Cisco ASA 5500 Series Configuration Guide using ASDM, 6.3
Configuring Network Object NAT (ASA 8.3 and Later)


All NAT rules that are configured as a parameter of a network object are considered to be network object NAT rules. Network object NAT is a quick and easy way to configure NAT for a network object, which can be a single IP address, a range of addresses, or a subnet. After you configure the network object, you can then identify the mapped address for that object.

This chapter describes how to configure network object NAT, and it includes the following sections:

Information About Network Object NAT

Licensing Requirements for Network Object NAT

Prerequisites for Network Object NAT

Guidelines and Limitations

Configuring Network Object NAT

Configuration Examples for Network Object NAT

Feature History for Network Object NAT


Note For detailed information about how NAT works, see Chapter 26 "Information About NAT (ASA 8.3 and Later)."


Information About Network Object NAT

When a packet enters the adaptive security appliance, both the source and destination IP addresses are checked against the network object NAT rules. The source and destination address in the packet can be translated by separate rules if separate matches are made. These rules are not tied to each other; different combinations of rules can be used depending on the traffic.

Because the rules are never paired, you cannot specify that a source address should be translated to A when going to destination X, but be translated to B when going to destination Y. Use twice NAT for that kind of functionality (twice NAT lets you identify the source and destination address in a single rule).

For detailed information about the differences between twice NAT and network object NAT, see the "How NAT is Implemented" section.

Network object NAT rules are added to section 2 of the NAT rules table. For more information about NAT ordering, see the "NAT Rule Order" section.

Licensing Requirements for Network Object NAT

The following table shows the licensing requirements for this feature:

Model        License Requirement
All models   Base License.


Prerequisites for Network Object NAT

Depending on the configuration, you can configure the mapped address inline if desired or you can create a network object or network object group for the mapped address. Network object groups are particularly useful for creating a mapped address pool with discontiguous IP address ranges or multiple hosts or subnets. To create a network object or group, see the "Configuring Network Objects and Groups" section.

For specific guidelines for objects and groups, see the configuration section for the NAT type you want to configure. See also the "Guidelines and Limitations" section.

Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines

Supported in single and multiple context mode.

Firewall Mode Guidelines

Supported in routed and transparent firewall mode.

In transparent mode, you must specify the real and mapped interfaces; you cannot use --Any--.

In transparent mode, you cannot configure interface PAT, because the transparent mode interfaces do not have IP addresses. You also cannot use the management IP address as a mapped address.

IPv6 Guidelines

Does not support IPv6.

Additional Guidelines

You can only define a single NAT rule for a given object; if you want to configure multiple NAT rules, you need to create multiple objects that specify the same IP address, for example, object network obj-10.10.10.1-01, object network obj-10.10.10.1-02, and so on.

If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT information is used, you can clear the translation table using the clear xlate command. However, clearing the translation table disconnects all current connections that use translations.


Note If you remove a dynamic NAT or PAT rule, and then add a new rule with mapped addresses that overlap the addresses in the removed rule, then the new rule will not be used until all connections associated with the removed rule time out or are cleared using the clear xlate command. This safeguard ensures that the same address is not assigned to multiple hosts.


Objects and object groups used in NAT cannot be undefined; they must include IP addresses.

The mapped IP address pool cannot include:

The mapped interface IP address. If you specify --Any-- interface for the rule, then all interface IP addresses are disallowed. For interface PAT (routed mode only), use the interface name instead of the IP address.

(Transparent mode) The management IP address.

(Dynamic NAT) The standby interface IP address when VPN is enabled.

Existing VPN pool addresses.

Configuring Network Object NAT

This section describes how to configure network object NAT to create rules for dynamic NAT, dynamic PAT, static NAT, static NAT with port translation, and identity NAT. This section includes the following topics:

Configuring Dynamic NAT

Configuring Dynamic PAT (Hide)

Configuring Static NAT or Static NAT with Port Translation

Configuring Identity NAT

Configuring Dynamic NAT

This section describes how to configure a dynamic NAT rule using network object NAT. For more information, see the "Dynamic NAT" section.

Detailed Steps


Step 1 You can add NAT to a new or existing network object:

To add a new network object, choose Configuration > Firewall > NAT Rules, then click Add > Add Network Object NAT Rule.

Figure 27-1 Adding a Network Object NAT Rule

To add NAT to an existing network object, choose Configuration > Firewall > Objects > Network Objects/Groups, and then double-click a network object.

For more information, see the "Configuring a Network Object" section.


Note You can only define a single NAT rule for a given object. See the "Additional Guidelines" section.


The Add/Edit Network Object dialog box appears.

Step 2 For a new object, enter values for the following fields:

a. Name—The object name. Use characters a to z, A to Z, 0 to 9, a period, a dash, a comma, or an underscore. The name must be 64 characters or less.

b. Type—Host, Network, or Range.

c. IP Address—An IPv4 address. IPv6 is not supported. If you select Range as the object type, the IP Address field changes to allow you to enter a Start Address and an End address.

d. Netmask—Enter the subnet mask.

e. Description—(Optional) The description of the network object (up to 200 characters in length).

Figure 27-2 Defining the Object Addresses

Step 3 If the NAT section is hidden, click NAT to expand the section.

Step 4 Check the Add Automatic Translation Rules check box.

Step 5 From the Type drop-down list, choose Dynamic.

Figure 27-3 Enabling NAT

Step 6 In the Translated Addr field, click the browse button and choose an existing network object from the Browse Translated Addr dialog box.


Note The object or group cannot contain a subnet.
You can share this mapped object across different dynamic NAT rules, if desired.


Figure 27-4 Browse Dialog Box

See the "Guidelines and Limitations" section for information about disallowed mapped IP addresses.

You can also create a new named object from the Browse Translated Addr dialog box and use this object as the mapped address:

a. Add the new network object.

Figure 27-5 Adding a New Network Object for the NAT Pool

b. Define the NAT pool addresses, and click OK.

Figure 27-6 Defining the NAT Pool Addresses


Note Although not disallowed, you will typically not configure NAT for this network object that you are using for the mapped addresses; you can leave the NAT section unconfigured.


c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.

Figure 27-7 Choosing the New Network Object

Step 7 (Optional) To use the interface IP address as a backup method when the other mapped addresses are already allocated, check the Fall through to interface PAT (dest intf) check box, and choose the interface from the drop-down list.

Step 8 (Optional) Click Advanced, and configure the following options in the Advanced NAT Settings dialog box. When you are finished, click OK.

Figure 27-8 Configuring Advanced NAT Settings

To translate the IP address in DNS replies, check the Translate DNS replies for rule check box.

Be sure DNS inspection is enabled (it is enabled by default). See the "DNS and NAT" section for more information.

To specify the real and/or mapped interfaces where this NAT rule should apply, under Interface, choose the source and destination interfaces.

By default, the rule applies to all interfaces.

You return to the Add/Edit Network Object dialog box.

Step 9 Click OK, and then Apply.


Configuring Dynamic PAT (Hide)

This section describes how to configure a dynamic PAT (hide) rule using network object NAT. For more information, see the "Dynamic PAT" section.

Detailed Steps


Step 1 You can add NAT to a new or existing network object:

To add a new network object, choose Configuration > Firewall > NAT Rules, then click Add > Add Network Object NAT Rule.

Figure 27-9 Adding a Network Object NAT Rule

To add NAT to an existing network object, choose Configuration > Firewall > Objects > Network Objects/Groups, and then double-click a network object.

For more information, see the "Configuring a Network Object" section.


Note You can only define a single NAT rule for a given object. See the "Additional Guidelines" section.


The Add/Edit Network Object dialog box appears.

Step 2 For a new object, enter values for the following fields:

a. Name—The object name. Use characters a to z, A to Z, 0 to 9, a period, a dash, a comma, or an underscore. The name must be 64 characters or less.

b. Type—Host, Network, or Range.

c. IP Address—An IPv4 address. IPv6 is not supported. If you select Range as the object type, the IP Address field changes to allow you to enter a Start Address and an End address.

d. Netmask—Enter the subnet mask.

e. Description—(Optional) The description of the network object (up to 200 characters in length).

Figure 27-10 Defining the Object Addresses

Step 3 If the NAT section is hidden, click NAT to expand the section.

Step 4 Check the Add Automatic Translation Rules check box.

Step 5 From the Type drop-down list, choose Dynamic PAT (Hide).

Figure 27-11 Configuring Dynamic PAT

Step 6 In the Translated Addr field, specify the mapped IP address.


Note You can share this mapped IP address across different dynamic PAT rules, if desired.


Do one of the following:

Type a host IP address.

Type an interface name or click the browse button, and choose an interface from the Browse Translated Addr dialog box.

Figure 27-12 Browse Dialog Box

If you specify an interface name, then you enable interface PAT, where the specified interface IP address is used as the mapped address. With interface PAT, the NAT rule only applies to the specified mapped interface. (If you do not use interface PAT, then the rule applies to all interfaces by default.) See Step 8 to optionally also configure the real interface to be a specific interface instead of --Any--.


Note You cannot specify an interface in transparent mode.


Click the browse button, and choose an existing host address from the Browse Translated Addr dialog box. You can also create a new named object from the Browse Translated Addr dialog box and use this object as the mapped address.

Figure 27-13 Browse Dialog Box

See the "Guidelines and Limitations" section for information about disallowed mapped IP addresses.

Step 7 (Optional) Click Advanced, and configure the following options in the Advanced NAT Settings dialog box. When you are finished, click OK.

Figure 27-14 Configuring Advanced NAT Settings

To translate the IP address in DNS replies, check the Translate DNS replies for rule check box.

Be sure DNS inspection is enabled (it is enabled by default). See the "DNS and NAT" section for more information.

To specify the real and/or mapped interfaces where this NAT rule should apply, under Interface, choose the source and destination interfaces.

By default, the rule applies to all interfaces.

You return to the Add/Edit Network Object dialog box.

Step 8 Click OK, and then Apply.
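The CLI that these two procedures produce on the appliance, as an added example that is not part of the guide: one object gets dynamic NAT to a pool object with fall-through to interface PAT (Steps 6 to 8) and DNS reply translation, a second object gets dynamic PAT (hide) to the outside interface address. The interface names inside and outside, the object names, and the 10.1.x.0 and 209.165.201.x addresses are assumed values.

```cisco
! --- Dynamic NAT ---
! Mapped pool for Step 6. It must be a range or hosts, never a subnet, and
! it must not contain an interface address, the standby address or VPN pool
! addresses (see Guidelines and Limitations).
object network nat-pool
 range 209.165.201.20 209.165.201.30
!
! Real network. Only one nat statement is allowed per object; a second rule
! for the same addresses needs a second object with the same subnet line.
object network inside-net
 subnet 10.1.2.0 255.255.255.0
 nat (inside,outside) dynamic nat-pool interface dns
! (inside,outside) = real interface, mapped interface (Step 8; omit for Any)
! nat-pool         = the mapped pool object (Step 6)
! interface        = fall through to PAT on the outside address when the
!                    pool is exhausted (Step 7)
! dns              = translate the address inside DNS replies (Step 8)
!
! --- Dynamic PAT (Hide) to the outside interface address ---
! Interface PAT is routed mode only; transparent-mode interfaces have no
! address to use. The rule then applies only to the named mapped interface.
object network inside-net-hide
 subnet 10.1.3.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! --- Checks after Apply (exec mode) ---
! Both rules should appear in section 2 of the NAT table:
show nat
! Live translations; dynamic entries persist until they time out:
show xlate
! After replacing a dynamic rule whose mapped addresses overlap the old one,
! the new rule is not used until the old translations are gone. Clearing
! them drops every connection that currently uses a translation:
clear xlate
```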


Configuring Static NAT or Static NAT with Port Translation

This section describes how to configure a static NAT rule using network object NAT. For more information, see the "Static NAT" section.

Detailed Steps


Step 1 You can add NAT to a new or existing network object:

To add a new network object, choose Configuration > Firewall > NAT Rules, then click Add > Add Network Object NAT Rule.

Figure 27-15 Adding a Network Object NAT Rule

To add NAT to an existing network object, choose Configuration > Firewall > Objects > Network Objects/Groups, and then double-click a network object.

For more information, see the "Configuring a Network Object" section.


Note You can only define a single NAT rule for a given object. See the "Additional Guidelines" section.


The Add/Edit Network Object dialog box appears.

Step 2 For a new object, enter values for the following fields:

a. Name—The object name. Use characters a to z, A to Z, 0 to 9, a period, a dash, a comma, or an underscore. The name must be 64 characters or less.

b. Type—Network, Host, or Range.

c. IP Address—An IPv4 address. IPv6 is not supported. If you select Range as the object type, the IP Address field changes to allow you to enter a Start Address and an End address.

d. Netmask—Enter the subnet mask.

e. Description—(Optional) The description of the network object (up to 200 characters in length).

Figure 27-16 Defining the Object Addresses

Step 3 If the NAT section is hidden, click NAT to expand the section.

Step 4 Check the Add Automatic Translation Rules check box.

Step 5 From the Type drop-down list, choose Static.

Figure 27-17 Configuring NAT

Step 6 In the Translated Addr field, do one of the following:

Type an IP address.

When you type an IP address, the netmask or range for the mapped network is the same as that of the real network. For example, if the real network is a host, then this address will be a host address. In the case of a range, then the mapped addresses include the same number of addresses as the real range. For example, if the real address is defined as a range from 10.1.1.1 through 10.1.1.6, and you specify 172.20.1.1 as the mapped address, then the mapped range will include 172.20.1.1 through 172.20.1.6.

(For static NAT with port translation only) Type an interface name or click the browse button, and choose an interface from the Browse Translated Addr dialog box.

Figure 27-18 Browse Dialog Box

Be sure to also configure a service on the Advanced NAT Settings dialog box (see Step 7). (You cannot specify an interface in transparent mode.)

Click the browse button, and choose an existing address from the Browse Translated Addr dialog box. You can also create a new named object from the Browse Translated Addr dialog box and use this object as the mapped address.

Figure 27-19 Browse Dialog Box

See the "Guidelines and Limitations" section for information about disallowed mapped IP addresses.

Typically, you configure the same number of mapped addresses as real addresses for a one-to-one mapping. You can, however, have a mismatched number of addresses. For more information, see the "Static NAT" section.

Step 7 (Optional) Click Advanced, and configure the following options in the Advanced NAT Settings dialog box. When you are finished, click OK.

Figure 27-20 Configuring Advanced NAT Settings

To translate the IP address in DNS replies, check the Translate DNS replies for rule check box.

Be sure DNS inspection is enabled (it is enabled by default). See the "DNS and NAT" section for more information. This option is not available if you also translate TCP or UDP ports (static NAT with port translation).

To specify the real and/or mapped interfaces where this NAT rule should apply, under Interface, choose the source and destination interfaces.

By default, the rule applies to all interfaces.

To configure static NAT with port translation, under Service, choose the protocol type from the Protocol drop-down list (tcp or udp), and then type values for the Original Port and Translated Port.

You can type either a port number or a well-known port name (such as "ftp").

You return to the Add/Edit Network Object dialog box.

Step 8 Click OK, and then Apply.

Because static rules are bidirectional (allowing initiation to and from the real host), the NAT Rules table shows two rows for each static rule, one for each direction (see Figure 27-21).

Figure 27-21 Bidirectional Rules in the NAT Rules Table


Configuring Identity NAT

This section describes how to configure an identity NAT rule using network object NAT. For more information, see the "Identity NAT" section.

Detailed Steps


Step 1 You can add NAT to a new or existing network object:

To add a new network object, choose Configuration > Firewall > NAT Rules, then click Add > Add Network Object NAT Rule.

Figure 27-22 Adding a Network Object NAT Rule

To add NAT to an existing network object, choose Configuration > Firewall > Objects > Network Objects/Groups, and then double-click a network object.

For more information, see the "Configuring a Network Object" section.


Note You can only define a single NAT rule for a given object. See the "Additional Guidelines" section.


The Add/Edit Network Object dialog box appears.

Step 2 For a new object, enter values for the following fields:

a. Name—The object name. Use characters a to z, A to Z, 0 to 9, a period, a dash, a comma, or an underscore. The name must be 64 characters or less.

b. Type—Network, Host, or Range.

c. IP Address—An IPv4 address. IPv6 is not supported. If you select Range as the object type, the IP Address field changes to allow you to enter a Start Address and an End address.

d. Netmask—Enter the subnet mask.

e. Description—(Optional) The description of the network object (up to 200 characters in length).

Figure 27-23 Defining the Object Addresses

Step 3 If the NAT section is hidden, click NAT to expand the section.

Step 4 Check the Add Automatic Translation Rules check box.

Step 5 From the Type drop-down list, choose Static.

Figure 27-24 Configuring NAT

Step 6 In the Translated Addr field, do one of the following:

Type the same IP address that you used for the real address.

Click the browse button, and choose a network object with a matching IP address definition from the Browse Translated Addr dialog box. You can also create a new named object from the Browse Translated Addr dialog box and use this object as the mapped address.

Figure 27-25 Browse Dialog Box

Step 7 (Optional) To specify the real and/or mapped interfaces where this NAT rule should apply, click Advanced, and under Interface, choose the source and destination interfaces. By default, the rule applies to all interfaces.

Do not configure any other options on this dialog box.

Click OK to return to the Add/Edit Network Object dialog box.

Figure 27-26 Configuring Interfaces

Step 8 Click OK, and then Apply.

Because static rules are bidirectional (allowing initiation to and from the real host), the NAT Rules table shows two rows for each static rule, one for each direction (see Figure 27-21).

Figure 27-27 Bidirectional Rules in the NAT Rules Table
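The CLI behind the static NAT and identity NAT procedures, as an added example that is not part of the guide. It shows the three forms of Step 6: a host translated one-to-one, a range translated with an inline mapped address (the 10.1.1.1 to 10.1.1.6 and 172.20.1.1 range from the static NAT procedure), and an identity rule that uses a second object with a matching definition. The interface names inside, outside and dmz, the object names, and the 10.1.2.27, 209.165.201.10 and 10.1.4.0 addresses are assumed values.

```cisco
! --- Static NAT, one host to one mapped address (Step 6: type an IP address) ---
object network web-server
 host 10.1.2.27
 nat (inside,outside) static 209.165.201.10
!
! --- Static NAT for a range with an inline mapped address ---
! The real object has six addresses, so the mapped side also gets six:
! 10.1.1.1-10.1.1.6 maps to 172.20.1.1-172.20.1.6 (the mapped range takes
! the size of the real range, as the procedure text states).
object network dev-range
 range 10.1.1.1 10.1.1.6
 nat (inside,outside) static 172.20.1.1
!
! --- Identity NAT (mapped address equals the real address) ---
! Step 6 alternative: a separate object with exactly the same definition is
! used as the mapped address. Restricting the interfaces (Step 7) makes the
! rule apply only between inside and dmz; with no interfaces it matches
! everywhere, which is usually broader than intended.
object network dmz-net
 subnet 10.1.4.0 255.255.255.0
object network dmz-net-identity
 subnet 10.1.4.0 255.255.255.0
 nat (inside,dmz) static dmz-net
!
! --- Checks (exec mode) ---
! Every static rule is bidirectional: outside hosts may initiate to
! 209.165.201.10 and to 172.20.1.x once an access rule permits it, so confirm
! that each object carries exactly the rule you meant before you add the
! matching access rules.
show nat
show running-config object network
```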


Configuration Examples for Network Object NAT

This section includes the following configuration examples:

Providing Access to an Inside Web Server (Static NAT)

NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT)

Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many)

Single Address for FTP, HTTP, and SMTP (Static NAT with Port Translation)

DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS Modification)

DNS Server and Web Server on Mapped Interface, Web Server is Translated (Static NAT with DNS Modification)

Providing Access to an Inside Web Server (Static NAT)

The following example performs static NAT for an inside web server. The real address is on a private network, so a public address is required. Static NAT is necessary so hosts can initiate traffic to the web server at a fixed address. (See Figure 27-28).

Figure 27-28 Static NAT for an Inside Web Server


Step 1 Create a network object for the internal web server:

Figure 27-29 Adding a Network Object

Step 2 Define the web server address:

Figure 27-30 Defining the Web Server Address

Step 3 Configure static NAT for the object:

Figure 27-31 Configuring NAT

Step 4 Configure the real and mapped interfaces by clicking Advanced:

Figure 27-32 Configuring Interfaces

Step 5 Click OK to return to the Edit Network Object dialog box, click OK again, and then click Apply.


NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT)

The following example configures dynamic NAT for inside users on a private network when they access the outside. Also, when inside users connect to an outside web server, that web server address is translated to an address that appears to be on the inside network. (See Figure 27-33).

Figure 27-33 Dynamic NAT for Inside, Static NAT for Outside Web Server


Step 1 Create a network object for the inside network:

Figure 27-34 Adding a Network Object

Step 2 Define the addresses for the inside network:

Figure 27-35 Defining the Inside Network Addresses

Step 3 Enable dynamic NAT for the inside network:

Figure 27-36 Enabling NAT

Step 4 For the Translated Addr field, add a new network object for the dynamic NAT pool to which you want to translate the inside addresses by clicking the browse button.

a. Add the new network object.

Figure 27-37 Adding a New Network Object for the NAT Pool

b. Define the NAT pool addresses, and click OK.

Figure 27-38 Defining the NAT Pool Addresses

c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.

Figure 27-39 Choosing the New Network Object

Step 5 Configure the real and mapped interfaces by clicking Advanced:

Figure 27-40 Configuring Interfaces

Step 6 Click OK to return to the Edit Network Object dialog box, and then click OK again to return to the NAT Rules table.

Step 7 Create a network object for the outside web server:

Figure 27-41 Adding a Network Object

Step 8 Define the web server address:

Figure 27-42 Defining the Web Server Address

Step 9 Configure static NAT for the web server:

Figure 27-43 Configuring NAT

Step 10 Configure the real and mapped interfaces by clicking Advanced:

Figure 27-44 Configuring Interfaces

Step 11 Click OK to return to the Edit Network Object dialog box, click OK again, and then click Apply.


Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many)

The following example shows an inside load balancer that is translated to multiple IP addresses. When an outside host accesses one of the mapped IP addresses, it is untranslated to the single load balancer address. Depending on the URL requested, it redirects traffic to the correct web server. (See Figure 27-45).

Figure 27-45 Static NAT with One-to-Many for an Inside Load Balancer


Step 1 Create a network object for the load balancer:

Figure 27-46 Adding a Network Object

Step 2 Define the load balancer address:

Figure 27-47 Defining the Load Balancer Address

Step 3 Configure static NAT for the load balancer:

Figure 27-48 Configuring NAT

Step 4 For the Translated Addr field, add a new network object for the static NAT group of addresses to which you want to translate the load balancer address by clicking the browse button.

a. Add the new network object.

Figure 27-49 Adding a New Network Object for the Static NAT Group

b. Define the static NAT group of addresses, and click OK.

Figure 27-50 Defining the Static NAT Group of Addresses

c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.

Figure 27-51 Choosing the New Network Object

Step 5 Configure the real and mapped interfaces by clicking Advanced:

Figure 27-52 Configuring Interfaces

Step 6 Click OK to return to the Edit Network Object dialog box, click OK again, and then click Apply.


Single Address for FTP, HTTP, and SMTP (Static NAT with Port Translation)

The following static NAT with port translation example provides a single address for remote users to access FTP, HTTP, and SMTP. These servers are actually different devices on the real network, but for each server, you can specify static NAT with port translation rules that use the same mapped IP address, but different ports. (See Figure 27-53.)

Figure 27-53 Static NAT with Port Translation


Step 1 Create a network object for the FTP server address:

Figure 27-54 Adding a Network Object

Step 2 Define the FTP server address, and configure static NAT for the FTP server:

Figure 27-55 Defining the FTP Server Address and Configuring Static NAT

Step 3 Click Advanced to configure the real and mapped interfaces and port translation for FTP.

Figure 27-56 Setting the Interfaces and Port

Step 4 Create a network object for the HTTP server address:

Figure 27-57 Adding a Network Object

Step 5 Define the HTTP server address, and configure static NAT for the HTTP server:

Figure 27-58 Defining the HTTP Server Address and Configuring Static NAT

Step 6 Click Advanced to configure the real and mapped interfaces and port translation for HTTP.

Figure 27-59 Setting the Interfaces and Port

Step 7 Create a network object for the SMTP server address:

Figure 27-60 Adding a Network Object

Step 8 Define the SMTP server address, and configure static NAT for the SMTP server:

Figure 27-61 Defining the SMTP Server Address and Configuring Static NAT

Step 9 Click Advanced to configure the real and mapped interfaces and port translation for SMTP.

Figure 27-62 Setting the Interfaces and Port

Step 10 Click OK to return to the Edit Network Object dialog box, click OK again, and then click Apply.


DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS Modification)

In this example, a DNS server is accessible from the outside interface. A server, ftp.cisco.com, is on the inside interface. You configure the adaptive security appliance to statically translate the ftp.cisco.com real address (10.1.3.14) to a mapped address (209.165.201.10) that is visible on the outside network. (See Figure 27-63.) In this case, you want to enable DNS reply modification on this static rule so that inside users who have access to ftp.cisco.com using the real address receive the real address from the DNS server, and not the mapped address.

When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with the mapped address (209.165.201.10). The adaptive security appliance refers to the static rule for the inside server and translates the address inside the DNS reply to 10.1.3.14. If you do not enable DNS reply modification, then the inside host attempts to send traffic to 209.165.201.10 instead of accessing ftp.cisco.com directly.

Figure 27-63 DNS Reply Modification


Step 1 Create a network object for the FTP server address:

Figure 27-64 Adding a Network Object

Step 2 Define the FTP server address, and configure static NAT:

Figure 27-65 Defining the FTP Server Address and Configuring Static NAT

Step 3 Click Advanced to configure the real and mapped interfaces and DNS modification.

Figure 27-66 Setting the Interfaces and DNS

Step 4 Click OK to return to the Edit Network Object dialog box, click OK again, and then click Apply.


DNS Server and Web Server on Mapped Interface, Web Server is Translated (Static NAT with DNS Modification)

Figure 27-67 shows a web server and DNS server on the outside. The adaptive security appliance has a static translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.20.10. Because you want inside users to use the mapped address for ftp.cisco.com (10.1.2.56), you need to configure DNS reply modification for the static translation.

Figure 27-67 DNS Reply Modification Using Outside NAT


Step 1 Create a network object for the FTP server address:

Figure 27-68 Adding a Network Object

Step 2 Define the FTP server address, and configure static NAT:

Figure 27-69 Defining the FTP Server Address and Configuring Static NAT

Step 3 Click Advanced to configure the real and mapped interfaces and DNS modification.

Figure 27-70 Setting the Interfaces and DNS

Step 4 Click OK to return to the Edit Network Object dialog box, click OK again, and then click Apply.
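The CLI equivalent of the last four configuration examples (one-to-many load balancer, single address for FTP, HTTP and SMTP, and the two DNS reply modification cases), as an added example that is not part of the guide. The ftp.cisco.com addresses 10.1.3.14, 209.165.201.10, 209.165.20.10 and 10.1.2.56 are the ones the examples state; the interface names inside and outside, the object names, the load balancer and server addresses and the 209.165.201.x mapped addresses are assumed values.

```cisco
! --- Inside load balancer with multiple mapped addresses (one-to-many) ---
! A single real host mapped to a range object; outside hosts reaching any
! address in the range are untranslated to the one load balancer address.
object network lb-public-ips
 range 209.165.201.20 209.165.201.22
object network load-balancer
 host 10.1.2.27
 nat (inside,outside) static lb-public-ips
!
! --- Single mapped address for FTP, HTTP and SMTP (port translation) ---
! Three real servers share mapped address 209.165.201.3 and are told apart
! by port. Syntax: service <tcp|udp> <real port> <mapped port>, which is
! ASDM's Original Port / Translated Port. Names or numbers are accepted.
object network ftp-server
 host 10.1.2.28
 nat (inside,outside) static 209.165.201.3 service tcp ftp ftp
object network http-server
 host 10.1.2.29
 nat (inside,outside) static 209.165.201.3 service tcp www www
object network smtp-server
 host 10.1.2.30
 nat (inside,outside) static 209.165.201.3 service tcp smtp smtp
!
! --- DNS server outside, FTP server inside (Figure 27-63) ---
! The dns keyword rewrites the A record 209.165.201.10 -> 10.1.3.14 in DNS
! replies going to inside hosts, so they reach the server by its real
! address. dns cannot be combined with service (port translation).
object network ftp-cisco-com
 host 10.1.3.14
 nat (inside,outside) static 209.165.201.10 dns
!
! --- DNS server and FTP server both outside (Figure 27-67) ---
! The real interface is now outside, so the interface pair is reversed.
! Replies carrying 209.165.20.10 are rewritten to 10.1.2.56 for inside hosts.
object network ftp-cisco-com-outside
 host 209.165.20.10
 nat (outside,inside) static 10.1.2.56 dns
!
! --- Checks (exec mode) ---
! DNS reply modification only works while DNS inspection is applied, which
! the default global policy does; confirm it has not been removed:
show running-config policy-map
show nat
```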


Feature History for Network Object NAT

Table 27-1 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.

Table 27-1 Feature History for Network Object NAT

Feature Name         Platform Releases   Feature Information
Network Object NAT   8.3(1)              Configures NAT for a network object IP address(es).
                                         The following screens were introduced or modified:
                                         Configuration > Firewall > NAT Rules
                                         Configuration > Firewall > Objects > Network Objects/Groups