-
Cisco ASA Series Command Reference
-
About this Guide
-
Using the Command Line Interface
- A through B Commands
-
C Commands
-
cache -- clear compression
-
clear configure -- clear configure http
-
clear configure flow-export-- clear configure zonelabs-integrity
-
clear conn -- clear isakmp sa
-
clear local-host -- clear xlate
-
client-access-rule -- crl-configure
-
crypto ca authenticate -- crypto ipsec ikev1 transform-set mode transport
-
crypto isakmp disconnect-notify -- cxsc auth-proxy port
-
-
D through F Commands
-
database path -- debug cxsc
-
debug dap -- debug http-map
-
debug icmp -- debug ospfv3
-
debug parser cache -- debug xml
-
default -- dhcp-server
-
dhcpd address -- distribute-list out
-
dns domain-lookup -- dynamic-filter whitelist
-
eigrp log-neighbor-changes -- export webvpn webcontent
-
failover -- fallback
-
file-bookmarks -- functions
-
- G through I Commands
- J through L Commands
- M through O Commands
- P through R Commands
-
S Commands
-
same-security-traffic -- shape
-
show aaa kerberos -- show asdm sessions
-
show asp cluster counter -- show asp table vpn-context
-
show blocks -- show cpu
-
show crashinfo -- show curpriv
-
show ddns update interface -- show environment
-
show failover -- show ipsec stats traffic
-
show ipv6 access-list -- show ipv6
-
show isakmp ipsec-over-tcp stats -- show ospf virtual-links
-
show nac-policy -- show ospf virtual-links
-
show pager -- show route
-
show running-config -- show running-config ctl-provider
-
show running-config ddns -- show running-config isakmp
-
show running-config ipv6 router -- show running-config router
-
show running-config same-security-traffic -- show running-config xlate
-
show scansafe -- show switch vlan
-
show tcpstat -- show traffic
-
show uauth -- show xlate
-
shun -- snmp-server user
-
software-version -- storage-objects
-
subject-name -- sysopt radius ignore-secret
-
- T through Z Commands
-
Cisco IOS Commands for the ASASM
-
Feedback
Table Of Contents
nac-authentication-server-group through num-packets Commands
nac-authentication-server-group (deprecated)
name (dynamic-filter blacklist or whitelist)
nbns-server (tunnel-group webvpn attributes mode)
nac-authentication-server-group through num-packets Commands
nac-authentication-server-group (deprecated)
To identify the group of authentication servers to be used for Network Admission Control posture validation, use the nac-authentication-server-group command in tunnel-group general-attributes configuration mode. To inherit the authentication server group from the default remote access group, access the alternative group policy from which to inherit it, then use the no form of this command.
nac-authentication-server-group server-group
no nac-authentication-server-group
Syntax Description
server-group
Name of the posture validation server group, as configured on the ASA using the aaa-server host command. The name must match the server-tag variable specified in that command.
Defaults
This command has no arguments or keywords.
Command Modes
The following table shows the modes in which you can enter the command:
tunnel-group general-attributes configuration
•
—
•
—
—
Command History
7.3(0)
This command was deprecated. The authentication-server-group command in nac-policy-nac-framework configuration mode replaced it.
7.2(1)
This command was introduced.
Usage Guidelines
Configure at least one Access Control Server to support NAC. Use the aaa-server command to name the ACS group. Then use the nac-authentication-server-group command, using the same name for the server group.
Examples
The following example identifies acs-group1 as the authentication server group to be used for NAC posture validation:
hostname(config-group-policy)# nac-authentication-server-group acs-group1hostname(config-group-policy)The following example inherits the authentication server group from the default remote access group.
hostname(config-group-policy)# no nac-authentication-server-grouphostname(config-group-policy)Related Commands
nac-policy
To create or access a Cisco Network Admission Control (NAC) policy, and specify its type, use the nac-policy command in global configuration mode. To remove the NAC policy from the configuration, use the no form of this command.
nac-policy nac-policy-name nac-framework
[no] nac-policy nac-policy-name nac-framework
Syntax Description
Defaults
This command has no default settings.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
Use this command once for each NAC Appliance to be assigned to a group policy. Then use the nac-settings command to assign the NAC policy to each applicable group policy. Upon the setup of an IPsec or Cisco AnyConnect VPN tunnel, the ASA applies the NAC policy associated with the group policy in use.
