Cisco ASA 5506-X Configuration Manual page 75

Chapter 4
Network Address Translation (NAT)
Step 2
(Optional.) Create service objects for the destination real ports and the destination mapped ports.
For dynamic NAT, you can only perform port translation on the destination. A service object can contain
both a source and destination port, but only the destination port is used in this case. If you specify the
source port, it will be ignored.
Step 3
Configure dynamic PAT.
nat [(real_ifc,mapped_ifc)] [line | {after-auto [line]}]
source dynamic {real-obj | any}
{mapped_obj [interface [ipv6]] |
[pat-pool mapped_obj [round-robin] [extended] [flat [include-reserve]] [interface [ipv6]]
| interface [ipv6]}
[destination static {mapped_obj | interface [ipv6]} real_obj]
[service mapped_dest_svc_obj real_dest_svc_obj]
[dns] [unidirectional] [inactive] [description desc]
Example
hostname(config)# nat (inside,outside) source dynamic MyInsNet interface
destination static Server1 Server1
description Interface PAT for inside addresses when going to server 1
Where:
Interfaces—(Required for transparent mode) Specify the real (real_ifc) and mapped (mapped_ifc)
interfaces. Be sure to include the parentheses. In routed mode, if you do not specify the real and
mapped interfaces, all interfaces are used. You can also specify the keyword any for one or both of
the interfaces, for example (any,outside).
Section and Line—(Optional.) By default, the NAT rule is added to the end of section 1 of the NAT
table (see NAT Rule Order, page 4-5). If you want to add the rule into section 3 instead (after the
network object NAT rules), then use the after-auto keyword. You can insert a rule anywhere in the
applicable section using the line argument.
Source addresses:
Real—Specify a network object, group, or the any keyword. Use the any keyword if you want
to translate all traffic from the real interface to the mapped interface.
Mapped—Configure one of the following:
- Network object—Specify a network object that contains a host address.
- pat-pool—Specify the pat-pool keyword and a network object or group that contains multiple
addresses.
- interface—(Routed mode only.) Specify the interface keyword alone to only use interface
PAT. If you specify ipv6, then the IPv6 address of the interface is used. When specified with a
PAT pool or network object, the interface keyword enables interface PAT fallback. After the
PAT IP addresses are used up, then the IP address of the mapped interface is used. For this
option, you must configure a specific interface for the mapped_ifc.
For a PAT pool, you can specify one or more of the following options:
-- Round robin—The round-robin keyword enables round-robin address allocation for a PAT
pool. Without round robin, by default all ports for a PAT address will be allocated before the
next PAT address is used. The round-robin method assigns an address/port from each PAT
address in the pool before returning to use the first address again, and then the second address,
and so on.
-- Extended PAT—The extended keyword enables extended PAT. Extended PAT uses 65535
ports per service, as opposed to per IP address, by including the destination address and port in
the translation information. Normally, the destination port and address are not considered when
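The following configuration is an added example, not from the guide, that puts the options above together: a round-robin PAT pool with interface PAT fallback, scoped by an identity destination pairing and a destination service object. All object names, addresses and interface names are constructed placeholders.

```cisco
! Added example (not from the guide). Object names, addresses and
! interface names are constructed placeholders.
object network INSIDE_NET
 subnet 10.1.1.0 255.255.255.0
object network PAT_POOL
 range 203.0.113.10 203.0.113.13
object network SERVER1
 host 198.51.100.20
object service HTTP_SVC
 service tcp destination eq 80
!
! Section 1 rule: sources in INSIDE_NET leaving via outside are PAT'd to
! the pool addresses in round-robin order; when every port on every pool
! address is in use, the outside interface address is used (interface
! PAT fallback). The destination is paired with itself (SERVER1 -> SERVER1)
! so the server address is not changed, and only TCP/80 to that server
! matches this rule. The source port in HTTP_SVC, if any, would be ignored.
nat (inside,outside) source dynamic INSIDE_NET pat-pool PAT_POOL round-robin interface destination static SERVER1 SERVER1 service HTTP_SVC HTTP_SVC description PAT pool with interface fallback for HTTP to SERVER1
!
! Verification (privileged EXEC, not configuration mode): confirm the rule
! landed in the intended section and watch translations as the pool fills.
show nat detail
show xlate
```

Because the mapped_ifc is a specific interface (outside), the interface fallback option is valid here; with (any,any) the fallback would not be accepted.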
Cisco ASA Series Firewall CLI Configuration Guide
Dynamic PAT
4-23