Cisco ASA Series Configuration Manual page 200
Firewall cli, asa services module, and the adaptive security virtual appliance
Hide thumbs
Also See for ASA Series:
- Cli configuration manual (2164 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
History for NAT
Feature Name
Identity NAT configurable proxy ARP and route
lookup
PAT pool and round robin address assignment
Round robin PAT pool allocation uses the same
IP address for existing hosts
Cisco ASA Series Firewall CLI Configuration Guide
9-42
Platform
Releases
Description
8.4(2)/8.5(1)
In earlier releases for identity NAT, proxy ARP was
disabled, and a route lookup was always used to determine
the egress interface. You could not configure these settings.
In 8.4(2) and later, the default behavior for identity NAT
was changed to match the behavior of other static NAT
configurations: proxy ARP is enabled, and the NAT
configuration determines the egress interface (if specified)
by default. You can leave these settings as is, or you can
enable or disable them discretely. Note that you can now
also disable proxy ARP for regular static NAT.
For pre-8.3 configurations, the migration of NAT exempt
rules (the nat 0 access-list command) to 8.4(2) and later
now includes the following keywords to disable proxy ARP
and to use a route lookup: no-proxy-arp and route-lookup.
The unidirectional keyword that was used for migrating to
8.3(2) and 8.4(1) is no longer used for migration. When
upgrading to 8.4(2) from 8.3(1), 8.3(2), and 8.4(1), all
identity NAT configurations will now include the
no-proxy-arp and route-lookup keywords, to maintain
existing functionality. The unidirectional keyword is
removed.
We modified the following command: nat static
[no-proxy-arp] [route-lookup].
8.4(2)/8.5(1)
You can now specify a pool of PAT addresses instead of a
single address. You can also optionally enable round-robin
assignment of PAT addresses instead of first using all ports
on a PAT address before using the next address in the pool.
These features help prevent a large number of connections
from a single PAT address from appearing to be part of a
DoS attack and makes configuration of large numbers of
PAT addresses easy.
We modifed the following commands: nat dynamic
[pat-pool mapped_object [round-robin]] and nat source
dynamic [pat-pool mapped_object [round-robin]].
8.4(3)
When using a PAT pool with round robin allocation, if a host
has an existing connection, then subsequent connections
from that host will use the same PAT IP address if ports are
available.
We did not modify any commands.
This feature is not available in 8.5(1) or 8.6(1).
Chapter 9
Network Address Translation (NAT)
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
