4-9
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 4 Network Address Translation (NAT)
Guidelines for NAT
mapped from an IPv4 address, then any means “any IPv6 traffic.” If you configure a rule from “any” to “any,” and you map the source to the interface IPv4 address, then any means “any IPv4 traffic” because the mapped interface address implies that the destination is also IPv4.
• You can use the same mapped object or group in multiple NAT rules.
• The mapped IP address pool cannot include:
  – The mapped interface IP address. If you specify “any” interface for the rule, then all interface IP addresses are disallowed. For interface PAT (routed mode only), use the interface keyword instead of the IP address.
  – (Transparent mode) The management IP address.
  – (Dynamic NAT) The standby interface IP address when VPN is enabled.
  – Existing VPN pool addresses.
• Avoid using overlapping addresses in static and dynamic NAT policies. For example, with overlapping addresses, a PPTP connection can fail to get established if the secondary connection for PPTP hits the static instead of the dynamic xlate.
• For application inspection limitations with NAT or PAT, see
• The default behavior for identity NAT has proxy ARP enabled, matching other static NAT rules. You can disable proxy ARP if desired. See Routing NAT Packets, page 5-11 for more information.
• If you specify an optional interface, then the ASA uses the NAT configuration to determine the egress interface, but you have the option to always use a route lookup instead. See for more information.
• You can improve system performance and reliability by using the transactional commit model for NAT. See the basic settings chapter in the general operations configuration guide for more information. Use the asp rule-engine transactional-commit nat command.
Network Object NAT Guidelines for Mapped Address Objects
For dynamic NAT, you must use an object or group for the mapped addresses. For the other NAT types, you can use an object or group, or you have the option of using inline addresses. Network object groups are particularly useful for creating a mapped address pool with discontinuous IP address ranges or multiple hosts or subnets. Use the object network and object-group network commands to create the objects.
Consider the following guidelines when creating objects for mapped addresses.
• A network object group can contain objects or inline addresses of either IPv4 or IPv6 addresses. The group cannot contain both IPv4 and IPv6 addresses; it must contain one type only.
• See Additional Guidelines for NAT, page 4-8 for information about disallowed mapped IP addresses.
• Dynamic NAT:
  – You cannot use an inline address; you must configure a network object or group.
  – The object or group cannot contain a subnet; the object must define a range; the group can include hosts and ranges.
  – If a mapped network object contains both ranges and host IP addresses, then the ranges are used for dynamic NAT, and then the host IP addresses are used as a PAT fallback.
• Dynamic PAT (Hide):
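As an added example (constructed for this page, not taken from the guide), the following ASA configuration applies the dynamic NAT guidelines above: the mapped pool is built from a range object plus a host object that serves as the PAT fallback, grouped in a single IPv4-only object group, and referenced by a network object NAT rule. All object names and addresses are assumed; the outside interface is assumed to be 203.0.113.1 and is therefore kept out of the pool.

```text
! Mapped range for dynamic NAT. A subnet is not allowed here for
! dynamic NAT, so a range is used instead.
object network MAPPED-RANGE
 range 203.0.113.10 203.0.113.20

! Single host used as the PAT fallback once the range is exhausted.
object network MAPPED-PAT-HOST
 host 203.0.113.21

! Group combining hosts and ranges only, all IPv4 (no mixing with IPv6).
! Assumed outside interface address 203.0.113.1 and any VPN pool
! addresses are deliberately excluded from this group.
object-group network MAPPED-POOL
 network-object object MAPPED-RANGE
 network-object object MAPPED-PAT-HOST

! Real (inside) network with the network object NAT rule.
! Dynamic NAT requires the mapped object/group; an inline address is not allowed.
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic MAPPED-POOL

! Optional: transactional commit model for NAT, as recommended above.
asp rule-engine transactional-commit nat

! Verification after traffic flows: translations from the range appear
! as one-to-one xlates, and the host appears as PAT once the range is used up.
show nat detail
show xlate
```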