5-4
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 5 Configuring Twice NAT
Default Settings
• You can use the same objects in multiple rules.
• The mapped IP address pool cannot include:
–
The mapped interface IP address. If you specify any interface for the rule, then all interface IP
addresses are disallowed. For interface PAT (routed mode only), use the interface keyword
instead of the IP address.
–
(Transparent mode) The management IP address.
–
(Dynamic NAT) The standby interface IP address when VPN is enabled.
–
Existing VPN pool addresses.
Default Settings
• By default, the rule is added to the end of section 1 of the NAT table.
• (Routed mode) The default real and mapped interface is Any, which applies the rule to all interfaces.
• If you specify an optional interface, then the ASA uses the NAT configuration to determine the
egress interface, but you have the option to always use a route lookup instead.
Configuring Twice NAT
This section describes how to configure twice NAT. This section includes the following topics:
• Adding Network Objects for Real and Mapped Addresses, page 5-4
• (Optional) Adding Service Objects for Real and Mapped Ports, page 5-6
• Configuring Dynamic NAT, page 5-7
• Configuring Dynamic PAT (Hide), page 5-11
• Configuring Static NAT or Static NAT-with-Port-Translation, page 5-18
• Configuring Identity NAT, page 5-21
• Configuring Per-Session PAT Rules, page 5-24
Adding Network Objects for Real and Mapped Addresses
For each NAT rule, configure up to four network objects or groups for:
• Source real address
• Source mapped address
• Destination real address
• Destination mapped address
Objects are required unless you specify the any keyword inline to represent all traffic, or for some types
of NAT, the interface keyword to represent the interface address. For more information about
configuring a network object or group, see the general operations configuration guide.