (Optional):
–
Mapped—Specify a network object or group, or for static interface NAT with port translation
only, specify the interface keyword. If you specify ipv6, then the IPv6 address of the interface
is used. If you specify interface, be sure to also configure the service keyword. For this option,
you must configure a specific interface for the real_ifc. See Static Interface NAT with Port
Translation, page 9-29 for more information.
–
Real—Specify a network object or group. For identity NAT, simply use the same object or group
for both the real and mapped addresses.
• Destination port—(Optional.) Specify the service keyword along with the mapped and real service
objects. For identity port translation, simply use the same service object for both the real and
mapped ports.
• DNS—(Optional; for a source-only rule.) The dns keyword translates DNS replies. Be sure DNS
inspection is enabled (it is enabled by default). You cannot configure the dns keyword if you
configure a destination address. See DNS and NAT, page 10-21 for more information.
• Unidirectional—(Optional.) Specify unidirectional so the destination addresses cannot initiate
traffic to the source addresses.
• Inactive—(Optional.) To make this rule inactive without having to remove the command, use the
inactive keyword. To reactivate it, reenter the whole command without the inactive keyword.
• Description—Optional.) Provide a description up to 200 characters using the description keyword.
Examples
The following example configures dynamic NAT for inside network 10.1.1.0/24 when accessing servers
on the 209.165.201.1/27 network as well as servers on the 203.0.113.0/24 network:
hostname(config)# object network INSIDE_NW
hostname(config-network-object)# subnet 10.1.1.0 255.255.255.0
hostname(config)# object network MAPPED_1
hostname(config-network-object)# range 209.165.200.225 209.165.200.254
hostname(config)# object network MAPPED_2
hostname(config-network-object)# range 209.165.202.129 209.165.200.158
hostname(config)# object network SERVERS_1
hostname(config-network-object)# subnet 209.165.201.0 255.255.255.224
hostname(config)# object network SERVERS_2
hostname(config-network-object)# subnet 203.0.113.0 255.255.255.0
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW MAPPED_1 destination
static SERVERS_1 SERVERS_1
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW MAPPED_2 destination
static SERVERS_2 SERVERS_2
To Next Page
Loading...
Need help?
General
