4-3
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 4 Configuring Network Object NAT (ASA 8.3 and Later)
Default Settings
• When using FTP with NAT46, when an IPv4 FTP client connects to an IPv6 FTP server, the client
must use either the extended passive mode (EPSV) or extended port mode (EPRT); PASV and PORT
commands are not supported with IPv6.
Additional Guidelines
• You can only define a single NAT rule for a given object; if you want to configure multiple NAT
rules for an object, you need to create multiple objects with different names that specify the same
IP address, for example, object network obj-10.10.10.1-01, object network obj-10.10.10.1-02,
and so on.
• If you change the NAT configuration, and you do not want to wait for existing translations to time
out before the new NAT configuration is used, you can clear the translation table using the clear
xlate command. However, clearing the translation table disconnects all current connections that use
translations.
Note If you remove a dynamic NAT or PAT rule, and then add a new rule with mapped addresses
that overlap the addresses in the removed rule, then the new rule will not be used until all
connections associated with the removed rule time out or are cleared using the clear xlate
command. This safeguard ensures that the same address is not assigned to multiple hosts.
• Objects and object groups used in NAT cannot be undefined; they must include IP addresses.
• You cannot use an object group with both IPv4 and IPv6 addresses; the object group must include
only one type of address.
• You can use the same mapped object or group in multiple NAT rules.
• The mapped IP address pool cannot include:
–
The mapped interface IP address. If you specify --Any-- interface for the rule, then all interface
IP addresses are disallowed. For interface PAT (routed mode only), use the interface name
instead of the IP address.
–
(Transparent mode) The management IP address.
–
(Dynamic NAT) The standby interface IP address when VPN is enabled.
–
Existing VPN pool addresses.
• For application inspection limitations with NAT or PAT, see the “Default Settings and NAT
Limitations” section on page 10-4 in Chapter 10, “Getting Started with Application Layer Protocol
Inspection.”
Default Settings
• (Routed mode) The default real and mapped interface is Any, which applies the rule to all interfaces.
• (8.3(1), 8.3(2), and 8.4(1)) The default behavior for identity NAT has proxy ARP disabled. You
cannot configure this setting. (8.4(2) and later) The default behavior for identity NAT has proxy
ARP enabled, matching other static NAT rules. You can disable proxy ARP if desired. See the
“Routing NAT Packets” section on page 3-22 for more information.
• If you specify an optional interface, then the ASA uses the NAT configuration to determine the
egress interface. (8.3(1) through 8.4(1)) The only exception is for identity NAT, which always uses
a route lookup, regardless of the NAT configuration. (8.4(2) and later) For identity NAT, the default
behavior is to use the NAT configuration, but you have the option to always use a route lookup