Firewall Mode Guidelines for NAT; IPv6 NAT Guidelines; IPv6 NAT Recommendations - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Chapter 9
Network Address Translation (NAT)

Guidelines for NAT

• IPv6 NAT Recommendations, page 9-7
• Additional Guidelines for NAT, page 9-8
• Network Object NAT Guidelines for Mapped Address Objects, page 9-9
• Twice NAT Guidelines for Real and Mapped Address Objects, page 9-10
• Twice NAT Guidelines for Service Objects for Real and Mapped Ports, page 9-11

Firewall Mode Guidelines for NAT

NAT is supported in routed and transparent firewall mode. However, transparent mode has the following
restrictions:

• In transparent mode, you must specify the real and mapped interfaces; you cannot specify "any" as
the interface.
• In transparent mode, you cannot configure interface PAT, because the transparent mode interfaces
do not have IP addresses. You also cannot use the management IP address as a mapped address.
• In transparent mode, translating between IPv4 and IPv6 networks is not supported. Translating
between two IPv6 networks, or between two IPv4 networks, is supported.

IPv6 NAT Guidelines

NAT supports IPv6 with the following guidelines and restrictions.

• For routed mode, you can also translate between IPv4 and IPv6.
• For transparent mode, translating between IPv4 and IPv6 networks is not supported. Translating
between two IPv6 networks, or between two IPv4 networks, is supported.
• For transparent mode, a PAT pool is not supported for IPv6.
• For static NAT, you can specify an IPv6 subnet up to /64. Larger subnets are not supported.
• When using FTP with NAT46, when an IPv4 FTP client connects to an IPv6 FTP server, the client
must use either the extended passive mode (EPSV) or extended port mode (EPRT); PASV and PORT
commands are not supported with IPv6.

IPv6 NAT Recommendations

You can use NAT to translate between IPv6 networks, and also to translate between IPv4 and IPv6
networks (routed mode only). We recommend the following best practices:

• NAT66 (IPv6-to-IPv6)—We recommend using static NAT. Although you can use dynamic NAT or
PAT, IPv6 addresses are in such large supply that you do not have to use dynamic NAT. If you do not
want to allow returning traffic, you can make the static NAT rule unidirectional (twice NAT only).
• NAT46 (IPv4-to-IPv6)—We recommend using static NAT. Because the IPv6 address space is so
much larger than the IPv4 address space, you can easily accommodate a static translation. If you do
not want to allow returning traffic, you can make the static NAT rule unidirectional (twice NAT
only). When translating to an IPv6 subnet (/96 or lower), the resulting mapped address is by default
an IPv4-embedded IPv6 address, where the 32 bits of the IPv4 address are embedded after the IPv6
prefix. For example, if the IPv6 prefix is a /96 prefix, then the IPv4 address is appended in the last
32 bits of the address. For example, if you map 192.168.1.0/24 to 201b::0/96, then 192.168.1.4 will
Cisco ASA Series Firewall CLI Configuration Guide
Guidelines for NAT
9-7
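The following Python is an added illustration, not code from the Cisco guide: it computes the default IPv4-embedded IPv6 mapped address that the NAT46 recommendation above describes (IPv4 bits placed immediately after the IPv6 prefix), expands a static rule such as 192.168.1.0/24 to 201b::0/96 into its per-host table, and checks the /64 static NAT subnet limit. Taking the guide's wording literally for prefixes shorter than /96 (zero-filling the bits after the embedded address) is an assumption of this example.

```python
import ipaddress


def nat46_mapped_address(real_ipv4, mapped_ipv6_subnet):
    """Default mapped address for an IPv4 host translated into an IPv6 subnet.

    Rule from the guide: for a mapped subnet of /96 or shorter, the 32 bits of
    the IPv4 address are embedded immediately after the IPv6 prefix, so with a
    /96 prefix they occupy the last 32 bits.  For prefixes shorter than /96
    this function takes that wording literally and zero-fills the remaining
    low-order bits (assumption of this example, not stated on the page).
    """
    v4 = ipaddress.IPv4Address(real_ipv4)
    net = ipaddress.IPv6Network(mapped_ipv6_subnet, strict=False)
    if net.prefixlen > 96:
        raise ValueError("IPv4 embedding needs a /96 or shorter IPv6 prefix")
    shift = 128 - net.prefixlen - 32  # bit offset of the slot right after the prefix
    return ipaddress.IPv6Address(int(net.network_address) | (int(v4) << shift))


def static_nat_ipv6_subnet_supported(ipv6_subnet):
    """Static NAT accepts an IPv6 subnet up to /64; larger subnets are not supported."""
    return ipaddress.IPv6Network(ipv6_subnet, strict=False).prefixlen >= 64


def nat46_static_mapping(real_ipv4_subnet, mapped_ipv6_subnet):
    """Expand a static NAT46 rule into a real -> mapped table, one entry per IPv4 address.

    Mirrors the guide's example of mapping 192.168.1.0/24 to 201b::0/96.
    """
    if not static_nat_ipv6_subnet_supported(mapped_ipv6_subnet):
        raise ValueError("static NAT supports IPv6 subnets up to /64 only")
    real = ipaddress.IPv4Network(real_ipv4_subnet, strict=False)
    return {str(a): nat46_mapped_address(str(a), mapped_ipv6_subnet) for a in real}


if __name__ == "__main__":
    table = nat46_static_mapping("192.168.1.0/24", "201b::0/96")
    print(table["192.168.1.4"])  # 201b::c0a8:104
```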
