31-20
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter31 Configuring Twice NAT
Configuring Twice NAT
which host sent the packet. In this example, connections are originated from outside to inside, so the
“source” address and port of the FTP server is actually the destination address and port in the originating
packet.
hostname(config)# object service FTP_PASV_PORT_RANGE
hostname(config-service-object)# service tcp source range 65000 65004
hostname(config)# object network HOST_FTP_SERVER
hostname(config-network-object)# host 192.168.10.100
hostname(config)# nat (inside,outside) source static HOST_FTP_SERVER interface service
FTP_PASV_PORT_RANGE FTP_PASV_PORT_RANGE
Configuring Identity NAT
This section describes how to configure an identity NAT rule using twice NAT. For more information
about identity NAT, see the “Identity NAT” section on page29-11.
Detailed Steps
Command Purpose
Step1 Network object:
object network obj_name
{host ip_address | subnet
subnet_address netmask | range
ip_address_1 ip_address_2}
Network object group:
object-group network grp_name
{network-object {object net_obj_name |
subnet_address netmask |
host ip_address} |
group-object grp_obj_name}
Example:
hostname(config)# object network MyInsNet
hostname(config-network-object)# subnet
10.1.1.0 255.255.255.0
Configure the real source addresses.
You can configure either a network object or a network object
group. For more information, see the “Configuring Objects”
section on page 13-3.
These are the addresses on which you want to perform identity
NAT. If you want to perform identity NAT for all addresses, you
can skip this step and instead use the keywords any any.