You cannot use the no nac-policy name command to remove a NAC policy if it is already assigned to one or more group policies.
Examples
The following command creates and accesses a NAC Framework policy named nac-framework1:
hostname(config)# nac-policy nac-framework1 nac-frameworkhostname(config-nac-policy-nac-framework)The following command removes the NAC Framework policy named nac-framework1:
hostname(config)# no nac-policy nac-framework1hostname(config-nac-policy-nac-framework)Related Commands
nac-settings
To assign a NAC policy to a group policy, use the nac-settings command in group-policy configuration mode, as follows:
nac-settings {value nac-policy-name | none}
[no] nac-settings {value nac-policy-name | none}
Syntax Description
Defaults
This command has no arguments or keywords.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Command History
Usage Guidelines
Use the nac-policy command to specify the name and type of the NAC policy, then use this command to assign it to a group policy.
The show running-config nac-policy command displays the name and configuration of each NAC policy.
The ASA automatically enables NAC for a group policy when you assign a NAC policy to it.
Examples
The following command removes the nac-policy-name from the group policy. The group policy inherits the nac-settings value from the default group policy:
hostname(config-group-policy)#no nac-settingshostname(config-group-policy)The following command removes the nac-policy-name from the group policy and disables the use of a NAC policy for this group policy. The group policy does not inherit the nac-settings value from the default group policy.
hostname(config-group-policy)# nac-settings nonehostname(config-group-policy)Related Commands
name
To associate a name with an IP address, use the name command in global configuration mode. To disable the use of the text names but not remove them from the configuration, use the no form of this command.
name ip_address name [description text]]
no name ip_address [name [description text]]
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
To enable the association of a name with an IP address, use the names command. You can associate only one name with an IP address.
You must first use the names command before you use the name command. Use the name command immediately after you use the names command and before you use the write memory command.
The name command lets you identify a host by a text name and map text strings to IP addresses. The no name command allows you to disable the use of the text names but does not remove them from the configuration. Use the clear configure name command to clear the list of names from the configuration.
To disable displaying name values, use the no names command.
Both the name and names commands are saved in the configuration.
The name command does not support assigning a name to a network mask. For example, this command would be rejected:
hostname(config)# name 255.255.255.0 class-C-mask
Note
Examples
This example shows that the names command allows you to enable use of the name command. The name command substitutes sa_inside for references to 192.168.42.3 and sa_outside for 209.165.201.3. You can use these names with the ip address commands when assigning IP addresses to the network interfaces. The no names command disables the name command values from displaying. Subsequent use of the names command again restores the name command value display.
hostname(config)# nameshostname(config)# name 192.168.42.3 sa_insidehostname(config)# name 209.165.201.3 sa_outsidehostname(config-if)# ip address inside sa_inside 255.255.255.0hostname(config-if)# ip address outside sa_outside 255.255.255.224hostname(config)# show ip addressSystem IP Addresses:inside ip address sa_inside mask 255.255.255.0outside ip address sa_outside mask 255.255.255.224hostname(config)# no nameshostname(config)# show ip addressSystem IP Addresses:inside ip address 192.168.42.3 mask 255.255.255.0outside ip address 209.165.201.3 mask 255.255.255.224hostname(config)# nameshostname(config)# show ip addressSystem IP Addresses:inside ip address sa_inside mask 255.255.255.0outside ip address sa_outside mask 255.255.255.224Related Commands
name (dynamic-filter blacklist or whitelist)
To add a domain name to the Botnet Traffic Filter blacklist or whitelist, use the name command in dynamic-filter blacklist or whitelist configuration mode. To remove the name, use the no form of this command. The static database lets you augment the dynamic database with domain names or IP addresses that you want to whitelist or blacklist.
name domain_name
no name domain_name
Syntax Description
domain_name
Adds a name to the blacklist. You can enter this command multiple times for multiple entries. You can add up to 1000 blacklist entries.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Dynamic-filter blacklist or whitelist configuration
•
•
•
•
—
Command History
Usage Guidelines
After you enter the dynamic-filter whitelist or blacklist configuration mode, you can manually enter domain names or IP addresses (host or subnet) that you want to tag as good names in a whitelist or bad names in a blacklist using the address and name commands.
