Using Static Nat - Cisco FirePOWER ASA 5500 series Configuration Manual

Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, page 17-25
Chapter 17 Applying NAT

Using Static NAT

This section describes how to configure a static translation.

Figure 17-21 shows a typical static NAT scenario. The translation is always active so both translated and remote hosts can originate connections, and the mapped address is statically assigned by the static command.

Figure 17-21 Static NAT
[Figure: Security Appliance between Inside (10.1.1.1, 10.1.1.2) and Outside (209.165.201.1, 209.165.201.2)]

You cannot use the same real or mapped address in multiple static commands between the same two interfaces. Do not use a mapped address in the static command that is also defined in a global command for the same mapped interface.

For more information about static NAT, see the "Static NAT" section on page 17-7.

Note If you remove a static command, existing connections that use the translation are not affected. To remove these connections, enter the clear local-host command.
You cannot clear static translations from the translation table with the clear xlate command; you must remove the static command instead. Only dynamic translations created by the nat and global commands can be removed with the clear xlate command.

To configure static NAT, enter one of the following commands.

• For policy static NAT, enter the following command:

  hostname(config)# static (real_interface,mapped_interface) {mapped_ip | interface} access-list acl_name [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

  Create the access list using the access-list command (see the "Adding an Extended Access List" section on page 16-5). This access list should include only permit ACEs. The source subnet mask used in the access list is also used for the mapped addresses. You can also specify the real and destination ports in the access list using the eq operator. Policy NAT does not consider the inactive or time-range keywords; all ACEs are considered to be active for policy NAT configuration. See the "Policy NAT" section on page 17-9 for more information.

  If you specify a network for translation (for example, 10.1.1.0 255.255.255.0), then the security appliance translates the .0 and .255 addresses. If you want to prevent access to these addresses, be sure to configure an access list to deny access.

  See the "Configuring Dynamic NAT or PAT" section on page 17-22 for information about the other options.

• To configure regular static NAT, enter the following command:
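As an added example (not from the guide), the policy static NAT command described above together with the access list it depends on, the deny list the .0/.255 caveat calls for, and the clean-up sequence from the Note. The interface names inside/outside, the ACL names NET1_POLICY and OUTSIDE_IN and the destination network 209.165.200.224/27 are assumed; the access-group command that applies the deny list comes from the access list chapter, not from this page.

```text
! Policy static NAT: 10.1.1.0/24 is translated to 209.165.201.0/24 only for traffic
! to 209.165.200.224/27 (assumed values). Permit ACEs only; the /24 source mask
! in the ACE is also the mask applied to the mapped network.
hostname(config)# access-list NET1_POLICY extended permit ip 10.1.1.0 255.255.255.0 209.165.200.224 255.255.255.224
hostname(config)# static (inside,outside) 209.165.201.0 access-list NET1_POLICY

! A whole network was translated, so 10.1.1.0 and 10.1.1.255 get mapped addresses too.
! Deny the mapped .0 and .255 on the outside interface so remote hosts cannot reach them.
hostname(config)# access-list OUTSIDE_IN extended deny ip any host 209.165.201.0
hostname(config)# access-list OUTSIDE_IN extended deny ip any host 209.165.201.255
hostname(config)# access-list OUTSIDE_IN extended permit ip 209.165.200.224 255.255.255.224 209.165.201.0 255.255.255.0
hostname(config)# access-group OUTSIDE_IN in interface outside

! Removing the static command leaves established connections in place, and
! clear xlate does not touch static translations: remove the command, then clear
! the affected local host (omit the address to clear all local hosts).
hostname(config)# no static (inside,outside) 209.165.201.0 access-list NET1_POLICY
hostname(config)# clear local-host 10.1.1.1
```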
