Cisco FirePOWER ASA 5500 series Configuration Manual page 317
Security appliance command line
Hide thumbs
Also See for FirePOWER ASA 5500 series:
- Datasheet (20 pages) ,
- Configuration manual (1140 pages)
Table of Contents
Advertisement
Chapter 17
Applying NAT
You cannot use the same real or mapped address in multiple static statements between the same two
interfaces. Do not use a mapped address in the static command that is also defined in a global command
for the same mapped interface.
For more information about static PAT, see the
If you remove a static command, existing connections that use the translation are not affected. To remove
Note
these connections, enter the clear local-host command.
You cannot clear static translations from the translation table with the clear xlate command; you must
remove the static command instead. Only dynamic translations created by the nat and global commands
can be removed with the clear xlate command.
To configure static PAT, enter one of the following commands.
For policy static PAT, enter the following command:
•
hostname(config)# static (real_interface,mapped_interface) {tcp | udp}
{mapped_ip | interface} mapped_port access-list acl_name [dns] [norandomseq]
[[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]
Create the access list using the access-list command (see the
section on page
command. For example, if you specify tcp in the static command, then you must specify tcp in the
access list. Specify the port using the eq operator. This access list should include only permit ACEs.
The source subnet mask used in the access list is also used for the mapped addresses. Policy NAT
does not consider the inactive or time-range keywords; all ACEs are considered to be active for
policy NAT configuration.
If you specify a network for translation (for example, 10.1.1.0 255.255.255.0), then the security
appliance translates the .0 and .255 addresses. If you want to prevent access to these addresses, be
sure to configure an access list to deny access.
See the
options.
To configure regular static PAT, enter the following command:
•
hostname(config)# static (real_interface,mapped_interface) {tcp | udp} {mapped_ip |
interface} mapped_port real_ip real_port [netmask mask] [dns] [norandomseq] [[tcp]
tcp_max_conns [emb_limit]] [udp udp_max_conns]
See the
options.
For example, for Telnet traffic initiated from hosts on the 10.1.3.0 network to the security appliance
outside interface (10.1.2.14), you can redirect the traffic to the inside host at 10.1.1.15 by entering the
following commands:
hostname(config)# access-list TELNET permit tcp host 10.1.1.15 eq telnet 10.1.3.0
255.255.255.0 eq telnet
hostname(config)# static (inside,outside) tcp 10.1.2.14 telnet access-list TELNET
For HTTP traffic initiated from hosts on the 10.1.3.0 network to the security appliance outside interface
(10.1.2.14), you can redirect the traffic to the inside host at 10.1.1.15 by entering:
hostname(config)# access-list HTTP permit tcp host 10.1.1.15 eq http 10.1.3.0
255.255.255.0 eq http
hostname(config)# static (inside,outside) tcp 10.1.2.14 http access-list HTTP
OL-10088-01
16-5). The protocol in the access list must match the protocol you set in this
"Configuring Dynamic NAT or PAT" section on page 17-22
"Configuring Dynamic NAT or PAT" section on page 17-22
"Static PAT" section on page
"Adding an Extended Access List"
Cisco Security Appliance Command Line Configuration Guide
Using Static PAT
17-8.
for information about the other
for information about the
17-27
Advertisement
Table of Contents
Troubleshooting