You can enter this command multiple times for multiple entries. You can add up to 1000 blacklist and 1000 whitelist entries.
When you add a domain name to the static database, the ASA waits 1 minute, and then sends a DNS request for that domain name and adds the domain name/IP address pairing to the DNS host cache. (This action is a background process, and does not affect your ability to continue configuring the ASA).
If you do not have a domain name server configured for the ASA, or it is unavailable, then you can alternatively enable DNS packet inspection with Botnet Traffic Filter snooping (see the inspect dns dynamic-filter-snooping command). With DNS snooping, when an infected host sends a DNS request for a name on the static database, the ASA looks inside the DNS packets for the domain name and associated IP address and adds the name and IP address to the DNS reverse lookup cache. See the inspect dns dynamic-filter-snooping command for information about the DNS reverse lookup cache.
Entries in the DNS host cache have a time to live (TTL) value provided by the DNS server. The largest TTL value allowed is 1 day (24 hours); if the DNS server provides a larger TTL, it is truncated to 1 day maximum.
For the DNS host cache, after an entry times out, the ASA periodically requests a refresh for the entry.
Examples
The following example creates entries for the blacklist and whitelist:
hostname(config)# dynamic-filter blacklisthostname(config-llist)# name bad1.example.comhostname(config-llist)# name bad2.example.comhostname(config-llist)# address 10.1.1.1 255.255.255.0hostname(config-llist)# dynamic-filter whitelisthostname(config-llist)# name good.example.comhostname(config-llist)# name great.example.comhostname(config-llist)# name awesome.example.comhostname(config-llist)# address 10.1.1.2 255.255.255.255Related Commands
nameif
To provide a name for an interface, use the nameif command in interface configuration mode. To remove the name, use the no form of this command. The interface name is used in all configuration commands on the ASA instead of the interface type and ID (such as gigabitethernet0/1), and is therefore required before traffic can pass through the interface.
nameif name
no nameif
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
•
—
Command History
7.0(1)
This command was changed from a global configuration command to an interface configuration mode command.
Usage Guidelines
For subinterfaces, you must assign a VLAN with the vlan command before you enter the nameif command.
You can change the name by reentering this command with a new value. Do not enter the no form, because that command causes all commands that refer to that name to be deleted.
Examples
The following example configures the names for two interfaces to be "inside" and "outside:"
hostname(config)# interface gigabitethernet0/1hostname(config-if)# nameif insidehostname(config-if)# security-level 100hostname(config-if)# ip address 10.1.1.1 255.255.255.0hostname(config-if)# no shutdownhostname(config-if)# interface gigabitethernet0/0hostname(config-if)# nameif outsidehostname(config-if)# security-level 0hostname(config-if)# ip address 10.1.2.1 255.255.255.0hostname(config-if)# no shutdownRelated Commands
names
To enable the association of a name with an IP address, use the names command in global configuration mode. You can associate only one name with an IP address. To disable displaying name values, use the no names command.
names
no names
Syntax Description
This command has no arguments or keywords.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
To enable the association of a name with an IP address, use the names command. You can associate only one name with an IP address.
You must first use the names command before you use the name command. Use the name command immediately after you use the names command and before you use the write memory command.
To disable displaying name values, use the no names command.
Both the name and names commands are saved in the configuration.
Examples
This example shows that the names command allows you to enable use of the name command. The name command substitutes sa_inside for references to 192.168.42.3 and sa_outside for 209.165.201.3. You can use these names with the ip address commands when assigning IP addresses to the network interfaces. The no names command disables the name command values from displaying. Subsequent use of the names command again restores the name command value display.
hostname(config)# nameshostname(config)# name 192.168.42.3 sa_insidehostname(config)# name 209.165.201.3 sa_outsidehostname(config-if)# ip address inside sa_inside 255.255.255.0hostname(config-if)# ip address outside sa_outside 255.255.255.224hostname(config)# show ip addressSystem IP Addresses:inside ip address sa_inside mask 255.255.255.0outside ip address sa_outside mask 255.255.255.224hostname(config)# no nameshostname(config)# show ip addressSystem IP Addresses:inside ip address 192.168.42.3 mask 255.255.255.0outside ip address 209.165.201.3 mask 255.255.255.224hostname(config)# nameshostname(config)# show ip addressSystem IP Addresses:inside ip address sa_inside mask 255.255.255.0outside ip address sa_outside mask 255.255.255.224Related Commands
name-separator
To specify a character as a delimiter between the e-mail and VPN username and password, use the name-separator command in the applicable e-mail proxy mode. To revert to the default, ":", use the no version of this command.
