Cisco ASA 5506-X Configuration Manual page 63
Cli
Hide thumbs
Also See for ASA 5506-X:
- Installation manual (46 pages) ,
- Hardware installation manual (26 pages) ,
- Quick start manual (14 pages)
Advertisement
Chapter 4
Network Address Translation (NAT
•
•
Twice NAT Guidelines for Service Objects for Real and Mapped Ports
You can optionally configure service objects for:
•
•
Use the object service command to create the objects.
Consider the following guidelines when creating objects for twice NAT.
•
•
•
•
•
•
•
Source Identity NAT
The real and mapped objects must match. You can use the same object for both, or you can
–
create separate objects that contain the same IP addresses.
Destination Static NAT or Static NAT with port translation (the destination translation is always
static):
–
Although the main feature of twice NAT is the inclusion of the destination IP address, the
destination address is optional. If you do specify the destination address, you can configure
static translation for that address or just use identity NAT for it. You might want to configure
twice NAT without a destination address to take advantage of some of the other qualities of
twice NAT, including the use of network object groups for real addresses, or manually ordering
of rules. For more information, see
For identity NAT, the real and mapped objects must match. You can use the same object for both,
–
or you can create separate objects that contain the same IP addresses.
–
The static mapping is typically one-to-one, so the real addresses have the same quantity as the
mapped addresses. You can, however, have different quantities if desired.
–
For static interface NAT with port translation (routed mode only), you can specify the interface
keyword instead of a network object/group for the mapped address.
Source real port (Static only) or Destination real port
Source mapped port (Static only) or Destination mapped port
NAT only supports TCP or UDP. When translating a port, be sure the protocols in the real and
mapped service objects are identical (both TCP or both UDP).
The "not equal" (neq) operator is not supported.
For identity port translation, you can use the same service object for both the real and mapped ports.
Source Dynamic NAT—Source Dynamic NAT does not support port translation.
Source Dynamic PAT (Hide)—Source Dynamic PAT does not support port translation.
Source Static NAT, Static NAT with port translation, or Identity NAT—A service object can contain
both a source and destination port; however, you should specify either the source or the destination
port for both service objects. You should only specify both the source and destination ports if your
application uses a fixed source port (such as some DNS servers); but fixed source ports are rare. For
example, if you want to translate the port for the source host, then configure the source service.
Destination Static NAT or Static NAT with port translation (the destination translation is always
static)—For non-static source NAT, you can only perform port translation on the destination. A
service object can contain both a source and destination port, but only the destination port is used
in this case. If you specify the source port, it will be ignored.
Comparing Network Object NAT and Twice NAT, page
Cisco ASA Series Firewall CLI Configuration Guide
Guidelines for NAT
4-4.
4-11
- Quick Links:
- Table of Contents
Hide quick links:
Advertisement
