Cisco ASA 5505 User Manual
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 31 Configuring Twice NAT
Configuring Twice NAT
Step 4 (Optional)

Command:

Network object:
object network obj_name
{host ip_address | subnet subnet_address netmask | range ip_address_1 ip_address_2}

Network object group:
object-group network grp_name
{network-object {object net_obj_name | subnet_address netmask | host ip_address} | group-object grp_obj_name}

Example:
hostname(config)# object network Server1_mapped
hostname(config-network-object)# host 10.1.1.67

Purpose:

Configure the mapped destination addresses.

The destination translation is always static. For identity NAT, you can skip this step and simply use the same object or group for both the real and mapped addresses.

If you want to translate the destination address, you can configure either a network object or a network object group. The static mapping is typically one-to-one, so the real addresses have the same quantity as the mapped addresses. You can, however, have different quantities if desired. For more information, see the “Static NAT” section on page 29-3.

For static interface NAT with port translation (routed mode only), you can skip this step and specify the interface keyword instead of a network object/group for the mapped address. For more information, see the “Static Interface NAT with Port Translation”.
Step 5 (Optional)

Command:

object service obj_name
service {tcp | udp} destination operator port

Example:
hostname(config)# object service REAL_SVC
hostname(config-service-object)# service tcp destination eq 80
hostname(config)# object service MAPPED_SVC
hostname(config-service-object)# service tcp destination eq 8080

Purpose:

Configure service objects for:
• Destination real port
• Destination mapped port

Dynamic PAT does not support additional port translation. However, because the destination translation is always static, you can perform port translation for the destination port. A service object can contain both a source and destination port, but only the destination port is used in this case. If you specify the source port, it will be ignored. NAT only supports TCP or UDP. When translating a port, be sure the protocols in the real and mapped service objects are identical (both TCP or both UDP). For identity NAT, you can use the same service object for both the real and mapped ports. The “not equal” (neq) operator is not supported.
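The Step 5 rules for service objects, written as a check you can run over object definitions before using them as the real and mapped destination ports. This is an added example in Python, not part of the Cisco guide; MAPPED_UDP, NEQ_SVC and SRC_SVC are constructed objects, and the parser assumes each object service and service command sits on one line, with or without a CLI prompt.

```python
import re

# Added example (not Cisco code). Constructed sample: the page's REAL_SVC and
# MAPPED_SVC objects plus three hypothetical objects that each break one rule.
SAMPLE_CONFIG = """\
object service REAL_SVC
 service tcp destination eq 80
object service MAPPED_SVC
 service tcp destination eq 8080
object service MAPPED_UDP
 service udp destination eq 8080
object service NEQ_SVC
 service tcp destination neq 23
object service SRC_SVC
 service tcp source eq 1024 destination eq 80
"""

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # e.g. "hostname(config)# "

def parse_service_objects(text):
    """Map each 'object service' name to its protocol, source flag and operator."""
    objs, current = {}, None
    for raw in text.splitlines():
        tok = PROMPT.sub("", raw.strip()).split()
        if tok[:1] in (["object"], ["object-group"]):
            current = tok[2] if tok[:2] == ["object", "service"] and len(tok) == 3 else None
        elif tok[:1] == ["service"] and current and len(tok) >= 2:
            op = tok[tok.index("destination") + 1] if "destination" in tok[:-1] else None
            objs[current] = {"proto": tok[1], "source": "source" in tok, "op": op}
    return objs

def check_pair(objs, real, mapped):
    """Return Step 5 rule violations; raises KeyError for an undefined object."""
    issues = []
    for name in (real, mapped):
        o = objs[name]
        if o["proto"] not in ("tcp", "udp"):
            issues.append(f"{name}: NAT only supports TCP or UDP")
        if o["op"] == "neq":
            issues.append(f"{name}: 'neq' operator is not supported")
        if o["source"]:
            issues.append(f"{name}: source port is ignored")
    if objs[real]["proto"] != objs[mapped]["proto"]:
        issues.append(f"{real}/{mapped}: protocols differ")
    return issues

if __name__ == "__main__":
    objs = parse_service_objects(SAMPLE_CONFIG)
    print(check_pair(objs, "REAL_SVC", "MAPPED_UDP"))
```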