name-separator [symbol]
no name-separator
Syntax Description
symbol
(Optional) The character that separates the e-mail and VPN usernames and passwords. Choices are "@," (at) "|" (pipe), ":"(colon), "#" (hash), "," (comma), and ";" (semi-colon).
Defaults
The default is ":" (colon).
Command Modes
The following table shows the modes in which you can enter the command:
Pop3s
•
—
•
—
—
Imap4s
•
—
•
—
—
Smtps
•
—
•
—
—
Command History
Usage Guidelines
The name separator must be different from the server separator.
Examples
The following example shows how to set a hash (#) as the name separator for POP3S:
hostname(config)#pop3shostname(config-pop3s)# name-separator #Related Commands
name-server
To identify one or more DNS servers, use the name-server command in dns server-group configuration mode. To remove a server or servers, use the no form of this command. The ASA uses DNS to resolve server names in your SSL VPN configuration or certificate configuration (see "Usage Guidelines" for a list of supported commands). Other features that define server names (such as AAA) do not support DNS resolution. You must enter the IP address or manually resolve the name to an IP address by using the name command.
name-server ip_address [ip_address2] [...] [ip_address6]
no name-server ip_address [ip_address2] [...] [ip_address6]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
dns server-group configuration
•
•
•
•
—
Command History
Usage Guidelines
To enable DNS lookup, configure the domain-name command in dns server-group configuration mode. If you do not enable DNS lookup, the DNS servers are not used.
SSL VPN commands that support DNS resolution include the following:
•
•
•
•
•
Certificate commands that support DNS resolution include the following:
•
•
You can manually enter names and IP addresses using the name command.
Examples
The following example adds three DNS servers to the group "dnsgroup1":
hostname(config)# dns server-group dnsgroup1hostname(config-dns-server-group)# name-server 10.1.1.1 10.2.3.4 192.168.5.5The ASA saves the configuration as separate commands, as follows:
name-server 10.1.1.1name-server 10.2.3.4name-server 192.168.5.5To add two additional servers, you can enter them as one command:
hostname(config)# dns server-group dnsgroup1hostname(config-dns-server-group)# name-server 10.5.1.1 10.8.3.8To verify the dns server group configuration, enter the show running-config dns command in global configuration mode:
hostname(config)# show running-config dnsname-server 10.1.1.1name-server 10.2.3.4name-server 192.168.5.5name-server 10.5.1.1name-server 10.8.3.8...Or you can enter them as two separate commands:
hostname(config)# dns server-group dnsgroup1hostname(config-dns-server-group)# name-server 10.5.1.1hostname(config)# name-server 10.8.3.8To delete multiple servers you can enter them as multiple commands or as one command, as follows:
hostname(config)# dns server-group dnsgroup1hostname(config-dns-server-group)# no name-server 10.5.1.1 10.8.3.8Related Commands
nat (global)
To configure twice NAT for IPv4, IPv6, or between IPv4 and IPv6 (NAT64), use the nat command in global configuration mode. To remove the twice NAT configuration, use the no form of this command.
