Configure Dynamic Twice PAT - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance

Dynamic PAT
Examples
The following example configures dynamic PAT that hides the 192.168.2.0 network behind address
10.2.2.2:
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic 10.2.2.2
The following example configures dynamic PAT that hides the 192.168.2.0 network behind the outside
interface address:
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic interface
The following example configures dynamic PAT with a PAT pool to translate the inside IPv6 network to
an outside IPv4 network:
hostname(config)# object network IPv4_POOL
hostname(config-network-object)# range 203.0.113.1 203.0.113.254
hostname(config)# object network IPv6_INSIDE
hostname(config-network-object)# subnet 2001:DB8::/96
hostname(config-network-object)# nat (inside,outside) dynamic pat-pool IPv4_POOL

Configure Dynamic Twice PAT

This section describes how to configure twice NAT for dynamic PAT.
Procedure
Step 1
Create host or range network objects (object network command), or network object groups
(object-group network command), for the source real addresses, the source mapped addresses, the
destination real addresses, and the destination mapped addresses.
If you use an object, the object or group cannot contain a subnet. The object must define a host, or for a
PAT pool, a range. The group (for a PAT pool) can include hosts and ranges.
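The object restriction above can be checked against a saved configuration before a change is applied. The following Python sketch is an added example, not part of the Cisco guide: the function names and the sample configuration are constructed, and it assumes only the object network (host, range, subnet) and object-group network (network-object) line forms.

```python
# Added example: lint ASA network objects against the Step 1 restriction.
# The sample configuration is constructed, not taken from the Cisco guide.
SAMPLE = """\
object network PAT_HOST
 host 203.0.113.10
object network PAT_RANGE
 range 203.0.113.20 203.0.113.30
object network INSIDE_NET
 subnet 192.168.2.0 255.255.255.0
object-group network PAT_GROUP_OK
 network-object host 203.0.113.40
 network-object object PAT_RANGE
object-group network PAT_GROUP_BAD
 network-object object PAT_HOST
 network-object object INSIDE_NET
"""

def parse(config):
    """Return ({object name: kind}, {group name: [member, ...]})."""
    objects, groups, block = {}, {}, None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line[0].isspace():          # top-level line opens a new block
            block = None
            if len(words) == 3 and words[1] == "network":
                if words[0] == "object":
                    block = (objects, words[2])
                elif words[0] == "object-group":
                    block = (groups, words[2])
                    groups[words[2]] = []
        elif block and block[0] is objects and words[0] in ("host", "range", "subnet"):
            objects[block[1]] = words[0]
        elif block and block[0] is groups and words[0] == "network-object" and len(words) > 1:
            if words[1] == "host":
                groups[block[1]].append("host")
            elif words[1] == "object" and len(words) > 2:
                groups[block[1]].append("ref:" + words[2])
            else:                          # address/mask or prefix form
                groups[block[1]].append("subnet")
    return objects, groups

def check_pat_objects(config):
    """Map each object or group name to 'ok' or 'invalid: <reason>'."""
    objects, groups = parse(config)
    result = {n: "ok" if k in ("host", "range") else "invalid: subnet" for n, k in objects.items()}
    for name, members in groups.items():
        kinds = [objects.get(m[4:], "unknown") if m.startswith("ref:") else m for m in members]
        bad = sorted({k for k in kinds if k not in ("host", "range")})
        result[name] = "ok" if kinds and not bad else "invalid: " + ", ".join(bad or ["empty"])
    return result
```

Calling check_pat_objects(SAMPLE) marks INSIDE_NET and PAT_GROUP_BAD as invalid because each contains a subnet; a group that references an undefined object is reported as "unknown".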
Cisco ASA Series Firewall CLI Configuration Guide
Interface PAT fallback—(Optional.) The interface keyword enables interface PAT fallback when
entered after a primary PAT address. After the primary PAT addresses are used up, then the IP
address of the mapped interface is used. If you specify ipv6, then the IPv6 address of the interface
is used. For this option, you must configure a specific interface for the mapped_ifc. (You cannot
specify interface in transparent mode.)
DNS—(Optional.) The dns keyword translates DNS replies. Be sure DNS inspection is enabled (it
is enabled by default). See DNS and NAT, page 10-21, for more information.
If you want to translate all source traffic, you can skip adding an object for the source real addresses,
and instead specify the any keyword in the nat command.
If you want to use the interface address as the mapped address, you can skip adding an object for
the source mapped addresses, and instead specify the interface keyword in the nat command.
If you want to configure destination static interface NAT with port translation only, you can skip
adding an object for the destination mapped addresses, and instead specify the interface keyword
in the nat command.
Chapter 9 Network Address Translation (NAT)
