Cisco ASA 5505 User Manual
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 30 Configuring Network Object NAT
Configuring Network Object NAT
Examples
The following example configures dynamic PAT that hides the 192.168.2.0 network behind address 10.2.2.2:
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic 10.2.2.2
The following example configures dynamic PAT that hides the 192.168.2.0 network behind the outside interface address:
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic interface
Command / Purpose (continued)

  – Extended PAT—(8.4(3) and later, not including 8.5(1) or 8.6(1)) The extended keyword enables extended PAT. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information. Normally, the destination port and address are not considered when creating PAT translations, so you are limited to 65535 ports per PAT address. For example, with extended PAT, you can create a translation of 10.1.1.1:1027 when going to 192.168.1.7:23 as well as a translation of 10.1.1.1:1027 when going to 192.168.1.7:80.
  – Flat range—(8.4(3) and later, not including 8.5(1) or 8.6(1)) The flat keyword enables use of the entire 1024 to 65535 port range when allocating ports. When choosing the mapped port number for a translation, the ASA uses the real source port number if it is available. However, without this option, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 1 to 511, 512 to 1023, and 1024 to 65535. To avoid running out of ports at the low ranges, configure this setting. To use the entire range of 1 to 65535, also specify the include-reserve keyword.
• Interface PAT fallback—(Optional) The interface keyword enables interface PAT fallback when entered after a primary PAT address. After the primary PAT address(es) are used up, then the IP address of the mapped interface is used. For this option, you must configure a specific interface for the mapped_ifc. (You cannot specify interface in transparent mode).
• DNS—(Optional) The dns keyword translates DNS replies. Be sure DNS inspection is enabled (it is enabled by default). See the “DNS and NAT” section on page 29-24 for more information.
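The Extended PAT and Flat range descriptions above can be checked with a small model of mapped-port selection. This is an added example, not Cisco code and not from the original guide: the PatAddress class and candidate_range function are hypothetical names, and the model assumes the real source port is always tried first and that ports are otherwise handed out lowest-first.

```python
from itertools import chain

# Port ranges named on the page; mapped ports normally stay in the real port's range.
RANGES = [(1, 511), (512, 1023), (1024, 65535)]

def candidate_range(real_port, flat=False, include_reserve=False):
    """Range the mapped port is drawn from when the real port is already taken."""
    if flat:
        return (1, 65535) if include_reserve else (1024, 65535)
    for lo, hi in RANGES:
        if lo <= real_port <= hi:
            return lo, hi
    raise ValueError(f"invalid port {real_port}")

class PatAddress:
    """Hypothetical model of one PAT (mapped) address and the ports it has handed out."""

    def __init__(self, mapped_ip, extended=False, flat=False, include_reserve=False):
        self.mapped_ip = mapped_ip
        self.extended = extended
        self.flat = flat
        self.include_reserve = include_reserve
        self.in_use = set()

    def _key(self, port, dst):
        # Extended PAT adds the destination address and port to the translation
        # information, so one mapped port can be reused per destination service.
        return (port, dst) if self.extended else (port,)

    def translate(self, real_port, dst):
        """Return the mapped port for a new connection to dst=(ip, port), or None if exhausted."""
        lo, hi = candidate_range(real_port, self.flat, self.include_reserve)
        # Assumption: the real source port is always tried first, as the page states.
        for port in chain([real_port], range(lo, hi + 1)):
            key = self._key(port, dst)
            if key not in self.in_use:
                self.in_use.add(key)
                return port
        return None

if __name__ == "__main__":
    telnet, http = ("192.168.1.7", 23), ("192.168.1.7", 80)  # destinations from the page
    for ext in (False, True):
        pat = PatAddress("10.1.1.1", extended=ext)
        print("extended" if ext else "standard",
              pat.translate(1027, telnet), pat.translate(1027, http))
```

Without the flat option, a PatAddress serving only real ports below 512 returns None after 511 translations, which is the low-range exhaustion the flat keyword is meant to avoid.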