Cisco ASA 5506-X Configuration Manual page 76
Cli
Hide thumbs
Also See for ASA 5506-X:
- Installation manual (46 pages) ,
- Hardware installation manual (26 pages) ,
- Quick start manual (14 pages)
Advertisement
Dynamic PAT
Destination addresses (Optional):
•
–
–
Destination port—(Optional.) Specify the service keyword along with the mapped and real service
•
objects. For identity port translation, simply use the same service object for both the real and
mapped ports.
DNS—(Optional; for a source-only rule.) The dns keyword translates DNS replies. Be sure DNS
•
inspection is enabled (it is enabled by default). You cannot configure the dns keyword if you
configure a destination address. See
Unidirectional—(Optional.) Specify unidirectional so the destination addresses cannot initiate
•
traffic to the source addresses.
Inactive—(Optional.) To make this rule inactive without having to remove the command, use the
•
inactive keyword. To reactivate it, reenter the whole command without the inactive keyword.
Description—Optional.) Provide a description up to 200 characters using the description keyword.
•
Examples
The following example configures interface PAT for inside network 192.168.1.0/24 when accessing
outside Telnet server 209.165.201.23, and Dynamic PAT using a PAT pool when accessing any server on
the 203.0.113.0/24 network.
hostname(config)# object network INSIDE_NW
hostname(config-network-object)# subnet 192.168.1.0 255.255.255.0
hostname(config)# object network PAT_POOL
hostname(config-network-object)# range 209.165.200.225 209.165.200.254
hostname(config)# object network TELNET_SVR
hostname(config-network-object)# host 209.165.201.23
hostname(config)# object service TELNET
hostname(config-service-object)# service tcp destination eq 23
hostname(config)# object network SERVERS
hostname(config-network-object)# subnet 203.0.113.0 255.255.255.0
Cisco ASA Series Firewall CLI Configuration Guide
4-24
creating PAT translations, so you are limited to 65535 ports per PAT address. For example, with
extended PAT, you can create a translation of 10.1.1.1:1027 when going to 192.168.1.7:23 as
well as a translation of 10.1.1.1:1027 when going to 192.168.1.7:80.
-- Flat range—The flat keyword enables use of the entire 1024 to 65535 port range when
allocating ports. When choosing the mapped port number for a translation, the ASA uses the
real source port number if it is available. However, without this option, if the real port is not
available, by default the mapped ports are chosen from the same range of ports as the real port
number: 1 to 511, 512 to 1023, and 1024 to 65535. To avoid running out of ports at the low
ranges, configure this setting. To use the entire range of 1 to 65535, also specify the
include-reserve keyword.
Mapped—Specify a network object or group, or for static interface NAT with port translation
only (routed mode), specify the interface keyword. If you specify ipv6, then the IPv6 address
of the interface is used. If you specify interface, be sure to also configure the service keyword.
For this option, you must configure a specific interface for the real_ifc. See
with Port Translation, page 4-29
Real—Specify a network object or group. For identity NAT, simply use the same object or group
for both the real and mapped addresses.
Chapter 4
for more information.
DNS and NAT, page 5-21
Network Address Translation (NAT
Static Interface NAT
for more information.
- Quick Links:
- Table of Contents
Hide quick links:
Advertisement
