Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 5 Configuring Twice NAT (ASA 8.3 and Later)
Configuring Twice NAT
Note: The object or group cannot contain a subnet.
• Dynamic PAT using a PAT pool—To configure a PAT pool, check the PAT Pool Translated
Address check box, then click the browse button and choose an existing network object or group or
create a new object or group from the Browse Translated PAT Pool Address dialog box. Note: Leave
the Source Address field empty.
Note: The object or group cannot contain a subnet.
(Optional) For a PAT pool, configure the following options:
– To assign addresses/ports in a round-robin fashion, check the Round Robin check box. Without
round-robin, by default, all ports for a PAT address will be allocated before the next PAT address
is used. The round-robin method assigns an address/port from each PAT address in the pool
before returning to use the first address again, and then the second address, and so on.
– (8.4(3) and later, not including 8.5(1) or 8.6(1)) Check the Extend PAT uniqueness to per
destination instead of per interface check box to use extended PAT. Extended PAT uses 65535
ports per service, as opposed to per IP address, by including the destination address and port in
the translation information. Normally, the destination port and address are not considered when
creating PAT translations, so you are limited to 65535 ports per PAT address. For example, with
extended PAT, you can create a translation of 10.1.1.1:1027 when going to 192.168.1.7:23 as
well as a translation of 10.1.1.1:1027 when going to 192.168.1.7:80.
– (8.4(3) and later, not including 8.5(1) or 8.6(1)) Check the Translate TCP or UDP ports into
flat range (1024-65535) check box to use the 1024 to 65535 port range as a single flat range
when allocating ports. When choosing the mapped port number for a translation, the ASA uses
the real source port number if it is available. However, without this option, if the real port is not
available, by default the mapped ports are chosen from the same range of ports as the real port
number: 1 to 511, 512 to 1023, and 1024 to 65535. To avoid running out of ports at the low
ranges, configure this setting. To use the entire range of 1 to 65535, also check the Include
range 1 to 1023 check box.
b. (Optional, Routed Mode Only) To use the interface IP address as a backup method if the other
mapped source addresses are already allocated, check the Fall through to interface PAT check box.
To use the IPv6 interface address, also check the Use IPv6 for interface PAT check box.
The destination interface IP address is used. This option is only available if you configure a specific
Destination Interface.