9-20
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 9 Network Address Translation (NAT)
Dynamic PAT
For extended PAT for a PAT pool
•
Many application inspections do not support extended PAT. See
for a complete list of unsupported inspections.
•
If you enable extended PAT for a dynamic PAT rule, then you cannot also use an address in the PAT
pool as the PAT address in a separate static NAT with port translation rule. For example, if the PAT
pool includes 10.1.1.1, then you cannot create a static NAT-with-port-translation rule using 10.1.1.1
as the PAT address.
•
If you use a PAT pool and specify an interface for fallback, you cannot specify extended PAT.
•
For VoIP deployments that use ICE or TURN, do not use extended PAT. ICE and TURN rely on the
PAT binding to be the same for all destinations.
For round robin for a PAT pool
•
If a host has an existing connection, then subsequent connections from that host will use the same
PAT IP address if ports are available.
Note
: This “stickiness” does not survive a failover. If the ASA
fails over, then subsequent connections from a host may not use the initial IP address.
•
Round robin, especially when combined with extended PAT, can consume a large amount of
memory. Because NAT pools are created for every mapped protocol/IP address/port range, round
robin results in a large number of concurrent NAT pools, which use memory. Extended PAT results
in an even larger number of concurrent NAT pools.
Configure Dynamic Network Object PAT
This section describes how to configure network object NAT for dynamic PAT.
Procedure
Step 1
(Optional.) Create a host or range network object (
object network
command), or a network object group
(
object-group network
command), for the mapped addresses.
•
Instead of using an object, you can optionally configure an inline host address or specify the
interface address.
•
If you use an object, the object or group cannot contain a subnet; the object must define a host, or
for a PAT pool, a range; the group (for a PAT pool) can include hosts and ranges.
Step 2
Create or edit the network object for which you want to configure NAT.
object network
obj_name
Example
hostname(config)# object network my-host-obj1
Step 3
(Skip when editing an object that has the right address.) Define the real IPv4 or IPv6 addresses that you
want to translate.
•
host
{
IPv4_address
|
IPv6_address
}—The IPv4 or IPv6 address of a single host. For example,
10.1.1.1 or 2001:DB8::0DB8:800:200C:417A.
•
subnet
{
IPv4_address
IPv4_mask
|
IPv6_address
/
IPv6_prefix
}—The address of a network. For
IPv4 subnets, include the mask after a space, for example, 10.0.0.0 255.0.0.0. For IPv6, include the
address and prefix as a single unit (no spaces), such as 2001:DB8:0:CD30::/60.
Содержание ASA 5508-X
Страница 11: ...P A R T 1 Access Control ...
Страница 12: ......
Страница 60: ...4 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Access Rules History for Access Rules ...
Страница 157: ...P A R T 2 Network Address Translation ...
Страница 158: ......
Страница 204: ...9 46 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Network Address Translation NAT History for NAT ...
Страница 232: ...10 28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 NAT Examples and Reference DNS and NAT ...
Страница 233: ...P A R T 3 Service Policies and Application Inspection ...
Страница 234: ......
Страница 379: ...P A R T 4 Connection Management and Threat Detection ...
Страница 380: ......
Страница 400: ...16 20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Connection Settings History for Connection Settings ...
Страница 414: ...17 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Quality of Service History for QoS ...