Table Of Contents

nac through override-account-disable Commands

nac

nac-authentication-server-group

nac-default-acl

nac-reval-period

nac-sq-period

name

nameif

names

name-separator

nat

nat (vpn load-balancing)

nat-control

nat-rewrite

nbns-server (tunnel-group webvpn attributes mode)

nbns-server (webvpn mode)

neighbor

nem

network

network area

network-object

nt-auth-domain-controller

ntp authenticate

ntp authentication-key

ntp server

ntp trusted-key

num-packets

object-group

ocsp disable-nonce

ocsp url

ospf authentication

ospf authentication-key

ospf cost

ospf database-filter

ospf dead-interval

ospf hello-interval

ospf message-digest-key

ospf mtu-ignore

ospf network point-to-point non-broadcast

ospf priority

ospf retransmit-interval

ospf transmit-delay

outstanding

override-account-disable

nac through override-account-disable Commands

---

nac

To enable or disable Network Admission Control, use the nac command in group-policy configuration mode. To inherit the NAC setting from the default group policy, access the alternative group policy from which to inherit it, then use the no form of this command.

nac {enable | disable}

no nac [enable | disable]

Syntax Description

enable	Enables NAC, which requires posture validation for remote access. If the remote computer passes the validation checks, the ACS server downloads the access policy for the security appliance to enforce
disable	Disables NAC.

Defaults

The default setting is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
group-policy configuration	•	—	•	—	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

An Access Control Server must be present on the network.

Examples

The following example enables NAC for the group policy:

hostname(config-group-policy)# nac enable

hostname(config-group-policy)

The following example disables NAC for the group policy:

hostname(config-group-policy)# nac disable

hostname(config-group-policy)

The following example inherits the NAC setting from the default group policy:

hostname(config-group-policy)# no nac

hostname(config-group-policy)# 

Related Commands

Command	Description
aaa-server	Creates a record of the AAA server or group and sets the host-specific AAA server attributes.
debug eap	Enables logging of EAP events to debug NAC messaging.
debug eou	Enables logging of EAP over UDP (EAPoUDP) events to debug NAC messaging.
debug nac	Enables logging of NAC events.
nac-authentication-server-group	Identifies the group of authentication servers to be used for Network Admission Control Posture Validation

nac-authentication-server-group

To identify the group of authentication servers to be used for Network Admission Control posture validation, use the nac-authentication-server-group command in tunnel-group general-attributes configuration mode. To inherit the authentication server group from the default remote access group, access the alternative group policy from which to inherit it, then use the no form of this command.

nac-authentication-server-group server-group

no nac-authentication-server-group

Syntax Description

server-group

Name of the posture validation server group, as configured on the security appliance using the aaa-server host command. The name must match the server-tag variable specified in that command.

Defaults

This command has no arguments or keywords.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
tunnel-group general-attributes configuration	•	—	•	—	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

Configure at least one Access Control Server to support NAC. Use the aaa-server command to name the ACS group. Then use the nac-authentication-server-group command, using the same name for the server group.

Examples

The following example identifies acs-group1 as the authentication server group to be used for NAC posture validation:

hostname(config-group-policy)# nac-authentication-server-group acs-group1

hostname(config-group-policy)

The following example inherits the authentication server group from the default remote access group.

hostname(config-group-policy)# no nac-authentication-server-group

hostname(config-group-policy)

Related Commands

Command	Description
aaa-server	Creates a record of the AAA server or group and sets the host-specific AAA server attributes.
debug eap	Enables logging of EAP events to debug NAC messaging.
debug eou	Enables logging of EAP over UDP (EAPoUDP) events to debug NAC messaging.
debug nac	Enables logging of NAC events.
nac	Enables Network Admission Control on a group policy.

nac-default-acl

To specify the ACL to be used as the default ACL for Network Admission Control sessions that fail posture validation, use the nac-default-acl command in group-policy configuration mode.

nac-default-acl value acl-name

nac-default-acl none

To inherit the ACL from the default group policy, access the alternative group policy from which to inherit it, then use the no form of this command.

no nac-default-acl

Syntax Description

acl-name	Names the posture validation server group, as configured on the security appliance using the aaa-server host command. The name must match the server-tag variable specified in that command.
none	Disables inheritance of the ACL from the default group policy and does not apply an ACL to NAC sessions that fail posture validation.

