4-8
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 4 Configuring Network Object NAT
Configuring Network Object NAT
• If you enable extended PAT for a dynamic PAT rule, then you cannot also use an address in the PAT pool as the PAT address in a separate static NAT-with-port-translation rule. For example, if the PAT pool includes 10.1.1.1, then you cannot create a static NAT-with-port-translation rule using 10.1.1.1 as the PAT address.
• If you use a PAT pool and specify an interface for fallback, you cannot specify extended PAT.
• For VoIP deployments that use ICE or TURN, do not use extended PAT. ICE and TURN rely on the PAT binding being the same for all destinations.
• For round robin for a PAT pool:
  – If a host has an existing connection, then subsequent connections from that host will use the same PAT IP address if ports are available. Note: This "stickiness" does not survive a failover. If the ASA fails over, then subsequent connections from a host may not use the initial IP address.
  – Round robin, especially when combined with extended PAT, can consume a large amount of memory. Because NAT pools are created for every mapped protocol/IP address/port range, round robin results in a large number of concurrent NAT pools, which use memory. Extended PAT results in an even larger number of concurrent NAT pools.
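The three PAT-pool restrictions above (no static NAT-with-port-translation on an address that belongs to an extended PAT pool, no interface fallback together with extended PAT, and the memory cost of round robin combined with extended PAT) are easy to violate across separate object blocks, because the pool object and the rules that use it live in different places in the configuration. The following Python linter is an added example, not Cisco's code and not part of the guide: it parses the network-object blocks of a saved ASA configuration, resolves each object's host, subnet or range definition, and reports rules that break those guidelines. The sample configuration embedded in it is constructed for the example; the object names and the interface pair (inside,outside) are assumptions, and only the object-NAT forms of the nat command shown in the sample are recognised.

```python
import ipaddress
import re

# Constructed sample ASA configuration (not from the guide). It contains one
# static NAT-with-port-translation rule whose mapped address sits inside an
# extended PAT pool, one pat-pool rule that combines interface fallback with
# extended PAT, and one rule that combines round-robin with extended PAT.
SAMPLE_CONFIG = """\
object network my-pat-pool
 range 10.1.1.1 10.1.1.90
object network inside-net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic pat-pool my-pat-pool round-robin extended
object network web-server
 host 192.168.1.10
 nat (inside,outside) static 10.1.1.1 service tcp 80 80
object network lab-net
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic pat-pool my-pat-pool interface extended
"""


def parse_objects(config):
    """Collect every 'object network' block as {name: {"addrs": [(lo, hi)], "nat": [line]}}.

    Addresses are stored as inclusive integer ranges so that host, subnet and
    range definitions can all be tested with a single membership check.
    """
    objects = {}
    current = None
    for raw in config.splitlines():
        if not raw.startswith(" "):
            # Top-level line: start a new object block or leave the current one.
            m = re.match(r"object network (\S+)$", raw.strip())
            current = objects.setdefault(m.group(1), {"addrs": [], "nat": []}) if m else None
            continue
        if current is None:
            continue
        tokens = raw.split()
        if tokens[0] == "host":
            ip = int(ipaddress.ip_address(tokens[1]))
            current["addrs"].append((ip, ip))
        elif tokens[0] == "subnet":
            # IPv4 uses 'subnet addr mask'; IPv6 uses 'subnet prefix/len'.
            spec = tokens[1] if len(tokens) == 2 else f"{tokens[1]}/{tokens[2]}"
            net = ipaddress.ip_network(spec, strict=False)
            current["addrs"].append((int(net.network_address), int(net.broadcast_address)))
        elif tokens[0] == "range":
            lo, hi = (int(ipaddress.ip_address(t)) for t in tokens[1:3])
            current["addrs"].append((lo, hi))
        elif tokens[0] == "nat":
            current["nat"].append(raw.strip())
    return objects


def _ip_in(addr, ranges):
    """True when the textual IP address falls inside any (lo, hi) range."""
    v = int(ipaddress.ip_address(addr))
    return any(lo <= v <= hi for lo, hi in ranges)


def check_pat_pool_rules(config):
    """Return 'error: ...' / 'warning: ...' strings for the PAT-pool guidelines."""
    objects = parse_objects(config)
    findings = []
    extended_pools = set()  # pool objects referenced with the 'extended' keyword

    # Pass 1: dynamic PAT rules that use a pool.
    for name, obj in objects.items():
        for nat in obj["nat"]:
            tokens = nat.split()
            if "dynamic" not in tokens or "pat-pool" not in tokens:
                continue
            pool = tokens[tokens.index("pat-pool") + 1]
            if "extended" in tokens:
                extended_pools.add(pool)
                if "interface" in tokens:
                    findings.append(f"error: {name}: interface fallback cannot be combined with extended PAT (pool {pool})")
                if "round-robin" in tokens:
                    findings.append(f"warning: {name}: round-robin with extended PAT creates a large number of concurrent NAT pools (pool {pool})")

    # Pass 2: static NAT-with-port-translation rules whose mapped address is
    # also a member of a pool that is used with extended PAT.
    for name, obj in objects.items():
        for nat in obj["nat"]:
            tokens = nat.split()
            if "static" not in tokens or "service" not in tokens:
                continue
            mapped = tokens[tokens.index("static") + 1]
            try:
                ipaddress.ip_address(mapped)
            except ValueError:
                continue  # mapped address given as an object name; not resolved here
            for pool in sorted(extended_pools):
                if pool in objects and _ip_in(mapped, objects[pool]["addrs"]):
                    findings.append(f"error: {name}: static NAT-with-port-translation maps to {mapped}, which is inside extended PAT pool {pool}")
    return findings


if __name__ == "__main__":
    for finding in check_pat_pool_rules(SAMPLE_CONFIG):
        print(finding)
```

Run against the embedded sample it reports three findings: a warning for inside-net (round robin plus extended), an error for lab-net (interface fallback plus extended) and an error for web-server (static port translation to 10.1.1.1, which lies inside the extended pool's 10.1.1.1-10.1.1.90 range). Feed it the output of `show running-config object network` to check a real unit; the linter deliberately ignores twice NAT (`nat ... source ...`) lines at the top level.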
Detailed Steps

Step 1  (Optional) Create a network object or group for the mapped addresses.
        See the "Adding Network Objects for Mapped Addresses" section on page 4-4.

Step 2  Command: object network obj_name
        Example:
            ciscoasa(config)# object network my-host-obj1
        Purpose: Configures a network object for which you want to configure NAT, or enters object network configuration mode for an existing network object.

Step 3  Command: {host ip_address | subnet subnet_address netmask | range ip_address_1 ip_address_2}
        Example:
            ciscoasa(config-network-object)# range 10.1.1.1 10.1.1.90
        Purpose: If you are creating a new network object, defines the real IP address(es) (either IPv4 or IPv6) that you want to translate.