9-18
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 9 Network Address Translation (NAT)
Dynamic PAT
The following example configures dynamic NAT for an IPv6 inside network 2001:DB8:AAAA::/96
when accessing servers on the IPv4 209.165.201.1/27 network as well as servers on the 203.0.113.0/24
network:
hostname(config)# object network INSIDE_NW
hostname(config-network-object)# subnet 2001:DB8:AAAA::/96
hostname(config)# object network MAPPED_1
hostname(config-network-object)# range 209.165.200.225 209.165.200.254
hostname(config)# object network MAPPED_2
hostname(config-network-object)# range 209.165.202.129 209.165.202.158
hostname(config)# object network SERVERS_1
hostname(config-network-object)# subnet 209.165.201.0 255.255.255.224
hostname(config)# object network SERVERS_2
hostname(config-network-object)# subnet 203.0.113.0 255.255.255.0
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW MAPPED_1 destination static SERVERS_1 SERVERS_1
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW MAPPED_2 destination static SERVERS_2 SERVERS_2
Dynamic PAT
The following topics describe dynamic PAT.
• Configure Dynamic Network Object PAT, page 9-20
• Configure Dynamic Twice PAT, page 9-22
• Configure Per-Session PAT or Multi-Session PAT, page 9-25
About Dynamic PAT
Dynamic PAT translates multiple real addresses to a single mapped IP address by translating the real
address and source port to the mapped address and a unique port. If available, the real source port number
is used for the mapped port. However, if the real port is not available, by default the mapped ports are
chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to 65535.
Therefore, ports below 1024 have only a small PAT pool that can be used. If you have a lot of traffic that
uses the lower port ranges, you can specify a flat range of ports to be used instead of the three
unequal-sized tiers.
Each connection requires a separate translation session because the source port differs for each
connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.
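The port-selection behavior described above can be modeled in a few lines. This is an added example, not code from the guide or from the ASA. It assumes a single mapped address, picks the lowest free port when the real port is taken, and uses constructed addresses and a constructed flat range of 1024 to 65535.

```python
# Simplified model of dynamic PAT port selection for ONE mapped address.
# Not ASA code: the "lowest free port" pick and flat-range bounds are assumptions.
TIERS = [(0, 511), (512, 1023), (1024, 65535)]  # tiers named in the text


class PatPoolExhausted(Exception):
    pass


class DynamicPat:
    def __init__(self, mapped_ip, flat_range=None):
        self.mapped_ip = mapped_ip
        self.flat_range = flat_range      # e.g. (1024, 65535); None = tiered default
        self.xlates = {}                  # (real_ip, real_port) -> mapped_port
        self.in_use = set()               # mapped ports already taken

    def _candidates(self, real_port):
        if self.flat_range:
            return self.flat_range
        return next(t for t in TIERS if t[0] <= real_port <= t[1])

    def translate(self, real_ip, real_port):
        key = (real_ip, real_port)
        if key in self.xlates:            # existing session reuses its xlate
            return self.mapped_ip, self.xlates[key]
        lo, hi = self._candidates(real_port)
        if lo <= real_port <= hi and real_port not in self.in_use:
            port = real_port              # real source port is kept when free
        else:
            port = next((p for p in range(lo, hi + 1) if p not in self.in_use), None)
            if port is None:
                raise PatPoolExhausted(f"no free mapped port in {lo}-{hi}")
        self.in_use.add(port)
        self.xlates[key] = port
        return self.mapped_ip, port


def low_port_capacity(flat_range=None):
    """Count how many distinct clients using source port 500 fit on one mapped IP."""
    pat = DynamicPat("192.0.2.1", flat_range)   # constructed documentation address
    count = 0
    try:
        for host in range(1, 2001):             # 2000 constructed inside hosts
            pat.translate(f"10.1.{host // 250}.{host % 250 + 1}", 500)
            count += 1
    except PatPoolExhausted:
        pass
    return count
```

With the tiered default, the model runs out of mapped ports after 512 sessions that use a source port below 512, while the flat range accommodates all 2000 constructed hosts.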