9-21
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 9 Network Address Translation (NAT)
Dynamic PAT
• range start_address end_address—A range of addresses. You can specify IPv4 or IPv6 ranges. Do
not include masks or prefixes.
Example
hostname(config-network-object)# range 10.1.1.1 10.1.1.90
Step 4 Configure dynamic PAT for the object IP addresses. You can only define a single NAT rule for a given
object.
nat [(real_ifc,mapped_ifc)] dynamic {mapped_inline_host_ip | mapped_obj |
pat-pool mapped_obj [round-robin] [extended] [flat [include-reserve]] | interface [ipv6]}
[interface [ipv6]] [dns]
Example
hostname(config-network-object)# nat (any,outside) dynamic interface
Where:
• Interfaces—(Required for transparent mode) Specify the real (real_ifc) and mapped (mapped_ifc)
interfaces. Be sure to include the parentheses. In routed mode, if you do not specify the real and
mapped interfaces, all interfaces are used. You can also specify the keyword any for one or both of
the interfaces, for example (any,outside).
• Mapped IP address—You can specify the mapped IP address as:
–
mapped_inline_host_ip—An inline host address.
–
mapped_obj—An existing network object that is defined as a host address.
–
pat-pool—An existing network object or group that contains multiple addresses.
–
interface—(Routed mode only.) The IP address of the mapped interface is used as the mapped
address. If you specify ipv6, then the IPv6 address of the interface is used. For this option, you
must configure a specific interface for the mapped_ifc. You must use this keyword when you
want to use the interface IP address; you cannot enter it inline or as an object.
• For a PAT pool, you can specify one or more of the following options:
–
Round robin—The round-robin keyword enables round-robin address allocation for a PAT
pool. Without round robin, by default all ports for a PAT address will be allocated before the
next PAT address is used. The round-robin method assigns an address/port from each PAT
address in the pool before returning to use the first address again, and then the second address,
and so on.
–
Extended PAT—The extended keyword enables extended PAT. Extended PAT uses 65535 ports
per service, as opposed to per IP address, by including the destination address and port in the
translation information. Normally, the destination port and address are not considered when
creating PAT translations, so you are limited to 65535 ports per PAT address. For example, with
extended PAT, you can create a translation of 10.1.1.1:1027 when going to 192.168.1.7:23 as
well as a translation of 10.1.1.1:1027 when going to 192.168.1.7:80.
–
Flat range—The flat keyword enables use of the entire 1024 to 65535 port range when
allocating ports. When choosing the mapped port number for a translation, the ASA uses the
real source port number if it is available. However, without this option, if the real port is not
available, by default the mapped ports are chosen from the same range of ports as the real port
number: 1 to 511, 512 to 1023, and 1024 to 65535. To avoid running out of ports at the low
ranges, configure this setting. To use the entire range of 1 to 65535, also specify the
include-reserve keyword.
To Next Page
Loading...
Need help?
General