Defaults

The default setting is none.

Because NAC is disabled by default, VPN traffic traversing the security appliance is not subject to the NAC Default ACL until NAC is enabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
group-policy configuration	•	—	•	—	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Examples

The following example identifies acl-1 as the ACL to be applied when posture validation fails:

hostname(config-group-policy)# nac-default-acl value acl-1

hostname(config-group-policy)

The following example inherits the ACL from the default group policy.

hostname(config-group-policy)# no nac-default-acl

hostname(config-group-policy)

The following example disables inheritance of the ACL from the default group policy and does not apply an ACL to NAC sessions that fail posture validation:

hostname(config-group-policy)# nac-default-acl none

hostname(config-group-policy)

Related Commands

Command	Description
debug eap	Enables logging of EAP events to debug NAC messaging.
debug eou	Enables logging of EAP over UDP (EAPoUDP) events to debug NAC messaging.
debug nac	Enables logging of NAC events.
nac	Enables Network Admission Control on a group policy.

nac-reval-period

To specify the interval between each successful posture validation in a Network Admission Control session, use the nac-reval-period command in group-policy configuration mode. To inherit the value of the Revalidation Timer from the default group policy, access the alternative group policy from which to inherit it, then use the no form of this command.

nac-reval-period seconds

no nac-reval-period [seconds]

Syntax Description

seconds

Number of seconds between each successful posture validation. The range is 300 to 86400.

Defaults

The default value is 36000.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
group-policy configuration	•	—	•	—	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

The security appliance starts the Revalidation Timer after each successful posture validation. The expiration of this timer triggers the next unconditional posture validation. The security appliance maintains posture validation during revalidation. The default group policy becomes effective if the Access Control Server is unavailable during posture validation or revalidation.

Examples

The following example changes the revalidation timer to 86400 seconds:

hostname(config-group-policy)# nac-reval-period 86400

hostname(config-group-policy)

The following example inherits the value of the revalidation timer from the default group policy:

hostname(config-group-policy)# no nac-reval-period

hostname(config-group-policy)

Related Commands

Command	Description
debug eap	Enables logging of EAP events to debug NAC messaging.
debug eou	Enables logging of EAP over UDP (EAPoUDP) events to debug NAC messaging.
debug nac	Enables logging of NAC events.
nac	Enables Network Admission Control on a group policy.

nac-sq-period

To specify the interval between each successful posture validation in a Network Admission Control session and the next query for changes in the host posture, use the nac-sq-period command in group-policy configuration mode. To inherit the value of the status query timer from the default group policy, access the alternative group policy from which to inherit it, then use the no form of this command.

nac-sq-period seconds

no nac-sq-period [seconds]

Syntax Description

seconds

Number of seconds between each successful posture validation. The range is 300 to 1800.

Defaults

The default value is 300.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
group-policy configuration	•	—	•	—	—

Command History

Release	Modification
7.2(1)	This command was introduced.

Usage Guidelines

The security appliance starts the status query timer after each successful posture validation and status query response. The expiration of this timer triggers a query for changes in the host posture, referred to as a status query.

Examples

The following example changes the value of the status query timer to 1800 seconds:

hostname(config-group-policy)# nac-sq-period 1800

hostname(config-group-policy)

The following example inherits the value of the status query timer from the default group policy:

hostname(config-group-policy)# no nac-sq-period

hostname(config-group-policy)

Related Commands

Command	Description
debug eap	Enables logging of EAP events to debug NAC messaging.
debug eou	Enables logging of EAP over UDP (EAPoUDP) events to debug NAC messaging.
debug nac	Enables logging of NAC events.
nac	Enables Network Admission Control on a group policy.
nac-reval-period	Specifies the interval between each successful posture validation in a Network Admission Control session

name

To associate a name with an IP address, use the name command in global configuration mode. To disable the use of the text names but not remove them from the configuration, use the no form of this command.

name ip_address name [description text]]

no name ip_address [name [description text]]

Syntax Description

description	(Optional) Specifies a description for the ip address name.
ip_address	Specifies an IP address of the host that is named.
name	Specifies the name assigned to the IP address. Use characters a to z, A to Z, 0 to 9, a dash, and an underscore. The name must be 63 characters or less. Also, the name cannot start with a number.
text	Specifies the text for the description.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
Preexisting	This command was preexissting.
7.0(4)	This command was enhanced to include an optional description.

