4-30
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 4 Configuring Network Object NAT
Feature History for Network Object NAT
Automatic NAT rules to translate a VPN peer’s
local IP address back to the peer’s real IP
address
8.4(3) In rare situations, you might want to use a VPN peer’s real
IP address on the inside network instead of an assigned local
IP address. Normally with VPN, the peer is given an
assigned local IP address to access the inside network.
However, you might want to translate the local IP address
back to the peer’s real public IP address if, for example,
your inside servers and network security is based on the
peer’s real IP address.
You can enable this feature on one interface per tunnel
group. Object NAT rules are dynamically added and deleted
when the VPN session is established or disconnected. You
can view the rules using the show nat command.
Note Because of routing issues, we do not recommend
using this feature unless you know you need this
feature; contact Cisco TAC to confirm feature
compatibility with your network. See the following
limitations:
• Only supports Cisco IPsec and AnyConnect Client.
• Return traffic to the public IP addresses must be
routed back to the ASA so the NAT policy and VPN
policy can be applied.
• Does not support load-balancing (because of
routing issues).
• Does not support roaming (public IP changing).
We introduced the following command:
nat-assigned-to-public-ip interface (tunnel-group
general-attributes configuration mode).
NAT support for IPv6 9.0(1) NAT now supports IPv6 traffic, as well as translating
between IPv4 and IPv6. Translating between IPv4 and IPv6
is not supported in transparent mode.
We modified the following commands: nat (object network
configuration mode), show nat, show nat pool, show xlate.
Table 4-1 Feature History for Network Object NAT (continued)
Feature Name
Platform
Releases Feature Information