9-8
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 9 Network Address Translation (NAT)
Guidelines for NAT
be mapped to 201b::0.192.168.1.4 (shown with mixed notation). If the prefix is smaller, such as /64, then the IPv4 address is appended after the prefix, and a suffix of 0s is appended after the IPv4 address. You can also optionally translate the addresses net-to-net, where the first IPv4 address maps to the first IPv6 address, the second to the second, and so on.
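The two NAT46 embedding forms described above (IPv4 bits placed directly after the prefix, zero-filled to 128 bits, versus a positional net-to-net mapping) as an added Python example; this is not Cisco code, only a reproduction of the address arithmetic the guideline describes. Python prints the result in compressed hexadecimal rather than the guide's mixed notation, so 201b::0.192.168.1.4 appears as 201b::c0a8:104.

```python
import ipaddress


def nat46_embed(ipv4: str, ipv6_prefix: str) -> ipaddress.IPv6Address:
    """Embed an IPv4 address into an IPv6 prefix as the NAT46 guideline
    describes: the 32 IPv4 bits follow the prefix bits, and any remaining
    low-order bits are a suffix of zeros. For a /96 prefix the IPv4 address
    occupies the last 32 bits; for /64 it sits in bits 64..95 followed by
    32 zero bits. Prefixes longer than /96 leave no room and are rejected."""
    net = ipaddress.IPv6Network(ipv6_prefix, strict=False)
    if net.prefixlen > 96:
        raise ValueError("prefix must be /96 or shorter to embed an IPv4 address")
    v4 = int(ipaddress.IPv4Address(ipv4))
    prefix_bits = int(net.network_address)   # host bits are already zero
    zero_suffix = 128 - net.prefixlen - 32    # number of trailing zero bits
    return ipaddress.IPv6Address(prefix_bits | (v4 << zero_suffix))


def nat46_net_to_net(ipv4: str, ipv4_net: str, ipv6_net: str) -> ipaddress.IPv6Address:
    """Positional (net-to-net) mapping: the first address of the IPv4 subnet
    maps to the first address of the IPv6 network, the second to the second,
    and so on. Addresses outside the IPv4 subnet, or offsets that do not fit
    in the IPv6 network, are rejected rather than silently wrapped."""
    v4net = ipaddress.IPv4Network(ipv4_net, strict=False)
    v6net = ipaddress.IPv6Network(ipv6_net, strict=False)
    addr = ipaddress.IPv4Address(ipv4)
    if addr not in v4net:
        raise ValueError(f"{addr} is not inside {v4net}")
    offset = int(addr) - int(v4net.network_address)
    if offset >= v6net.num_addresses:
        raise ValueError(f"{v6net} is too small to hold offset {offset}")
    return v6net.network_address + offset


if __name__ == "__main__":
    # Constructed inputs: the guide's 201b:: prefix with /96 and /64 lengths,
    # and a hypothetical 2001:db8::/120 target for the net-to-net case.
    print(nat46_embed("192.168.1.4", "201b::/96"))   # 201b::c0a8:104
    print(nat46_embed("192.168.1.4", "201b::/64"))   # 201b::c0a8:104:0:0
    print(nat46_net_to_net("192.168.1.4", "192.168.1.0/24", "2001:db8::/120"))
```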
• NAT64 (IPv6-to-IPv4)—You may not have enough IPv4 addresses to accommodate the number of IPv6 addresses. We recommend using a dynamic PAT pool to provide a large number of IPv4 translations.
Additional Guidelines for NAT
• (Network object NAT only.) You can only define a single NAT rule for a given object; if you want to configure multiple NAT rules for an object, you need to create multiple objects with different names that specify the same IP address, for example, object network obj-10.10.10.1-01, object network obj-10.10.10.1-02, and so on.
• (Twice NAT only.) You cannot configure FTP destination port translation when the source IP address is a subnet (or any other application that uses a secondary connection); the FTP data channel establishment does not succeed. For example, the following configuration does not work:
  object network MyInsNet
  subnet 10.1.2.0 255.255.255.0
  object network MapInsNet
  subnet 209.165.202.128 255.255.255.224
  object network Server1
  host 209.165.200.225
  object network Server1_mapped
  host 10.1.2.67
  object service REAL_ftp
  service tcp destination eq ftp
  object service MAPPED_ftp
  service tcp destination eq 2021
  object network MyOutNet
  subnet 209.165.201.0 255.255.255.224
  nat (inside,outside) source static MyInsNet MapInsNet destination static Server1_mapped Server1 service MAPPED_ftp REAL_ftp
• If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT configuration is used, you can clear the translation table using the clear xlate command. However, clearing the translation table disconnects all current connections that use translations.
Note
If you remove a dynamic NAT or PAT rule, and then add a new rule with mapped addresses that overlap the addresses in the removed rule, then the new rule will not be used until all connections associated with the removed rule time out or are cleared using the clear xlate command. This safeguard ensures that the same address is not assigned to multiple hosts.
• Objects and object groups used in NAT cannot be undefined; they must include IP addresses.
• You cannot use an object group with both IPv4 and IPv6 addresses; the object group must include only one type of address.
• (Twice NAT only.) When using the any keyword in a NAT rule, the definition of “any” traffic (IPv4 vs. IPv6) depends on the rule. Before the ASA performs NAT on a packet, the packet must be IPv6-to-IPv6 or IPv4-to-IPv4; with this prerequisite, the ASA can determine the value of any in a NAT rule. For example, if you configure a rule from “any” to an IPv6 server, and that server was