(real_ifc,mapped_ifc)
    (Optional) Specifies the real and mapped interfaces. If you do not specify the real and
    mapped interfaces, all interfaces are used. You can also specify the keyword any for one
    or both of the interfaces. For bridge group member interfaces (in transparent or routed
    mode), you must specify the real and mapped interfaces; you cannot use any.

    Because twice NAT can translate both the source and destination addresses, these
    interfaces are better understood to be the source and destination interfaces.

after-auto
    Inserts the rule at the end of section 3 of the NAT table, after the network object NAT
    rules. By default, twice NAT rules are added to section 1. You can insert a rule anywhere
    in section 3 using the line argument.

any
    (Optional) Specifies a wildcard value. The main uses for any are:

    - Interfaces—You can use any for one or both interfaces ((any,outside), for example).
      If you do not specify the interfaces, then any is the default. However, any does not
      apply to bridge group member interfaces, and any is not available in transparent mode.
    - Static NAT source real and mapped IP addresses—You can specify source static any any
      to enable identity NAT for all addresses.
    - Dynamic NAT or PAT source real addresses—You can translate all addresses on the source
      interface by specifying source dynamic any mapped_obj.

    For static NAT, although any is also available for the real source port/mapped
    destination port, or for the source or destination real address (without any as the
    mapped address), these uses might result in unpredictable behavior.

    Note: The definition of “any” traffic (IPv4 vs. IPv6) depends on the rule. Before the ASA
    performs NAT on a packet, the packet must be IPv6-to-IPv6 or IPv4-to-IPv4; with this
    prerequisite, the ASA can determine the value of any in a NAT rule. For example, if you
    configure a rule from “any” to an IPv6 server, and that server was mapped from an IPv4
    address, then any means “any IPv6 traffic.” If you configure a rule from “any” to “any,”
    and you map the source to the interface IPv4 address, then any means “any IPv4 traffic”
    because the mapped interface address implies that the destination is also IPv4.

block-allocation
    Enables port block allocation. For carrier-grade or large-scale PAT, you can allocate a
    block of ports for each host, rather than have NAT allocate one port translation at a
    time. If you allocate a block of ports, subsequent connections from the host use new
    randomly-selected ports within the block. If necessary, additional blocks are allocated
    if the host has active connections for all ports in the original block. Port blocks are
    allocated in the 1024-65535 range only. Port block allocation is compatible with
    round-robin, but you cannot use the extended or flat [include-reserve] options. You also
    cannot use interface PAT fallback.

description desc
    (Optional) Provides a description up to 200 characters.

destination
    (Optional) Configures translation for the destination address. Although the main feature
    of twice NAT is the inclusion of the destination IP address, the destination address is
    optional. If you do specify the destination address, you can configure static translation
    for that address or just use identity NAT for it. You might want to configure twice NAT
    without a destination address to take advantage of some of the other qualities of twice
    NAT, including the use of network object groups for real addresses, or manual ordering of
    rules. For more information, see the CLI configuration guide.

dns
    (Optional) Translates DNS replies. Be sure DNS inspection is enabled (inspect dns) (it is
    enabled by default). You cannot configure the dns keyword if you configure a destination
    address. Do not use this option with PAT rules. See the CLI configuration guide for more
    information.

dynamic
    Configures dynamic NAT or PAT for the source addresses. The destination translation is
    always static.

extended
    (Optional) Enables extended PAT for a PAT pool. Extended PAT uses 65535 ports per
    service, as opposed to per IP address, by including the destination address and port in
    the translation information. Normally, the destination port and address are not
    considered when creating PAT translations, so you are limited to 65535 ports per PAT
    address. For example, with extended PAT, you can create a translation of 10.1.1.1:1027
    when going to 192.168.1.7:23 as well as a translation of 10.1.1.1:1027 when going to
    192.168.1.7:80.

flat [include-reserve]
include-reserve
    (Optional, pre-9.15) Enables use of the entire 1024 to 65535 port range when allocating
    ports. When choosing the mapped port number for a translation, the ASA uses the real
    source port number if it is available. However, without this option, if the real port is
    not available, by default the mapped ports are chosen from the same range of ports as the
    real port number: 1 to 511, 512 to 1023, and 1024 to 65535. To avoid running out of ports
    at the low ranges, configure this setting. To use the entire range of 1 to 65535, also
    specify the include-reserve keyword.

    (9.15+) Starting with 9.15, flat is the default and unconfigurable behavior for a PAT
    pool. The include-reserve keyword is independent from the flat keyword, so you can still
    elect to include the reserved ports, 1-1023, in the PAT pool.

inactive
    (Optional) To make this rule inactive without having to remove the command, use the
    inactive keyword. To reactivate it, reenter the whole command without the inactive
    keyword.

interface [ipv6]
    (Optional) Uses the interface IP address as the mapped address. If you specify ipv6,
    then the IPv6 address of the interface is used.

    For the dynamic NAT source mapped address, if you specify a mapped object or group
    followed by the interface keyword, then the IP address of the mapped interface is only
    used if all other mapped addresses are already allocated.

    For dynamic PAT, you can specify interface alone for the source mapped address.

    For static NAT with port translation (source or destination), be sure to also configure
    the service keyword.

    For this option, you must configure a specific interface for the mapped_ifc. This option
    is not available in transparent mode. In routed mode, you cannot use this option if the
    destination interface is a bridge group member.

line
    (Optional) Inserts a rule anywhere in section 1 of the NAT table. By default, the NAT
    rule is added to the end of section 1 (see the CLI configuration guide for more
    information). If you want to add the rule into section 3 instead (after the network
    object NAT rules), then use the after-auto line option.

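The following configuration is an added illustration of the any wildcard together with the three rule-placement forms (line, the default end of section 1, and after-auto); it is not taken from the Cisco reference. The interface names inside and outside, the object names, and the RFC 5737 addresses are constructed for the example.

```cisco
! Constructed example: interface names, object names and addresses are assumptions.
object network INSIDE_NET
 subnet 192.0.2.0 255.255.255.0
object network PARTNER_NET
 subnet 198.51.100.0 255.255.255.0

! Section 1, line 1: identity NAT between two specific networks. Source and
! destination are each mapped to themselves, and route-lookup makes the ASA pick
! the egress interface from the routing table instead of from (inside,outside).
nat (inside,outside) 1 source static INSIDE_NET INSIDE_NET destination static PARTNER_NET PARTNER_NET route-lookup

! End of section 1 (default placement). "any" as the real interface matches packets
! arriving on any interface that leave via outside; "any" as the real address
! matches every source, which is PAT-translated to the outside interface address.
! "any" cannot be used for bridge group member interfaces or in transparent mode.
nat (any,outside) source dynamic any interface

! Section 3, after the network object NAT rules: identity NAT for everything no
! earlier rule matched. Omitting the interface pair means (any,any).
nat after-auto source static any any
```

Because section 1 is evaluated in configured order, the explicit line number on the first rule keeps it ahead of the wildcard dynamic rule even if the rules are entered in a different order; the after-auto rule is reached only by traffic that neither section 1 nor the object NAT rules in section 2 translated.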
mapped_dest_svc_obj
    (Optional) For dynamic NAT/PAT, specifies the mapped destination port (the destination
    translation is always static). See the service keyword for more information.

mapped_object
    Identifies the mapped network object or object group (object network or object-group
    network).

    For dynamic NAT, you typically configure a larger group of addresses to be mapped to a
    smaller group.

    Note: The mapped object or group cannot contain a subnet. You can share this mapped IP
    address across different dynamic NAT rules, if desired. You cannot use an object group
    with both IPv4 and IPv6 addresses; the object group must include only one type of
    address.

    For dynamic PAT, configure a group of addresses to be mapped to a single address. You
    can either translate the real addresses to a single mapped address of your choosing, or
    you can translate them to the mapped interface address. If you want to use the interface
    address, do not configure a network object for the mapped address; instead use the
    interface keyword.

    For static NAT, the mapping is typically one-to-one, so the real addresses have the same
    quantity as the mapped addresses. You can, however, have different quantities if desired.
    For more information, see the CLI configuration guide.

mapped_src_real_dest_svc_obj
    (Optional) For static NAT, specifies either the mapped source port, the real destination
    port, or both together. See the service keyword for more information.

net-to-net
    (Optional) For static NAT 46, specify net-to-net to translate the first IPv4 address to
    the first IPv6 address, the second to the second, and so on. Without this option, the
    IPv4-embedded method is used. For a one-to-one translation, you must use this keyword.

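The following NAT46 configuration is an added example, not part of the Cisco reference, covering the net-to-net keyword above and the interface ipv6 form of the interface keyword. Interface names, object names and the 2001:db8::/32 and RFC 5737 prefixes are constructed.

```cisco
! Constructed example: interface names, object names and prefixes are assumptions.
object network V4_SERVERS
 subnet 192.0.2.0 255.255.255.0
object network V6_SERVERS_MAPPED
 subnet 2001:db8:46::/120
object network V4_CLIENTS
 subnet 198.51.100.0 255.255.255.0

! Static NAT46, one-to-one. net-to-net pairs the n-th IPv4 address with the n-th
! IPv6 address (192.0.2.0 -> 2001:db8:46::, 192.0.2.1 -> 2001:db8:46::1, ...), so
! both objects are sized to 256 addresses (/24 and /120). Without net-to-net the
! IPv4 address would be embedded in the IPv6 address instead.
nat (inside,outside) source static V4_SERVERS V6_SERVERS_MAPPED net-to-net

! Dynamic NAT46: IPv4 clients are PAT-translated to the outside interface's IPv6
! address. interface requires a specific mapped interface (not any) and is not
! available in transparent mode.
nat (inside,outside) source dynamic V4_CLIENTS interface ipv6
```

The static rule is bidirectional, so an IPv6 host reaching 2001:db8:46::a is forwarded to 192.0.2.10; the dynamic rule only lets the IPv4 clients initiate connections toward IPv6 destinations.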
no-proxy-arp
    (Optional) For static NAT, disables proxy ARP for incoming packets to the mapped IP
    addresses.

pat-pool mapped_obj
    (Optional) Enables a PAT pool of addresses; all addresses in the object are used as PAT
    addresses. For dynamic NAT, you can configure the PAT pool as a fallback method. You
    cannot use an object group with both IPv4 and IPv6 addresses; the object group must
    include only one type of address.

real_dest_svc_obj
    (Optional) For dynamic NAT/PAT, specifies the real destination port (the destination
    translation is always static). See the service keyword for more information.

real_ifc
    (Optional) Specifies the name of the interface where packets may originate. For the
    source option, the real_ifc is the real interface. For the destination option, the
    real_ifc is the mapped interface.

real_object
    Identifies the real network object or object group (object network or object-group
    network). You cannot use an object group with both IPv4 and IPv6 addresses; the object
    group must include only one type of address.

real_src_mapped_dest_svc_obj
    (Optional) For static NAT, specifies either the real source port, the mapped destination
    port, or both together. See the service keyword for more information.

round-robin
    (Optional) Enables round-robin address allocation for a PAT pool. By default, all ports
    for a PAT address will be allocated before the next PAT address is used. The round-robin
    method assigns an address/port from each PAT address in the pool before returning to use
    the first address again, and then the second address, and so on.

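The following configuration is an added example, not from the Cisco reference, that brings together the dynamic-side keywords described above (interface fallback for dynamic NAT, pat-pool, round-robin, block-allocation, extended, flat and include-reserve) and shows which of them may be combined on one rule. Interface names, object names and the RFC 5737 addresses are constructed.

```cisco
! Constructed example: interface names, object names and addresses are assumptions.
object network USERS_NET
 subnet 192.0.2.0 255.255.255.0
object network GUEST_NET
 subnet 198.51.100.0 255.255.255.0
object network DYN_POOL
 range 203.0.113.20 203.0.113.29
object network PAT_POOL
 range 203.0.113.10 203.0.113.13

! Dynamic NAT: a /24 of real hosts shares ten mapped addresses. Because "interface"
! follows the mapped object, the outside interface address is used only after every
! address in DYN_POOL has been handed out.
nat (inside,outside) source dynamic USERS_NET DYN_POOL interface

! Large-scale PAT: each guest host receives a block of ports (taken from the
! 1024-65535 range only) and successive blocks come from the pool addresses in
! turn (round-robin). block-allocation cannot be combined with extended, with
! flat [include-reserve], or with interface fallback, so none of those appear here.
nat (inside,outside) source dynamic GUEST_NET pat-pool PAT_POOL round-robin block-allocation

! Alternative for GUEST_NET on releases before 9.15: extended PAT keys the
! translation on destination address and port, so one mapped address:port can be
! reused toward different destinations, and flat include-reserve allows mapped
! ports from the whole 1-65535 range. Commented out because it would match the
! same traffic as the block-allocation rule above; configure one or the other.
! nat (inside,outside) source dynamic GUEST_NET pat-pool PAT_POOL extended flat include-reserve
! On 9.15 and later flat is always in effect and is not entered; include-reserve
! is given on its own:
! nat (inside,outside) source dynamic GUEST_NET pat-pool PAT_POOL extended include-reserve
```

Both pools are plain network objects holding a range of addresses, which satisfies the requirement that a mapped object or group not contain a subnet; an object group mixing IPv4 and IPv6 addresses would be rejected for either the mapped object or the PAT pool.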
route-lookup
    (Optional) For identity NAT in routed mode, determines the egress interface using a
    route lookup instead of using the interface specified in the NAT command. If you do not
    specify interfaces in the NAT command, a route lookup is used by default.

service
    (Optional) Specifies the port translation.

    - Dynamic NAT and PAT—Dynamic NAT and PAT do not support (additional) port translation.
      However, because the destination translation is always static, you can perform port
      translation for the destination port. A service object (object service) can contain
      both a source and destination port, but only the destination port is used in this
      case. If you specify the source port, it will be ignored.
    - Static NAT with port translation—You should specify either the source or the
      destination port for both service objects. You should only specify both the source
      and destination ports if your application uses a fixed source port (such as some DNS
      servers); but fixed source ports are rare.

    For source port translation, the objects must specify the source service. The order of
    the service objects in the command in this case is service real_port mapped_port. For
    destination port translation, the objects must specify the destination service. The
    order of the service objects in this case is service mapped_port real_port. In the rare
    case where you specify both the source and destination ports in the object, the first
    service object contains the real source port/mapped destination port; the second
    service object contains the mapped source port/real destination port. See the “Usage
    Guidelines” section for more information about “source” and “destination” terminology.

    For identity port translation, simply use the same service object for both the real
    and mapped ports (source and/or destination ports, depending on your configuration).
    The “not equal” (neq) operator is not supported.

    NAT only supports TCP or UDP. When translating a port, be sure the protocols in the
    real and mapped service objects are identical (both TCP or both UDP).

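The following configuration is an added example, not from the Cisco reference, that places the service-object orderings described above side by side: source port translation (real_port mapped_port), destination port translation (mapped_port real_port), and the destination-only port translation available to dynamic rules. Interface names, object names, addresses and port numbers are constructed.

```cisco
! Constructed example: interface names, object names, addresses and ports are assumptions.

! 1. Static NAT with SOURCE port translation.
! An internal web server listens on 8080 but is published as 203.0.113.10:80. The
! server is the source of this rule, so both service objects carry a SOURCE port
! and the order is "service real_port mapped_port".
object network WEB_REAL
 host 192.0.2.10
object network WEB_MAPPED
 host 203.0.113.10
object service WEB_REAL_SVC
 service tcp source eq 8080
object service WEB_MAPPED_SVC
 service tcp source eq 80
nat (inside,outside) source static WEB_REAL WEB_MAPPED service WEB_REAL_SVC WEB_MAPPED_SVC

! 2. Static NAT with DESTINATION port translation.
! Inside clients connect to 198.51.100.5:8443; the real server is 203.0.113.20:443.
! The translated side is the destination, so both service objects carry a
! DESTINATION port and the order flips to "service mapped_port real_port". The
! source keeps an identity mapping (same object twice). Because a destination is
! configured, the dns keyword could not be added to this rule.
object network INSIDE_NET
 subnet 192.0.2.0 255.255.255.0
object network API_MAPPED
 host 198.51.100.5
object network API_REAL
 host 203.0.113.20
object service API_MAPPED_SVC
 service tcp destination eq 8443
object service API_REAL_SVC
 service tcp destination eq 443
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static API_MAPPED API_REAL service API_MAPPED_SVC API_REAL_SVC

! 3. Dynamic PAT with destination port translation.
! A dynamic rule cannot translate the source port, but its destination half is
! always static, so the same destination objects and "mapped_port real_port" order
! apply; the DMZ sources are PAT-translated to the outside interface address.
object network DMZ_NET
 subnet 10.20.0.0 255.255.255.0
nat (dmz,outside) source dynamic DMZ_NET interface destination static API_MAPPED API_REAL service API_MAPPED_SVC API_REAL_SVC

! Identity port translation would use one object in both positions, for example
! "service API_REAL_SVC API_REAL_SVC". Each pair must agree on protocol (TCP with
! TCP, UDP with UDP), and neq is not accepted in either object.
```

Getting the order wrong in rules 1 and 2 is not a syntax error; the ASA accepts the command and simply swaps real and mapped ports, so checking the resulting translation with show nat detail (or show xlate for live translations) after entering a port-translation rule is a reasonable habit.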
source
    Configures translation for the source address.

static
    Configures static NAT or static NAT with port translation.

unidirectional
    (Optional) For static NAT, makes the translation unidirectional from the source to the
    destination; the destination addresses cannot initiate traffic to the source addresses.
    This option might be useful for testing purposes.

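As a closing illustration, added here and not taken from the Cisco reference, two static rules show the remaining per-rule keywords (dns, description, unidirectional, inactive) and the constraints the reference attaches to them. Interface names, object names and the RFC 5737 addresses are constructed.

```cisco
! Constructed example: interface names, object names and addresses are assumptions.
object network MAIL_REAL
 host 192.0.2.25
object network MAIL_MAPPED
 host 203.0.113.25
object network LAB_REAL
 host 192.0.2.99
object network LAB_MAPPED
 host 203.0.113.99

! Published mail server. dns rewrites the address carried in DNS replies (DNS
! inspection is on by default). It is allowed here because the rule has no
! destination clause and is static, not PAT. description is the last keyword and
! may be up to 200 characters.
nat (inside,outside) source static MAIL_REAL MAIL_MAPPED dns description Public MX target

! Host under test. unidirectional lets 192.0.2.99 open connections through its
! mapped address, but nothing outside can initiate connections to 203.0.113.99.
! inactive keeps the rule in the configuration without applying it; to enable it,
! re-enter the whole command without the inactive keyword.
nat (inside,outside) source static LAB_REAL LAB_MAPPED unidirectional inactive description Staged, not yet live
```

Because unidirectional and no-proxy-arp occupy the same position in the static rule, a static rule uses one or the other: no-proxy-arp when the ASA should not answer ARP for the mapped address, unidirectional when inbound initiation to the mapped address must be refused.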