Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6 - Configuring Network Object NAT [Cisco ASA 5500-X Series Firewalls] - Cisco
Configuring Network Object NAT
All NAT rules that are configured as a parameter of a network object are considered to be network object NAT rules. Network object NAT is a quick and easy way to configure NAT for a single IP address, a range of addresses, or a subnet. After you configure the network object, you can then identify the mapped address for that object.
This chapter describes how to configure network object NAT, and it includes the following sections:
Note For detailed information about how NAT works, see
When a packet enters the ASA, both the source and destination IP addresses are checked against the network object NAT rules. The source and destination address in the packet can be translated by separate rules if separate matches are made. These rules are not tied to each other; different combinations of rules can be used depending on the traffic.
Because the rules are never paired, you cannot specify that a source address should be translated to A when going to destination X, but be translated to B when going to destination Y. Use twice NAT for that kind of functionality (twice NAT lets you identify the source and destination address in a single rule).
For detailed information about the differences between twice NAT and network object NAT, see the .
Network object NAT rules are added to section 2 of the NAT rules table. For more information about NAT ordering, see the .
The following table shows the licensing requirements for this feature:
All models: Base License.
Depending on the configuration, you can configure the mapped address inline if desired or you can create a separate network object or network object group for the mapped address (the object network or object-group network command). Network object groups are particularly useful for creating a mapped address pool with discontinuous IP address ranges or multiple hosts or subnets. To create a network object or group, see the .
For specific guidelines for objects and groups, see the configuration section for the NAT type you want to configure. See also the
Context Mode Guidelines
Supported in single and multiple context mode.
Firewall Mode Guidelines
• Supported in routed and transparent firewall mode.
• In transparent mode, you must specify the real and mapped interfaces; you cannot use any.
• In transparent mode, you cannot configure interface PAT, because the transparent mode interfaces do not have IP addresses. You also cannot use the management IP address as a mapped address.
IPv6 Guidelines
Does not support IPv6.
Additional Guidelines
• You can only define a single NAT rule for a given object; if you want to configure multiple NAT rules for an object, you need to create multiple objects with different names that specify the same IP address, for example, object network obj-10.10.10.1-01, object network obj-10.10.10.1-02, and so on.
• If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT configuration is used, you can clear the translation table using the clear xlate command. However, clearing the translation table disconnects all current connections that use translations.
Note If you remove a dynamic NAT or PAT rule, and then add a new rule with mapped addresses that overlap the addresses in the removed rule, then the new rule will not be used until all connections associated with the removed rule time out or are cleared using the clear xlate command. This safeguard ensures that the same address is not assigned to multiple hosts.
• Objects and object groups used in NAT cannot be undefined; they must include IP addresses.
• You can use the same mapped object or group in multiple NAT rules.
• The mapped IP address pool cannot include:
– The mapped interface IP address. If you specify any interface for the rule, then all interface IP addresses are disallowed. For interface PAT (routed mode only), use the interface keyword instead of the IP address.
– (Transparent mode) The management IP address.
– (Dynamic NAT) The standby interface IP address when VPN is enabled.
– Existing VPN pool addresses.
• For application inspection limitations with NAT or PAT, see the
• (Routed mode) The default real and mapped interface is Any, which applies the rule to all interfaces.
• (8.3(1), 8.3(2), and 8.4(1)) The default behavior for identity NAT has proxy ARP disabled. You cannot configure this setting. (8.4(2) and later) The default behavior for identity NAT has proxy ARP enabled, matching other static NAT rules. You can disable proxy ARP if desired. See the
for more information.
• If you specify an optional interface, then the ASA uses the NAT configuration to determine the egress interface. (8.3(1) through 8.4(1)) The only exception is for identity NAT, which always uses a route lookup, regardless of the NAT configuration. (8.4(2) and later) For identity NAT, the default behavior is to use the NAT configuration, but you have the option to always use a route lookup instead. See the
for more information.
This section describes how to configure network object NAT and includes the following topics:
This section describes how to configure network object NAT for dynamic NAT. For more information, see the .
Network object:
object network obj_name
range ip_address_1 ip_address_2
Network object group:
object-group network grp_name
{network-object {object net_obj_name | host ip_address} | group-object grp_obj_name}
hostname(config)# object network TEST
hostname(config-network-object)# range 10.1.1.1 10.1.1.70
hostname(config)# object network TEST2
hostname(config-network-object)# range 10.1.2.1 10.1.2.70
hostname(config-network-object)# object-group network MAPPED_IPS
hostname(config-network)# network-object object TEST
hostname(config-network)# network-object object TEST2
hostname(config-network)# network-object host 10.1.2.79
To specify the mapped addresses (that you want to translate to), configure a network object or network object group. A network object group can contain objects and/or inline addresses.
Note The object or group cannot contain a subnet.
If a mapped network object contains both ranges and host IP addresses, then the ranges are used for dynamic NAT, and then the host IP addresses are used as a PAT fallback.
for information about disallowed mapped IP addresses.
For more information about configuring a network object or group, see the .
object network obj_name
hostname(config)# object network my-host-obj1
Configures a network object for which you want to configure NAT, or enters object network configuration mode for an existing network object.
{host ip_address | subnet subnet_address netmask | range ip_address_1 ip_address_2}
hostname(config-network-object)# subnet 10.1.1.0 255.255.255.0
If you are creating a new network object, defines the real IP address(es) that you want to translate.
nat [(real_ifc,mapped_ifc)] dynamic mapped_obj [interface] [dns]
hostname(config-network-object)# nat (inside,outside) dynamic MAPPED_IPS interface
Configures dynamic NAT for the object IP addresses.
Note You can only define a single NAT rule for a given object. See the .
See the following guidelines:
• Interfaces—(Required for transparent mode) Specify the real and mapped interfaces. Be sure to include the parentheses in your command. In routed mode, if you do not specify the real and mapped interfaces, all interfaces are used; you can also specify the keyword any for one or both of the interfaces.
• Mapped IP address—Specify the mapped IP address as:
– An existing network object (see ).
– An existing network object group (see ).
• Interface PAT fallback—(Optional) The interface keyword enables interface PAT fallback. After the mapped IP addresses are used up, then the IP address of the mapped interface is used. For this option, you must configure a specific interface for the mapped_ifc. (You cannot specify interface in transparent mode).
• DNS—(Optional) The dns keyword translates DNS replies. Be sure DNS inspection is enabled (it is enabled by default). See the
for more information.
The following example configures dynamic NAT that hides the 192.168.2.0 network behind a range of outside addresses 10.2.2.1 through 10.2.2.10:
hostname(config)# object network my-range-obj
hostname(config-network-object)# range 10.2.2.1 10.2.2.10
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic my-range-obj
The following example configures dynamic NAT with dynamic PAT backup. Hosts on inside network 10.76.11.0 are mapped first to the nat-range1 pool (10.10.10.10-10.10.10.20). After all addresses in the nat-range1 pool are allocated, dynamic PAT is performed using the pat-ip1 address (10.10.10.21). In the unlikely event that the PAT translations are also used up, dynamic PAT is performed using the outside interface address.
hostname(config)# object network nat-range1
hostname(config-network-object)# range 10.10.10.10 10.10.10.20
hostname(config-network-object)# object network pat-ip1
hostname(config-network-object)# host 10.10.10.21
hostname(config-network-object)# object-group network nat-pat-grp
hostname(config-network-object)# network-object object nat-range1
hostname(config-network-object)# network-object object pat-ip1
hostname(config-network-object)# object network my_net_obj5
hostname(config-network-object)# subnet 10.76.11.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic nat-pat-grp interface
This section describes how to configure network object NAT for dynamic PAT (hide). For more information, see the .
For a PAT pool:
• If available, the real source port number is used for the mapped port. However, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only a small PAT pool that can be used. (8.4(3) and later, not including 8.5(1) or 8.6(1)) If you have a lot of traffic that uses the lower port ranges, you can now specify a flat range of ports to be used instead of the three unequal-sized tiers: either 1024 to 65535, or 1 to 65535.
• (8.4(3) and later, not including 8.5(1) or 8.6(1)) If you use the same PAT pool object in two separate rules, then be sure to specify the same options for each rule. For example, if one rule specifies extended PAT and a flat range, then the other rule must also specify extended PAT and a flat range.
For extended PAT for a PAT pool (8.4(3) and later, not including 8.5(1) or 8.6(1)):
• Many application inspections do not support extended PAT. See the
for a complete list of unsupported inspections.
• If you enable extended PAT for a dynamic PAT rule, then you cannot also use an address in the PAT pool as the PAT address in a separate static NAT-with-port-translation rule. For example, if the PAT pool includes 10.1.1.1, then you cannot create a static NAT-with-port-translation rule using 10.1.1.1 as the PAT address.
• If you use a PAT pool and specify an interface for fallback, you cannot specify extended PAT.
• For VoIP deployments that use ICE or TURN, do not use extended PAT. ICE and TURN rely on the PAT binding to be the same for all destinations.
For round robin for a PAT pool:
• (8.4(3) and later, not including 8.5(1) or 8.6(1)) If a host has an existing connection, then subsequent connections from that host will use the same PAT IP address if ports are available. Note: This "stickiness" does not survive a failover. If the ASA fails over, then subsequent connections from a host may not use the initial IP address.
• (8.4(2), 8.5(1), and 8.6(1)) If a host has an existing connection, then subsequent connections from that host will likely use different PAT addresses for each connection because of the round robin allocation. In this case, you may have problems when accessing two websites that exchange information about the host, for example an e-commerce site and a payment site. When these sites see two different IP addresses for what is supposed to be a single host, the transaction may fail.
• Round robin, especially when combined with extended PAT, can consume a large amount of memory. Because NAT pools are created for every mapped protocol/IP address/port range, round robin results in a large number of concurrent NAT pools, which use memory. Extended PAT results in an even larger number of concurrent NAT pools.
(Optional)
Network object:
object network obj_name
{host ip_address | range ip_address_1 ip_address_2}
Network object group:
object-group network grp_name
{network-object {object net_obj_name | host ip_address} | group-object grp_obj_name}
hostname(config)# object network PAT_POOL1
hostname(config-network-object)# range 10.5.1.80 10.7.1.80
hostname(config)# object network PAT_POOL2
hostname(config-network-object)# range 10.9.1.1 10.10.1.1
hostname(config)# object network PAT_IP
hostname(config-network-object)# host 10.5.1.79
hostname(config-network-object)# object-group network PAT_POOLS
hostname(config-network)# network-object object PAT_POOL1
hostname(config-network)# network-object object PAT_POOL2
hostname(config-network)# network-object object PAT_IP
Specify the mapped address(es) (that you want to translate to). You can configure a single address or, for a PAT pool, multiple addresses. Configure a network object or network object group. A network object group can contain objects and/or inline addresses. Alternatively, you can skip this step if you want to enter a single IP address as an inline value for the nat command or if you want to use the interface address by specifying the interface keyword.
For mapped addresses used as a PAT pool, all addresses in the object or group, including ranges, are used as PAT addresses.
Note The object or group cannot contain a subnet.
for information about disallowed mapped IP addresses.
For more information about configuring a network object or group, see the .
object network obj_name
hostname(config)# object network my-host-obj1
Configures a network object for which you want to configure NAT, or enters object network configuration mode for an existing network object.
{host ip_address | subnet subnet_address netmask | range ip_address_1 ip_address_2}
hostname(config-network-object)# range 10.1.1.1 10.1.1.90
If you are creating a new network object, defines the real IP address(es) that you want to translate.
nat [(real_ifc,mapped_ifc)] dynamic {mapped_inline_host_ip | mapped_obj | pat-pool mapped_obj [round-robin] [extended] [flat [include-reserve]] | interface} [interface] [dns]
hostname(config-network-object)# nat (any,outside) dynamic interface
Configures dynamic PAT for the object IP addresses. You can only define a single NAT rule for a given object. See the .
See the following guidelines:
• Interfaces—(Required for transparent mode) Specify the real and mapped interfaces. Be sure to include the parentheses in your command. In routed mode, if you do not specify the real and mapped interfaces, all interfaces are used; you can also specify the keyword any for one or both of the interfaces.
• Mapped IP address—You can specify the mapped IP address as:
– An inline host address.
– An existing network object that is defined as a host address (see ).
– pat-pool—An existing network object or group that contains multiple addresses.
– interface—(Routed mode only) The IP address of the mapped interface is used as the mapped address. For this option, you must configure a specific interface for the mapped_ifc. You must use this keyword when you want to use the interface IP address; you cannot enter it inline or as an object.
• For a PAT pool, you can specify one or more of the following options:
– Round robin—The round-robin keyword enables round-robin address allocation for a PAT pool. Without round robin, by default all ports for a PAT address will be allocated before the next PAT address is used. The round-robin method assigns an address/port from each PAT address in the pool before returning to use the first address again, and then the second address, and so on.
– Extended PAT—(8.4(3) and later, not including 8.5(1) or 8.6(1)) The extended keyword enables extended PAT. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information. Normally, the destination port and address are not considered when creating PAT translations, so you are limited to 65535 ports per PAT address. For example, with extended PAT, you can create a translation of 10.1.1.1:1027 when going to 192.168.1.7:23 as well as a translation of 10.1.1.1:1027 when going to 192.168.1.7:80.
– Flat range—(8.4(3) and later, not including 8.5(1) or 8.6(1)) The flat keyword enables use of the entire 1024 to 65535 port range when allocating ports. When choosing the mapped port number for a translation, the ASA uses the real source port number if it is available. However, without this option, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 1 to 511, 512 to 1023, and 1024 to 65535. To avoid running out of ports at the low ranges, configure this setting. To use the entire range of 1 to 65535, also specify the include-reserve keyword.
• Interface PAT fallback—(Optional) The interface keyword enables interface PAT fallback when entered after a primary PAT address. After the primary PAT address(es) are used up, then the IP address of the mapped interface is used. For this option, you must configure a specific interface for the mapped_ifc. (You cannot specify interface in transparent mode).
• DNS—(Optional) The dns keyword translates DNS replies. Be sure DNS inspection is enabled (it is enabled by default). See the
for more information.
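The round-robin and extended PAT pool options described above can be compared with a small model. This is an added example, not Cisco code and not the ASA's implementation: the PatPool class, the inside host addresses, the two-address pool and the six-port range are constructed for illustration, and the three port tiers are not modelled.

```python
class PatPool:
    """Toy model of a PAT pool; not the ASA's actual implementation."""

    def __init__(self, addresses, ports, round_robin=False, extended=False):
        self.addresses = list(addresses)
        self.ports = list(ports)      # one flat port range (tiers are not modelled)
        self.round_robin = round_robin
        self.extended = extended
        self.in_use = set()           # translation keys currently allocated
        self.sticky = {}              # real host -> PAT address it already uses
        self.turn = 0                 # round-robin position

    def _key(self, addr, port, dst):
        # Regular PAT: one translation per (PAT address, port).
        # Extended PAT: the destination address and port are part of the key.
        return (addr, port, dst) if self.extended else (addr, port)

    def _address_order(self, real_ip):
        if not self.round_robin:
            return self.addresses     # exhaust the first address before the next
        if real_ip in self.sticky:    # 8.4(3)+ behaviour: reuse the host's address
            first = self.sticky[real_ip]
            return [first] + [a for a in self.addresses if a != first]
        i = self.turn % len(self.addresses)
        self.turn += 1
        return self.addresses[i:] + self.addresses[:i]

    def allocate(self, real_ip, real_port, dst):
        """Return (mapped_ip, mapped_port), or None when the pool is exhausted."""
        for addr in self._address_order(real_ip):
            # Stable sort: the real source port first, then the rest in order.
            for port in sorted(self.ports, key=lambda p: p != real_port):
                key = self._key(addr, port, dst)
                if key not in self.in_use:
                    self.in_use.add(key)
                    self.sticky.setdefault(real_ip, addr)
                    return addr, port
        return None


def demo_extended():
    """Two inside hosts, same source port 1027, destinations from the guide's example."""
    dsts = [("192.168.1.7", 23), ("192.168.1.7", 80)]
    results = {}
    for extended in (False, True):
        pool = PatPool(["10.1.1.1"], range(1024, 1030), extended=extended)
        results[extended] = [
            pool.allocate(f"10.76.11.{n}", 1027, dsts[n - 1]) for n in (1, 2)
        ]
    return results


def demo_round_robin():
    """PAT address chosen for four connections; the last is a repeat host."""
    hosts = ["10.76.11.1", "10.76.11.2", "10.76.11.3", "10.76.11.1"]
    results = {}
    for rr in (False, True):
        pool = PatPool(["10.5.1.80", "10.5.1.81"], range(1024, 1030), round_robin=rr)
        results[rr] = [
            pool.allocate(h, 1024 + i, ("192.168.1.7", 80))[0]
            for i, h in enumerate(hosts)
        ]
    return results


if __name__ == "__main__":
    print(demo_extended())
    print(demo_round_robin())
```

Without extended PAT the second host cannot reuse 10.1.1.1:1027 and is moved to another port; with it, both translations coexist because the destinations differ.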
The following example configures dynamic PAT that hides the 192.168.2.0 network behind address 10.2.2.2:
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic 10.2.2.2
The following example configures dynamic PAT that hides the 192.168.2.0 network behind the outside interface address:
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic interface
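Several of the guidelines above can be checked mechanically before a candidate configuration is pasted into the ASA: one NAT rule per object, no subnet in a mapped object or group for dynamic NAT or PAT, no extended PAT together with interface fallback, and identical options wherever a PAT pool object is reused. The following linter is an added example, not a Cisco tool; the sample configuration, object names and finding labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed candidate configuration that deliberately breaks the guidelines.
SAMPLE_CONFIG = """\
object network POOL_A
 range 10.5.1.80 10.5.1.90
object network BAD_POOL
 subnet 10.9.0.0 255.255.0.0
object-group network MIXED
 network-object object POOL_A
 network-object 10.8.0.0 255.255.0.0
object network inside-net-1
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic pat-pool POOL_A round-robin extended flat
object network inside-net-2
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic pat-pool POOL_A round-robin
object network inside-net-3
 subnet 192.168.3.0 255.255.255.0
 nat (inside,outside) dynamic pat-pool POOL_A round-robin extended flat interface
object network inside-net-4
 subnet 192.168.4.0 255.255.255.0
 nat (inside,outside) dynamic BAD_POOL
 nat (inside,outside) static 10.2.2.2
object network inside-net-5
 subnet 192.168.5.0 255.255.255.0
 nat (inside,outside) dynamic MIXED interface
"""

POOL_OPTIONS = {"round-robin", "extended", "flat", "include-reserve"}


def parse(config):
    """Collect object types, object-group members and nat lines per object."""
    objects, groups, nats = {}, defaultdict(list), defaultdict(list)
    kind = name = None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"(object|object-group) network (\S+)$", line)
        if header:
            kind, name = header.groups()
            continue
        if not line or name is None:
            continue
        words = line.split()
        if kind == "object" and words[0] in ("host", "subnet", "range"):
            objects[name] = words[0]
        elif kind == "object" and words[0] == "nat":
            nats[name].append(words[1:])
        elif kind == "object-group" and words[0] in ("network-object", "group-object"):
            groups[name].append(words)
    return objects, groups, nats


def has_subnet(name, objects, groups, seen=()):
    """True if the object, or any member of the group, is a subnet."""
    if name in objects:
        return objects[name] == "subnet"
    if name in seen:                      # guard against group loops
        return False
    for words in groups.get(name, []):
        if words[0] == "group-object" or words[1] == "object":
            if has_subnet(words[-1], objects, groups, seen + (name,)):
                return True
        elif words[1] != "host":          # inline "subnet_address netmask" member
            return True
    return False


def lint(config):
    """Return a list of (object name, finding) tuples."""
    objects, groups, nats = parse(config)
    findings, pool_options = [], {}
    for obj, rules in nats.items():
        if len(rules) > 1:
            findings.append((obj, "multiple-nat-rules"))
        for rule in rules:
            args = [w for w in rule if not w.startswith("(")]
            if len(args) < 2 or args[0] != "dynamic":
                continue                  # only dynamic NAT/PAT rules are checked
            mapped, rest = args[1], args[2:]
            if mapped == "pat-pool" and rest:
                mapped, rest = rest[0], rest[1:]
                options = frozenset(rest) & POOL_OPTIONS
                if "extended" in options and "interface" in rest:
                    findings.append((obj, "extended-with-interface-fallback"))
                if pool_options.setdefault(mapped, options) != options:
                    findings.append((obj, "pat-pool-option-mismatch"))
            if has_subnet(mapped, objects, groups):
                findings.append((obj, "subnet-in-mapped-object"))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(*finding)
```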
This section describes how to configure a static NAT rule using network object NAT. For more information, see the .
(Optional)
Network object:
object network obj_name
{host ip_address | subnet subnet_address netmask | range ip_address_1 ip_address_2}
Network object group:
object-group network grp_name
{network-object {object net_obj_name | subnet_address netmask | host ip_address} | group-object grp_obj_name}
hostname(config)# object network MAPPED_IPS
hostname(config-network-object)# subnet 10.1.1.0 255.255.255.0
To specify the mapped addresses (that you want to translate to), configure a network object or network object group. A network object group can contain objects and/or inline addresses. Alternatively, you can skip this step if you want to enter the IP addresses as an inline value for the nat command or if you want to use the interface address (for static NAT-with-port-translation) by specifying the interface keyword.
for information about disallowed mapped IP addresses.
For more information about configuring a network object or group, see the .
object network obj_name
hostname(config)# object network my-host-obj1
Configures a network object for which you want to configure NAT, or enters object network configuration mode for an existing network object.
{host ip_address | subnet subnet_address netmask | range ip_address_1 ip_address_2}
hostname(config-network-object)# subnet 10.2.1.0 255.255.255.0
If you are creating a new network object, defines the real IP address(es) that you want to translate.
nat [(real_ifc,mapped_ifc)] static {mapped_inline_ip | mapped_obj | interface} [dns | service {tcp | udp} real_port mapped_port] [no-proxy-arp]
hostname(config-network-object)# nat (inside,outside) static MAPPED_IPS service tcp 80 8080
Configures static NAT for the object IP addresses.
Note You can only define a single NAT rule for a given object. See the .
See the following guidelines:
• Interfaces—(Required for transparent mode) Specify the real and mapped interfaces. Be sure to include the parentheses in your command. In routed mode, if you do not specify the real and mapped interfaces, all interfaces are used; you can also specify the keyword any for one or both of the interfaces.
• Mapped IP Addresses—You can specify the mapped IP address as:
– An inline IP address. The netmask or range for the mapped network is the same as that of the real network. For example, if the real network is a host, then this address will be a host address. In the case of a range, then the mapped addresses include the same number of addresses as the real range. For example, if the real address is defined as a range from 10.1.1.1 through 10.1.1.6, and you specify 172.20.1.1 as the mapped address, then the mapped range will include 172.20.1.1 through 172.20.1.6.
– An existing network object or group (see ).
– interface—(Static NAT-with-port-translation only; routed mode) For this option, you must configure a specific interface for the mapped_ifc. Be sure to also configure the service keyword.
Typically, you configure the same number of mapped addresses as real addresses for a one-to-one mapping. You can, however, have a mismatched number of addresses. For more information, see the .
• DNS—(Optional) The dns keyword translates DNS replies. Be sure DNS inspection is enabled (it is enabled by default). See the
for more information. This option is not available if you specify the service keyword.
• Port translation—(Static NAT-with-port-translation only) Specify tcp or udp and the real and mapped ports. You can enter either a port number or a well-known port name (such as ftp).
• No Proxy ARP—(Optional) Specify no-proxy-arp to disable proxy ARP for incoming packets to the mapped IP addresses. See the
for more information.
The following example configures static NAT for the real host 10.1.1.1 on the inside to 10.2.2.2 on the outside with DNS rewrite enabled.
hostname(config)# object network my-host-obj1
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static 10.2.2.2 dns
The following example configures static NAT for the real host 10.1.1.1 on the inside to 2.2.2.2 on the outside using a mapped object.
hostname(config)# object network my-mapped-obj
hostname(config-network-object)# host 10.2.2.2
hostname(config-network-object)# object network my-host-obj1
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static my-mapped-obj
The following example configures static NAT-with-port-translation for 10.1.1.1 at TCP port 21 to the outside interface at port 2121.
hostname(config)# object network my-ftp-server
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static interface service tcp 21 2121
This section describes how to configure an identity NAT rule using network object NAT. For more information, see the .
(Optional)
object network obj_name
{host ip_address | subnet subnet_address netmask | range ip_address_1 ip_address_2}
hostname(config)# object network MAPPED_IPS
hostname(config-network-object)# subnet 10.1.1.0 255.255.255.0
For the mapped addresses (which will be the same as the real addresses), configure a network object. Alternatively, you can skip this step if you want to enter the IP addresses as an inline value for the nat command.
For more information about configuring a network object, see the .
object network obj_name
hostname(config)# object network my-host-obj1
Configures a network object for which you want to perform identity NAT, or enters object network configuration mode for an existing network object.
{host ip_address | subnet subnet_address netmask | range ip_address_1 ip_address_2}
hostname(config-network-object)# subnet 10.1.1.0 255.255.255.0
If you are creating a new network object, defines the real IP address(es) to which you want to perform identity NAT. If you configured a network object for the mapped addresses in , then these addresses must match.
nat [(real_ifc,mapped_ifc)] static {mapped_inline_ip | mapped_obj} [no-proxy-arp] [route-lookup]
hostname(config-network-object)# nat (inside,outside) static MAPPED_IPS
Configures identity NAT for the object IP addresses.
Note You can only define a single NAT rule for a given object. See the .
See the following guidelines:
• Interfaces: (Required for transparent mode) Specify the real and mapped interfaces. Be sure to include the parentheses in your command. In routed mode, if you do not specify the real and mapped interfaces, all interfaces are used; you can also specify the keyword any for one or both of the interfaces.
• Mapped IP addresses: Be sure to configure the same IP address for both the mapped and real address. Use one of the following:
– Network object: Including the same IP address as the real object.
– Inline IP address: The netmask or range for the mapped network is the same as that of the real network. For example, if the real network is a host, then this address will be a host address. In the case of a range, the mapped addresses include the same number of addresses as the real range. For example, if the real address is defined as a range from 10.1.1.1 through 10.1.1.6, and you specify 10.1.1.1 as the mapped address, then the mapped range will include 10.1.1.1 through 10.1.1.6.
• No Proxy ARP: Specify no-proxy-arp to disable proxy ARP for incoming packets to the mapped IP addresses.
• Route lookup: (Routed mode only; interface(s) specified) Specify route-lookup to determine the egress interface using a route lookup instead of using the interface specified in the NAT command.
The following example maps a host address to itself using an inline mapped address:
hostname(config)# object network my-host-obj1
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static 10.1.1.1
The following example maps a host address to itself using a network object:
hostname(config)# object network my-host-obj1-identity
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# object network my-host-obj1
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static my-host-obj1-identity
To monitor object NAT, enter one of the following commands:
show nat
Shows NAT statistics, including hits for each NAT rule.
show nat pool
Shows NAT pool statistics, including the addresses and ports allocated, and how many times they were allocated.
show running-config nat
Shows the NAT configuration.
Note You cannot view the NAT configuration using the show running-config object command. You cannot reference objects or object groups that have not yet been created in nat commands. To avoid forward or circular references in show command output, the show running-config command shows the object command two times: first, where the IP address(es) are defined; and later, where the nat command is defined. This command output guarantees that objects are defined first, then object groups, and finally NAT. For example:
hostname# show running-config
object network obj1
range 192.168.49.1 192.150.49.100
object network obj2
object 192.168.49.100
object network network-1
subnet <network-1>
object network network-2
subnet <network-2>
object-group network pool
network-object object obj1
network-object object obj2
object network network-1
nat (inside,outside) dynamic pool
object network network-2
nat (inside,outside) dynamic pool
show xlate
Shows current NAT session information.
This section includes the following configuration examples:
The following example performs static NAT for an inside web server. The real address is on a private network, so a public address is required. Static NAT is necessary so hosts can initiate traffic to the web server at a fixed address. (See Figure 30-1.)
Figure 30-1 Static NAT for an Inside Web Server
Step 1 Create a network object for the internal web server:
hostname(config)# object network myWebServ
Step 2 Define the web server address:
hostname(config-network-object)# host 10.1.2.27
Step 3 Configure static NAT for the object:
hostname(config-network-object)# nat (inside,outside) static 209.165.201.10
The following example configures dynamic NAT for inside users on a private network when they access the outside. Also, when inside users connect to an outside web server, that web server address is translated to an address that appears to be on the inside network. (See Figure 30-2.)
Figure 30-2 Dynamic NAT for Inside, Static NAT for Outside Web Server
Step 1 Create a network object for the dynamic NAT pool to which you want to translate the inside addresses:
hostname(config)# object network myNatPool
hostname(config-network-object)# range 209.165.201.20 209.165.201.30
Step 2 Create a network object for the inside network:
hostname(config)# object network myInsNet
hostname(config-network-object)# subnet 10.1.2.0 255.255.255.0
Step 3 Enable dynamic NAT for the inside network:
hostname(config-network-object)# nat (inside,outside) dynamic myNatPool
Step 4 Create a network object for the outside web server:
hostname(config)# object network myWebServ
Step 5 Define the web server address:
hostname(config-network-object)# host 209.165.201.12
Step 6 Configure static NAT for the web server:
hostname(config-network-object)# nat (outside,inside) static 10.1.2.20
The following example shows an inside load balancer that is translated to multiple IP addresses. When an outside host accesses one of the mapped IP addresses, it is untranslated to the single load balancer address. Depending on the URL requested, it redirects traffic to the correct web server. (See Figure 30-3.)
Figure 30-3 Static NAT with One-to-Many for an Inside Load Balancer
Step 1 Create a network object for the addresses to which you want to map the load balancer:
hostname(config)# object network myPublicIPs
hostname(config-network-object)# range 209.165.201.3 209.165.201.8
Step 2 Create a network object for the load balancer:
hostname(config)# object network myLBHost
Step 3 Define the load balancer address:
hostname(config-network-object)# host 10.1.2.27
Step 4 Configure static NAT for the load balancer:
hostname(config-network-object)# nat (inside,outside) static myPublicIPs
The following static NAT-with-port-translation example provides a single address for remote users to access FTP, HTTP, and SMTP. These servers are actually different devices on the real network, but for each server, you can specify static NAT-with-port-translation rules that use the same mapped IP address, but different ports. (See Figure 30-4.)
Figure 30-4 Static NAT-with-Port-Translation
Step 1 Create a network object for the FTP server address:
hostname(config)# object network FTP_SERVER
Step 2 Define the FTP server address, and configure static NAT with identity port translation for the FTP server:
hostname(config-network-object)# host 10.1.2.27
hostname(config-network-object)# nat (inside,outside) static 209.165.201.3 service tcp ftp ftp
Step 3 Create a network object for the HTTP server address:
hostname(config)# object network HTTP_SERVER
Step 4 Define the HTTP server address, and configure static NAT with identity port translation for the HTTP server:
hostname(config-network-object)# host 10.1.2.28
hostname(config-network-object)# nat (inside,outside) static 209.165.201.3 service tcp http http
Step 5 Create a network object for the SMTP server address:
hostname(config)# object network SMTP_SERVER
Step 6 Define the SMTP server address, and configure static NAT with identity port translation for the SMTP server:
hostname(config-network-object)# host 10.1.2.29
hostname(config-network-object)# nat (inside,outside) static 209.165.201.3 service tcp smtp smtp
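Because every server in this example shares the mapped address 209.165.201.3, each rule must claim its own mapped port and must state both the real and the mapped port. The following Python audit is an added example, not part of the original Cisco document; it runs over a constructed configuration in the same syntax, and the bare service tcp rule, the ALT_WEB object, the PORT_NAMES subset and the function names are assumptions made for illustration.

```python
import re

# Constructed sample in the page's object NAT syntax (not from a real device).
SAMPLE_CONFIG = """\
object network FTP_SERVER
 host 10.1.2.27
 nat (inside,outside) static 209.165.201.3 service tcp ftp ftp
object network HTTP_SERVER
 host 10.1.2.28
 nat (inside,outside) static 209.165.201.3 service tcp http http
object network SMTP_SERVER
 host 10.1.2.29
 nat (inside,outside) static 209.165.201.3 service tcp
object network ALT_WEB
 host 10.1.2.30
 nat (inside,outside) static 209.165.201.3 service tcp 8080 80
"""

# Small subset of well-known port names, enough for this sample (assumption).
PORT_NAMES = {"ftp": 21, "smtp": 25, "http": 80, "www": 80}
PORT = r"(?: (?!no-proxy-arp)(\S+))?"   # optional port token, never the keyword
NAT_RE = re.compile(r"nat \((\w+),(\w+)\) static (\S+)"
                    r"(?: service (tcp|udp)" + PORT + PORT + r")?")

def port_number(token):
    """Normalise '21' and 'ftp' to the same value so collisions are visible."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token, token)

def audit_static_pat(config):
    """Return findings for static NAT-with-port-translation rules."""
    findings, seen, obj = [], {}, None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("object network "):
            obj = line.split()[2]
            continue
        m = NAT_RE.match(line)
        if not m or obj is None:
            continue
        _, mapped_ifc, mapped, proto, real_port, mapped_port = m.groups()
        if proto is None:
            continue  # plain static NAT: no port translation to check
        if real_port is None or mapped_port is None:
            findings.append(f"{obj}: service {proto} needs a real and a mapped port")
            continue
        key = (mapped_ifc, mapped, proto, port_number(mapped_port))
        if key in seen:
            findings.append(f"{obj}: {mapped} {proto}/{key[3]} already used by {seen[key]}")
        seen.setdefault(key, obj)
    return findings
```

Calling audit_static_pat(SAMPLE_CONFIG) reports the incomplete SMTP_SERVER rule and the ALT_WEB rule that tries to reuse TCP port 80 on the shared mapped address.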
For example, a DNS server is accessible from the outside interface. A server, ftp.cisco.com, is on the inside interface. You configure the ASA to statically translate the ftp.cisco.com real address (10.1.3.14) to a mapped address (209.165.201.10) that is visible on the outside network. (See Figure 30-5.) In this case, you want to enable DNS reply modification on this static rule so that inside users who have access to ftp.cisco.com using the real address receive the real address from the DNS server, and not the mapped address.
When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with the mapped address (209.165.201.10). The ASA refers to the static rule for the inside server and translates the address inside the DNS reply to 10.1.3.14. If you do not enable DNS reply modification, then the inside host attempts to send traffic to 209.165.201.10 instead of accessing ftp.cisco.com directly.
Figure 30-5 DNS Reply Modification
Step 1 Create a network object for the FTP server address:
hostname(config)# object network FTP_SERVER
Step 2 Define the FTP server address, and configure static NAT with DNS modification:
hostname(config-network-object)# host 10.1.3.14
hostname(config-network-object)# nat (inside,outside) static 209.165.201.10 dns
Figure 30-6 shows a web server and DNS server on the outside. The ASA has a static translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.20.10. Because you want inside users to use the mapped address for ftp.cisco.com (10.1.2.56) you need to configure DNS reply modification for the static translation.
Figure 30-6 DNS Reply Modification Using Outside NAT
Step 1 Create a network object for the FTP server address:
hostname(config)# object network FTP_SERVER
Step 2 Define the FTP server address, and configure static NAT with DNS modification:
hostname(config-network-object)# host 209.165.201.10
hostname(config-network-object)# nat (outside,inside) static 10.1.2.56 dns
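The rewrite direction in the two DNS reply modification scenarios above, modelled in Python as an added example that is not part of the original document. The StaticRule type and the function names are hypothetical, the subnet handling generalizes the page's host-only rules, and the model covers only A records matched against static rules.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class StaticRule:
    real_ifc: str
    mapped_ifc: str
    real: str          # host address or subnet in CIDR form
    mapped: str        # same size as real
    dns: bool = False  # True when the nat command carries the dns keyword

def _translate(addr, src, dst):
    """Map addr from network src to the same offset in network dst."""
    src_net, dst_net = ip_network(src), ip_network(dst)
    if addr not in src_net:
        return None
    return str(dst_net[int(addr) - int(src_net.network_address)])

def rewrite_a_record(rules, reply_from_ifc, client_ifc, a_record):
    """Return the A record the client receives after DNS reply modification."""
    addr = ip_address(a_record)
    for r in rules:
        if not r.dns:
            continue  # without the dns keyword the reply passes unchanged
        if (reply_from_ifc, client_ifc) == (r.mapped_ifc, r.real_ifc):
            new = _translate(addr, r.mapped, r.real)   # mapped -> real
        elif (reply_from_ifc, client_ifc) == (r.real_ifc, r.mapped_ifc):
            new = _translate(addr, r.real, r.mapped)   # real -> mapped
        else:
            new = None
        if new is not None:
            return new
    return a_record

# The page's two scenarios, plus the first one with the dns keyword left off.
INSIDE_SERVER = [StaticRule("inside", "outside", "10.1.3.14", "209.165.201.10", dns=True)]
OUTSIDE_SERVER = [StaticRule("outside", "inside", "209.165.201.10", "10.1.2.56", dns=True)]
NO_DNS = [StaticRule("inside", "outside", "10.1.3.14", "209.165.201.10")]
```

In both scenarios the reply travels from the outside DNS server to an inside client; what differs is which side of the static rule the inside interface is on, and that decides whether the record is rewritten to the real or to the mapped address.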
Table 30-1 lists each feature change and the platform release in which it was implemented.
Table 30-1 Feature History for Network Object NAT
Network Object NAT
Configures NAT for a network object IP address(es).
We introduced or modified the following commands: nat (object network configuration mode), show nat, show xlate, show nat pool.
Identity NAT configurable proxy ARP and route lookup
In earlier releases for identity NAT, proxy ARP was disabled, and a route lookup was always used to determine the egress interface. You could not configure these settings. In 8.4(2) and later, the default behavior for identity NAT was changed to match the behavior of other static NAT configurations: proxy ARP is enabled, and the NAT configuration determines the egress interface (if specified) by default. You can leave these settings as is, or you can enable or disable them discretely. Note that you can now also disable proxy ARP for regular static NAT.
When upgrading to 8.4(2) from 8.3(1), 8.3(2), and 8.4(1), all identity NAT configurations will now include the no-proxy-arp and route-lookup keywords, to maintain existing functionality.
We modified the following commands: nat static [no-proxy-arp] [route-lookup].
PAT pool and round robin address assignment
You can now specify a pool of PAT addresses instead of a single address. You can also optionally enable round-robin assignment of PAT addresses instead of first using all ports on a PAT address before using the next address in the pool. These features help prevent a large number of connections from a single PAT address from appearing to be part of a DoS attack and make configuration of large numbers of PAT addresses easy.
We modified the following commands: nat dynamic [pat-pool mapped_object [round-robin]].
Round robin PAT pool allocation uses the same IP address for existing hosts
When using a PAT pool with round robin allocation, if a host has an existing connection, then subsequent connections from that host will use the same PAT IP address if ports are available.
We did not modify any commands.
This feature is not available in 8.5(1) or 8.6(1).
Flat range of PAT ports for a PAT pool
If available, the real source port number is used for the mapped port. However, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only a small PAT pool.
If you have a lot of traffic that uses the lower port ranges, when using a PAT pool, you can now specify a flat range of ports to be used instead of the three unequal-sized tiers: either 1024 to 65535, or 1 to 65535.
We modified the following commands: nat dynamic [pat-pool mapped_object [flat [include-reserve]]].
This feature is not available in 8.5(1) or 8.6(1).
Extended PAT for a PAT pool
Each PAT IP address allows up to 65535 ports. If 65535 ports do not provide enough translations, you can now enable extended PAT for a PAT pool. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information.
We modified the following commands: nat dynamic [pat-pool mapped_object [extended]].
This feature is not available in 8.5(1) or 8.6(1).
Automatic NAT rules to translate a VPN peer's local IP address back to the peer's real IP address
In rare situations, you might want to use a VPN peer's real IP address on the inside network instead of an assigned local IP address. Normally with VPN, the peer is given an assigned local IP address to access the inside network. However, you might want to translate the local IP address back to the peer's real public IP address if, for example, your inside servers and network security is based on the peer's real IP address.
You can enable this feature on one interface per tunnel group. Object NAT rules are dynamically added and deleted when the VPN session is established or disconnected. You can view the rules using the show nat command.
Note Because of routing issues, we do not recommend using this feature unless you know you need this feature; contact Cisco TAC to confirm feature compatibility with your network. See the following limitations:
• Only supports Cisco IPsec and AnyConnect Client.
• Return traffic to the public IP addresses must be routed back to the ASA so the NAT policy and VPN policy can be applied.
• Does not support load-balancing (because of routing issues).
• Does not support roaming (public IP changing).
We introduced the following command: nat-assigned-to-public-ip interface (tunnel-group general-attributes configuration mode).
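The PAT pool entries in the table above (round robin with per-host address reuse, and tiered versus flat port ranges) can be explored with the following Python model, an added example that is not Cisco code. Picking the lowest free port when the real port is taken, and mapping a real port that falls outside the flat range into that range, are assumptions of the model; the class and method names are hypothetical.

```python
TIERS = [range(0, 512), range(512, 1024), range(1024, 65536)]

class PatPool:
    """Simplified model of a PAT pool; allocation order is an assumption."""
    def __init__(self, addresses, round_robin=False, flat=False, include_reserve=False):
        self.addresses = list(addresses)
        self.round_robin, self.flat, self.include_reserve = round_robin, flat, include_reserve
        self.used = {a: set() for a in self.addresses}  # ports in use per PAT address
        self.host_addr = {}                             # host -> PAT address it already uses
        self.next_idx = 0

    def port_range(self, real_port):
        if self.flat:
            return range(1, 65536) if self.include_reserve else range(1024, 65536)
        return next(t for t in TIERS if real_port in t)  # same tier as the real port

    def _pick_port(self, addr, real_port):
        ports, used = self.port_range(real_port), self.used[addr]
        if real_port in ports and real_port not in used:
            return real_port                             # keep the real port when free
        return next((p for p in ports if p not in used), None)

    def allocate(self, host, real_port):
        order = list(self.addresses)
        if self.round_robin and host in self.host_addr:
            first = self.host_addr[host]                 # existing host keeps its address
            order = [first] + [a for a in order if a != first]
        elif self.round_robin:
            i = self.next_idx % len(order)
            order, self.next_idx = order[i:] + order[:i], self.next_idx + 1
        for addr in order:                               # default: fill one address first
            port = self._pick_port(addr, real_port)
            if port is not None:
                self.used[addr].add(port)
                self.host_addr[host] = addr
                return addr, port
        raise RuntimeError("PAT pool exhausted for this port range")
```

With a single PAT address and the default tiers, the model runs out after 512 translations whose real source port is below 512, while the same load fits easily once flat is set.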