Nat Types; Network Object Nat And Twice Nat - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance

Chapter 9
Network Address Translation (NAT)

NAT Types

You can implement NAT using the following methods:

• Dynamic NAT—A group of real IP addresses is mapped to a (usually smaller) group of mapped IP addresses, on a first-come, first-served basis. Only the real host can initiate traffic. See Dynamic NAT, page 9-12.
• Dynamic Port Address Translation (PAT)—A group of real IP addresses is mapped to a single IP address using a unique source port of that IP address. See Dynamic PAT, page 9-18.
• Static NAT—A consistent mapping between a real and a mapped IP address. Allows bidirectional traffic initiation. See Static NAT, page 9-27.
• Identity NAT—A real address is statically translated to itself, essentially bypassing NAT. You might want to configure NAT this way when you want to translate a large group of addresses, but then want to exempt a smaller subset of addresses. See Identity NAT, page 9-37.

Network Object NAT and Twice NAT

The ASA can implement address translation in two ways: network object NAT and twice NAT.

We recommend using network object NAT unless you need the extra features that twice NAT provides. Network object NAT is easier to configure, and might be more reliable for applications such as Voice over IP (VoIP). (For VoIP, because twice NAT is applicable only between two objects, you might see a failure in the translation of indirect addresses that do not belong to either of the objects.)

• Network Object NAT, page 9-3
• Twice NAT, page 9-3
• Comparing Network Object NAT and Twice NAT, page 9-4

Network Object NAT

All NAT rules that are configured as a parameter of a network object are considered to be network object NAT rules. Network object NAT is a quick and easy way to configure NAT for a network object, which can be a single IP address, a range of addresses, or a subnet.

After you configure the network object, you can then identify the mapped address for that object, either as an inline address or as another network object or network object group.

When a packet enters the ASA, both the source and destination IP addresses are checked against the network object NAT rules. The source and destination address in the packet can be translated by separate rules if separate matches are made. These rules are not tied to each other; different combinations of rules can be used depending on the traffic.

Because the rules are never paired, you cannot specify that sourceA/destinationA should have a different translation than sourceA/destinationB. Use twice NAT for that kind of functionality (twice NAT lets you identify the source and destination address in a single rule).

Twice NAT

Twice NAT lets you identify both the source and destination address in a single rule. Specifying both the source and destination addresses lets you specify that sourceA/destinationA can have a different translation than sourceA/destinationB.

Cisco ASA Series Firewall CLI Configuration Guide
NAT Basics
9-3
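The following configuration is an added example written for this page; it is not taken from the Cisco guide. It shows the four NAT types configured as network object NAT, and then a twice NAT rule that gives the same source network a different translation depending on the destination, which the object rules cannot express. All interface names (inside, dmz, outside), object names and addresses are assumed for illustration; the mapped addresses are RFC 5737 documentation ranges, not real public space.

```cisco
! Added example, not from the Cisco ASA guide. Interface names, object names
! and addresses are assumed; mapped addresses are documentation ranges.

! --- Network object NAT: one rule per object; source and destination of a
! --- packet are matched against these rules independently.

! Static NAT: a DMZ web server is always reachable at one mapped address,
! so hosts on the outside can initiate connections to it (bidirectional).
object network dmz-web
 host 10.2.0.10
 nat (dmz,outside) static 203.0.113.10

! Dynamic NAT: a pool of mapped addresses handed out first come, first
! served. Only the real (engineering) hosts can initiate traffic.
object network eng-pool
 range 203.0.113.20 203.0.113.30
object network eng-net
 subnet 10.1.2.0 255.255.255.0
 nat (inside,outside) dynamic eng-pool

! Dynamic PAT: the whole user network shares the outside interface address,
! with connections told apart by unique source ports.
object network users-net
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

! Identity NAT: one management host is "translated" to itself, which exempts
! it from the PAT rule covering the rest of 10.1.1.0/24 (static object rules
! are evaluated before dynamic ones).
object network mgmt-host
 host 10.1.1.250
 nat (inside,outside) static 10.1.1.250

! --- Twice NAT: source and destination named in ONE rule, so sourceA can be
! --- translated one way toward destinationA and another way toward
! --- destinationB. Twice NAT rules are evaluated before the object rules
! --- above unless the rule is placed with the after-auto keyword.

object network partner-net
 subnet 192.168.50.0 255.255.255.0
object network users-for-partner
 subnet 172.16.1.0 255.255.255.0

! sourceA -> destinationA: users reaching the partner network appear as
! 172.16.1.0/24; the partner addresses are left unchanged (identity).
nat (inside,outside) source static users-net users-for-partner destination static partner-net partner-net

! sourceA -> destinationB: users going anywhere else do not match the rule
! above and fall through to the network object PAT rule on users-net.

! --- Verification: check which rule a flow actually hits rather than
! --- assuming it from the configuration order.
! show nat detail
! packet-tracer input inside tcp 10.1.1.20 40000 192.168.50.10 443
! packet-tracer input inside tcp 10.1.1.20 40000 203.0.113.200 443
```

The two packet-tracer runs are the check a practitioner wants after adding the twice NAT rule: the first flow (to the partner network) should show the source rewritten into 172.16.1.0/24, while the second (to any other outside address) should show the interface PAT from the users-net object rule. If the partner flow unexpectedly hits the PAT rule, the usual cause is a twice NAT rule placed with after-auto or an object mismatch in the destination clause.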
