Cisco ASA Series Firewall CLI Configuration Guide
Chapter 9 Network Address Translation (NAT)
Dynamic NAT
Configure Dynamic Twice NAT
This section describes how to configure twice NAT for dynamic NAT.
Procedure
Step 1 Create host or range network objects (object network command), or network object groups (object-group network command), for the source real addresses, the source mapped addresses, the destination real addresses, and the destination mapped addresses.
• If you want to translate all source traffic, you can skip adding an object for the source real addresses, and instead specify the any keyword in the nat command.
• If you want to configure destination static interface NAT with port translation only, you can skip adding an object for the destination mapped addresses, and instead specify the interface keyword in the nat command.
If you do create objects, consider the following guidelines:
• You typically configure a larger group of real addresses to be mapped to a smaller group of mapped addresses.
• The mapped object or group cannot contain a subnet; a mapped object must define a range; a mapped group can include hosts and ranges. (The real source object may be a subnet.)
• If a mapped network object group contains both ranges and host IP addresses, then the ranges are used for dynamic NAT, and the host IP addresses are used as a PAT fallback once the ranges are exhausted.
Step 2
(Optional.) Create service objects for the destination real ports and the destination mapped ports.
For dynamic NAT, you can only perform port translation on the destination. A service object can contain
both a source and destination port, but only the destination port is used in this case. If you specify the
source port, it will be ignored.
Step 3 Configure dynamic NAT.
nat [(real_ifc,mapped_ifc)] [line | {after-auto [line]}] source dynamic {real_obj | any} {mapped_obj [interface [ipv6]]} [destination static {mapped_obj | interface [ipv6]} real_obj] [service mapped_dest_svc_obj real_dest_svc_obj] [dns] [unidirectional] [inactive] [description desc]
Example
hostname(config)# nat (inside,outside) source dynamic MyInsNet NAT_POOL destination static Server1_mapped Server1 service MAPPED_SVC REAL_SVC
Where:
• Interfaces—(Required for transparent mode) Specify the real (real_ifc) and mapped (mapped_ifc) interfaces. Be sure to include the parentheses. In routed mode, if you do not specify the real and mapped interfaces, all interfaces are used. You can also specify the keyword any for one or both of the interfaces, for example (any,outside).
• Section and Line—(Optional.) By default, the NAT rule is added to the end of section 1 of the NAT table (see ). If you want to add the rule into section 3 instead (after the network object NAT rules), then use the after-auto keyword. You can insert a rule anywhere in the applicable section using the line argument.
• Source addresses:
– Real—Specify a network object, group, or the any keyword.
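Steps 1 through 3 carried through as one complete configuration, with the verification commands a practitioner would run afterwards. This is an added example and not the guide's own configuration: the object names, the inside subnet 10.1.2.0/24, the pool 209.165.201.1-30 with 209.165.201.31 as PAT fallback, the server addresses 10.1.1.67 (mapped) and 209.165.201.11 (real), and the ports 8080/80 are all assumed for illustration (addresses are taken from the documentation ranges).

```cisco
! --- Step 1: network objects (all addresses below are assumed for this example) ---
! Real source: the inside subnet to be translated. A subnet is allowed on the real side.
object network MyInsNet
 subnet 10.1.2.0 255.255.255.0
!
! Mapped source: a range for dynamic NAT plus one host that becomes the PAT fallback
! once the range is exhausted. The mapped object/group must not contain a subnet,
! so the group is built from a range object and a host object only.
object network NAT_POOL
 range 209.165.201.1 209.165.201.30
object network PAT_FALLBACK
 host 209.165.201.31
object-group network NAT_POOL_GRP
 network-object object NAT_POOL
 network-object object PAT_FALLBACK
!
! Destination: inside hosts address the server as 10.1.1.67 (the mapped address, as seen
! from the real interface); the server's actual address on the outside is 209.165.201.11.
object network Server1_mapped
 host 10.1.1.67
object network Server1
 host 209.165.201.11
!
! --- Step 2: service objects for destination port translation ---
! Inside hosts connect to TCP/8080 (mapped); the server listens on TCP/80 (real).
! Only the destination port of each object is used; a source port here would be ignored.
object service MAPPED_SVC
 service tcp destination eq 8080
object service REAL_SVC
 service tcp destination eq 80
!
! --- Step 3: the twice NAT rule ---
! Matches traffic from MyInsNet to Server1_mapped:8080 and nothing else. Note the ordering:
! source is real-then-mapped, destination and service are mapped-then-real.
! No line/after-auto keyword, so the rule goes to the end of section 1.
nat (inside,outside) source dynamic MyInsNet NAT_POOL_GRP destination static Server1_mapped Server1 service MAPPED_SVC REAL_SVC description Inside users to Server1 via NAT pool
!
! --- Verification ---
! Confirm the rule is in section 1 and watch its translate_hits / untranslate_hits counters.
show nat detail
! Trace a constructed flow (10.1.2.27:40000 -> 10.1.1.67:8080) through the NAT phases
! without sending real traffic; the NAT phase should reference the rule above.
packet-tracer input inside tcp 10.1.2.27 40000 10.1.1.67 8080
! Active translations from the pool, and any PAT entries on 209.165.201.31 once it is exhausted.
show xlate
```

Two points worth checking when adapting this: the mapped group is valid only because it holds a range object and a host object; adding a subnet entry such as network-object 209.165.201.0 255.255.255.224 is not permitted on the mapped side of a dynamic rule. And because the rule is a twice NAT rule in section 1, it is evaluated before any network object NAT rules, so an inside host going to 10.1.1.67 on a port other than 8080 will not match it and will fall through to later rules.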