Cisco ASA 5505 User Manual
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 31 Configuring Twice NAT
Configuring Twice NAT
Step 5
nat [(real_ifc,mapped_ifc)] [line | {after-auto [line]}] source static {nw_obj nw_obj | any any} [destination static {mapped_obj | interface} real_obj] [service real_src_mapped_dest_svc_obj mapped_src_real_dest_svc_obj] [no-proxy-arp] [route-lookup] [inactive] [description desc]
Example:
hostname(config)# nat (inside,outside) source static MyInsNet MyInsNet destination static Server1 Server1
Configures identity NAT. See the following guidelines:
• Interfaces—(Required for transparent mode) Specify the real and mapped interfaces. Be sure to include the parentheses in your command. In routed mode, if you do not specify the real and mapped interfaces, all interfaces are used; you can also specify the keyword any for one or both of the interfaces.
• Section and Line—(Optional) By default, the NAT rule is added to the end of section 1 of the NAT table. See the “Rule Order” section on page 29-20 for more information about sections. If you want to add the rule into section 3 instead (after the network object NAT rules), then use the after-auto keyword. You can insert a rule anywhere in the applicable section using the line argument.
• Source addresses—Specify a network object, group, or the any keyword for both the real and mapped addresses (see ).
• Destination addresses (Optional):
  – Mapped—Specify a network object or group, or for static interface NAT with port translation only, specify the interface keyword (routed mode only) (see ). If you specify interface, be sure to also configure the service keyword (in this case, the service objects should include only the destination port). For this option, you must configure a specific interface for the real_ifc. See the “Static Interface NAT with Port Translation” section for more information.
  – Real—Specify a network object or group (see ).
  For identity NAT, simply use the same object or group for both the real and mapped addresses.
• Port—(Optional) Specify the service keyword along with the real and mapped service objects (see ). For source port translation, the objects must specify the source service. The order of the service objects in the command for source port translation is service real_obj mapped_obj. For destination port translation, the objects must specify the destination service. The order of the service objects for destination port translation is service mapped_obj real_obj. In the rare case where you specify both the source and destination ports in the object, the first service object contains the real source port/mapped destination port; the second service object contains the mapped source port/real destination port. For identity port translation, simply use the same service object for both the real and mapped ports (source and/or destination ports, depending on your configuration).
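
A small checker for the guidelines in this step, as an added example rather than code from the Cisco guide: it parses one twice NAT "source static" rule and reports the section it lands in, whether the destination and ports are identity-mapped, and any violation of the interface/service requirements. The function name audit_identity_nat, the result keys and the second sample rule are assumptions made for this example.

```python
import re

# Grammar of the twice NAT "source static" command as given in Step 5 above
# (after-auto is the keyword named in the Section and Line guideline).
NAT_RE = re.compile(
    r"^nat\s+(?:\((?P<real_ifc>[^,\s]+),(?P<mapped_ifc>[^)\s]+)\)\s+)?"
    r"(?:(?P<after_auto>after-auto)\s+)?(?:(?P<line>\d+)\s+)?"
    r"source\s+static\s+(?P<src_real>\S+)\s+(?P<src_mapped>\S+)"
    r"(?:\s+destination\s+static\s+(?P<dst_mapped>\S+)\s+(?P<dst_real>\S+))?"
    r"(?:\s+service\s+(?P<svc_first>\S+)\s+(?P<svc_second>\S+))?"
    r"(?P<flags>(?:\s+(?:no-proxy-arp|route-lookup|inactive))*)"
    r"(?:\s+description\s+(?P<desc>.+))?$"
)


def audit_identity_nat(rule):
    """Parse one rule and check it against the guidelines in this step."""
    m = NAT_RE.match(" ".join(rule.split()))  # tolerate wrapped commands
    if not m:
        raise ValueError("not a twice NAT 'source static' rule: %r" % rule)
    r = m.groupdict()
    findings = []
    # Identity NAT: the same object (or any any) for real and mapped source.
    if r["src_real"] != r["src_mapped"]:
        findings.append("source objects differ: rule translates, not identity NAT")
    if r["dst_mapped"] == "interface":
        # 'interface' is static interface NAT with port translation only.
        if r["svc_first"] is None:
            findings.append("destination 'interface' needs the service keyword")
        if r["real_ifc"] in (None, "any"):
            findings.append("destination 'interface' needs a specific real_ifc")
    return {
        "section": 3 if r["after_auto"] else 1,  # default is end of section 1
        "identity_destination": r["dst_mapped"] is not None
        and r["dst_mapped"] == r["dst_real"],
        "identity_ports": r["svc_first"] is not None
        and r["svc_first"] == r["svc_second"],
        "flags": r["flags"].split(),
        "findings": findings,
    }


# The page's own example, wrapped over three lines as printed.
PAGE_EXAMPLE = """nat (inside,outside)
source static MyInsNet MyInsNet
destination static Server1 Server1"""
# Constructed rule that breaks two of the guidelines above.
BAD_RULE = "nat (any,outside) after-auto source static MyInsNet MyInsNet destination static interface Server1"
```

Feed it the nat lines from a saved running configuration one at a time; rules that use other NAT types raise ValueError and can be skipped.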