Additional Guidelines For Nat - Cisco ASA Series Configuration Manual

Firewall cli, asa services module, and the adaptive security virtual appliance
Hide thumbs Also See for ASA Series:
Table of Contents

Advertisement

Guidelines for NAT

Additional Guidelines for NAT

Cisco ASA Series Firewall CLI Configuration Guide
9-8
be mapped to 201b::0.192.168.1.4 (shown with mixed notation). If the prefix is smaller, such as /64,
then the IPv4 address is appended after the prefix, and a suffix of 0s is appended after the IPv4
address. You can also optionally translate the addresses net-to-net, where the first IPv4 address maps
to the first IPv6 address, the second to the second, and so on.
NAT64 (IPv6-to-IPv4)—You may not have enough IPv4 addresses to accommodate the number of
IPv6 addresses. We recommend using a dynamic PAT pool to provide a large number of IPv4
translations.
(Network object NAT only.) You can only define a single NAT rule for a given object; if you want
to configure multiple NAT rules for an object, you need to create multiple objects with different
names that specify the same IP address, for example, object network obj-10.10.10.1-01, object
network obj-10.10.10.1-02, and so on.
(Twice NAT only.) You cannot configure FTP destination port translation when the source IP address
is a subnet (or any other application that uses a secondary connection); the FTP data channel
establishment does not succeed. For example, the following configuration does not work:
object network MyInsNet
subnet 10.1.2.0 255.255.255.0
object network MapInsNet
subnet 209.165.202.128 255.255.255.224
object network Server1
host 209.165.200.225
object network Server1_mapped
host 10.1.2.67
object service REAL_ftp
service tcp destination eq ftp
object service MAPPED_ftp
service tcp destination eq 2021
object network MyOutNet
subnet 209.165.201.0 255.255.255.224
nat (inside,outside) source static MyInsNet MapInsNet destination static
Server1_mapped Server1 service MAPPED_ftp REAL_ftp
If you change the NAT configuration, and you do not want to wait for existing translations to time
out before the new NAT configuration is used, you can clear the translation table using the clear
xlate command. However, clearing the translation table disconnects all current connections that use
translations.
If you remove a dynamic NAT or PAT rule, and then add a new rule with mapped addresses
Note
that overlap the addresses in the removed rule, then the new rule will not be used until all
connections associated with the removed rule time out or are cleared using the clear xlate
command. This safeguard ensures that the same address is not assigned to multiple hosts.
Objects and object groups used in NAT cannot be undefined; they must include IP addresses.
You cannot use an object group with both IPv4 and IPv6 addresses; the object group must include
only one type of address.
(Twice NAT only.) When using the any keyword in a NAT rule, the definition of "any" traffic (IPv4
vs. IPv6) depends on the rule. Before the ASA performs NAT on a packet, the packet must be
IPv6-to-IPv6 or IPv4-to-IPv4; with this prerequisite, the ASA can determine the value of any in a
NAT rule. For example, if you configure a rule from "any" to an IPv6 server, and that server was
Chapter 9
Network Address Translation (NAT)

Hide quick links:

Advertisement

Table of Contents
loading

Table of Contents