Usage Guidelines

To enable the association of a name with an IP address, use the names command. You can associate only one name with an IP address.

You must first use the names command before you use the name command. Use the name command immediately after you use the names command and before you use the write memory command.

The name command lets you identify a host by a text name and map text strings to IP addresses. The no name command allows you to disable the use of the text names but does not remove them from the configuration. Use the clear configure name command to clear the list of names from the configuration.

To disable displaying name values, use the no names command.

Both the name and names commands are saved in the configuration.

The name command does not support assigning a name to a network mask. For example, this command would be rejected:

hostname(config)# name 255.255.255.0 class-C-mask

---

Note None of the commands in which a mask is required can process a name as an accepted network mask.

---

Examples

This example shows that the names command allows you to enable use of the name command. The name command substitutes sa_inside for references to 192.168.42.3 and sa_outside for 209.165.201.3. You can use these names with the ip address commands when assigning IP addresses to the network interfaces. The no names command disables the name command values from displaying. Subsequent use of the names command again restores the name command value display.

hostname(config)# names

hostname(config)# name 192.168.42.3 sa_inside

hostname(config)# name 209.165.201.3 sa_outside

hostname(config-if)# ip address inside sa_inside 255.255.255.0

hostname(config-if)# ip address outside sa_outside 255.255.255.224

hostname(config)# show ip address

System IP Addresses:

inside ip address sa_inside mask 255.255.255.0

outside ip address sa_outside mask 255.255.255.224

hostname(config)# no names

hostname(config)# show ip address

System IP Addresses:

inside ip address 192.168.42.3 mask 255.255.255.0

outside ip address 209.165.201.3 mask 255.255.255.224

hostname(config)# names

hostname(config)# show ip address

System IP Addresses:

inside ip address sa_inside mask 255.255.255.0

outside ip address sa_outside mask 255.255.255.224

Related Commands

Command	Description
clear configure name	Clears the list of names from the configuration.
names	Enables the association of a name with an IP address.
show running-config name	Displays the names associated with an IP address.

nameif

To provide a name for an interface, use the nameif command in interface configuration mode. To remove the name, use the no form of this command. The interface name is used in all configuration commands on the security appliance instead of the interface type and ID (such as gigabitethernet0/1), and is therefore required before traffic can pass through the interface.

nameif name

no nameif

Syntax Description

name	Sets a name up to 48 characters in length. The name is not case-sensitive.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Interface configuration	•	•	•	•	—

Command History

Release	Modification
7.0(1)	This command was changed from a global configuration command to an interface configuration mode command.

Usage Guidelines

For subinterfaces, you must assign a VLAN with the vlan command before you enter the nameif command.

You can change the name by reentering this command with a new value. Do not enter the no form, because that command causes all commands that refer to that name to be deleted.

Examples

The following example configures the names for two interfaces to be "inside" and "outside:"

hostname(config)# interface gigabitethernet0/1

hostname(config-if)# nameif inside

hostname(config-if)# security-level 100

hostname(config-if)# ip address 10.1.1.1 255.255.255.0

hostname(config-if)# no shutdown

hostname(config-if)# interface gigabitethernet0/0

hostname(config-if)# nameif outside

hostname(config-if)# security-level 0

hostname(config-if)# ip address 10.1.2.1 255.255.255.0

hostname(config-if)# no shutdown

Related Commands

Command	Description
clear xlate	Resets all translations for existing connections, causing the connections to be reset.
interface	Configures an interface and enters interface configuration mode.
security-level	Sets the security level for the interface.
vlan	Assigns a VLAN ID to a subinterface.

names

To enable IP address to the name conversions that you can configured with the name command, use the names command in global configuration mode. To disable address to name conversion, use the no form of this command.

names

no names

Syntax Description

This command has no arguments or keywords.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	•	•	•	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

The names command is used to enable the association of a name with an IP address that you configured with the name command. The order in which you enter the name or names commands is irrelevant.