For static NAT:
nat [(real_ifc,mapped_ifc)] [line | {after-auto [line]}]
source static {real_obj | any} {mapped_obj | interface [ipv6] | any}}
[destination static {mapped_obj | interface [ipv6]} {real_obj | any}]
[service {real_src_mapped_dest_svc_obj | any} mapped_src_real_dest_svc_obj] [net-to-net] [dns] [unidirectional | [no-proxy-arp] [route-lookup]] [inactive] [description desc]no nat [(real_ifc,mapped_ifc)] [line | {after-auto [line]}]
source static {real_obj | any} {mapped_obj | interface [ipv6] | any}}
[destination static {mapped_obj | interface [ipv6]} {real_obj | any}]
[service {real_src_mapped_dest_svc_obj | any} mapped_src_real_dest_svc_obj] [net-to-net] [dns] [unidirectional | [no-proxy-arp] [route-lookup]] [inactive] [description desc]For dynamic NAT:
nat [(real_ifc,mapped_ifc)] [line | {after-auto [line]}]
source dynamic {real_obj | any}
{[mapped_obj] [pat-pool mapped_obj [round-robin] [extended] [flat [include-reserve]]] [interface [ipv6]]}
[destination static {mapped_obj | interface [ipv6]} {real_obj | any}]
[service {mapped_dest_svc_obj real_dest_svc_obj] [dns] [unidirectional] [inactive] [description desc]no nat [(real_ifc,mapped_ifc)] [line | {after-auto [line]}]
source dynamic {real_obj | any}
{[mapped_obj] [pat-pool mapped_obj [round-robin] [extended] [flat [include-reserve]]] [interface [ipv6]]}
[destination static {mapped_obj | interface [ipv6]} {real_obj | any}]
[service {mapped_dest_svc_obj real_dest_svc_obj] [dns] [unidirectional] [inactive] [description desc]or
no nat {line | after-auto line}
Syntax Description
(real_ifc,mapped_ifc)
(Optional) Specifies the real and mapped interfaces. If you do not specify the real and mapped interfaces, all interfaces are used. You can also specify the keyword any for one or both of the interfaces. In transparent mode, you must specify the real and mapped interfaces; you cannot use any.
Because twice NAT can translate both the source and destination addresses, these interfaces are better understood to be the source and destination interfaces.
after-auto
Inserts the rule at the end of section 3 of the NAT table, after the network object NAT rules. By default, twice NAT rules are added to section 1. You can insert a rule anywhere in section 3 using the line argument.
any
(Optional) Specifies a wildcard value. The main uses for any are:
•
•
•
For static NAT, although any is also available for the real source port/mapped destination port, or for the source or destination real address (without any as the mapped address), these uses might result in unpredictable behavior.
Note
description desc
(Optional) Provides a description up to 200 characters.
destination
(Optional) Configures translation for the destination address. Although the main feature of twice NAT is the inclusion of the destination IP address, the destination address is optional. If you do specify the destination address, you can configure static translation for that address or just use identity NAT for it. You might want to configure twice NAT without a destination address to take advantage of some of the other qualities of twice NAT, including the use of network object groups for real addresses, or manually ordering of rules. For more information, see the CLI configuration guide.
dns
(Optional) Translates DNS replies. Be sure DNS inspection is enabled (inspect dns) (it is enabled by default). You cannot configure the dns keyword if you configure a destination address. See the CLI configuration guide for more information.
dynamic
Configures dynamic NAT or PAT for the source addresses. The destination translation is always static.
extended
(Optional) Enables extended PAT for a PAT pool. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information. Normally, the destination port and address are not considered when creating PAT translations, so you are limited to 65535 ports per PAT address. For example, with extended PAT, you can create a translation of 10.1.1.1:1027 when going to 192.168.1.7:23 as well as a translation of 10.1.1.1:1027 when going to 192.168.1.7:80.
flat [include-reserve]
(Optional) Enables use of the entire 1024 to 65535 port range when allocating ports. When choosing the mapped port number for a translation, the ASA uses the real source port number if it is available. However, without this option, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 1 to 511, 512 to 1023, and 1024 to 65535. To avoid running out of ports at the low ranges, configure this setting. To use the entire range of 1 to 65535, also specify the include-reserve keyword.
inactive
(Optional) To make this rule inactive without having to remove the command, use the inactive keyword. To reactivate it, reenter the whole command without the inactive keyword.
interface [ipv6]
(Optional) Uses the interface IP address as the mapped address. If you specify ipv6, then the IPv6 address of the interface is used.
For the dynamic NAT source mapped address, if you specify a mapped object or group followed by the interface keyword, then the IP address of the mapped interface is only used if all other mapped addresses are already allocated.
For dynamic PAT, you can specify interface alone for the source mapped address.
For static NAT with port translation (source or destination), be sure to also configure the service keyword.
For this option, you must configure a specific interface for the mapped_ifc.
