4-17
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 4 Network Address Translation (NAT)
Dynamic NAT
– Mapped—Specify a different network object or group. You can optionally configure the following fallback method:
Interface PAT fallback—(Routed mode only) The interface keyword enables interface PAT fallback. If you specify ipv6, then the IPv6 address of the interface is used. After the mapped IP addresses are used up, then the IP address of the mapped interface is used. For this option, you must configure a specific interface for the mapped_ifc.
• Destination addresses (Optional):
– Mapped—Specify a network object or group, or for static interface NAT with port translation only, specify the interface keyword. If you specify ipv6, then the IPv6 address of the interface is used. If you specify interface, be sure to also configure the service keyword. For this option, you must configure a specific interface for the real_ifc. See Static Interface NAT with Port for more information.
– Real—Specify a network object or group. For identity NAT, simply use the same object or group for both the real and mapped addresses.
• Destination port—(Optional.) Specify the service keyword along with the mapped and real service objects. For identity port translation, simply use the same service object for both the real and mapped ports.
• DNS—(Optional; for a source-only rule.) The dns keyword translates DNS replies. Be sure DNS inspection is enabled (it is enabled by default). You cannot configure the dns keyword if you configure a destination address. See for more information.
• Unidirectional—(Optional.) Specify unidirectional so the destination addresses cannot initiate traffic to the source addresses.
• Inactive—(Optional.) To make this rule inactive without having to remove the command, use the inactive keyword. To reactivate it, reenter the whole command without the inactive keyword.
• Description—(Optional.) Provide a description up to 200 characters using the description keyword.
Examples
The following example configures dynamic NAT for inside network 10.1.1.0/24 when accessing servers
on the 209.165.201.1/27 network as well as servers on the 203.0.113.0/24 network:
hostname(config)# object network INSIDE_NW
hostname(config-network-object)# subnet 10.1.1.0 255.255.255.0
hostname(config)# object network MAPPED_1
hostname(config-network-object)# range 209.165.200.225 209.165.200.254
hostname(config)# object network MAPPED_2
hostname(config-network-object)# range 209.165.202.129 209.165.202.158
hostname(config)# object network SERVERS_1
hostname(config-network-object)# subnet 209.165.201.0 255.255.255.224
hostname(config)# object network SERVERS_2
hostname(config-network-object)# subnet 203.0.113.0 255.255.255.0
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW MAPPED_1 destination static SERVERS_1 SERVERS_1
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW MAPPED_2 destination static SERVERS_2 SERVERS_2
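The keyword restrictions listed above can be checked before a rule is entered on the device. The following Python linter is an added example, not part of the Cisco guide; it tests twice NAT "source dynamic" commands against those restrictions. The sample rules are constructed, WEB_REAL is a hypothetical object name, and the parser assumes object names never collide with command keywords.

```python
import re
from itertools import takewhile

# Optional "(real_ifc,mapped_ifc)" pair; this linter treats a missing pair as (any,any).
NAT_RE = re.compile(r"^nat (?:\((?P<real>[^,\s]+),(?P<mapped>[^)\s]+)\) )?(?P<rest>.+)$")
STOP = {"source", "destination", "service", "dns", "unidirectional", "inactive"}

def lint_twice_nat(command):
    """Return findings for one twice NAT 'source dynamic' command line."""
    m = NAT_RE.match(" ".join(command.split()))
    if not m:
        return ["not a nat command"]
    real_ifc, mapped_ifc = m.group("real") or "any", m.group("mapped") or "any"
    # 'description' takes free text to end of line, so split it off first.
    body, _, desc = m.group("rest").partition(" description ")
    tokens = body.split()

    def section(keyword):
        # Tokens after `keyword`, up to the next section or option keyword.
        rest = tokens[tokens.index(keyword) + 1:] if keyword in tokens else []
        return list(takewhile(lambda t: t not in STOP, rest))

    src, dst = section("source"), section("destination")
    findings = []
    if "interface" in src[3:] and mapped_ifc == "any":
        findings.append("interface PAT fallback needs a specific mapped_ifc")
    if dst[1:2] == ["interface"]:
        if real_ifc == "any":
            findings.append("destination 'interface' needs a specific real_ifc")
        if "service" not in tokens:
            findings.append("destination 'interface' needs the service keyword")
    if "dns" in tokens and dst:
        findings.append("dns cannot be combined with a destination address")
    if len(desc) > 200:
        findings.append("description longer than 200 characters")
    return findings

# Constructed sample rules (not taken from a real device).
SAMPLES = [
    "nat (inside,outside) source dynamic INSIDE_NW MAPPED_1 interface destination static SERVERS_1 SERVERS_1",
    "nat (inside,any) source dynamic INSIDE_NW MAPPED_1 interface",
    "nat (inside,outside) source dynamic INSIDE_NW MAPPED_1 destination static SERVERS_1 SERVERS_1 dns",
    "nat (any,outside) source dynamic INSIDE_NW MAPPED_1 destination static interface WEB_REAL",
]

if __name__ == "__main__":
    for rule in SAMPLES:
        print(rule, "->", lint_twice_nat(rule) or "ok")
```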