Feature history for twice nat – Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 31 Configuring Twice NAT

Feature History for Twice NAT

Table 31-1 lists each feature change and the platform release in which it was implemented.

Table 31-1 Feature History for Twice NAT

| Feature Name | Platform Releases | Feature Information |
|---|---|---|
| Twice NAT | 8.3(1) | Twice NAT lets you identify both the source and destination address in a single rule. We modified or introduced the following commands: nat, show nat, show xlate, show nat pool. |
| Identity NAT configurable proxy ARP and route lookup | 8.4(2) | In earlier releases for identity NAT, proxy ARP was disabled, and a route lookup was always used to determine the egress interface. You could not configure these settings. In 8.4(2) and later, the default behavior for identity NAT was changed to match the behavior of other static NAT configurations: proxy ARP is enabled, and the NAT configuration determines the egress interface (if specified) by default. You can leave these settings as is, or you can enable or disable them discretely. Note that you can now also disable proxy ARP for regular static NAT. For pre-8.3 configurations, the migration of NAT exempt rules (the nat 0 access-list command) to 8.4(2) and later now includes the following keywords to disable proxy ARP and to use a route lookup: no-proxy-arp and route-lookup. The unidirectional keyword that was used for migrating to 8.3(2) and 8.4(1) is no longer used for migration. When upgrading to 8.4(2) from 8.3(1), 8.3(2), and 8.4(1), all identity NAT configurations will now include the no-proxy-arp and route-lookup keywords, to maintain existing functionality. The unidirectional keyword is removed. We modified the following commands: nat source static [no-proxy-arp] [route-lookup]. |
| PAT pool and round robin address assignment | 8.4(2) | You can now specify a pool of PAT addresses instead of a single address. You can also optionally enable round-robin assignment of PAT addresses instead of first using all ports on a PAT address before using the next address in the pool. These features help prevent a large number of connections from a single PAT address from appearing to be part of a DoS attack and make configuration of large numbers of PAT addresses easy. We modified the following commands: nat source dynamic [pat-pool mapped_object [round-robin]]. |
