Cisco ASA 5506-X Configuration Manual page 69
Cli
Hide thumbs
Also See for ASA 5506-X:
- Installation manual (46 pages) ,
- Hardware installation manual (26 pages) ,
- Quick start manual (14 pages)
Advertisement
Chapter 4
Network Address Translation (NAT
–
Destination addresses (Optional):
•
–
–
•
Destination port—(Optional.) Specify the service keyword along with the mapped and real service
objects. For identity port translation, simply use the same service object for both the real and
mapped ports.
DNS—(Optional; for a source-only rule.) The dns keyword translates DNS replies. Be sure DNS
•
inspection is enabled (it is enabled by default). You cannot configure the dns keyword if you
configure a destination address. See
Unidirectional—(Optional.) Specify unidirectional so the destination addresses cannot initiate
•
traffic to the source addresses.
Inactive—(Optional.) To make this rule inactive without having to remove the command, use the
•
inactive keyword. To reactivate it, reenter the whole command without the inactive keyword.
•
Description—Optional.) Provide a description up to 200 characters using the description keyword.
Examples
The following example configures dynamic NAT for inside network 10.1.1.0/24 when accessing servers
on the 209.165.201.1/27 network as well as servers on the 203.0.113.0/24 network:
hostname(config)# object network INSIDE_NW
hostname(config-network-object)# subnet 10.1.1.0 255.255.255.0
hostname(config)# object network MAPPED_1
hostname(config-network-object)# range 209.165.200.225 209.165.200.254
hostname(config)# object network MAPPED_2
hostname(config-network-object)# range 209.165.202.129 209.165.200.158
hostname(config)# object network SERVERS_1
hostname(config-network-object)# subnet 209.165.201.0 255.255.255.224
hostname(config)# object network SERVERS_2
hostname(config-network-object)# subnet 203.0.113.0 255.255.255.0
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW MAPPED_1 destination
static SERVERS_1 SERVERS_1
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW MAPPED_2 destination
static SERVERS_2 SERVERS_2
Mapped—Specify a different network object or group. You can optionally configure the
following fallback method:
Interface PAT fallback—(Routed mode only) The interface keyword enables interface PAT
fallback. If you specify ipv6, then the IPv6 address of the interface is used. After the mapped
IP addresses are used up, then the IP address of the mapped interface is used. For this option,
you must configure a specific interface for the mapped_ifc.
Mapped—Specify a network object or group, or for static interface NAT with port translation
only, specify the interface keyword. If you specify ipv6, then the IPv6 address of the interface
is used. If you specify interface, be sure to also configure the service keyword. For this option,
you must configure a specific interface for the real_ifc. See
Translation, page 4-29
for more information.
Real—Specify a network object or group. For identity NAT, simply use the same object or group
for both the real and mapped addresses.
DNS and NAT, page 5-21
Cisco ASA Series Firewall CLI Configuration Guide
Dynamic NAT
Static Interface NAT with Port
for more information.
4-17
- Quick Links:
- Table of Contents
Hide quick links:
Advertisement
