Static NAT/PAT

8.3 NAT:
object network obj-10.1.2.27
host 10.1.2.27
object network obj-192.168.100.100
host 192.168.100.100
object network obj-10.76.5.0
subnet 10.76.5.0 255.255.255.224
nat (inside,outside) source static obj-10.1.2.27 obj-192.168.100.100 destination static obj-10.76.5.0 obj-10.76.5.0

Regular Dynamic PAT

Pre-8.3 NAT:
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 10.1.1.0 255.255.255.0
global (outside) 1 192.168.100.100

8.3 NAT:
object network obj-192.168.1.0
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic 192.168.100.100
object network obj-10.1.1.0
subnet 10.1.1.0 255.255.255.0
nat (dmz,outside) dynamic 192.168.100.100

Pre-8.3 NAT:
nat (inside) 1 0 0
global (outside) 1 interface
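
The nat/global pairing above can be converted mechanically. The following Python is an added example, not part of the original document or of any Cisco tool; the function name `convert_dynamic_pat` and the `obj_any` object name are assumptions, and the `obj-<network>` naming follows the objects shown above. It converts only nat/global PAT pairs and returns every other line (address pools, policy NAT, `nat 0`, outside NAT) for manual review instead of guessing.

```python
import re
from collections import defaultdict

# Constructed input: the pre-8.3 "Regular Dynamic PAT" lines from this section.
SAMPLE = """\
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 10.1.1.0 255.255.255.0
global (outside) 1 192.168.100.100
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\d[\d.]*) (\d[\d.]*)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (interface|\d+(?:\.\d+){3})$")

def convert_dynamic_pat(config):
    """Convert pre-8.3 nat/global PAT pairs to 8.3 object NAT.

    Returns (new_lines, skipped); skipped holds lines needing manual review.
    """
    nats, globals_, skipped = defaultdict(list), defaultdict(list), []
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        n, g = NAT_RE.match(line), GLOBAL_RE.match(line)
        if n and n.group(2) != "0":            # nat 0 is NAT exemption, not PAT
            net, mask = n.group(3), n.group(4)
            if (net, mask) == ("0", "0"):      # "0 0" is shorthand for any
                net = mask = "0.0.0.0"
            nats[n.group(2)].append((n.group(1), net, mask))
        elif g:
            globals_[g.group(2)].append((g.group(1), g.group(3)))
        else:                                  # pools, policy/outside NAT, nat 0
            skipped.append(line)
    out = []
    for nat_id, sources in nats.items():
        for real_if, net, mask in sources:
            targets = [t for t in globals_[nat_id] if t[0] != real_if]
            if not targets:                    # nat with no usable global
                skipped.append(f"nat ({real_if}) {nat_id} {net} {mask}")
            base = "obj_any" if net == "0.0.0.0" else f"obj-{net}"
            addr = f"host {net}" if mask == "255.255.255.255" else f"subnet {net} {mask}"
            for i, (mapped_if, mapped) in enumerate(targets):
                # Object NAT allows one nat line per object, so extra
                # egress interfaces get a suffixed object name.
                name = base + (f"-{i:02d}" if i else "")
                out += [f"object network {name}", addr,
                        f"nat ({real_if},{mapped_if}) dynamic {mapped}"]
    return out, skipped
```
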

Outside NAT

Pre-8.3 NAT:
global (inside) 1 10.1.2.30-10.1.2.40
nat (dmz) 1 10.1.1.0 255.255.255.0 outside
static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255

Twice NAT with both source IP, Dest IP and Source port, Dest port change.
On the inside:
On the outside:
(in) (out)
10.1.1.1-------ASA---- --xlate-------> 10.2.2.2
Original Ports: 10000 - 10010
Translated ports: 20000 - 20010
Comments
Hi,
I have Cisco ASA 5505 running 9.2(4).
How to set up UDP port forwarding ranging from 36,000 to 59,999?
Please advise. Thank you.
Hi Rizwan,
Try the below syntax.
object service udp-port
service udp source range 36000 59999
object network realip
host 192.168.x.x
object network mapip
host 182.x.x.x
nat (inside,outside) source static realip mapip service udp-port udp-port
Also apply the ACL to allow the traffic.
Hi Gaddu,
Thank you for the reply. Can you please advise on the ACL so I can test them all and will update you on this?
Bundle of thanks.
Real IP: 192.168.1.207
WAN IP: 182.152.34.98
I have tried the above command but I used mapped IP as WAN IP and got the following error. (I have PPPoE with a single WAN IP.)
ERROR: Address 182.152.34.98 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
Hi Rizwan,
Try this nat statement because you are trying to open ports on the interface.
nat (inside,outside) source static realip interface service udp-port udp-port
Acl:
access-list ouside permit udp any host 192.168.1.207 range 36000 59999
Thanks
Guddu
Good stuff. Confusing at best, but does someone have an example of nat (inside) 0 nonat?
thx
Thanks in advance,
Eren
How would I convert an ACL based natting that takes the incoming packet and translates it to the inside IP of the ASA so the inside server will respond when it uses a different default route?
access-list Outside-Web-Nat permit icmp any host x.x.x.x
access-list Outside-Web-Nat permit tcp any host x.x.x.x eq 443
global (inside) 2 interface
nat (outside) 2 access-list Outside-Web-Nat outside
static (inside,outside) x.x.x.x 10.192.63.9 netmask 255.255.255.255
Hi There,
You will get a quicker response if you post it in the Discussions section, FYI (https://supportforums.cisco.com/community/netpro/security/firewall?view=discussions).
As far as your query is concerned:
Access-list based NAT in pre-8.3 is now Double-nat in 8.3 and later. (Policy based NAT)
I would do the following:
object network any
subnet 0.0.0.0 0.0.0.0
object network Web-Server-Trans
host x.x.x.x
object network Web-Server-Orig
host 10.192.63.9
nat (outside,inside) source dynamic any interface destination static Web-Server-Trans Web-Server-Orig
As far as allowing when to nat (tcp 443, icmp), put that in outside interface access-list
Let me know if this works fine for you.
Regards,
Praveen
Hi It's nice,
That means this is the way we have to configure NAT for 8.3 and above? Pre-8.3 commands will not be accepted for the same? Hope I am correct?
Thanks
Hi Darshan Shah,
Please post this question on the Discussion area of the CSC and not in a document
Hi Petr,
As in the previous reply above, I would suggest that you also post this question on the Discussions section rather than in this Document.
https://supportforums.cisco.com/community/netpro/security/firewall?view=discussions
- Jouni
Hi Petr,
You only have two NAT rules:
1) nat (inside) 0 access-list inside_nat0_outbound_1
Which says: Do not NAT traffic matching access-list inside_nat0_outbound_1 - which is:
access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
This translates into the following NAT rule:
object network ServerReal
subnet 192.168.1.0 255.255.255.0
object network RemoteSite
subnet 192.168.0.0 255.255.255.0
nat (inside,outside) source static ServerReal ServerReal destination static RemoteSite RemoteSite
The statement says that there is a Web-Server at 10.1.1.6 on the "inside" and it is statically being translated to 192.168.100.100 on the "outside"
In this case the outside user is supposed to initiate the request to the inside web-server, not vice versa.
Does that still work?
This is a bi-directional nat statement. So yes, outside user can initiate a connection request to 192.168.100.100 which will then get untranslated to 10.1.1.6 on the inside interface.
PS: We need to allow access to real ip address in the access-list on the outside interface (i.e. "permit <protocol> any host 10.1.1.6")
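The reply above notes that from 8.3 onward the outside ACL must permit the real address, which makes stale mapped-IP entries worth auditing during a migration. This Python is an added example, not from the thread: it scans a constructed pre-8.3 config for interface ACL entries that still name a statically mapped address and suggests the real-IP form. The ACL name `outside_in`, the ports, the 192.168.100.101 entry and the function name are assumptions.

```python
import re

# Constructed pre-8.3 sample matching the comments above: web server 10.1.1.6
# (inside) statically translated to 192.168.100.100 (outside). The ACL name
# "outside_in", the ports and the .101 entry are assumptions.
SAMPLE = """\
static (inside,outside) 192.168.100.100 10.1.1.6 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 192.168.100.100 eq 80
access-list outside_in extended permit icmp any host 192.168.100.100
access-list outside_in extended permit tcp any host 192.168.100.101 eq 25
access-group outside_in in interface outside
"""

STATIC_RE = re.compile(
    r"^static \((\S+),(\S+)\) (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})"
    r" netmask 255\.255\.255\.255$")

def audit_acl_for_real_ip(config):
    """List interface-ACL entries that still match on a mapped address.

    Returns (original_line, suggested_line) pairs; 8.3+ evaluates the
    interface ACL against the real (untranslated) address.
    """
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    mapped_to_real = {}
    for line in lines:
        m = STATIC_RE.match(line)
        if m:                       # static (real_if,mapped_if) mapped real
            mapped_to_real[m.group(3)] = m.group(4)
    # Only ACLs bound with access-group are interface ACLs.
    bound = {l.split()[1] for l in lines if l.startswith("access-group ")}
    findings = []
    for line in lines:
        tok = line.split()
        if tok[0] != "access-list" or tok[1] not in bound:
            continue
        # Swap the address only where it follows the "host" keyword.
        new = [mapped_to_real.get(t, t) if i and tok[i - 1] == "host" else t
               for i, t in enumerate(tok)]
        if new != tok:
            findings.append((line, " ".join(new)))
    return findings
```

Entries for addresses with no matching static statement, such as the constructed 192.168.100.101 line, are left alone and need a manual check against the rest of the NAT configuration.
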
Hi Vijay,
The ICMP ID can be used to associate inside Requests with Responses across PAT translations.
Sincerely,
David.
Part 1 - Router#
ip access-list extended NATUSERS
permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
permit ip 1.1.2.0 0.0.0.255 2.2.2.0 0.0.0.255
permit ip 1.1.3.0 0.0.0.255 2.2.2.0 0.0.0.255
nat (inside,outside) source dynamic Src-123 Src-Trans destination static Dest-2.2.2.0 Dest-2.2.2.0
Million thanks.
Regards,
Don
To scale the performance of firewalls and to provide high reliability, Cisco has a new feature called ITD. Please see ITD (Intelligent Traffic Director) White Paper.
Hi Thomas,
Would you be able to open a separate post for your query?
Thanks and Regards,
Vibhor Amrodia
Now my questions:
the object
object network obj-10.0.0.0
subnet 10.0.0.0 255.0.0.0
is defined but not used anywhere in the subsequent statements of the same section for 8.3 version and later. In the 8.3 rules I'm missing how the address of the outside interface will be used to do PAT and how the NAT statement is restricted to the network 10.0.0.0/8.
Is it really necessary to define it or do any of the subsequent statements miss to use it? And if it is not necessary, how do the post-8.3 rules accomplish the nat goal of pre-8.3 written on the left column?
Could somebody help here please?
Thanks, Alex
This Document
Posted May 12, 2010 at 9:06 AM
Updated March 21, 2014 at 1:29 PM
By Magnus Mortensen