Cisco ASA Series Firewall CLI Configuration Guide
Chapter 5 Configuring Twice NAT
Guidelines and Limitations
• For routed mode, you can also translate between IPv4 and IPv6.
• For transparent mode, translating between IPv4 and IPv6 networks is not supported. Translating
between two IPv6 networks, or between two IPv4 networks is supported.
• For transparent mode, a PAT pool is not supported for IPv6.
• For static NAT, you can specify an IPv6 subnet up to /64. Larger subnets are not supported.
• When using FTP with NAT46, if an IPv4 FTP client connects to an IPv6 FTP server, the client
must use either extended passive mode (EPSV) or extended port mode (EPRT); the PASV and PORT
commands are not supported with IPv6.
Additional Guidelines
• You cannot configure FTP destination port translation (or port translation for any other
application that uses a secondary connection) when the source IP address is a subnet; the FTP data
channel establishment does not succeed. For example, the following configuration does not work:
object network MyInsNet
 subnet 10.1.2.0 255.255.255.0
object network MapInsNet
 subnet 209.165.202.128 255.255.255.224
object network Server1
 host 209.165.200.225
object network Server1_mapped
 host 10.1.2.67
object service REAL_ftp
 service tcp destination eq ftp
object service MAPPED_ftp
 service tcp destination eq 2021
object network MyOutNet
 subnet 209.165.201.0 255.255.255.224
nat (inside,outside) source static MyInsNet MapInsNet destination static Server1_mapped Server1 service MAPPED_ftp REAL_ftp
• If you change the NAT configuration, and you do not want to wait for existing translations to time
out before the new NAT information is used, you can clear the translation table using the clear xlate
command. However, clearing the translation table disconnects all current connections that use
translations.
Note If you remove a dynamic NAT or PAT rule, and then add a new rule with mapped addresses
that overlap the addresses in the removed rule, then the new rule will not be used until all
connections associated with the removed rule time out or are cleared using the clear xlate
command. This safeguard ensures that the same address is not assigned to multiple hosts.
• You cannot use an object group with both IPv4 and IPv6 addresses; the object group must include
only one type of address.
• When using the any keyword in a NAT rule, the definition of “any” traffic (IPv4 vs. IPv6) depends
on the rule. Before the ASA performs NAT on a packet, the packet must be IPv6-to-IPv6 or
IPv4-to-IPv4; with this prerequisite, the ASA can determine the value of any in a NAT rule. For
example, if you configure a rule from “any” to an IPv6 server, and that server was mapped from an
IPv4 address, then any means “any IPv6 traffic.” If you configure a rule from “any” to “any,” and
you map the source to the interface IPv4 address, then any means “any IPv4 traffic” because the
mapped interface address implies that the destination is also IPv4.
• Objects and object groups used in NAT cannot be undefined; they must include IP addresses.
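The following is an added example, not part of this guide and not Cisco code: a small Python checker that parses network and service objects from a saved ASA configuration and flags two of the twice NAT guidelines above, FTP destination port translation with a subnet source (the failing configuration shown earlier) and a static NAT IPv6 subnet larger than /64. The object names from the guide are reused; the Inside6 object and the unresolved mapped-side objects in the sample are constructed for the example.

```python
import ipaddress
import re

# Constructed sample config: the guide's failing FTP rule plus one IPv6 static rule.
SAMPLE_CONFIG = """\
object network MyInsNet
 subnet 10.1.2.0 255.255.255.0
object service REAL_ftp
 service tcp destination eq ftp
object service MAPPED_ftp
 service tcp destination eq 2021
object network Inside6
 subnet 2001:db8::/48
nat (inside,outside) source static MyInsNet MapInsNet destination static Server1_mapped Server1 service MAPPED_ftp REAL_ftp
nat (inside,outside) source static Inside6 Inside6
"""

# Groups: real source object, mapped service object, real service object (service part optional)
NAT_RE = re.compile(r"nat \(\S+\) source static (\S+) \S+(?: destination static \S+ \S+)?(?: service (\S+) (\S+))?")

def parse_objects(config):
    """Map network object names to ip_network and service object names to their port."""
    nets, svcs, cur = {}, {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["object"]:
            cur = (tok[1], tok[2])
        elif cur and tok and cur[0] == "network" and tok[0] in ("subnet", "host"):
            # IPv4 subnet is "addr mask"; IPv6 subnet and host lines are a single token
            nets[cur[1]] = ipaddress.ip_network("/".join(tok[1:]), strict=False)
        elif cur and tok and cur[0] == "service" and tok[0] == "service":
            svcs[cur[1]] = tok[-1]  # port name or number following "eq"
    return nets, svcs

def check_twice_nat(config):
    """Return guideline violations found in 'nat ... source static' rules."""
    nets, svcs = parse_objects(config)
    findings = []
    for m in NAT_RE.finditer(config):
        real_src, mapped_svc, real_svc = m.groups()
        src = nets.get(real_src)
        if src is None:
            continue
        # FTP destination port translation needs a host source, not a subnet
        if (src.num_addresses > 1 and real_svc and svcs.get(real_svc) in ("ftp", "21")
                and svcs.get(mapped_svc) != svcs.get(real_svc)):
            findings.append(f"{real_src}: FTP port translation with subnet source")
        # Static NAT supports IPv6 subnets only up to /64
        if src.version == 6 and src.prefixlen < 64:
            findings.append(f"{real_src}: IPv6 static subnet /{src.prefixlen} exceeds /64")
    return findings
```

Run the checker over a configuration exported with show running-config; rules whose source object is a single host produce no FTP finding.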