Cisco Systems ASA 5505 Webcam User Manual


 
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 5 Configuring Twice NAT (ASA 8.3 and Later)
Guidelines and Limitations
IPv6 Guidelines
Supports IPv6.
For routed mode, you can also translate between IPv4 and IPv6.
For transparent mode, translating between IPv4 and IPv6 networks is not supported. Translating
between two IPv6 networks, or between two IPv4 networks, is supported.
For transparent mode, a PAT pool is not supported for IPv6.
For static NAT, you can specify an IPv6 subnet up to /64. Larger subnets are not supported.
When using FTP with NAT46, if an IPv4 FTP client connects to an IPv6 FTP server, the client
must use either the extended passive mode (EPSV) or extended port mode (EPRT); PASV and PORT
commands are not supported with IPv6.
Additional Guidelines
You cannot configure destination port translation for FTP (or any other application that uses a
secondary connection) when the source IP address is a subnet; the FTP data channel establishment
does not succeed.
If you change the NAT configuration, and you do not want to wait for existing translations to time
out before the new NAT information is used, you can clear the translation table using the clear xlate
command. However, clearing the translation table disconnects all current connections that use
translations.
Note: If you remove a dynamic NAT or PAT rule, and then add a new rule with mapped addresses
that overlap the addresses in the removed rule, then the new rule will not be used until all
connections associated with the removed rule time out or are cleared using the clear xlate
command. This safeguard ensures that the same address is not assigned to multiple hosts.
You cannot use an object group with both IPv4 and IPv6 addresses; the object group must include
only one type of address.
When using the any keyword in a NAT rule, the definition of “any” traffic (IPv4 vs. IPv6) depends
on the rule. Before the ASA performs NAT on a packet, the packet must be IPv6-to-IPv6 or
IPv4-to-IPv4; with this prerequisite, the ASA can determine the value of any in a NAT rule. For
example, if you configure a rule from “any” to an IPv6 server, and that server was mapped from an
IPv4 address, then any means “any IPv6 traffic.” If you configure a rule from “any” to “any,” and
you map the source to the interface IPv4 address, then any means “any IPv4 traffic” because the
mapped interface address implies that the destination is also IPv4.
Objects and object groups used in NAT cannot be undefined; they must include IP addresses.
You can use the same objects in multiple rules.
The mapped IP address pool cannot include:
- The mapped interface IP address. If you specify --Any-- interface for the rule, then all interface
  IP addresses are disallowed. For interface PAT (routed mode only), use the interface name
  instead of the IP address.
- (Transparent mode) The management IP address.
- (Dynamic NAT) The standby interface IP address when VPN is enabled.
- Existing VPN pool addresses.
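
The object-group, /64 and mapped-pool guidelines above can be checked before a rule is applied. The following Python sketch is an added example, not part of the Cisco guide or of ASDM; the rule dictionary layout, the name lint_nat_rule and all addresses are assumptions made for illustration, and the caller lists under "reserved" only the addresses that apply to its mode (for example, the standby address only for dynamic NAT with VPN enabled).

```python
import ipaddress

def _nets(spec):
    """Parse 'addr', 'addr/prefix' or 'first-last' into a list of networks."""
    if "-" in spec:
        first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(spec, strict=False)]

def lint_nat_rule(rule):
    """Return a list of guideline violations for one proposed NAT rule (dict)."""
    findings = []
    # Object groups must not be undefined and must hold one address family.
    for name, members in rule.get("object_groups", {}).items():
        versions = {n.version for m in members for n in _nets(m)}
        if not versions:
            findings.append(f"{name}: object group is undefined (no IP addresses)")
        elif len(versions) > 1:
            findings.append(f"{name}: mixes IPv4 and IPv6 addresses")
    # Static NAT: IPv6 subnets larger than /64 are not supported.
    if rule.get("type") == "static":
        for spec in rule.get("mapped", []):
            if any(n.version == 6 and n.prefixlen < 64 for n in _nets(spec)):
                findings.append(f"{spec}: IPv6 static NAT subnet larger than /64")
    # The mapped pool must not include interface, management, standby or VPN addresses.
    for label, specs in rule.get("reserved", {}).items():
        for r in (n for s in specs for n in _nets(s)):
            for spec in rule.get("mapped", []):
                # Compare versions first: overlaps() raises on mixed families.
                if any(n.version == r.version and n.overlaps(r) for n in _nets(spec)):
                    findings.append(f"{spec}: mapped pool includes {label} {r}")
    return findings

# Constructed sample rule using documentation address ranges (not from the guide).
SAMPLE = {
    "type": "dynamic",
    "object_groups": {"INSIDE_HOSTS": ["10.1.1.0/24", "2001:db8:1::/64"]},
    "mapped": ["192.0.2.10-192.0.2.20", "192.0.2.100"],
    "reserved": {
        "interface address": ["192.0.2.1"],
        "standby interface address": ["192.0.2.12"],
        "VPN pool": ["192.0.2.96/28"],
    },
}

if __name__ == "__main__":
    for finding in lint_nat_rule(SAMPLE):
        print(finding)
```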