Cisco ASA 5505 User Manual
Page 625
31-19
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 31 Configuring Twice NAT
Configuring Twice NAT
Examples
The following example shows the use of static interface NAT with port translation. Hosts on the outside
access an FTP server on the inside by connecting to the outside interface IP address with destination port
65000 through 65004. The traffic is untranslated to the internal FTP server at 192.168.10.100:6500
through :65004. Note that you specify the source port range in the service object (and not the destination
port) because you want to translate the source address and port as identified in the command; the
destination port is “any.” Because static NAT is bidirectional, “source” and “destination” refers primarily
to the command keywords; the actual source and destination address and port in a packet depends on
(Continued)
•
Ports—(Optional) Specify the service keyword along with
the real and mapped service objects (see
). For source
port translation, the objects must specify the source service.
The order of the service objects in the command for source
port translation is service real_obj mapped_obj. For
destination port translation, the objects must specify the
destination service. The order of the service objects for
destination port translation is service mapped_obj real_obj.
In the rare case where you specify both the source and
destination ports in the object, the first service object contains
the real source port/mapped destination port; the second
service object contains the mapped source port/real
destination port. For identity port translation, simply use the
same service object for both the real and mapped ports
(source and/or destination ports, depending on your
configuration).
•
DNS—(Optional; for a source-only rule) The dns keyword
translates DNS replies. Be sure DNS inspection is enabled (it
is enabled by default). You cannot configure the dns keyword
if you configure a destination address. See the
for more information.
•
No Proxy ARP—(Optional) Specify no-proxy-arp to disable
proxy ARP for incoming packets to the mapped IP addresses.
See the
“Mapped Addresses and Routing” section on
for more information.
•
Inactive—(Optional) To make this rule inactive without
having to remove the command, use the inactive keyword. To
reactivate it, reenter the whole command without the inactive
keyword.
•
Description—(Optional) Provide a description up to 200
characters using the description keyword.
Command
Purpose