Twice NAT lets you identify both the source and destination address in a single rule. This chapter shows you how to configure twice NAT and includes the following sections:
Note For detailed information about how NAT works, see Chapter 4, “Information About NAT”.
Twice NAT lets you identify both the source and destination address in a single rule. Specifying both the source and destination addresses lets you specify that a source address should be translated to A when going to destination X, but be translated to B when going to destination Y, for example.
Note For static NAT, the rule is bidirectional, so be aware that “source” and “destination” are used in commands and descriptions throughout this guide even though a given connection might originate at the “destination” address. For example, if you configure static NAT with port address translation, and specify the source address as a Telnet server, and you want all traffic going to that Telnet server to have the port translated from 2323 to 23, then in the command, you must specify the source ports to be translated (real: 23, mapped: 2323). You specify the source ports because you specified the Telnet server address as the source address.
The destination address is optional. If you specify the destination address, you can either map it to itself (identity NAT), or you can map it to a different address. The destination mapping is always a static mapping.
Twice NAT also lets you use service objects for static NAT-with-port-translation; network object NAT only accepts inline definition.
For detailed information about the differences between twice NAT and network object NAT, see How NAT is Implemented.
Twice NAT rules are added to section 1 of the NAT rules table, or if specified, section 3. For more information about NAT ordering, see NAT Rule Order.
For specific guidelines for objects and groups, see the configuration section for the NAT type you want to configure. See also the Guidelines and Limitations section.
This section includes the guidelines and limitations for this feature.
Supported in single and multiple context mode.
Note If you remove a dynamic NAT or PAT rule, and then add a new rule with mapped addresses that overlap the addresses in the removed rule, then the new rule will not be used until all connections associated with the removed rule time out or are cleared using the clear xlate command. This safeguard ensures that the same address is not assigned to multiple hosts.
– The mapped interface IP address. If you specify any interface for the rule, then all interface IP addresses are disallowed. For interface PAT (routed mode only), use the interface keyword instead of the IP address.
– (Transparent mode) The management IP address.
– (Dynamic NAT) The standby interface IP address when VPN is enabled.
This section describes how to configure twice NAT. This section includes the following topics:
For each NAT rule, configure up to four network objects or groups for:
Objects are required unless you specify the any keyword inline to represent all traffic, or for some types of NAT, the interface keyword to represent the interface address. For more information about configuring a network object or group, see the general operations configuration guide.
– You typically configure a larger group of real addresses to be mapped to a smaller group.
– The mapped object or group cannot contain a subnet; the object must define a range; the group can include hosts and ranges.
– If a mapped network object contains both ranges and host IP addresses, then the ranges are used for dynamic NAT, and the host IP addresses are used as a PAT fallback.
– The mapped object or group cannot contain a subnet; a network object must define a host, or for a PAT pool, a range; a network object group (for a PAT pool) can include hosts and ranges.
– The mapped object or group can contain a host, range, or subnet.
– The static mapping is typically one-to-one, so the real addresses have the same quantity as the mapped addresses. You can, however, have different quantities if desired. For more information, see Static NAT.
– The real and mapped objects must match; you can use the same object for both, or you can create separate objects that contain the same IP addresses.
– Although the main feature of twice NAT is the inclusion of the destination IP address, the destination address is optional. If you do specify the destination address, you can configure static translation for that address or just use identity NAT for it. You might want to configure twice NAT without a destination address to take advantage of some of the other qualities of twice NAT, including the use of network object groups for real addresses, or manually ordering of rules. For more information, see Main Differences Between Network Object NAT and Twice NAT.
– For identity NAT, the real and mapped objects must match; you can use the same object for both, or you can create separate objects that contain the same IP addresses.
– The static mapping is typically one-to-one, so the real addresses have the same quantity as the mapped addresses. You can, however, have different quantities if desired. For more information, see Static NAT.
– For static interface NAT with port translation (routed mode only), you can specify the interface keyword instead of a network object/group for the mapped address. For more information, see Static Interface NAT with Port Translation.
Configure service objects for:
For more information about configuring a service object, see the general operations configuration guide.
hostname(config)# object service REAL_SRC_SVC
hostname(config-service-object)# service tcp source eq 80
This section describes how to configure twice NAT for dynamic NAT. For more information, see Dynamic NAT.
See Adding Network Objects for Real and Mapped Addresses. If you want to translate all source traffic, you can skip adding an object for the source real addresses, and instead specify the any keyword in the nat command. If you want to configure destination static interface NAT with port translation only, you can skip adding an object for the destination mapped addresses, and instead specify the interface keyword in the nat command.
See (Optional) Adding Service Objects for Real and Mapped Ports.
nat [(real_ifc,mapped_ifc)] [line | {after-auto [line]}] source dynamic {real_obj | any} {mapped_obj [interface [ipv6]]} [destination static {mapped_obj | interface [ipv6]} real_obj] [service mapped_dest_svc_obj real_dest_svc_obj] [dns] [unidirectional] [inactive] [description desc]
Example:
hostname(config)# nat (inside,outside) source dynamic MyInsNet NAT_POOL destination static Server1_mapped Server1 service MAPPED_SVC REAL_SVC
Configure dynamic NAT. See the following guidelines:
Source addresses:
– Real—Specify a network object, group, or the any keyword.
– Mapped—Specify a different network object or group. You can optionally configure the following fallback method:
- Interface PAT fallback—(Routed mode only) The interface keyword enables interface PAT fallback. If you specify ipv6, then the IPv6 address of the interface is used. After the mapped IP addresses are used up, the IP address of the mapped interface is used. For this option, you must configure a specific interface for the mapped_ifc.
Destination addresses (optional):
– Mapped—Specify a network object or group, or for static interface NAT with port translation only, specify the interface keyword. If you specify ipv6, then the IPv6 address of the interface is used. If you specify interface, be sure to also configure the service keyword. For this option, you must configure a specific interface for the real_ifc. See Static Interface NAT with Port Translation for more information.
– Real—Specify a network object or group. For identity NAT, simply use the same object or group for both the real and mapped addresses.
The following example configures dynamic NAT for inside network 10.1.1.0/24 when accessing servers on the 209.165.201.1/27 network as well as servers on the 203.0.113.0/24 network:
hostname(config)# object network INSIDE_NW
hostname(config-network-object)# subnet 10.1.1.0 255.255.255.0
hostname(config)# object network MAPPED_1
hostname(config-network-object)# range 209.165.200.225 209.165.200.254
hostname(config)# object network MAPPED_2
hostname(config-network-object)# range 209.165.202.129 209.165.202.158
hostname(config)# object network SERVERS_1
hostname(config-network-object)# subnet 209.165.201.0 255.255.255.224
hostname(config)# object network SERVERS_2
hostname(config-network-object)# subnet 203.0.113.0 255.255.255.0
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW MAPPED_1 destination static SERVERS_1 SERVERS_1
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW MAPPED_2 destination static SERVERS_2 SERVERS_2
The following example configures dynamic NAT for an IPv6 inside network 2001:DB8:AAAA::/96 when accessing servers on the IPv4 209.165.201.1/27 network as well as servers on the 203.0.113.0/24 network:
hostname(config)# object network INSIDE_NW
hostname(config-network-object)# subnet 2001:DB8:AAAA::/96
hostname(config)# object network MAPPED_1
hostname(config-network-object)# range 209.165.200.225 209.165.200.254
hostname(config)# object network MAPPED_2
hostname(config-network-object)# range 209.165.202.129 209.165.202.158
hostname(config)# object network SERVERS_1
hostname(config-network-object)# subnet 209.165.201.0 255.255.255.224
hostname(config)# object network SERVERS_2
hostname(config-network-object)# subnet 203.0.113.0 255.255.255.0
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW MAPPED_1 destination static SERVERS_1 SERVERS_1
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW MAPPED_2 destination static SERVERS_2 SERVERS_2
This section describes how to configure twice NAT for dynamic PAT (hide). For more information, see Dynamic PAT.
For extended PAT for a PAT pool:
For round robin for a PAT pool:
See Adding Network Objects for Real and Mapped Addresses. If you want to translate all source traffic, you can skip adding an object for the source real addresses, and instead specify the any keyword in the nat command. If you want to use the interface address as the mapped address, you can skip adding an object for the source mapped addresses, and instead specify the interface keyword in the nat command. If you want to configure destination static interface NAT with port translation only, you can skip adding an object for the destination mapped addresses, and instead specify the interface keyword in the nat command.
See (Optional) Adding Service Objects for Real and Mapped Ports.
nat [(real_ifc,mapped_ifc)] [line | {after-auto [line]}] source dynamic {real_obj | any} {mapped_obj [interface [ipv6]] | pat-pool mapped_obj [round-robin] [extended] [flat [include-reserve]] [interface [ipv6]] | interface [ipv6]} [destination static {mapped_obj | interface [ipv6]} real_obj] [service mapped_dest_svc_obj real_dest_svc_obj] [dns] [unidirectional] [inactive] [description desc]
Example:
hostname(config)# nat (inside,outside) source dynamic MyInsNet interface destination static Server1 Server1 description Interface PAT for inside addresses when going to server 1
Configures dynamic PAT (hide). See the following guidelines:
Source addresses:
– Real—Specify a network object, group, or the any keyword. Use the any keyword if you want to translate all traffic from the real interface to the mapped interface.
– Mapped—Configure one of the following:
- Network object—Specify a network object that contains a host address.
- pat-pool—Specify the pat-pool keyword and a network object or group that contains multiple addresses.
- interface—(Routed mode only) Specify the interface keyword alone to only use interface PAT. If you specify ipv6, then the IPv6 address of the interface is used. When specified with a PAT pool or network object, the interface keyword enables interface PAT fallback. After the PAT IP addresses are used up, the IP address of the mapped interface is used. For this option, you must configure a specific interface for the mapped_ifc.
For a PAT pool, you can specify one or more of the following options:
-- Round robin—The round-robin keyword enables round-robin address allocation for a PAT pool. Without round robin, by default all ports for a PAT address are allocated before the next PAT address is used. The round-robin method assigns an address/port from each PAT address in the pool before returning to use the first address again, and then the second address, and so on.
-- Extended PAT—The extended keyword enables extended PAT. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information. Normally, the destination port and address are not considered when creating PAT translations, so you are limited to 65535 ports per PAT address. For example, with extended PAT, you can create a translation of 10.1.1.1:1027 when going to 192.168.1.7:23 as well as a translation of 10.1.1.1:1027 when going to 192.168.1.7:80.
-- Flat range—The flat keyword enables use of the entire 1024 to 65535 port range when allocating ports. When choosing the mapped port number for a translation, the ASA uses the real source port number if it is available. However, without this option, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 1 to 511, 512 to 1023, and 1024 to 65535. To avoid running out of ports at the low ranges, configure this setting. To use the entire range of 1 to 65535, also specify the include-reserve keyword.
Destination addresses (optional):
– Mapped—Specify a network object or group, or for static interface NAT with port translation only (routed mode), specify the interface keyword. If you specify ipv6, then the IPv6 address of the interface is used. If you specify interface, be sure to also configure the service keyword. For this option, you must configure a specific interface for the real_ifc. See Static Interface NAT with Port Translation for more information.
– Real—Specify a network object or group. For identity NAT, simply use the same object or group for both the real and mapped addresses.
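The PAT-pool options above (default sequential allocation, round-robin, extended PAT, flat and include-reserve port ranges) are easiest to compare side by side. The following Python model is an added illustration, not ASA code or output from this guide; the pool addresses, destination hosts and port numbers in it are constructed sample values.

```python
"""Model of ASA PAT-pool port allocation options (added illustration, not ASA code).

Behaviour modelled, as described in the twice NAT dynamic PAT guidelines:
  * default:      every port of one PAT address is used before the next address;
  * round-robin:  each new translation starts from the next address in the pool;
  * extended:     the 65535-port space is per (mapped IP, destination IP, destination
                  port) instead of per mapped IP;
  * flat / include-reserve: which mapped port range is searched when the real
                  source port is already taken.
All addresses used below are constructed sample values.
"""
from dataclasses import dataclass, field

# Without "flat", a mapped port is drawn from the same range as the real port.
DEFAULT_RANGES = [(1, 511), (512, 1023), (1024, 65535)]


def range_for(real_port, flat=False, include_reserve=False):
    """Return the (low, high) mapped-port range searched for a translation."""
    if flat:
        return (1, 65535) if include_reserve else (1024, 65535)
    for low, high in DEFAULT_RANGES:
        if low <= real_port <= high:
            return (low, high)
    raise ValueError(f"invalid port {real_port}")


@dataclass
class PatPool:
    addresses: list                 # mapped PAT addresses (network object/group)
    round_robin: bool = False
    extended: bool = False
    flat: bool = False
    include_reserve: bool = False
    used: set = field(default_factory=set)   # (mapped_ip, ext_key, mapped_port)
    _rr_index: int = 0

    def _key(self, dst_ip, dst_port):
        # Extended PAT keys the port space on the destination as well.
        return (dst_ip, dst_port) if self.extended else None

    def _free(self, ip, key, port):
        return (ip, key, port) not in self.used

    def _candidates(self):
        """Order in which pool addresses are tried for this translation."""
        if not self.round_robin:
            return list(self.addresses)
        n = len(self.addresses)
        order = [self.addresses[(self._rr_index + i) % n] for i in range(n)]
        self._rr_index = (self._rr_index + 1) % n
        return order

    def allocate(self, real_port, dst_ip, dst_port):
        """Return (mapped_ip, mapped_port), or None when the pool is exhausted
        (the point at which interface PAT fallback would be used)."""
        key = self._key(dst_ip, dst_port)
        low, high = range_for(real_port, self.flat, self.include_reserve)
        for ip in self._candidates():
            if self._free(ip, key, real_port):        # real source port preferred
                self.used.add((ip, key, real_port))
                return ip, real_port
            for port in range(low, high + 1):         # else first free port in range
                if self._free(ip, key, port):
                    self.used.add((ip, key, port))
                    return ip, port
        return None


if __name__ == "__main__":
    plain = PatPool(["209.165.200.225"])
    ext = PatPool(["209.165.200.225"], extended=True)
    for pool in (plain, ext):
        print(pool.allocate(1027, "192.168.1.7", 23), pool.allocate(1027, "192.168.1.7", 80))
```

Only extended PAT lets both connections from real port 1027 keep port 1027 on the same mapped address; the plain pool has to hand the second one a different port.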
The following example configures interface PAT for inside network 192.168.1.0/24 when accessing outside Telnet server 209.165.201.23, and Dynamic PAT using a PAT pool when accessing any server on the 203.0.113.0/24 network.
hostname(config)# object network INSIDE_NW
hostname(config-network-object)# subnet 192.168.1.0 255.255.255.0
hostname(config)# object network PAT_POOL
hostname(config-network-object)# range 209.165.200.225 209.165.200.254
hostname(config)# object network TELNET_SVR
hostname(config-network-object)# host 209.165.201.23
hostname(config)# object service TELNET
hostname(config-service-object)# service tcp destination eq 23
hostname(config)# object network SERVERS
hostname(config-network-object)# subnet 203.0.113.0 255.255.255.0
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW interface destination static TELNET_SVR TELNET_SVR service TELNET TELNET
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW pat-pool PAT_POOL destination static SERVERS SERVERS
The following example configures interface PAT for inside network 192.168.1.0/24 when accessing outside IPv6 Telnet server 2001:DB8::23, and Dynamic PAT using a PAT pool when accessing any server on the 2001:DB8:AAAA::/96 network.
This section describes how to configure a static NAT rule using twice NAT. For more information about static NAT, see Static NAT.
See Adding Network Objects for Real and Mapped Addresses. If you want to configure source static interface NAT with port translation only, you can skip adding an object for the source mapped addresses, and instead specify the interface keyword in the nat command. If you want to configure destination static interface NAT with port translation only, you can skip adding an object for the destination mapped addresses, and instead specify the interface keyword in the nat command.
See (Optional) Adding Service Objects for Real and Mapped Ports.
nat [(real_ifc,mapped_ifc)] [line | {after-object [line]}] source static real_obj [mapped_obj | interface [ipv6]] [destination static {mapped_obj | interface [ipv6]} real_obj] [service real_src_mapped_dest_svc_obj mapped_src_real_dest_svc_obj] [net-to-net] [dns] [unidirectional | no-proxy-arp] [inactive] [description desc]
Example:
hostname(config)# nat (inside,dmz) source static MyInsNet MyInsNet_mapped destination static Server1 Server1 service REAL_SRC_SVC MAPPED_SRC_SVC
Configures static NAT. See the following guidelines:
Source addresses:
– Real—Specify a network object or group.
– Mapped—Specify a different network object or group. For static interface NAT with port translation only, you can specify the interface keyword (routed mode only). If you specify ipv6, then the IPv6 address of the interface is used. If you specify interface, be sure to also configure the service keyword (in this case, the service objects should include only the source port). For this option, you must configure a specific interface for the mapped_ifc. See Static Interface NAT with Port Translation for more information.
Destination addresses (optional):
– Mapped—Specify a network object or group, or for static interface NAT with port translation only, specify the interface keyword. If you specify ipv6, then the IPv6 address of the interface is used. If you specify interface, be sure to also configure the service keyword (in this case, the service objects should include only the destination port). For this option, you must configure a specific interface for the real_ifc.
– Real—Specify a network object or group. For identity NAT, simply use the same object or group for both the real and mapped addresses.
The following example shows the use of static interface NAT with port translation. Hosts on the outside access an FTP server on the inside by connecting to the outside interface IP address with destination port 65000 through 65004. The traffic is untranslated to the internal FTP server at 192.168.10.100:65000 through :65004. Note that you specify the source port range in the service object (and not the destination port) because you want to translate the source address and port as identified in the command; the destination port is “any.” Because static NAT is bidirectional, “source” and “destination” refer primarily to the command keywords; the actual source and destination address and port in a packet depend on which host sent the packet. In this example, connections are originated from outside to inside, so the “source” address and port of the FTP server is actually the destination address and port in the originating packet.
hostname(config)# object service FTP_PASV_PORT_RANGE
hostname(config-service-object)# service tcp source range 65000 65004
hostname(config)# object network HOST_FTP_SERVER
hostname(config-network-object)# host 192.168.10.100
hostname(config)# nat (inside,outside) source static HOST_FTP_SERVER interface service FTP_PASV_PORT_RANGE FTP_PASV_PORT_RANGE
The following example shows a static translation of one IPv6 network to another IPv6 when accessing an IPv6 network, and the dynamic PAT translation to an IPv4 PAT pool when accessing the IPv4 network:
hostname(config)# nat (inside,outside) source static INSIDE_NW MAPPED_IPv6_NW destination static OUTSIDE_IPv6_NW OUTSIDE_IPv6_NW
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW pat-pool MAPPED_IPv4_POOL destination static OUTSIDE_IPv4_NW OUTSIDE_IPv4_NW
This section describes how to configure an identity NAT rule using twice NAT. For more information about identity NAT, see Identity NAT.
See Adding Network Objects for Real and Mapped Addresses. If you want to perform identity NAT for all addresses, you can skip creating an object for the source real addresses and instead use the keywords any any in the nat command. If you want to configure destination static interface NAT with port translation only, you can skip adding an object for the destination mapped addresses, and instead specify the interface keyword in the nat command.
See (Optional) Adding Service Objects for Real and Mapped Ports.
nat [(real_ifc,mapped_ifc)] [line | {after-object [line]}] source static {nw_obj nw_obj | any any} [destination static {mapped_obj | interface [ipv6]} real_obj] [service real_src_mapped_dest_svc_obj mapped_src_real_dest_svc_obj] [no-proxy-arp] [route-lookup] [inactive] [description desc]
Example:
hostname(config)# nat (inside,outside) source static MyInsNet MyInsNet destination static Server1 Server1
Configures identity NAT. See the following guidelines:
Destination addresses (optional):
– Mapped—Specify a network object or group, or for static interface NAT with port translation only, specify the interface keyword (routed mode only). If you specify ipv6, then the IPv6 address of the interface is used. If you specify interface, be sure to also configure the service keyword (in this case, the service objects should include only the destination port). For this option, you must configure a specific interface for the real_ifc. See Static Interface NAT with Port Translation for more information.
– Real—Specify a network object or group. For identity NAT, simply use the same object or group for both the real and mapped addresses.
By default, all TCP PAT traffic and all UDP DNS traffic uses per-session PAT. To use multi-session PAT for traffic, you can configure per-session PAT rules: a permit rule uses per-session PAT, and a deny rule uses multi-session PAT. For more information about per-session vs. multi-session PAT, see Per-Session PAT vs. Multi-Session PAT.
To configure a per-session PAT rule, see Configuring Per-Session PAT Rules.
To monitor twice NAT, enter one of the following commands:
This section includes the following configuration examples:
Figure 6-1 shows a host on the 10.1.2.0/24 network accessing two different servers. When the host accesses the server at 209.165.201.11, the real address is translated to 209.165.202.129:port. When the host accesses the server at 209.165.200.225, the real address is translated to 209.165.202.130:port.
Figure 6-1 Twice NAT with Different Destination Addresses
Step 1 Add a network object for the inside network:
Step 2 Add a network object for the DMZ network 1:
Step 3 Add a network object for the PAT address:
Step 4 Configure the first twice NAT rule:
hostname(config)# nat (inside,dmz) source dynamic myInsideNetwork PATaddress1 destination static DMZnetwork1 DMZnetwork1
Because you do not want to translate the destination address, you need to configure identity NAT for it by specifying the same address for the real and mapped destination addresses.
By default, the NAT rule is added to the end of section 1 of the NAT table. See Configuring Dynamic PAT (Hide) for more information about specifying the section and line number for the NAT rule.
Step 5 Add a network object for the DMZ network 2:
Step 6 Add a network object for the PAT address:
Step 7 Configure the second twice NAT rule:
hostname(config)# nat (inside,dmz) source dynamic myInsideNetwork PATaddress2 destination static DMZnetwork2 DMZnetwork2
Figure 6-2 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web services and Telnet services. When the host accesses the server for Telnet services, the real address is translated to 209.165.202.129:port. When the host accesses the same server for web services, the real address is translated to 209.165.202.130:port.
Figure 6-2 Twice NAT with Different Destination Ports
Step 1 Add a network object for the inside network:
Step 2 Add a network object for the Telnet/Web server:
Step 3 Add a network object for the PAT address when using Telnet:
Step 4 Add a service object for Telnet:
Step 5 Configure the first twice NAT rule:
hostname(config)# nat (inside,outside) source dynamic myInsideNetwork PATaddress1 destination static TelnetWebServer TelnetWebServer service TelnetObj TelnetObj
Because you do not want to translate the destination address or port, you need to configure identity NAT for them by specifying the same address for the real and mapped destination addresses, and the same port for the real and mapped service.
By default, the NAT rule is added to the end of section 1 of the NAT table. See Configuring Dynamic PAT (Hide) for more information about specifying the section and line number for the NAT rule.
Step 6 Add a network object for the PAT address when using HTTP:
Step 7 Add a service object for HTTP:
Step 8 Configure the second twice NAT rule:
hostname(config)# nat (inside,outside) source dynamic myInsideNetwork PATaddress2 destination static TelnetWebServer TelnetWebServer service HTTPObj HTTPObj
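Both configuration examples above depend on section 1 of the NAT table being searched in order and the first matching rule winning, which is also what makes an over-broad earlier rule silently shadow a later, more specific one. The following Python model of that first-match evaluation is an added illustration, not ASA code or output from this guide; the DMZ networks (taken as /24s containing the two server addresses) and the Telnet/web server address 209.165.201.50 are assumptions, since the chapter does not give those object definitions.

```python
"""First-match evaluation of twice NAT section-1 rules (added illustration, not
ASA code). Each rule pairs a real source network with a destination (address and
optional service port) and selects the mapped source, as in Figures 6-1 and 6-2.
The DMZ /24s and the server address 209.165.201.50 are assumed values."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def net(s):
    return ipaddress.ip_network(s)


@dataclass(frozen=True)
class TwiceNatRule:
    name: str
    real_src: ipaddress.IPv4Network
    mapped_src: str                  # PAT address chosen for matching traffic
    dst: ipaddress.IPv4Network       # "destination static X X" (identity NAT)
    dst_port: Optional[int] = None   # service object "tcp destination eq <port>"

    def matches(self, src, dst, dport):
        return (src in self.real_src and dst in self.dst
                and (self.dst_port is None or self.dst_port == dport))


def translate(rules, src_ip, dst_ip, dport):
    """Return (rule name, mapped source) of the first matching rule, else None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:                      # section 1 is evaluated top to bottom
        if rule.matches(src, dst, dport):
            return rule.name, rule.mapped_src
    return None


def shadowed(rules):
    """Names of rules that can never match because an earlier rule covers all
    of their source, destination and port; an ordering check, not ASA output."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (later.real_src.subnet_of(earlier.real_src)
                    and later.dst.subnet_of(earlier.dst)
                    and (earlier.dst_port is None
                         or earlier.dst_port == later.dst_port)):
                out.append(later.name)
                break
    return out


# Figure 6-1: one inside network, a different PAT address per destination network.
RULES_6_1 = [
    TwiceNatRule("dmz1", net("10.1.2.0/24"), "209.165.202.129", net("209.165.201.0/24")),
    TwiceNatRule("dmz2", net("10.1.2.0/24"), "209.165.202.130", net("209.165.200.0/24")),
]

# Figure 6-2: same server, PAT address chosen by destination port (assumed address).
SERVER = net("209.165.201.50/32")
RULES_6_2 = [
    TwiceNatRule("telnet", net("10.1.2.0/24"), "209.165.202.129", SERVER, 23),
    TwiceNatRule("http", net("10.1.2.0/24"), "209.165.202.130", SERVER, 80),
]

if __name__ == "__main__":
    print(translate(RULES_6_1, "10.1.2.27", "209.165.201.11", 443))
    print(translate(RULES_6_2, "10.1.2.27", "209.165.201.50", 80))
    broad = TwiceNatRule("broad", net("10.1.2.0/24"), "209.165.202.131", net("209.165.201.0/24"))
    print(shadowed([broad] + RULES_6_2))   # both port-specific rules unreachable
```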
Table 6-1 lists each feature change and the platform release in which it was implemented.