4-4
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter4 Configuring Network Object NAT (ASA 8.3 and Later)
Configuring Network Object NAT
instead. See the “Routing NAT Packets” section on page3-22 for more information.
Configuring Network Object NAT
This section describes how to configure network object NAT and includes the following topics:
Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool, page4-4
Configuring Dynamic PAT (Hide), page 4-9
Configuring Static NAT or Static NAT-with-Port-Translation, page 4-12
Configuring Identity NAT, page4-15
Configuring Per-Session PAT Rules, page4-19

Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool

This section describes how to configure network object NAT for dynamic NAT or for dynamic PAT using
a PAT pool. For more information, see the “Dynamic NAT” section on page3-8 or the “Dynamic PAT”
section on page 3-10.
Guidelines
For a PAT pool:
If available, the real source port number is used for the mapped port. However, if the real port is not
available, by default the mapped ports are chosen from the same range of ports as the real port
number: 0 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only a small
PAT pool that can be used. (8.4(3) and later, not including 8.5(1) or 8.6(1)) If you have a lot of traffic
that uses the lower port ranges, you can now specify for a PAT pool a flat range of ports to be used
instead of the three unequal-sized tiers: either 1024 to 65535, or 1to 65535.
If you use the same PAT pool object in two separate rules, then be sure to specify the same options
for each rule. For example, if one rule specifies extended PAT and a flat range, then the other rule
must also specify extended PAT and a flat range.
For extended PAT for a PAT pool:
Many application inspections do not support extended PAT. See the “Default Settings and NAT
Limitations” section on page10-4 in Chapter 10, “Getting Started with Application Layer Protocol
Inspection,” for a complete list of unsupported inspections.
If you enable extended PAT for a dynamic PAT rule, then you cannot also use an address in the PAT
pool as the PAT address in a separate staticNAT with port translation rule. For example, if the PAT
pool includes 10.1.1.1, then you cannot create a static NAT-with-port-translation rule using 10.1.1.1
as the PAT address.
If you use a PAT pool and specify an interface for fallback, you cannot specify extended PAT.
For VoIP deployments that use ICE or TURN, do not use extended PAT. ICE and TURN rely on the
PAT binding to be the same for all destinations.
For round robin for a PAT pool:
If a host has an existing connection, then subsequent connections from that host will use the same
PAT IP address if ports are available. Note: This “stickiness” does not survive a failover. If the ASA
fails over, then subsequent connections from a host may not use the initial IP address.