Monitoring NAT - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance

Cisco ASA Series Firewall CLI Configuration Guide, Chapter 9: Network Address Translation (NAT), page 9-40

Example
hostname(config)# nat (inside,outside) source static MyInsNet MyInsNet destination static Server1 Server1

Where:

Interfaces—(Required for transparent mode.) Specify the real (real_ifc) and mapped (mapped_ifc) interfaces. Be sure to include the parentheses. In routed mode, if you do not specify the real and mapped interfaces, all interfaces are used. You can also specify the keyword any for one or both of the interfaces, for example (any,outside).

Section and Line—(Optional.) By default, the NAT rule is added to the end of section 1 of the NAT table (see NAT Rule Order, page 9-5). If you want to add the rule into section 3 instead (after the network object NAT rules), then use the after-auto keyword. You can insert a rule anywhere in the applicable section using the line argument.

Source addresses—Specify a network object, group, or the any keyword for both the real and mapped addresses.

Destination addresses (Optional):

  Mapped—Specify a network object or group, or for static interface NAT with port translation only, specify the interface keyword (routed mode only). If you specify ipv6, then the IPv6 address of the interface is used. If you specify interface, be sure to also configure the service keyword (in this case, the service objects should include only the destination port). For this option, you must configure a specific interface for the real_ifc.

  Real—Specify a network object or group. For identity NAT, simply use the same object or group for both the real and mapped addresses.

Ports—(Optional.) Specify the service keyword along with the real and mapped service objects. For source port translation, the objects must specify the source service. The order of the service objects in the command for source port translation is service real_obj mapped_obj. For destination port translation, the objects must specify the destination service. The order of the service objects for destination port translation is service mapped_obj real_obj. In the rare case where you specify both the source and destination ports in the object, the first service object contains the real source port/mapped destination port; the second service object contains the mapped source port/real destination port. For identity port translation, simply use the same service object for both the real and mapped ports (source and/or destination ports, depending on your configuration).

No Proxy ARP—(Optional.) Specify no-proxy-arp to disable proxy ARP for incoming packets to the mapped IP addresses. See Mapped Addresses and Routing, page 10-12 for more information.

Route lookup—(Optional; routed mode only; interfaces specified.) Specify route-lookup to determine the egress interface using a route lookup instead of using the interface specified in the NAT command. See Determining the Egress Interface, page 10-14 for more information.

Inactive—(Optional.) To make this rule inactive without having to remove the command, use the inactive keyword. To reactivate it, reenter the whole command without the inactive keyword.

Description—(Optional.) Provide a description up to 200 characters using the description keyword.

Monitoring NAT

To monitor object NAT, use the following commands:

show nat
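
The parameter rules for the nat command described on this page can be checked mechanically during a configuration review. The following is an added example, not part of the Cisco guide: it parses only the "source static" form shown in the page's example, and the names lint_twice_nat and NAT_RE, the field names, and the finding strings are hypothetical.

```python
import re

# Added example. Grammar and checks follow the parameter list on this page;
# only the "source static" form from the page's example is handled.
NAT_RE = re.compile(r"""^nat
    (?:\s\((?P<real_ifc>[^,\s]+),(?P<mapped_ifc>[^)\s]+)\))?
    (?:\s(?P<after_auto>after-auto))?
    (?:\s(?P<line>\d+))?
    \ssource\sstatic\s(?P<src_real>\S+)\s(?P<src_mapped>\S+)
    (?:\sdestination\sstatic\s(?P<dst_mapped>interface(?:\sipv6)?|\S+)\s(?P<dst_real>\S+))?
    (?:\sservice\s(?P<svc_first>\S+)\s(?P<svc_second>\S+))?
    (?:\s(?P<no_proxy_arp>no-proxy-arp))?
    (?:\s(?P<route_lookup>route-lookup))?
    (?:\s(?P<inactive>inactive))?
    (?:\sdescription\s(?P<description>.+))?$""", re.VERBOSE)

# The page's own example, wrapped across two lines as printed in the guide.
PAGE_EXAMPLE = """hostname(config)# nat (inside,outside) source static MyInsNet MyInsNet
destination static Server1 Server1"""

def lint_twice_nat(cmd, transparent=False):
    """Parse one twice NAT command; return (fields, findings)."""
    text = re.sub(r"^\S+\(config\)#\s*", "", " ".join(cmd.split()))
    m = NAT_RE.match(text)
    if not m:
        return None, ["not a 'nat ... source static' command"]
    f = m.groupdict()
    findings = []
    has_ifcs = f["real_ifc"] is not None
    if not has_ifcs:
        findings.append("interfaces required in transparent mode" if transparent
                        else "no interfaces given: all interfaces are used")
    if "any" in (f["real_ifc"], f["mapped_ifc"]):
        findings.append("'any' interface keyword in use")
    if (f["dst_mapped"] or "").split()[:1] == ["interface"]:
        if transparent:
            findings.append("'interface' is routed mode only")
        if not f["svc_first"]:
            findings.append("'interface' requires the service keyword")
        if f["real_ifc"] in (None, "any"):
            findings.append("'interface' requires a specific real_ifc")
    if f["route_lookup"] and (transparent or not has_ifcs):
        findings.append("route-lookup: routed mode with interfaces specified only")
    if f["description"] and len(f["description"]) > 200:
        findings.append("description longer than 200 characters")
    # Identity NAT: the same object is used for the real and mapped address.
    f["identity"] = (f["src_real"] == f["src_mapped"]
                     and f["dst_mapped"] == f["dst_real"])
    return f, findings
```

Run against the page's example, it reports an identity rule between inside and outside with no findings.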
