1-4
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring Twice NAT
Default Settings
IPv4 address, then any means “any IPv6 traffic.” If you configure a rule from “any” to “any,” and
you map the source to the interface IPv4 address, then any means “any IPv4 traffic” because the
mapped interface address implies that the destination is also IPv4.
• Objects and object groups used in NAT cannot be undefined; they must include IP addresses.
• You can use the same objects in multiple rules.
• The mapped IP address pool cannot include:
– The mapped interface IP address. If you specify any interface for the rule, then all interface IP addresses are disallowed. For interface PAT (routed mode only), use the interface keyword instead of the IP address.
– (Transparent mode) The management IP address.
– (Dynamic NAT) The standby interface IP address when VPN is enabled.
– Existing VPN pool addresses.
Default Settings
• By default, the rule is added to the end of section 1 of the NAT table.
• (Routed mode) The default real and mapped interface is Any, which applies the rule to all interfaces.
• If you specify an optional interface, then the ASA uses the NAT configuration to determine the
egress interface, but you have the option to always use a route lookup instead.
Configuring Twice NAT
This section describes how to configure twice NAT. This section includes the following topics:
• Adding Network Objects for Real and Mapped Addresses, page 1-4
• (Optional) Adding Service Objects for Real and Mapped Ports, page 1-6
• Configuring Dynamic NAT, page 1-7
• Configuring Dynamic PAT (Hide), page 1-11
• Configuring Static NAT or Static NAT-with-Port-Translation, page 1-18
• Configuring Identity NAT, page 1-21
• Configuring Per-Session PAT Rules, page 1-24
Adding Network Objects for Real and Mapped Addresses
For each NAT rule, configure up to four network objects or groups for:
• Source real address
• Source mapped address
• Destination real address
• Destination mapped address
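The following is an added example, not configuration from the Cisco guide, showing the four network objects listed above feeding one static twice NAT rule, followed by a dynamic PAT rule that honors the mapped-pool restriction from the earlier section by using the interface keyword instead of the outside interface address. Object names, interface names and addresses are assumed; the addresses come from the RFC 5737 documentation ranges.

```cisco
! Added example (not from the Cisco guide). Object names, interface names
! and addresses are assumed.

! Source real: the inside host as it actually is
object network INSIDE_HOST_REAL
 host 10.1.1.10

! Source mapped: the translated address the partner sees
object network INSIDE_HOST_MAPPED
 host 203.0.113.10

! Destination real: the partner server's true address
object network PARTNER_REAL
 host 198.51.100.20

! Destination mapped: the address inside hosts use to reach the partner
object network PARTNER_MAPPED
 host 10.2.2.20

! Static twice NAT. Source objects are given real-then-mapped, destination
! objects mapped-then-real. Only traffic from INSIDE_HOST_REAL bound for
! PARTNER_MAPPED matches, and because no line number or after-auto keyword
! is given the rule is appended to the end of section 1 of the NAT table.
nat (inside,outside) source static INSIDE_HOST_REAL INSIDE_HOST_MAPPED destination static PARTNER_MAPPED PARTNER_REAL

! Dynamic PAT for the rest of the inside network. The mapped pool may not
! contain an interface IP address, so interface PAT (routed mode) uses the
! interface keyword rather than the outside interface's address.
object network INSIDE_NET
 subnet 10.1.1.0 255.255.255.0

nat (inside,outside) source dynamic INSIDE_NET interface

! Confirm object references and the resulting rule order
show running-config nat
show nat
```

Because both rules name the inside and outside interfaces explicitly, the ASA uses the NAT configuration to pick the egress interface; rules written as nat (any,any) apply to every interface, which is the routed-mode default described under Default Settings.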