Cisco ASA Series Firewall CLI Configuration Guide
Chapter 4 Configuring Network Object NAT
Configuring Network Object NAT
Example
The following example maps a host address to itself using an inline mapped address:
ciscoasa(config)# object network my-host-obj1
ciscoasa(config-network-object)# host 10.1.1.1
ciscoasa(config-network-object)# nat (inside,outside) static 10.1.1.1
Step 3
Command: {host ip_address | subnet subnet_address netmask | range ip_address_1 ip_address_2}
Example:
ciscoasa(config-network-object)# subnet 10.1.1.0 255.255.255.0
Purpose: If you are creating a new network object, defines the real IP address(es) (IPv4 or IPv6) to which you want to perform identity NAT. If you configured a network object for the mapped addresses in Step 1, then these addresses must match.
Step 4
Command: nat [(real_ifc,mapped_ifc)] static {mapped_inline_ip | mapped_obj} [no-proxy-arp] [route-lookup]
Example:
ciscoasa(config-network-object)# nat (inside,outside) static MAPPED_IPS
Purpose: Configures identity NAT for the object IP addresses.
Note: You can only define a single NAT rule for a given object. See the “Additional Guidelines” section on page 4-3.
See the following guidelines:
- Interfaces—(Required for transparent mode) Specify the real and mapped interfaces. Be sure to include the parentheses in your command. In routed mode, if you do not specify the real and mapped interfaces, all interfaces are used; you can also specify the keyword any for one or both of the interfaces.
- Mapped IP addresses—Be sure to configure the same IP address for both the mapped and real address. Use one of the following:
  - Network object—Including the same IP address as the real object (see Step 1).
  - Inline IP address—The netmask or range for the mapped network is the same as that of the real network. For example, if the real network is a host, then this address will be a host address. In the case of a range, then the mapped addresses include the same number of addresses as the real range. For example, if the real address is defined as a range from 10.1.1.1 through 10.1.1.6, and you specify 10.1.1.1 as the mapped address, then the mapped range will include 10.1.1.1 through 10.1.1.6.
- No Proxy ARP—Specify no-proxy-arp to disable proxy ARP for incoming packets to the mapped IP addresses. See the “Mapped Addresses and Routing” section on page 3-20 for more information.
- Route lookup—(Routed mode only; interface(s) specified) Specify route-lookup to determine the egress interface using a route lookup instead of using the interface specified in the NAT command. See the “Determining the Egress Interface” section on page 3-22 for more information.
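The following is an added example, not part of the Cisco guide: a Python check that reads object NAT entries from a configuration excerpt and reports whether each static rule is identity NAT, applying the mapped-address rules from Steps 3 and 4. It handles IPv4 only; the sample configuration, the object names my-net-obj, my-range-obj and shifted-range-obj, and all function names are constructed for illustration.

```python
import ipaddress

# Constructed running-config excerpt; names and addresses are sample values.
SAMPLE_CONFIG = """\
object network MAPPED_IPS
 subnet 10.1.1.0 255.255.255.0
object network my-net-obj
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) static MAPPED_IPS
object network my-range-obj
 range 10.1.1.1 10.1.1.6
 nat (inside,outside) static 10.1.1.1
object network shifted-range-obj
 range 10.1.2.1 10.1.2.6
 nat (inside,outside) static 10.1.3.1
"""

def parse_objects(config):
    """Return {name: {"addr": (first, last), "nat": mapped token or None}}."""
    objects, cur = {}, {}  # cur starts as a throwaway dict until an object opens
    for words in (l.split() for l in config.splitlines() if l.strip()):
        if words[:2] == ["object", "network"] and len(words) == 3:
            cur = objects.setdefault(words[2], {"addr": None, "nat": None})
        elif words[0] == "host":
            cur["addr"] = (ipaddress.ip_address(words[1]),) * 2
        elif words[0] == "subnet":
            net = ipaddress.ip_network(f"{words[1]}/{words[2]}")
            cur["addr"] = (net[0], net[-1])
        elif words[0] == "range":
            cur["addr"] = tuple(ipaddress.ip_address(w) for w in words[1:3])
        elif words[0] == "nat" and "static" in words[:-1]:
            cur["nat"] = words[words.index("static") + 1]
    return objects

def mapped_span(obj, objects):
    """Effective mapped (first, last) addresses of an object's static rule."""
    if obj["nat"] in objects:                      # mapped_obj form
        return objects[obj["nat"]]["addr"]
    try:
        start = ipaddress.ip_address(obj["nat"])   # mapped_inline_ip form
    except ValueError:
        return None                                # not an address or known object
    # An inline mapped address covers as many addresses as the real definition.
    return (start, start + (int(obj["addr"][1]) - int(obj["addr"][0])))

def audit_identity_nat(config):
    """Return {object name: True if the rule maps each address to itself}."""
    objects = parse_objects(config)
    return {name: obj["addr"] is not None and mapped_span(obj, objects) == obj["addr"]
            for name, obj in objects.items() if obj["nat"]}
```

Calling audit_identity_nat(SAMPLE_CONFIG) marks shifted-range-obj as not identity NAT, because its inline mapped address starts a different range of the same size.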