31-8
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 31 Configuring Twice NAT
Configuring Twice NAT
Configuring Dynamic PAT (Hide)
This section describes how to configure twice NAT for dynamic PAT (hide). For more information, see the “Dynamic PAT” section on page 29-10.
Guidelines
For a PAT pool:
If available, the real source port number is used for the mapped port. If the real port is not available, by default the mapped port is chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, or 1024 to 65535. Therefore, ports below 1024 have only a small PAT pool that can be used. (8.4(3) and later, not including 8.5(1) or 8.6(1)) If you have a lot of traffic that uses the lower port ranges, you can instead specify a flat range of ports to be used in place of the three unequal-sized tiers: either 1024 to 65535, or 1 to 65535.
(8.4(3) and later, not including 8.5(1) or 8.6(1)) If you use the same PAT pool object in two separate rules, be sure to specify the same options for each rule. For example, if one rule specifies extended PAT and a flat range, then the other rule must also specify extended PAT and a flat range.
For extended PAT for a PAT pool (8.4(3) and later, not including 8.5(1) or 8.6(1)):
Command / Purpose (continued)
Destination addresses (Optional):
Mapped—Specify a network object or group, or for static interface NAT with port translation only, specify the interface keyword (see Step 4). If you specify interface, be sure to also configure the service keyword. For this option, you must configure a specific interface for the real_ifc. See the “Static Interface NAT with Port Translation” section on page 29-5 for more information.
Real—Specify a network object or group (see Step 3). For identity NAT, simply use the same object or group for both the real and mapped addresses.
Destination port—(Optional) Specify the service keyword along with the mapped and real service objects (see Step 5). For identity port translation, simply use the same service object for both the real and mapped ports.
DNS—(Optional; for a source-only rule) The dns keyword translates DNS replies. Be sure DNS inspection is enabled (it is enabled by default). You cannot configure the dns keyword if you configure a destination address. See the “DNS and NAT” section on page 29-24 for more information.
Inactive—(Optional) To make this rule inactive without having to remove the command, use the inactive keyword. To reactivate it, reenter the whole command without the inactive keyword.
Description—(Optional) Provide a description of up to 200 characters using the description keyword.
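The following configuration is an added example, not taken from this guide: it shows two twice NAT dynamic PAT (hide) rules that share one PAT pool object with a flat port range, one source-only rule using the dns keyword and one destination-specific rule, illustrating the guideline that both rules must carry the same pool options. All object names, addresses and the description text are constructed placeholders; the pat-pool and flat keywords are the 8.4(3)-and-later CLI options referred to in the Guidelines above.

```cisco
! Added example (not from the guide). Object names and addresses are constructed.

! Real source addresses: inside clients to be hidden behind the PAT pool
object network INSIDE_CLIENTS
 subnet 10.1.1.0 255.255.255.0

! Mapped source addresses: the PAT pool
object network PAT_POOL
 range 203.0.113.10 203.0.113.20

! Destination and service objects for the destination-specific rule
object network PARTNER_SERVER
 host 198.51.100.50
object service HTTP
 service tcp destination eq 80

! Rule 1: source-only dynamic PAT using the pool with a flat 1024-65535 port
! range instead of the three tiers. The dns keyword is permitted here
! because no destination address is configured.
nat (inside,outside) source dynamic INSIDE_CLIENTS pat-pool PAT_POOL flat dns description Hide inside clients behind PAT pool

! Rule 2: the same PAT_POOL object reused for traffic to PARTNER_SERVER, so it
! must specify the same pool options (flat) as rule 1. Destination and port
! are identity (same object for real and mapped); dns cannot be combined
! with a destination address, so it is omitted.
nat (inside,outside) source dynamic INSIDE_CLIENTS pat-pool PAT_POOL flat destination static PARTNER_SERVER PARTNER_SERVER service HTTP HTTP

! To disable rule 2 without removing it, reenter the whole command with the
! inactive keyword; reenter it again without inactive to reactivate it.
nat (inside,outside) source dynamic INSIDE_CLIENTS pat-pool PAT_POOL flat destination static PARTNER_SERVER PARTNER_SERVER service HTTP HTTP inactive
```

After applying the rules, verify the resulting translations and port usage with show nat and show xlate so that the shared pool options are confirmed to match on both rules.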