Cisco Systems ASA 5540 Network Router User Manual


  Open as PDF
of 2086
 
35-27
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 35 Configuring NAT (ASA 8.2 and Earlier)
Using Static NAT
Policy NAT lets you identify real addresses for address translation by specifying the source and
destination addresses. You can also optionally specify the source and destination ports. Regular NAT can
only consider the source addresses, and not the destination. See the “Policy NAT” section on page 35-10
for more information.
Static PAT lets you translate the real IP address to a mapped IP address, as well as the real port to a
mapped port. You can choose to translate the real port to the same port, which lets you translate only
specific types of traffic, or you can take it further by translating to a different port. For applications that
require application inspection for secondary channels (for example, FTP and VoIP), the ASA
automatically translates the secondary ports. For more information about static PAT, see the “Static PAT”
section on page 35-9.
You cannot use the same real or mapped address in multiple static rules between the same two interfaces
unless you use static PAT. Do not use a mapped address in the static rule that is also defined in a global
pool for the same mapped interface.
Static identity NAT translates the real IP address to the same IP address.
This section includes the following topics:
Configuring Static NAT, PAT, or Identity NAT, page 35-27
Configuring Static Policy NAT, PAT, or Identity NAT, page 35-30
Configuring Static NAT, PAT, or Identity NAT
Figure 35-21 shows typical static NAT, static PAT, and static identity NAT scenarios. The translation is
always active so both translated and remote hosts can originate connections.
Figure 35-21 Static NAT Scenarios
To configure static NAT, PAT, or identity NAT, perform the following steps:
10.1.1.1 209.165.201.1
Inside Outside
10.1.1.2 209.165.201.2
Security
Appliance
Static NAT
Static Identity NAT
Static PAT
10.1.1.1:23 209.165.201.1:23
Inside Outside
10.1.1.2:8080 209.165.201.2:80
Security
Appliance
209.165.201.1 209.165.201.1
Inside Outside
209.165.201.2 209.165.201.2
Security
Appliance
191660