Configuring identity nat – Cisco ASA 5505 User Manual

31-20

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 31 Configuring Twice NAT

Configuring Twice NAT

which host sent the packet. In this example, connections are originated from outside to inside, so the
“source” address and port of the FTP server is actually the destination address and port in the originating
packet.

hostname(config)# object service FTP_PASV_PORT_RANGE

hostname(config-service-object)# service tcp source range 65000 65004

hostname(config)# object network HOST_FTP_SERVER

hostname(config-network-object)# host 192.168.10.100

hostname(config)# nat (inside,outside) source static HOST_FTP_SERVER interface service

FTP_PASV_PORT_RANGE FTP_PASV_PORT_RANGE

Configuring Identity NAT

This section describes how to configure an identity NAT rule using twice NAT. For more information
about identity NAT, see the

“Identity NAT” section on page 29-11

.

Detailed Steps

Command

Purpose

Step 1

Network object:

object network

obj_name

{host ip_address | subnet

subnet_address netmask | range

ip_address_1 ip_address_2}

Network object group:

object-group network

grp_name

{network-object {object net_obj_name |

subnet_address netmask |

host

ip_address} |

group-object

grp_obj_name}

Example:

hostname(config)# object network MyInsNet

hostname(config-network-object)# subnet

10.1.1.0 255.255.255.0

Configure the real source addresses.

You can configure either a network object or a network object
group. For more information, see the

“Configuring Objects”

section on page 13-3

.

These are the addresses on which you want to perform identity
NAT. If you want to perform identity NAT for all addresses, you
can skip this step and instead use the keywords any any.