Examples

The following example shows how to enable the association of a name with an IP address:

hostname(config)# names

Related Commands

Command	Description
clear configure name	Clears the list of names from the configuration.
name	Associates a name with an IP address.
show running-config name	Displays a list of names associated with IP addresses.
show running-config names	Displays the IP address-to-name conversions.

name-separator

To specify a character as a delimiter between the e-mail and VPN username and password, use the name-separator command in the applicable e-mail proxy mode. To revert to the default, ":", use the no version of this command.

name-separator [symbol]

no name-separator

Syntax Description

symbol

(Optional) The character that separates the e-mail and VPN usernames and passwords. Choices are "@," (at) "|" (pipe), ":"(colon), "#" (hash), "," (comma), and ";" (semi-colon).

Defaults

The default is ":" (colon).

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Pop3s	•	—	•	—	—
Imap4s	•	—	•	—	—
Smtps	•	—	•	—	—

Command History

Release	Modification
7.0(1)	This command was introduced.

Usage Guidelines

The name separator must be different from the server separator.

Examples

The following example shows how to set a hash (#) as the name separator for POP3S:

hostname(config)# pop3s

hostname(config-pop3s)# name-separator #

Related Commands

Command	Description
server-separator	Separates the e-mail and server names.

nat

To identify addresses on one interface that are translated to mapped addresses on another interface, use the nat command in global configuration mode. This command configures dynamic NAT or PAT, where an address is translated to one of a pool of mapped addresses. To remove the nat command, use the no form of this command.

For regular dynamic NAT:

nat (real_ifc) nat_id real_ip [mask [dns] [outside] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]]

no nat (real_ifc) nat_id real_ip [mask [dns] [outside] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]]

For policy dynamic NAT and NAT exemption:

nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]

no nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]

Syntax Description

access-list access_list_name	Identifies the local addresses and destination addresses using an extended access list, also known as policy NAT. Create the access list using the access-list command. You can optionally specify the local and destination ports in the access list using the eq operator. If the NAT ID is 0, then the access list specifies addresses that are exempt from NAT. NAT exemption is not the same as policy NAT; you cannot specify the port addresses, for example. Note Access list hit counts, as shown by the show access-list command, do not increment for NAT exemption access lists.
dns	(Optional) Rewrites the A record, or address record, in DNS replies that match this command. For DNS replies traversing from a mapped interface to any other interface, the A record is rewritten from the mapped value to the real value. Inversely, for DNS replies traversing from any interface to a mapped interface, the A record is rewritten from the real value to the mapped value. If your NAT statement includes the address of a host that has an entry in a DNS server, and the DNS server is on a different interface from a client, then the client and the DNS server need different addresses for the host; one needs the global address and one needs the local address.The translated host needs to be on the same interface as either the client or the DNS server. Typically, hosts that need to allow access from other interfaces use a static translation, so this option is more likely to be used with the static command.
emb_limit	(Optional) Specifies the maximum number of embryonic connections per host. The default is 0, which means unlimited embryonic connections. Limiting the number of embryonic connections protects you from a DoS attack. The security appliance uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination.
real_ifc	Specifies the name of the interface connected to the real IP address network.
real_ip	Specifies the real address that you want to translate. You can use 0.0.0.0 (or the abbreviation 0) to specify all addresses.
mask	(Optional) Specifies the subnet mask for the real addresses. If you do not enter a mask, then the default mask for the IP address class is used.
nat_id	Specifies an integer for the NAT ID. For regular NAT, this integer is between 1 and 2147483647. For policy NAT (nat id access-list), this integer is between 1 and 65535. Identity NAT (nat 0) and NAT exemption (nat 0 access-list) use the NAT ID of 0. This ID is referenced by the global command to associate a global pool with the real_ip.
norandomseq	(Optional) Disables TCP ISN randomization protection. Each TCP connection has two ISNs: one generated by the client and one generated by the server. The security appliance randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions. Randomizing the ISN of the protected host prevents an attacker from predecting the next ISN for a new connection and potentially hijacking the new session. TCP initial sequence number randomization can be disabled if required. For example: •If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both firewalls to be performing this action, even though this action does not affect the traffic. •If you use eBGP multi-hop through the security appliance, and the eBGP peers are using MD5. Randomization breaks the MD5 checksum. •You use a WAAS device that requires the security appliance not to randomize the sequence numbers of connections.
outside	(Optional) If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside. This feature is called outside NAT or bidirectional NAT.
tcp tcp_max_conns	Specifies the maximum number of simultaneous TCP connections for the entire subnet. The default is 0, which means unlimited connections. (Idle connections are closed after the idle timeout specified by the timeout conn command.)
udp udp_max_conns	(Optional) Specifies the maximum number of simultaneous UDP connections for the entire subnet. The default is 0, which means unlimited connections. (Idle connections are closed after the idle timeout specified by the timeout conn command.)

