Cisco ASA Series Firewall CLI Configuration Guide
Chapter 5 Configuring Twice NAT
Configuring Twice NAT
Detailed Steps
(Optional) Adding Service Objects for Real and Mapped Ports
Configure service objects for:
• Source real port (Static only) or Destination real port
• Source mapped port (Static only) or Destination mapped port
For more information about configuring a service object, see the general operations configuration guide.
Guidelines
• NAT only supports TCP or UDP. When translating a port, be sure the protocols in the real and mapped service objects are identical (both TCP or both UDP).
• The “not equal” (neq) operator is not supported.
• For identity port translation, you can use the same service object for both the real and mapped ports.
• Source Dynamic NAT—Source Dynamic NAT does not support port translation.
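The guidelines above can be checked mechanically before a configuration is deployed. The following is an added example, not code from Cisco or from this guide: a small Python linter that flags twice NAT rules whose service objects break these guidelines. It assumes the ASA `object service` / `service` and `nat ... service` command forms, which this page does not show; the sample configuration is constructed and every object name in it is hypothetical.

```python
import re

# Constructed sample config (not from the guide); every object name is hypothetical.
SAMPLE = """\
object service REAL_WEB
 service tcp source eq 8080
object service MAPPED_WEB
 service tcp source eq 80
object service REAL_DNS
 service udp destination eq 53
object service MAPPED_DNS
 service tcp destination eq 5353
object service NOT_SSH
 service tcp destination neq 22
nat (inside,outside) source static SRV SRV_PUB service REAL_WEB MAPPED_WEB
nat (inside,outside) source static H H destination static D_PUB D service REAL_DNS MAPPED_DNS
nat (inside,outside) source dynamic NET POOL destination static D_PUB D service NOT_SSH NOT_SSH
nat (inside,outside) source dynamic NET POOL destination static D_PUB D service REAL_WEB MAPPED_WEB
"""

def parse_service_objects(config):
    """Map each 'object service' name to the tokens of its 'service' line."""
    objs, name = {}, None
    for line in config.splitlines():
        if line.startswith("object service "):
            name = line.split()[2]
        elif name and line.startswith(" service "):
            objs[name] = line.split()[1:]      # e.g. ['tcp', 'source', 'eq', '8080']
        elif not line.startswith(" "):
            name = None                        # left the object's sub-mode
    return objs

def lint(config):
    """Return (line_no, message) findings for NAT lines that break the guidelines."""
    objs, out = parse_service_objects(config), []
    for no, line in enumerate(config.splitlines(), 1):
        m = re.match(r"nat \(.*\bservice (\S+) (\S+)", line)
        # Unknown object names resolve to [] and are skipped by the checks below.
        pair = [objs.get(n, []) for n in m.groups()] if m else []
        protos = {p[0] for p in pair if p}
        if protos - {"tcp", "udp"}:
            out.append((no, "service protocol is not TCP or UDP"))
        if len(protos) > 1:
            out.append((no, "real and mapped protocols differ"))
        if any("neq" in p for p in pair):
            out.append((no, "neq operator is not supported"))
        if " source dynamic " in line and any("source" in p for p in pair):
            out.append((no, "source port translation with source dynamic NAT"))
    return out
```

Calling `lint(SAMPLE)` reports lines 12, 13 and 14 of the sample and leaves the static rule on line 11 unflagged.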
Command:
  object network obj_name {host ip_address | subnet subnet_address netmask | range ip_address_1 ip_address_2}
Example:
  ciscoasa(config)# object network MyInsNet
  ciscoasa(config-network-object)# subnet 10.1.1.0 255.255.255.0
Purpose:
  Adds a network object, either IPv4 or IPv6.

Command:
  object-group network grp_name {network-object {object net_obj_name | subnet_address netmask | host ip_address} | group-object grp_obj_name}
Example:
  ciscoasa(config)# object network TEST
  ciscoasa(config-network-object)# range 10.1.1.1 10.1.1.70
  ciscoasa(config)# object network TEST2
  ciscoasa(config-network-object)# range 10.1.2.1 10.1.2.70
  ciscoasa(config-network-object)# object-group network MAPPED_IPS
  ciscoasa(config-network)# network-object object TEST
  ciscoasa(config-network)# network-object object TEST2
  ciscoasa(config-network)# network-object host 10.1.2.79
Purpose:
  Adds a network object group, either IPv4 or IPv6.