Tuesday, July 5, 2016

Adding Network Objects for Mapped Addresses on CISCO ASA

Here are some general rules for configuring the mapped addresses in NAT on the ASA. For dynamic NAT you must use a network object or object group for the mapped addresses. Other NAT types allow inline addresses, or you can create an object or group.
The guidelines and examples below cover configuring a network object or group for each NAT type.

Guidelines

A network object group can contain objects and/or inline addresses of either IPv4 or IPv6 addresses. The group cannot contain both IPv4 and IPv6 addresses; it must contain one type only.


Dynamic NAT:

– You cannot use an inline address; you must configure a network object or group.
– The object or group cannot contain a subnet; the object must define a range; the object-group can include hosts and ranges.
– If a mapped network object contains both ranges and host IP addresses, then the ranges are used for dynamic NAT, and then the host IP addresses are used as a PAT fallback.


Examples:
The following example configures dynamic NAT that hides 192.168.1.0 network behind a range of outside addresses 10.2.2.1 through 10.2.2.10:


ciscoasa(config)# object network MAP_ADD_RANGE_OBJ
ciscoasa(config-network-object)# range 10.2.2.1 10.2.2.10
ciscoasa(config-network-object)# object network INSIDE_NET_OBJ
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic MAP_ADD_RANGE_OBJ

----------------------------------------------------------------------------------------------------------

The following example configures dynamic NAT with dynamic PAT backup. Hosts on inside network 10.80.10.0 are mapped first to the MAP_ADD_RANGE_OBJ1 pool (10.10.10.10-10.10.10.20). After all addresses in the MAP_ADD_RANGE_OBJ1 pool are allocated, dynamic PAT is performed using the MAP_ADD_PAT address (10.10.10.21). 


ciscoasa(config)# object network MAP_ADD_RANGE_OBJ1
ciscoasa(config-network-object)# range 10.10.10.10 10.10.10.20

ciscoasa(config-network-object)# object network MAP_ADD_PAT
ciscoasa(config-network-object)# host 10.10.10.21

ciscoasa(config-network-object)# object-group network MAP_ADD_PAT_GRP
ciscoasa(config-network-object-group)# network-object object MAP_ADD_RANGE_OBJ1
ciscoasa(config-network-object-group)# network-object object MAP_ADD_PAT

ciscoasa(config-network-object-group)# object network INSIDE_NET
ciscoasa(config-network-object)# subnet 10.80.10.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic MAP_ADD_PAT_GRP interface

--------------------------------------------------------------------------------------------------------

Dynamic PAT (Hide):

– Instead of using an object, you can optionally configure an inline host address or specify the interface address.
– If you use an object, the object or group cannot contain a subnet; the object must define a host, or for a PAT pool, a range; the group (for a PAT pool) can include hosts and ranges.


Examples:
The following example configures dynamic PAT that hides the 192.168.1.0 network behind address 10.1.1.1:


ciscoasa(config)# object network INSIDE_NET
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic 10.1.1.1


Instead of using an inline IP address, you can create a network object for the mapped address and reference that object in the NAT configuration:

ciscoasa(config)# object network MAPP_ADD
ciscoasa(config-network-object)# host 10.1.1.1
ciscoasa(config-network-object)# object network INSIDE_NET
ciscoasa(config-network-object)# nat (inside,outside) dynamic MAPP_ADD


The following example configures dynamic PAT that hides the 192.168.1.0 network behind the outside interface address:

ciscoasa(config)# object network INSIDE_NET
ciscoasa(config-network-object)# subnet 192.168.1.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) dynamic interface

--------------------------------------------------------------------------------------------------------

Static NAT:
 
– Instead of using an object, you can configure an inline address or specify the interface address (for static NAT-with-port-translation).
– If you use an object, the object or group can contain a host, range, or subnet.
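The following is an added example, not Cisco's code and not from the original post: a small pre-deployment linter that applies the dynamic NAT, dynamic PAT and static NAT guidelines above to object NAT configuration text. It parses only the command forms shown on this page (`object network` with `host`/`range`/`subnet`, `object-group network` with `network-object`, and the object `nat` line), runs over a constructed sample config that reuses the page's object names plus an intentionally wrong BAD_POOL subnet object, and for each dynamic rule reports which members will act as the dynamic NAT pool, which will act as the PAT fallback, and any guideline violations (a subnet in a dynamic mapped object, an undefined object, or a group mixing IPv4 and IPv6). The sample config and object names are assumptions made up for this example.

```python
import ipaddress
import re

# Constructed sample ASA configuration (assumption: made up for this example).
SAMPLE_CONFIG = """
object network MAP_ADD_RANGE_OBJ1
 range 10.10.10.10 10.10.10.20
object network MAP_ADD_PAT
 host 10.10.10.21
object-group network MAP_ADD_PAT_GRP
 network-object object MAP_ADD_RANGE_OBJ1
 network-object object MAP_ADD_PAT
object network BAD_POOL
 subnet 10.20.20.0 255.255.255.0
object network INSIDE_NET
 subnet 10.80.10.0 255.255.255.0
 nat (inside,outside) dynamic MAP_ADD_PAT_GRP interface
object network INSIDE_NET2
 subnet 10.81.10.0 255.255.255.0
 nat (inside,outside) dynamic BAD_POOL
object network INSIDE_NET3
 subnet 10.82.10.0 255.255.255.0
 nat (inside,outside) dynamic 10.1.1.1
"""


def parse_config(text):
    """Parse object/object-group blocks and object NAT lines.

    objects: name -> ("host", ip) | ("range", lo, hi) | ("subnet", network)
    groups:  name -> list of ("object", name) | ("host", ip)
    rules:   list of (source_object, "dynamic"|"static", [mapped, keywords...])
    """
    objects, groups, rules = {}, {}, []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"object network (\S+)", line):
            current = ("object", m.group(1))
            continue
        if m := re.fullmatch(r"object-group network (\S+)", line):
            current = ("group", m.group(1))
            groups[m.group(1)] = []
            continue
        if not line or current is None:
            continue
        kind, name = current
        if kind == "object":
            if m := re.fullmatch(r"host (\S+)", line):
                objects[name] = ("host", ipaddress.ip_address(m.group(1)))
            elif m := re.fullmatch(r"range (\S+) (\S+)", line):
                objects[name] = ("range", ipaddress.ip_address(m.group(1)),
                                 ipaddress.ip_address(m.group(2)))
            elif m := re.fullmatch(r"subnet (\S+) (\S+)", line):
                objects[name] = ("subnet", ipaddress.ip_network(
                    f"{m.group(1)}/{m.group(2)}", strict=False))
            elif m := re.fullmatch(r"nat \(\S+,\S+\) (dynamic|static) (.+)", line):
                rules.append((name, m.group(1), m.group(2).split()))
        else:
            if m := re.fullmatch(r"network-object object (\S+)", line):
                groups[name].append(("object", m.group(1)))
            elif m := re.fullmatch(r"network-object host (\S+)", line):
                groups[name].append(("host", ipaddress.ip_address(m.group(1))))
    return objects, groups, rules


def _fmt(member):
    return f"{member[1]}-{member[2]}" if member[0] == "range" else str(member[1])


def analyze_rule(rule, objects, groups):
    """Classify the mapped members of one object NAT rule and flag violations."""
    src, mode, args = rule
    result = {"source": src, "nat_pool": [], "pat_fallback": [], "findings": []}
    if mode != "dynamic":
        return result  # static NAT: host, range and subnet objects are all permitted
    mapped = args[0]
    if mapped == "interface":
        result["pat_fallback"].append("interface")  # dynamic PAT behind the interface
        return result
    try:
        ipaddress.ip_address(mapped)  # inline host address: dynamic PAT (hide)
        result["pat_fallback"].append(mapped)
        return result
    except ValueError:
        pass
    if mapped in objects:
        members = [objects[mapped]]
    elif mapped in groups:
        members = []
        for mtype, val in groups[mapped]:
            if mtype == "host":
                members.append(("host", val))
            elif val in objects:
                members.append(objects[val])
            else:
                result["findings"].append(f"group {mapped} references undefined object {val}")
    else:
        result["findings"].append(f"mapped object/group {mapped} is not defined")
        return result
    versions = {member[1].version for member in members}
    for member in members:
        if member[0] == "subnet":
            result["findings"].append(
                f"{_fmt(member)} is a subnet; dynamic mapped objects must be a host or range")
        elif member[0] == "range":
            result["nat_pool"].append(_fmt(member))   # ranges serve dynamic NAT first
        else:
            result["pat_fallback"].append(_fmt(member))  # hosts are the PAT fallback
    if len(versions) > 1:
        result["findings"].append(f"{mapped} mixes IPv4 and IPv6 members")
    if "interface" in args[1:]:
        result["pat_fallback"].append("interface")  # interface address is the last fallback
    return result


def lint(text):
    objects, groups, rules = parse_config(text)
    return {rule[0]: analyze_rule(rule, objects, groups) for rule in rules}


if __name__ == "__main__":
    for src, res in lint(SAMPLE_CONFIG).items():
        print(src, res)
```

Run it against a saved `show running-config object` and `show running-config nat` dump before pushing a change; a non-empty `findings` list for a rule means the ASA would reject the configuration or, in the mixed-version case, behave differently from what the object names suggest.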


Source: cisco.com
