Filter
Top Products
4-17
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 4 Configuring Network Object NAT
Monitoring Network Object NAT
Detailed Steps
Examples
The following example creates a deny rule for H.323 traffic, so that it uses multi-session PAT:
ciscoasa(config)# xlate per-session deny tcp any4 209.165.201.7 eq 1720
ciscoasa(config)# xlate per-session deny udp any4 209.165.201.7 range 1718 1719
Monitoring Network Object NAT
To monitor object NAT, enter one of the following commands:
Command Purpose
xlate per-session {permit | deny} {tcp | udp}
source_ip [operator src_port] destination_ip
operator dest_port
Example:
ciscoasa(config)# xlate per-session deny tcp any4
209.165.201.3 eq 1720
Creates a permit or deny rule. This rule is placed above the default
rules, but below any other manually-created rules. Be sure to
create your rules in the order you want them applied.
For the source and destination IP addresses, you can configure the
following:
• host ip_address—Specifies an IPv4 host address.
• ip_address mask—Specifies an IPv4 network address and
subnet mask.
• ipv6-address/prefix-length—Specifies an IPv6 host or
network address and prefix.
• any4 and any6—any4 specifies only IPv4 traffic; and any6
specifies any6 traffic.
The operator matches the port numbers used by the source or
destination. The permitted operators are as follows:
• lt—less than
• gt—greater than
• eq—equal to
• neq—not equal to
• range—an inclusive range of values. When you use this
operator, specify two port numbers, for example:
range 100 200
Command Purpose
show nat
Shows NAT statistics, including hits for each NAT rule.
show nat pool
Shows NAT pool statistics, including the addresses and ports allocated,
and how many times they were allocated.