Network Object NAT Guidelines for Mapped Address Objects - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Chapter 9
Network Address Translation (NAT)

Network Object NAT Guidelines for Mapped Address Objects

For dynamic NAT, you must use an object or group for the mapped addresses. For the other NAT types,
you can use an object or group, or you have the option of using inline addresses. Network object groups
are particularly useful for creating a mapped address pool with discontinuous IP address ranges or
multiple hosts or subnets. Use the object network and object-group network commands to create the
objects.
Consider the following guidelines when creating objects for mapped addresses.

• … mapped from an IPv4 address, then any means "any IPv6 traffic." If you configure a rule from "any" to "any," and you map the source to the interface IPv4 address, then any means "any IPv4 traffic" because the mapped interface address implies that the destination is also IPv4.
• You can use the same mapped object or group in multiple NAT rules.
• The mapped IP address pool cannot include:
  – The mapped interface IP address. If you specify "any" interface for the rule, then all interface IP addresses are disallowed. For interface PAT (routed mode only), use the interface keyword instead of the IP address.
  – (Transparent mode) The management IP address.
  – (Dynamic NAT) The standby interface IP address when VPN is enabled.
  – Existing VPN pool addresses.
• Avoid using overlapping addresses in static and dynamic NAT policies. For example, with overlapping addresses, a PPTP connection can fail to get established if the secondary connection for PPTP hits the static xlate instead of the dynamic xlate.
• For application inspection limitations with NAT or PAT, see Default Inspections and NAT Limitations, page 12-6.
• The default behavior for identity NAT has proxy ARP enabled, matching other static NAT rules. You can disable proxy ARP if desired. See Routing NAT Packets, page 10-11 for more information.
• If you specify an optional interface, then the ASA uses the NAT configuration to determine the egress interface, but you have the option to always use a route lookup instead. See Routing NAT Packets, page 10-11 for more information.
• You can improve system performance and reliability by using the transactional commit model for NAT. See the basic settings chapter in the general operations configuration guide for more information. Use the asp rule-engine transactional-commit nat command.
• A network object group can contain objects or inline addresses of either IPv4 or IPv6 addresses. The group cannot contain both IPv4 and IPv6 addresses; it must contain one type only.
• See Additional Guidelines for NAT, page 9-8 for information about disallowed mapped IP addresses.
• Dynamic NAT:
  – You cannot use an inline address; you must configure a network object or group.
  – The object or group cannot contain a subnet; the object must define a range; the group can include hosts and ranges.
  – If a mapped network object contains both ranges and host IP addresses, then the ranges are used for dynamic NAT, and then the host IP addresses are used as a PAT fallback.
• Dynamic PAT (Hide):

Cisco ASA Series Firewall CLI Configuration Guide, page 9-9
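The following configuration is added here as an illustration of the preceding guidelines; it is not an example from the guide itself. The interface names (inside, dmz, outside), the object names, and all addresses are assumed for the example: 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges, the outside interface is assumed to own 203.0.113.1 (which is why that address is deliberately kept out of the mapped pool), and no VPN pool is assumed to overlap the mapped addresses.

```cisco
! --- Mapped pool for dynamic NAT -------------------------------------------
! Dynamic NAT requires an object or group for the mapped addresses, and an
! object used this way must define a range (a subnet is rejected).
! 203.0.113.10-20 is a constructed pool; 203.0.113.1 (assumed outside
! interface address) is intentionally excluded because an interface address
! may never appear in a mapped pool.
object network MAPPED-POOL-RANGE
 range 203.0.113.10 203.0.113.20

! A single host that the group will use as the PAT fallback once the range
! above is exhausted (ranges first, then hosts for PAT).
object network MAPPED-PAT-FALLBACK
 host 203.0.113.21

! The group mixes a range and a host, which is allowed; it must stay
! IPv4-only (a group cannot contain both IPv4 and IPv6 addresses).
object-group network MAPPED-POOL
 network-object object MAPPED-POOL-RANGE
 network-object object MAPPED-PAT-FALLBACK

! Real addresses: inside subnet (assumed) translated through the group.
! Note what is NOT written here: "nat (inside,outside) dynamic 203.0.113.10"
! would be an inline mapped address, which dynamic NAT does not accept.
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic MAPPED-POOL

! --- Interface PAT (routed mode) -------------------------------------------
! Use the interface keyword rather than putting 203.0.113.1 in an object.
object network INSIDE-NET-2
 subnet 10.1.2.0 255.255.255.0
 nat (inside,outside) dynamic interface

! --- Identity NAT with the two optional behaviours from the guidelines -----
! Static/identity NAT may use an inline mapped address. The real and mapped
! addresses are the same (identity). no-proxy-arp turns off the proxy ARP
! that identity NAT enables by default; route-lookup makes the ASA pick the
! egress interface from the routing table instead of from the NAT rule.
object network DMZ-SERVER
 host 192.0.2.10
 nat (dmz,outside) static 192.0.2.10 no-proxy-arp route-lookup

! --- Transactional commit model for NAT ------------------------------------
asp rule-engine transactional-commit nat
```

After applying the configuration, show nat detail lists each rule with its translated-hit counters, and show xlate shows which mapped address each real host received; with the group above you should see range addresses consumed first and the 203.0.113.21 host used for PAT only after the range is exhausted.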