This option is not available in transparent mode.
line
(Optional) Inserts a rule anywhere in section 1 of the NAT table. By default, the NAT rule is added to the end of section 1 (see the CLI configuration guide for more information). If you want to add the rule into section 3 instead (after the network object NAT rules), then use the after-auto line option.
mapped_dest_svc_obj
(Optional) For dynamic NAT/PAT, specifies the mapped destination port (the destination translation is always static). See the service keyword for more information.
mapped_object
Identifies the mapped network object or object group (object network or object-group network).
For dynamic NAT, you typically configure a larger group of addresses to be mapped to a smaller group.
Note
You can share this mapped IP address across different dynamic NAT rules, if desired.
You cannot use an object group with both IPv4 and IPv6 addresses; the object group must include only one type of address.For dynamic PAT, configure a group of addresses to be mapped to a single address. You can either translate the real addresses to a single mapped address of your choosing, or you can translate them to the mapped interface address. If you want to use the interface address, do not configure a network object for the mapped address; instead use the interface keyword.
For static NAT, the mapping is typically one-to-one, so the real addresses have the same quantity as the mapped addresses. You can, however, have different quantities if desired. For more information, see the CLI configuration guide.
mapped_src_real_dest_svc_obj
(Optional) For static NAT, specifies the either the mapped source port, the real destination port, or both together. See the service keyword for more information.
net-to-net
(Optional) For static NAT 46, specify net-to-net to translate the first IPv4 address to the first IPv6 address, the second to the second, and so on. Without this option, the IPv4-embedded method is used. For a one-to-one translation, you must use this keyword.
no-proxy-arp
(Optional) For static NAT, disables proxy ARP for incoming packets to the mapped IP addresses.
pat-pool mapped_obj
(Optional) Enables a PAT pool of addresses; all addresses in the object are used as PAT addresses. You cannot use an object group with both IPv4 and IPv6 addresses; the object group must include only one type of address.
real_dest_svc_obj
(Optional) For dynamic NAT/PAT, specifies the real destination port (the destination translation is always static). See the service keyword for more information.
real_ifc
(Optional) Specifies the name of the interface where packets may originate. For source option. For the source option, the origin_ifc is the real interface. For the destination option, the real_ifc is the mapped interface.
real_object
Identifies the real network object or object group (object network or object-group network). You cannot use an object group with both IPv4 and IPv6 addresses; the object group must include only one type of address.
real_src_mapped_dest_svc_obj
(Optional) For static NAT, specifies the either the real source port, the mapped destination port, or both together. See the service keyword for more information.
round-robin
(Optional) Enables round-robin address allocation for a PAT pool. By default, all ports for a PAT address will be allocated before the next PAT address is used. The round-robin method assigns an address/port from each PAT address in the pool before returning to use the first address again, and then the second address, and so on.
route-lookup
(Optional) For identity NAT in routed mode, determines the egress interface using a route lookup instead of using the interface specified in the NAT command. If you do not specify interfaces in the NAT command, a route lookup is used by default.
service
(Optional) Specifies the port translation.
•
•
For source port translation, the objects must specify the source service. The order of the service objects in the command in this case is service real_port mapped_port. For destination port translation, the objects must specify the destination service. The order of the service objects in this case is service mapped_port real_port. In the rare case where you specify both the source and destination ports in the object, the first service object contains the real source port/mapped destination port; the second service object contains the mapped source port/real destination port. See the "Usage Guidelines" section for more information about "source" and "destination" terminology.
For identity port translation, simply use the same service object for both the real and mapped ports (source and/or destination ports, depending on your configuration). The "not equal" (neq) operator is not supported.
NAT only supports TCP or UDP. When translating a port, be sure the protocols in the real and mapped service objects are identical (both TCP or both UDP).
source
Configures translation for the source address.
static
Configures static NAT or static NAT with port translation.
unidirectional
(Optional) For static NAT, makes the translarion unidirection from the source to the destination; the destination addresses cannot initiate traffic to the source addresses. This option might be useful for testing purposes.
Defaults
•
•
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
Usage Guidelines
Twice NAT lets you identify both the source and destination address in a single rule. Specifying both the source and destination addresses lets you specify that a source address should be translated to A when going to destination X, but be translated to B when going to destination Y, for example.
Note
The destination address is optional. If you specify the destination address, you can either map it to itself (identity NAT), or you can map it to a different address. The destination mapping is always a static mapping.
