Cisco ASA Series Firewall CLI Configuration Guide
Chapter 4 Network Address Translation (NAT)
The following example configures dynamic NAT for an IPv6 inside network 2001:DB8:AAAA::/96
when accessing servers on the IPv4 209.165.201.1/27 network as well as servers on the 203.0.113.0/24
network:
hostname(config)# object network INSIDE_NW
hostname(config-network-object)# subnet 2001:DB8:AAAA::/96
hostname(config)# object network MAPPED_1
hostname(config-network-object)# range 209.165.200.225 209.165.200.254
hostname(config)# object network MAPPED_2
hostname(config-network-object)# range 209.165.202.129 209.165.202.158
hostname(config)# object network SERVERS_1
hostname(config-network-object)# subnet 209.165.201.0 255.255.255.224
hostname(config)# object network SERVERS_2
hostname(config-network-object)# subnet 203.0.113.0 255.255.255.0
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW MAPPED_1 destination static SERVERS_1 SERVERS_1
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW MAPPED_2 destination static SERVERS_2 SERVERS_2
Dynamic PAT
The following topics describe dynamic PAT.
• Configure Dynamic Network Object PAT, page 4-20
• Configure Dynamic Twice PAT, page 4-22
• Configure Per-Session PAT or Multi-Session PAT, page 4-25
About Dynamic PAT
Dynamic PAT translates multiple real addresses to a single mapped IP address by translating the real
address and source port to the mapped address and a unique port. If available, the real source port number
is used for the mapped port. However, if the real port is not available, by default the mapped ports are
chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to 65535.
Therefore, ports below 1024 have only a small PAT pool that can be used. If you have a lot of traffic that
uses the lower port ranges, you can specify a flat range of ports to be used instead of the three
unequal-sized tiers.
Each connection requires a separate translation session because the source port differs for each
connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.
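A simplified Python model of the port selection described above, added here as an illustration; it is not Cisco code and not from the guide. The class and function names, the 192.0.2.1 mapped address, the lowest-free-port search order and the flat range passed in are assumptions.

```python
# Simplified model of dynamic PAT port selection (added illustration, not Cisco code).
# Assumptions: one mapped IP, one protocol, lowest free port is picked first.
TIERS = [(0, 511), (512, 1023), (1024, 65535)]  # tiers named in the text


class PatPool:
    def __init__(self, mapped_ip, flat_range=None):
        self.mapped_ip = mapped_ip
        self.flat_range = flat_range  # hypothetical (low, high) tuple; None = tiered
        self.xlates = {}              # (real_ip, real_port) -> mapped port
        self.in_use = set()           # mapped ports already allocated

    def _port_range(self, real_port):
        if self.flat_range:
            low, high = self.flat_range
        else:
            low, high = next(t for t in TIERS if t[0] <= real_port <= t[1])
        return range(low, high + 1)

    def translate(self, real_ip, real_port):
        key = (real_ip, real_port)
        if key in self.xlates:                      # existing session: reuse it
            return self.mapped_ip, self.xlates[key]
        ports = self._port_range(real_port)
        if real_port in ports and real_port not in self.in_use:
            mapped = real_port                      # real port is free: keep it
        else:
            mapped = next((p for p in ports if p not in self.in_use), None)
        if mapped is None:
            raise RuntimeError(f"no free mapped port in {ports.start}-{ports.stop - 1}")
        self.in_use.add(mapped)
        self.xlates[key] = mapped
        return self.mapped_ip, mapped


def hosts_served(pool, real_port, attempts):
    """Count constructed inside hosts, all using real_port, that get a translation."""
    served = 0
    for n in range(attempts):
        try:
            pool.translate(f"10.1.{n // 250}.{n % 250 + 1}", real_port)
            served += 1
        except RuntimeError:
            break
    return served
```

With the tiered default, hosts that all use a source port below 512 share only the 512 mapped ports of that tier; passing a flat range removes that ceiling in the model.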