Twice NAT Guidelines for Real and Mapped Address Objects - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Guidelines for NAT

Twice NAT Guidelines for Real and Mapped Address Objects

For each NAT rule, configure up to four network objects or groups for:

- Source real address
- Source mapped address
- Destination real address
- Destination mapped address

Objects are required unless you specify the any keyword inline to represent all traffic, or, for some types of NAT, the interface keyword to represent the interface address. Network object groups are particularly useful for creating a mapped address pool with discontinuous IP address ranges or multiple hosts or subnets. Use the object network and object-group network commands to create the objects.

Consider the following guidelines when creating objects for twice NAT.

- A network object group can contain objects or inline addresses of either IPv4 or IPv6 addresses. The group cannot contain both IPv4 and IPv6 addresses; it must contain one type only.
- See Additional Guidelines for NAT, page 9-8, for information about disallowed mapped IP addresses.
- Source Dynamic NAT:
  - You typically configure a larger group of real addresses to be mapped to a smaller group.
  - The mapped object or group cannot contain a subnet; the object must define a range; the group can include hosts and ranges.
  - If a mapped network object contains both ranges and host IP addresses, then the ranges are used for dynamic NAT, and the host IP addresses are used as a PAT fallback.
- Source Dynamic PAT (Hide):
  - Instead of using an object, you can optionally configure an inline host address or specify the interface address.
  - If you use an object, the object or group cannot contain a subnet. The object must define a host, or for a PAT pool, a range. The group (for a PAT pool) can include hosts and ranges.
- Source Static NAT or Static NAT with port translation:
  - The mapped object or group can contain a host, range, or subnet.
  - The static mapping is typically one-to-one, so the real addresses have the same quantity as the mapped addresses. You can, however, have different quantities if desired.
- Static NAT or Static NAT with port translation:
  - Instead of using an object, you can configure an inline address or specify the interface address (for static NAT-with-port-translation).
  - If you use an object, the object or group can contain a host, range, or subnet.
- Identity NAT:
  - Instead of using an object, you can configure an inline address.
  - If you use an object, the object must match the real addresses you want to translate.

Cisco ASA Series Firewall CLI Configuration Guide, Chapter 9: Network Address Translation (NAT), page 9-10
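As an added example (not Cisco's text or code), the following Python check encodes the mapped-object rules above and runs them over constructed object network / object-group network definitions; the object names, addresses and the NAT-type labels ("dynamic-nat", "dynamic-pat", "static") are assumptions made for the example.

```python
import re

# Constructed sample config in the object network / object-group network syntax the page names.
SAMPLE_CONFIG = """
object network INSIDE_NET
 subnet 10.1.1.0 255.255.255.0
object network DYN_RANGE
 range 209.165.201.1 209.165.201.30
object network PAT_HOST
 host 209.165.201.31
object network MAPPED_SUBNET
 subnet 209.165.202.0 255.255.255.224
object-group network PAT_POOL
 network-object object DYN_RANGE
 network-object host 209.165.201.31
"""

def parse_objects(config):
    """Map each object/group name to (is_group, [member kinds: host|range|subnet])."""
    objects, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"object(-group)? network (\S+)$", line)
        if m:
            current = m.group(2)
            objects[current] = (m.group(1) is not None, [])
        elif line.startswith(("host ", "range ", "subnet ")):
            objects[current][1].append(line.split()[0])
        elif line.startswith("network-object object "):      # nested object: inherit its kinds
            objects[current][1].extend(objects[line.split()[2]][1])
        elif line.startswith("network-object host "):
            objects[current][1].append("host")
        elif line.startswith("network-object "):             # network-object <net> <mask>
            objects[current][1].append("subnet")
    return objects

def check_mapped(nat_type, name, objects):
    """Return the guideline violations for using `name` as the mapped source object."""
    is_group, kinds = objects[name]
    problems = []
    if nat_type in ("dynamic-nat", "dynamic-pat") and "subnet" in kinds:
        problems.append(f"{name}: mapped object/group cannot contain a subnet for {nat_type}")
    if nat_type == "dynamic-nat" and not is_group and kinds != ["range"]:
        problems.append(f"{name}: dynamic NAT mapped object must define a range")
    if nat_type == "dynamic-pat" and not is_group and kinds not in (["host"], ["range"]):
        problems.append(f"{name}: dynamic PAT mapped object must be a host, or a range for a PAT pool")
    # Static NAT: a host, range or subnet is allowed, so there is nothing to flag.
    return problems

if __name__ == "__main__":
    objs = parse_objects(SAMPLE_CONFIG)
    for nat_type, name in [("dynamic-nat", "DYN_RANGE"), ("dynamic-nat", "MAPPED_SUBNET"),
                           ("dynamic-pat", "PAT_POOL"), ("static", "MAPPED_SUBNET")]:
        print(nat_type, name, check_mapped(nat_type, name, objs) or "ok")
```

A group with hosts and ranges passes for dynamic NAT because, as the page states, the hosts then serve as the PAT fallback rather than being an error.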