Cisco ASA 5505 User Manual
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 1 Introduction to the Cisco ASA 5500 Series
New Features
Extended PAT for a PAT pool
Each PAT IP address allows up to 65535 ports. If 65535 ports do not provide enough translations, you can now enable extended PAT for a PAT pool. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information.
This feature is not available in 8.5(1) or 8.6(1).
Configurable timeout for PAT xlate
When a PAT xlate times out (by default after 30 seconds), and the ASA reuses the port for a new translation, some upstream routers might reject the new connection because the previous connection might still be open on the upstream device. The PAT xlate timeout is now configurable, to a value between 30 seconds and 5 minutes.
This feature is not available in 8.5(1) or 8.6(1).
Automatic NAT rules to translate a VPN peer’s local IP address back to the peer’s real IP address
In rare situations, you might want to use a VPN peer’s real IP address on the inside network instead of an assigned local IP address. Normally with VPN, the peer is given an assigned local IP address to access the inside network. However, you might want to translate the local IP address back to the peer’s real public IP address if, for example, your inside servers and network security are based on the peer’s real IP address.
You can enable this feature on one interface per tunnel group. Object NAT rules are dynamically added and deleted when the VPN session is established or disconnected. You can view the rules using the show nat command.
Note: Because of routing issues, we do not recommend using this feature unless you know you need this feature; contact Cisco TAC to confirm feature compatibility with your network. See the following limitations:
• Only supports Cisco IPsec and AnyConnect Client.
• Return traffic to the public IP addresses must be routed back to the ASA so the NAT policy and VPN policy can be applied.
• Does not support load-balancing (because of routing issues).
• Does not support roaming (public IP changing).
We introduced the following command: nat-assigned-to-public-ip interface (tunnel-group general-attributes configuration mode).
Remote Access Features
Clientless SSL VPN browser support
The ASA now supports clientless SSL VPN with Microsoft Internet Explorer 9 and Firefox 4.
Table 1-4 New Features for ASA Version 8.4(3) (continued)
Feature | Description
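
The "Extended PAT for a PAT pool" entry says the destination address and port become part of the translation information. The following Python model is an added illustration (not Cisco code and not part of the original guide) of why that raises the limit from per IP address to per service. The class name PatPool, the four-port range standing in for 65535 ports, and all addresses are constructed for the example; the protocol is left out of the key for brevity.

```python
class PatPool:
    """Toy model of one PAT pool address; an illustration, not ASA code."""

    def __init__(self, mapped_ip, ports, extended=False):
        self.mapped_ip = mapped_ip
        self.ports = list(ports)
        self.extended = extended
        self.xlates = {}  # uniqueness key -> real (src_ip, src_port)

    def _key(self, port, remote):
        # Classic PAT: a mapped port may be used once per mapped IP address.
        # Extended PAT: the destination address and port join the key, so the
        # same mapped port can be reused toward a different service.
        if self.extended:
            return (self.mapped_ip, port, remote)
        return (self.mapped_ip, port)

    def translate(self, src, dst):
        """Return the mapped (ip, port) for a new flow, or None if exhausted."""
        for port in self.ports:
            key = self._key(port, dst)
            if key not in self.xlates:
                self.xlates[key] = src
                return (self.mapped_ip, port)
        return None

    def untranslate(self, port, remote):
        """Map return traffic arriving from `remote` back to the inside host."""
        return self.xlates.get(self._key(port, remote))


# Constructed sample data: two destination services and a 4-port pool.
SERVICES = [("198.51.100.1", 443), ("198.51.100.2", 53)]


def demo(extended, flows=10):
    pool = PatPool("203.0.113.10", range(1024, 1028), extended)
    mapped = [
        pool.translate(("10.0.0.%d" % (i + 1), 40000 + i), SERVICES[i % 2])
        for i in range(flows)
    ]
    return pool, mapped


if __name__ == "__main__":
    for mode in (False, True):
        _, mapped = demo(mode)
        print("extended=%s translated=%d of %d"
              % (mode, sum(m is not None for m in mapped), len(mapped)))
```

In the extended case, return traffic to the same mapped port is told apart only by the remote address and port, which is why that pair has to be stored with each xlate.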