Cisco FirePOWER ASA 5500 series Configuration Manual page 320

Security appliance command line

Bypassing NAT
information about policy NAT). For example, you can use policy static identity NAT for an inside address
when it accesses the outside interface and the destination is server A, but use a normal translation when
accessing the outside server B.
Figure 17-24 shows a typical static identity NAT scenario.

Figure 17-24 Static Identity NAT
[Figure: Security Appliance between Inside and Outside; addresses 209.165.201.1 and 209.165.201.2]

Note: If you remove a static command, existing connections that use the translation are not affected. To remove
these connections, enter the clear local-host command.

You cannot clear static translations from the translation table with the clear xlate command; you must
remove the static command instead. Only dynamic translations created by the nat and global commands
can be removed with the clear xlate command.

To configure static identity NAT, enter one of the following commands:

To configure policy static identity NAT, enter the following command:

hostname(config)# static (real_interface,mapped_interface) real_ip access-list acl_id
[dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

Create the access list using the access-list command (see the "Adding an Extended Access List"
section on page 16-5). This access list should include only permit ACEs. Make sure the source
address in the access list matches the real_ip in this command. Policy NAT does not consider the
inactive or time-range keywords; all ACEs are considered to be active for policy NAT
configuration. See the "Policy NAT" section on page 17-9 for more information.
See the "Configuring Dynamic NAT or PAT" section on page 17-22 for information about the other
options.

To configure regular static identity NAT, enter the following command:

hostname(config)# static (real_interface,mapped_interface) real_ip real_ip [netmask
mask] [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

Specify the same IP address for both real_ip arguments.
See the "Configuring Dynamic NAT or PAT" section on page 17-22 for information about the other
options.

For example, the following command uses static identity NAT for an inside IP address (10.1.1.3) when
accessed by the outside:

hostname(config)# static (inside,outside) 10.1.1.3 10.1.1.3 netmask 255.255.255.255

Chapter 17 Applying NAT
Cisco Security Appliance Command Line Configuration Guide
17-30
OL-10088-01
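
The rules this page gives for the access list behind a policy static identity NAT command (only permit ACEs, a source address that matches real_ip, and inactive or time-range keywords being ignored) can be checked before a configuration is deployed. The following Python script is an added example, not part of the Cisco manual; the ACL names, the sample addresses and the lint_policy_static helper are constructed for illustration, and it assumes ACEs written in the host, any or address-plus-mask source form, without line numbers or object groups.

```python
import ipaddress
import re

# Constructed sample configuration (ACL names and addresses are illustrative).
SAMPLE = """\
access-list NET1 extended permit ip host 10.1.1.3 host 209.165.201.1
access-list NET1 extended deny ip host 10.1.1.3 host 209.165.201.2
access-list NET2 extended permit ip 10.1.2.0 255.255.255.0 host 209.165.201.1 inactive
static (inside,outside) 10.1.1.3 access-list NET1
static (inside,outside) 10.1.1.3 access-list NET2
"""

ACE = re.compile(r"^access-list (\S+) (?:extended )?(permit|deny) \S+ (.+)$")
STATIC = re.compile(r"^static \(\S+,\S+\) (\S+) access-list (\S+)")

def source_address(rest):
    """Return the source network address of an ACE (host/any/address+mask forms only)."""
    tok = rest.split()
    if tok[0] == "host":
        return ipaddress.ip_address(tok[1])
    if tok[0] == "any":
        return ipaddress.ip_address("0.0.0.0")
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False).network_address

def lint_policy_static(config):
    """Check each ACL referenced by a policy static command against the rules above."""
    aces, statics, findings = {}, [], []
    for line in map(str.strip, config.splitlines()):
        if m := ACE.match(line):
            aces.setdefault(m[1], []).append((m[2], m[3]))
        elif m := STATIC.match(line):
            statics.append((ipaddress.ip_address(m[1]), m[2]))
    for real_ip, acl in statics:
        if acl not in aces:
            findings.append((acl, "ACL not defined"))
        for action, rest in aces.get(acl, []):
            if action != "permit":
                findings.append((acl, "deny ACE: policy NAT ACLs should include only permit ACEs"))
            if source_address(rest) != real_ip:
                findings.append((acl, f"source does not match real_ip {real_ip}"))
            if re.search(r"\b(inactive|time-range)\b", rest):
                findings.append((acl, "inactive/time-range is ignored: ACE stays active for policy NAT"))
    return findings

if __name__ == "__main__":
    for acl, msg in lint_policy_static(SAMPLE):
        print(f"{acl}: {msg}")
```

On the sample it reports the deny ACE in NET1 and, for NET2, both the source mismatch and the inactive keyword that policy NAT does not consider.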


This manual is also suitable for:

PIX 500 series, Cisco ASA 5500 series
