Object NAT Breakdown
Since all object NATs are properties of objects, they are added at the object configuration level. This also makes the address or range defined in the object the original source. It may seem a little odd at first when looking at an object NAT, since you don’t explicitly define an original source the way you would have with pre-8.3 NAT.
Command
ASA(config-object-network)# nat (original-interface,translated-interface) source static|dynamic ip|object|interface [service tcp|udp source-port translated-port] [dns] [unidirectional] [inactive] [description text]
Interfaces
(original-interface,translated-interface) - The “original-interface” is the interface behind which the resource you are translating exists, and the “translated-interface” is the interface on which you are making that resource available. The ‘any’ keyword can be used when specifying either the original or the translated interface.
Source Address Translation
source static|dynamic ip|object|interface
source – Specifies that the parameters that follow modify the source address of a packet during translation.
static|dynamic – This simply notes whether you’re doing a static or a dynamic translation.
ip|object|interface – Here is where you specify the IP address, object, or interface you want your resource to use after translation. If you specify ‘interface’, the translation will use the address assigned to the translated interface named in the first part of the command.
Port Translations
[service tcp|udp source-port translated-port]
service – Only available when doing static NAT. When used, this option gives you the ability to translate only a specific port or port range. Just remember that you can only have one translation per object, so if you need to do PAT for multiple discontiguous ports on the same host you need to set up multiple objects with the same host address.
tcp|udp – Specifies whether the port or port range is TCP or UDP.
source-port – The “source-port” is the port on the host you want to make available.
translated-port – The “translated-port” is the port that will be visible on the translated address. If the source port is 80 and the translated port is 8080, then traffic hitting the translated address on port 8080 will be directed to the original address on port 80.
Optional Flags
[dns] [unidirectional] [inactive] [description {text}]
dns – This flags the rule for DNS rewrites. It can only be used on static 1-to-1 NAT.
unidirectional – NAT is by nature a two-way process, but with this flag a translation can be forced to work in a single direction only.
inactive – This flag will prevent a rule from being used even though it is present in the configuration.
description {text} – This flag lets us add a short description to a rule.