Cisco ASA Series Firewall CLI Configuration Guide
Chapter 9 Network Address Translation (NAT)
Dynamic NAT
• Interface PAT fallback—(Optional) The interface keyword enables interface PAT fallback. After the mapped IP addresses are used up, then the IP address of the mapped interface is used. If you specify ipv6, then the IPv6 address of the interface is used. For this option, you must configure a specific interface for the mapped_ifc. (You cannot specify interface in transparent mode).
• DNS—(Optional) The dns keyword translates DNS replies. Be sure DNS inspection is enabled (it is enabled by default). See for more information.
Examples
The following example configures dynamic NAT that hides the 192.168.2.0 network behind a range of
outside addresses 10.2.2.1 through 10.2.2.10:
hostname(config)# object network my-range-obj
hostname(config-network-object)# range 10.2.2.1 10.2.2.10
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic my-range-obj
The following example configures dynamic NAT with dynamic PAT backup. Hosts on inside network
10.76.11.0 are mapped first to the nat-range1 pool (10.10.10.10-10.10.10.20). After all addresses in the
nat-range1 pool are allocated, dynamic PAT is performed using the pat-ip1 address (10.10.10.21). In the
unlikely event that the PAT translations are also used up, dynamic PAT is performed using the outside
interface address.
hostname(config)# object network nat-range1
hostname(config-network-object)# range 10.10.10.10 10.10.10.20
hostname(config-network-object)# object network pat-ip1
hostname(config-network-object)# host 10.10.10.21
hostname(config-network-object)# object-group network nat-pat-grp
hostname(config-network-object)# network-object object nat-range1
hostname(config-network-object)# network-object object pat-ip1
hostname(config-network-object)# object network my_net_obj5
hostname(config-network-object)# subnet 10.76.11.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic nat-pat-grp interface
The following example configures dynamic NAT with dynamic PAT backup to translate IPv6 hosts to
IPv4. Hosts on inside network 2001:DB8::/96 are mapped first to the IPv4_NAT_RANGE pool
(209.165.201.1 to 209.165.201.30). After all addresses in the IPv4_NAT_RANGE pool are allocated,
dynamic PAT is performed using the IPv4_PAT address (209.165.201.31). In the event that the PAT
translations are also used up, dynamic PAT is performed using the outside interface address.
hostname(config)# object network IPv4_NAT_RANGE
hostname(config-network-object)# range 209.165.201.1 209.165.201.30
hostname(config-network-object)# object network IPv4_PAT
hostname(config-network-object)# host 209.165.201.31
hostname(config-network-object)# object-group network IPv4_GROUP
hostname(config-network-object)# network-object object IPv4_NAT_RANGE
hostname(config-network-object)# network-object object IPv4_PAT
hostname(config-network-object)# object network my_net_obj5
hostname(config-network-object)# subnet 2001:DB8::/96
hostname(config-network-object)# nat (inside,outside) dynamic IPv4_GROUP interface
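Added example, not part of the Cisco guide: a small Python audit that reads object NAT configuration such as the dynamic NAT with dynamic PAT backup examples above and reports, per rule, the size of the one-to-one pool, the PAT fallback order the text describes, and whether the real network has more addresses than the pool. The function names, report keys and the prompt-stripped sample are assumptions made for illustration; only named range, host and subnet objects are handled.

```python
from collections import defaultdict
import ipaddress
# Constructed sample: the second example above with the CLI prompts stripped.
CONFIG = """\
object network nat-range1
 range 10.10.10.10 10.10.10.20
object network pat-ip1
 host 10.10.10.21
object-group network nat-pat-grp
 network-object object nat-range1
 network-object object pat-ip1
object network my_net_obj5
 subnet 10.76.11.0 255.255.255.0
 nat (inside,outside) dynamic nat-pat-grp interface
"""

def parse(config):
    objs, groups, rules, cur = {}, defaultdict(list), [], None
    for t in filter(None, map(str.split, config.splitlines())):
        if t[0] in ("object", "object-group") and len(t) > 2:
            cur = t[2]  # name of the object or group now being defined
        elif t[0] == "range":
            lo, hi = (int(ipaddress.ip_address(a)) for a in t[1:3])
            objs[cur] = ("range", hi - lo + 1)
        elif t[0] == "host":
            objs[cur] = ("host", 1)
        elif t[0] == "subnet":  # "addr mask" (IPv4) or "prefix/len" (IPv6)
            objs[cur] = ("subnet", ipaddress.ip_network("/".join(t[1:])).num_addresses)
        elif t[:2] == ["network-object", "object"]:
            groups[cur].append(t[2])
        elif t[0] == "nat" and len(t) > 3 and t[2] == "dynamic":
            rules.append((cur, t[3], "interface" in t[4:]))
    return objs, groups, rules

def audit(config):
    # Range members form the NAT pool; host members, then "interface", are PAT fallbacks.
    objs, groups, rules = parse(config)
    report = []
    for real, mapped, iface in rules:
        members = groups.get(mapped, [mapped])
        pool = sum(objs[m][1] for m in members if objs[m][0] == "range")
        pat = ["pat:" + m for m in members if objs[m][0] == "host"]
        pat += ["pat:interface"] if iface else []
        report.append({"real": real, "real_addrs": objs[real][1], "pool_addrs": pool,
                       "fallback": pat, "shared_ip_possible": objs[real][1] > pool and bool(pat)})
    return report

if __name__ == "__main__":
    print(audit(CONFIG))
```

When shared_ip_possible is true, several inside hosts can end up behind one mapped address once the pool is exhausted, so attributing an outbound connection to a host requires the mapped port and timestamp from translation records, not the mapped IP alone.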