Defaults

The default value for tcp_max_conns, emb_limit, and udp_max_conns is 0 (unlimited), which is the maximum available.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode	Firewall Mode		Security Context
	Routed	Transparent	Single	Multiple
				Context	System
Global configuration	•	—	•	•	—

Command History

Release	Modification
Preexisting	This command was preexisting.

Usage Guidelines

For dynamic NAT and PAT, you first configure a nat command identifying the real addresses on a given interface that you want to translate. Then you configure a separate global command to specify the mapped addresses when exiting another interface (in the case of PAT, this is one address). Each nat command matches a global command by comparing the NAT ID, a number that you assign to each command.

The security appliance translates an address when a NAT rule matches the traffic. If no NAT rule matches, processing for the packet continues. The exception is when you enable NAT control using the nat-control command. NAT control requires that packets traversing from a higher security interface (inside) to a lower security interface (outside) match a NAT rule, or else processing for the packet stops. NAT is not required between same security level interfaces even if you enable NAT control. You can optionally configure NAT if desired.

Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network. The mapped pool can include fewer addresses than the real group. When a host you want to translate accesses the destination network, the security appliance assigns it an IP address from the mapped pool. The translation is added only when the real host initiates the connection. The translation is in place only for the duration of the connection, and a given user does not keep the same IP address after the translation times out (see the timeout xlate command). Users on the destination network, therefore, cannot reliably initiate a connection to a host that uses dynamic NAT (or PAT, even if the connection is allowed by an access list), and the security appliance rejects any attempt to connect to a real host address directly. See the static command for reliable access to hosts.

Dynamic NAT has these disadvantages:

•If the mapped pool has fewer addresses than the real group, you could run out of addresses if the amount of traffic is more than expected.

Use PAT if this event occurs often, because PAT provides over 64,000 translations using ports of a single address.

•You have to use a large number of routable addresses in the mapped pool; if the destination network requires registered addresses, such as the Internet, you might encounter a shortage of usable addresses.

The advantage of dynamic NAT is that some protocols cannot use PAT. For example, PAT does not work with IP protocols that do not have a port to overload, such as GRE version 0. PAT also does not work with some applications that have a data stream on one port and the control path on another and are not open standard, such as some multimedia applications.

PAT translates multiple real addresses to a single mapped IP address. Specifically, the security appliance translates the real address and source port (real socket) to the mapped address and a unique port (mapped socket). If the source port is TCP/UDP, the source address is translated using PAT to one in the same range. Ranges include: 1-511, 512-1023, and 1024-65535. Each connection requires a separate translation, because the source port differs for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.

After the connection expires, the port translation also expires after 30 seconds of inactivity. The timeout is not configurable.

PAT lets you use a single mapped address, thus conserving routable addresses. You can even use the security appliance interface IP address as the PAT address. PAT does not work with some multimedia applications that have a data stream that is different from the control path.

---

Note For the duration of the translation, a remote host can initiate a connection to the translated host if an access list allows it. Because the address (both real and mapped) is unpredictable, a connection to the host is unlikely. However in this case, you can rely on the security of the access list.

