Configure Dynamic Network Object Pat - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
Configure Dynamic Network Object PAT

This section describes how to configure network object NAT for dynamic PAT.

Procedure

Step 1 (Optional.) Create a host or range network object (object network command), or a network object group (object-group network command), for the mapped addresses.

- Instead of using an object, you can optionally configure an inline host address or specify the interface address.
- If you use an object, the object or group cannot contain a subnet; the object must define a host, or for a PAT pool, a range; the group (for a PAT pool) can include hosts and ranges.
- For extended PAT for a PAT pool:
  - Many application inspections do not support extended PAT. See Default Inspections and NAT Limitations, page 12-6, for a complete list of unsupported inspections.
  - If you enable extended PAT for a dynamic PAT rule, then you cannot also use an address in the PAT pool as the PAT address in a separate static NAT with port translation rule. For example, if the PAT pool includes 10.1.1.1, then you cannot create a static NAT-with-port-translation rule using 10.1.1.1 as the PAT address.
  - If you use a PAT pool and specify an interface for fallback, you cannot specify extended PAT.
  - For VoIP deployments that use ICE or TURN, do not use extended PAT. ICE and TURN rely on the PAT binding being the same for all destinations.
- For round robin for a PAT pool:
  - If a host has an existing connection, then subsequent connections from that host will use the same PAT IP address if ports are available. Note: This "stickiness" does not survive a failover. If the ASA fails over, then subsequent connections from a host may not use the initial IP address.
  - Round robin, especially when combined with extended PAT, can consume a large amount of memory. Because NAT pools are created for every mapped protocol/IP address/port range, round robin results in a large number of concurrent NAT pools, which use memory. Extended PAT results in an even larger number of concurrent NAT pools.

Step 2 Create or edit the network object for which you want to configure NAT.

object network obj_name

Example:
hostname(config)# object network my-host-obj1

Step 3 (Skip when editing an object that has the right address.) Define the real IPv4 or IPv6 addresses that you want to translate.

- host {IPv4_address | IPv6_address}—The IPv4 or IPv6 address of a single host. For example, 10.1.1.1 or 2001:DB8::0DB8:800:200C:417A.
- subnet {IPv4_address IPv4_mask | IPv6_address/IPv6_prefix}—The address of a network. For IPv4 subnets, include the mask after a space, for example, 10.0.0.0 255.0.0.0. For IPv6, include the address and prefix as a single unit (no spaces), such as 2001:DB8:0:CD30::/60.

Cisco ASA Series Firewall CLI Configuration Guide, Chapter 9, Network Address Translation (NAT), page 9-20
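As an added example (not from the Cisco guide), the following Python script applies three of the Step 1 PAT-pool guidelines to an ASA object-NAT configuration: the pool object must be a host or range rather than a subnet, extended PAT cannot be combined with interface fallback, and an extended pool must not share an address with a static NAT-with-port-translation rule. The configuration fragment it checks is constructed, and its object names, interface names and addresses are assumptions; it handles only object network definitions (not object-group) and assumes static rules give the mapped address inline.

```python
import ipaddress
# Constructed ASA object-NAT fragment used as sample input (not from the guide).
SAMPLE_CONFIG = """\
object network PAT-POOL
 range 10.1.1.1 10.1.1.10
object network BAD-POOL
 subnet 10.2.2.0 255.255.255.0
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic pat-pool PAT-POOL round-robin extended
object network INSIDE-NET2
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic pat-pool BAD-POOL extended interface
object network WEB-SRV
 host 192.168.1.50
 nat (inside,outside) static 10.1.1.1 service tcp 80 80
"""

def parse_objects(config):
    """Map object name -> {"addrs": expanded host/range addresses (None for subnet), "nat": [...]}."""
    objects, cur = {}, None
    for tokens in (line.split() for line in config.splitlines()):
        if tokens[:2] == ["object", "network"]:
            cur = objects.setdefault(tokens[2], {"addrs": None, "nat": []})
        elif not tokens or cur is None:
            continue
        elif tokens[0] in ("host", "range"):  # expand to single addresses (small ranges assumed)
            lo, hi = ipaddress.ip_address(tokens[1]), ipaddress.ip_address(tokens[-1])
            cur["addrs"] = {ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)}
        elif tokens[0] == "nat":
            cur["nat"].append(tokens)
    return objects

def check_pat_pools(config):
    """Flag nat rules that break the PAT-pool guidelines; static rules must give the mapped IP inline."""
    objects, findings = parse_objects(config), []
    static_pat = {ipaddress.ip_address(n[n.index("static") + 1])
                  for o in objects.values() for n in o["nat"] if "static" in n and "service" in n}
    for name, obj in objects.items():
        for nat in obj["nat"]:
            if "pat-pool" not in nat:
                continue
            pool = objects.get(nat[nat.index("pat-pool") + 1], {"addrs": None})
            if pool["addrs"] is None:
                findings.append(f"{name}: PAT pool must be a host or range object, not a subnet")
            if "extended" in nat and "interface" in nat:
                findings.append(f"{name}: extended PAT cannot be combined with interface fallback")
            if "extended" in nat and pool["addrs"] and pool["addrs"] & static_pat:
                findings.append(f"{name}: extended PAT pool address is reused by a static PAT rule")
    return findings
```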
