35-21
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 35 Configuring NAT (ASA 8.2 and Earlier)
Using Dynamic NAT
Figure 35-18 Outside NAT and Inside NAT Combined
Real Addresses in a NAT Rule Must be Translated on All Lower or Same Security Interfaces
When you create a NAT rule for a group of IP addresses, you must perform NAT on that group of
addresses when they access any lower or same security level interface; you must create a global pool
with the same pool ID on each interface, or use a static rule. NAT is not required for that group when it
accesses a higher security interface. If you create an outside NAT rule, the preceding NAT
requirements apply to that group of addresses when they access all higher security interfaces.
Traffic identified by a static rule is not affected.
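The rule above can be checked against a saved configuration. The following Python script is an added example, not part of the Cisco guide: it reads ASA 8.2-style `nameif`, `security-level`, `nat` and `global` lines and reports each NAT ID that has no global pool on an interface where the rule requires one. The sample configuration is constructed, the function name `audit_nat_pools` is hypothetical, and static rules are not evaluated, so a finding may still be covered by a static rule.

```python
import re

# Constructed ASA 8.2-style sample; addresses reuse the figure labels on this page.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/2
 nameif dmz
 security-level 50
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 209.165.201.3-209.165.201.10
"""

def audit_nat_pools(config):
    """Return sorted (nat_id, real_ifc, ifc_without_pool) findings (hypothetical helper)."""
    levels, nats, pools, name = {}, [], set(), None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.match(r"security-level (\d+)", line)) and name:
            levels[name] = int(m.group(1))
        elif m := re.match(r"nat \((\S+)\) (\d+)(.*)", line):
            # The trailing "outside" keyword marks an outside NAT rule.
            is_outside = bool(re.search(r"\boutside\b", m.group(3)))
            nats.append((m.group(1), int(m.group(2)), is_outside))
        elif m := re.match(r"global \((\S+)\) (\d+) ", line):
            pools.add((m.group(1), int(m.group(2))))
    findings = set()
    for real_ifc, nat_id, is_outside in nats:
        if nat_id == 0 or real_ifc not in levels:
            continue  # NAT ID 0 uses no global pool; skip interfaces with no known level
        for ifc, level in levels.items():
            if ifc == real_ifc:
                continue
            # Regular rule: lower or same level. Outside NAT rule: higher level.
            required = level > levels[real_ifc] if is_outside else level <= levels[real_ifc]
            if required and (ifc, nat_id) not in pools:
                findings.add((nat_id, real_ifc, ifc))
    return sorted(findings)

if __name__ == "__main__":
    for nat_id, real_ifc, ifc in audit_nat_pools(SAMPLE_CONFIG):
        print(f"NAT ID {nat_id} on {real_ifc}: no global pool on {ifc}")
```

On the sample, the script reports NAT ID 1 on inside as missing a pool on dmz; adding a `global (dmz) 1` pool clears the finding.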
Managing Global Pools
Dynamic NAT uses global pools for translation. For information about how global pools work, see the
“Dynamic NAT Implementation” section on page 35-16.
To manage a global pool, perform the following steps:
Step 1 In the Configuration > Firewall > Objects > Global Pools pane, click Add to add a new pool, or select a
pool, and click Edit.
You can also manage global pools from the Add/Edit Dynamic NAT Rule dialog box by clicking
Manage.
The Add/Edit Global Address Pool dialog box appears.
[Figure 35-18 diagram. Interfaces: Outside, DMZ, Inside. Labels: Global 1: 209.165.201.3-209.165.201.10; Global 1: 10.1.2.30-10.1.2.40; Static to DMZ: 10.1.2.27, 10.1.1.5; Outside NAT 1: 10.1.1.0/24; NAT 1: 10.1.1.0/24. Hosts: 10.1.1.15, 10.1.2.27. Translation: 209.165.201.4 / 10.1.1.15. Translation: 10.1.2.30 / 10.1.1.15. Undo Translation: 10.1.2.27 / 10.1.1.5.]