9-23
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 9 Network Address Translation (NAT)
Dynamic PAT
Step 2
(Optional.) Create service objects for the destination real ports and the destination mapped ports.
For dynamic NAT, you can only perform port translation on the destination. A service object can contain
both a source and destination port, but only the destination port is used in this case. If you specify the
source port, it will be ignored.
Step 3
Configure dynamic PAT.
nat [(real_ifc,mapped_ifc)] [line | {after-auto [line]}] source dynamic {real-obj | any} {mapped_obj [interface [ipv6]] | pat-pool mapped_obj [round-robin] [extended] [flat [include-reserve]] [interface [ipv6]] | interface [ipv6]} [destination static {mapped_obj | interface [ipv6]} real_obj] [service mapped_dest_svc_obj real_dest_svc_obj] [dns] [unidirectional] [inactive] [description desc]
Example
hostname(config)# nat (inside,outside) source dynamic MyInsNet interface
destination static Server1 Server1
description Interface PAT for inside addresses when going to server 1
Where:
• Interfaces—(Required for transparent mode) Specify the real (real_ifc) and mapped (mapped_ifc) interfaces. Be sure to include the parentheses. In routed mode, if you do not specify the real and mapped interfaces, all interfaces are used. You can also specify the keyword any for one or both of the interfaces, for example (any,outside).
• Section and Line—(Optional.) By default, the NAT rule is added to the end of section 1 of the NAT table (see ). If you want to add the rule into section 3 instead (after the network object NAT rules), then use the after-auto keyword. You can insert a rule anywhere in the applicable section using the line argument.
• Source addresses:
– Real—Specify a network object, group, or the any keyword. Use the any keyword if you want to translate all traffic from the real interface to the mapped interface.
– Mapped—Configure one of the following:
- Network object—Specify a network object that contains a host address.
- pat-pool—Specify the pat-pool keyword and a network object or group that contains multiple addresses.
- interface—(Routed mode only.) Specify the interface keyword alone to only use interface PAT. If you specify ipv6, then the IPv6 address of the interface is used. When specified with a PAT pool or network object, the interface keyword enables interface PAT fallback. After the PAT IP addresses are used up, then the IP address of the mapped interface is used. For this option, you must configure a specific interface for the mapped_ifc.
For a PAT pool, you can specify one or more of the following options:
-- Round robin—The round-robin keyword enables round-robin address allocation for a PAT pool. Without round robin, by default all ports for a PAT address will be allocated before the next PAT address is used. The round-robin method assigns an address/port from each PAT address in the pool before returning to use the first address again, and then the second address, and so on.
-- Extended PAT—The extended keyword enables extended PAT. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information. Normally, the destination port and address are not considered when
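The following is an added worked configuration, not taken from this guide, that combines the PAT pool, round-robin, extended PAT, interface-fallback and destination service options described above. All object names, addresses and ports are constructed, and the objects the earlier steps create are shown so the nat command can be read in context.

```cisco
! Constructed example: inside network, PAT pool, server and service objects are assumed names/addresses
object network INSIDE_NET
 subnet 10.1.2.0 255.255.255.0
! PAT pool of ten mapped addresses; each address contributes its own port range
object network PAT_POOL
 range 209.165.201.1 209.165.201.10
object network SERVER1
 host 209.165.200.225
! Destination service objects: inside clients connect to mapped port 8080,
! the server actually listens on real port 80 (source ports are ignored for dynamic NAT)
object service HTTP_MAPPED
 service tcp destination eq 8080
object service HTTP_REAL
 service tcp destination eq 80
! round-robin: take one address/port from each pool address in turn instead of exhausting one address first
! extended:    port uniqueness is tracked per destination address/port, so a pool address can reuse a
!              port number toward different servers
! interface:   fall back to the outside interface address once the pool is exhausted;
!              this requires a specific mapped_ifc (outside), not any
nat (inside,outside) source dynamic INSIDE_NET pat-pool PAT_POOL round-robin extended interface destination static SERVER1 SERVER1 service HTTP_MAPPED HTTP_REAL description PAT pool with interface fallback for inside hosts reaching server 1
! Verify where the rule landed (section 1 unless after-auto was used) and watch the active translations
show nat detail
show xlate
```

Watching show xlate after a few client connections makes the round-robin behaviour visible: successive translations come from different pool addresses rather than walking the port range of the first one.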