---

If you enable NAT control, then inside hosts must match a NAT rule when accessing outside hosts. If you do not want to perform NAT for some hosts, then you can bypass NAT for those hosts (alternatively, you can disable NAT control). You might want to bypass NAT, for example, if you are using an application that does not support NAT. You can use the static command to bypass NAT, or one of the following options:

•Identity NAT (nat 0 command)—When you configure identity NAT (which is similar to dynamic NAT), you do not limit translation for a host on specific interfaces; you must use identity NAT for connections through all interfaces. Therefore, you cannot choose to perform normal translation on real addresses when you access interface A, but use identity NAT when accessing interface B. Regular dynamic NAT, on the other hand, lets you specify a particular interface on which to translate the addresses. Make sure that the real addresses for which you use identity NAT are routable on all networks that are available according to your access lists.

For identity NAT, even though the mapped address is the same as the real address, you cannot initiate a connection from the outside to the inside (even if the interface access list allows it). Use static identity NAT or NAT exemption for this functionality.

•NAT exemption (nat 0 access-list command)—NAT exemption allows both translated and remote hosts to initiate connections. Like identity NAT, you do not limit translation for a host on specific interfaces; you must use NAT exemption for connections through all interfaces. However, NAT exemption does let you specify the real and destination addresses when determining the real addresses to translate (similar to policy NAT), so you have greater control using NAT exemption. However unlike policy NAT, NAT exemption does not consider the ports in the access list.

Policy NAT lets you identify real addresses for address translation by specifying the source and destination addresses in an extended access list. You can also optionally specify the source and destination ports. Regular NAT can only consider the real addresses. For example, you can translate the real address to mapped address A when it accesses server A, but translate the real address to mapped address B when it accesses server B.

When you specify the ports in policy NAT for applications that require application inspection for secondary channels (FTP, VoIP, etc.), the security appliance automatically translates the secondary ports.

---

Note All types of NAT support policy NAT except for NAT exemption. NAT exemption uses an access list to identify the real addresses, but differs from policy NAT in that the ports are not considered. You can accomplish the same result as NAT exemption using static identity NAT, which does support policy NAT.

---

You can alternatively set connection limits (but not embryonic connection limits) using the Modular Policy Framework. See the set connection commands for more information. You can only set embryonic connection limits using NAT. If you configure these settings for the same traffic using both methods, then the security appliance uses the lower limit. For TCP sequence randomization, if it is disabled using either method, then the security appliance disables TCP sequence randomization.

If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT information is used, you can clear the translation table using clear xlate command. However, clearing the translation table disconnects all of the current connections.

Examples

For example, to translate the 10.1.1.0/24 network on the inside interface, enter the following command:

hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0

hostname(config)# global (outside) 1 209.165.201.1-209.165.201.30

To identify a pool of addresses for dynamic NAT as well as a PAT address for when the NAT pool is exhausted, enter the following commands:

hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0

hostname(config)# global (outside) 1 209.165.201.5

hostname(config)# global (outside) 1 209.165.201.10-209.165.201.20

To translate the lower security dmz network addresses so they appear to be on the same network as the inside network (10.1.1.0), for example, to simplify routing, enter the following commands:

hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dns

hostname(config)# global (inside) 1 10.1.1.45

To identify a single real address with two different destination addresses using policy NAT, enter the following commands:

hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 
255.255.255.224

hostname(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 
255.255.255.224

hostname(config)# nat (inside) 1 access-list NET1 tcp 0 2000 udp 10000

hostname(config)# global (outside) 1 209.165.202.129

hostname(config)# nat (inside) 2 access-list NET2 tcp 1000 500 udp 2000

hostname(config)# global (outside) 2 209.165.202.130

To identify a single real address/destination address pair that use different ports using policy NAT, enter the following commands:

hostname(config)# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 
255.255.255.255 eq 80

hostname(config)# access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 
255.255.255.255 eq 23

hostname(config)# nat (inside) 1 access-list WEB

hostname(config)# global (outside) 1 209.165.202.129

hostname(config)# nat (inside) 2 access-list TELNET

hostname(config)# global (outside) 2 209.165.202.130

Related Commands

Command	Description
access-list deny-flow-max	Specifies the maximum number of concurrent deny flows that can be created.
clear configure nat	Removes the NAT configuration.
global	Creates entries from a pool of global addresses.
interface	Creates and configures an interface.
show running-config nat	Displays a pool of global IP addresses that are associated with the network.