Filter
Top Products
5-4
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 5 Configuring Twice NAT (ASA 8.3 and Later)
Default Settings
Default Settings
• By default, the rule is added to the end of section 1 of the NAT table.
• (Routed mode) The default real and mapped interface is Any, which applies the rule to all interfaces.
• (8.3(1), 8.3(2), and 8.4(1)) The default behavior for identity NAT has proxy ARP disabled. You
cannot configure this setting. (8.4(2) and later) The default behavior for identity NAT has proxy
ARP enabled, matching other static NAT rules. You can disable proxy ARP if desired.
• If you specify an optional interface, then the ASA uses the NAT configuration to determine the
egress interface. (8.3(1) through 8.4(1)) The only exception is for identity NAT, which always uses
a route lookup, regardless of the NAT configuration. (8.4(2) and later) For identity NAT, the default
behavior is to use the NAT configuration, but you have the option to always use a route lookup
instead.
Configuring Twice NAT
This section describes how to configure twice NAT. This section includes the following topics:
• Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool, page 5-4
• Configuring Dynamic PAT (Hide), page 5-12
• Configuring Static NAT or Static NAT-with-Port-Translation, page 5-18
• Configuring Identity NAT, page 5-24
• Configuring Per-Session PAT Rules, page 5-29
Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool
This section describes how to configure twice NAT for dynamic NAT or for dynamic PAT using a PAT
pool. For more information, see the “Dynamic NAT” section on page 3-8 or the “Dynamic PAT” section
on page 3-10.
Guidelines
For a PAT pool:
• If available, the real source port number is used for the mapped port. However, if the real port is not
available, by default the mapped ports are chosen from the same range of ports as the real port
number: 0 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only a small
PAT pool that can be used. (8.4(3) and later, not including 8.5(1) or 8.6(1)) If you have a lot of traffic
that uses the lower port ranges, you can now specify for a PAT pool a flat range of ports to be used
instead of the three unequal-sized tiers: either 1024 to 65535, or 1 to 65535.
• (8.4(3) and later, not including 8.5(1) or 8.6(1)) If you use the same PAT pool object in two separate
rules, then be sure to specify the same options for each rule. For example, if one rule specifies
extended PAT and a flat range, then the other rule must also specify extended PAT and a flat range.
For extended PAT for a PAT pool (8.4(3) and later, not including 8.5(1) or 8.6(1)):
• Many application inspections do not support extended PAT. See the “Default Settings and NAT
Limitations” section on page 10-4 in Chapter 10, “Getting Started with Application Layer Protocol
Inspection,” for a complete list of unsupported inspections.