Twice NAT also lets you use service objects for static NAT with port translation; network object NAT only accepts inline definition.
For detailed information about the differences between twice NAT and network object NAT, see the CLI configuration guide.
Twice NAT rules are added to section 1 of the NAT rules table, or if specified, section 3. For more information about NAT ordering, see the CLI configuration guide.
Mapped Address Guidelines
The mapped IP address pool cannot include:
•
•
•
•
Prerequisites
•
•
Objects and object groups used in NAT cannot be undefined; they must include IP addresses.
Clearing Translation Sessions
If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT information is used, you can clear the translation table using clear xlate command. However, clearing the translation table disconnects all of the current connections.
PAT Pool Guidelines
•
•
•
Extended PAT for a PAT Pool Guidelines
•
•
•
•
Round robin for a PAT Pool Guidelines
•
•
NAT and IPv6
You can use NAT to translate between IPv6 networks, and also to translate between IPv4 and IPv6 networks (routed mode only). We recommend the following best practices:
•
•
•
Examples
The following example includes a host on the 10.1.2.0/24 network that accesses two different servers. When the host accesses the server at 209.165.201.11, the real address is translated to 209.165.202.129:port. When the host accesses the server at 209.165.200.225, the real address is translated to 209.165.202.130:port.
hostname(config)# object network myInsideNetworkhostname(config-network-object)# subnet 10.1.2.0 255.255.255.0hostname(config)# object network DMZnetwork1hostname(config-network-object)# subnet 209.165.201.0 255.255.255.224hostname(config)# object network PATaddress1hostname(config-network-object)# host 209.165.202.129hostname(config)# nat (inside,dmz) source dynamic myInsideNetwork PATaddress1 destination static DMZnetwork1 DMZnetwork1
hostname(config)# object network DMZnetwork2hostname(config-network-object)# subnet 209.165.200.224 255.255.255.224hostname(config)# object network PATaddress2hostname(config-network-object)# host 209.165.202.130hostname(config)# nat (inside,dmz) source dynamic myInsideNetwork PATaddress2 destination static DMZnetwork2 DMZnetwork2
The following example shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web services and Telnet services. When the host accesses the server for Telnet services, the real address is translated to 209.165.202.129:port. When the host accesses the same server for web services, the real address is translated to 209.165.202.130:port.
hostname(config)# object network myInsideNetworkhostname(config-network-object)# subnet 10.1.2.0 255.255.255.0hostname(config)# object network TelnetWebServerhostname(config-network-object)# host 209.165.201.11hostname(config)# object network PATaddress1hostname(config-network-object)# host 209.165.202.129hostname(config)# object service TelnetObjhostname(config-network-object)# service tcp destination eq telnethostname(config)# nat (inside,outside) source dynamic myInsideNetwork PATaddress1 destination static TelnetWebServer TelnetWebServer service TelnetObj TelnetObj
hostname(config)# object network PATaddress2hostname(config-network-object)# host 209.165.202.130hostname(config)# object service HTTPObjhostname(config-network-object)# service tcp destination eq httphostname(config)# nat (inside,outside) source dynamic myInsideNetwork PATaddress2 destination static TelnetWebServer TelnetWebServer service HTTPObj HTTPObj
The following example shows the use of static interface NAT with port translation. Hosts on the outside access an FTP server on the inside by connecting to the outside interface IP address with destination port 65000 through 65004. The traffic is untranslated to the internal FTP server at 192.168.10.100:6500 through :65004. Note that you specify the source port range in the service object (and not the destination port) because you want to translate the source address and port as identified in the command; the destination port is "any." Because static NAT is bidirectional, "source" and "destination" refers primarily to the command keywords; the actual source and destination address and port in a packet depends on which host sent the packet. In this example, connections are originated from outside to inside, so the "source" address and port of the FTP server is actually the destination address and port in the originating packet.
hostname(config)# object service FTP_PASV_PORT_RANGE
hostname(config-service-obvject)# service tcp source range 65000 65004
hostname(config)# object network HOST_FTP_SERVER
hostname(config-network-obvject)# host 192.168.10.100
hostname(config)# nat (inside,outside) source static HOST_FTP_SERVER interface service FTP_PASV_PORT_RANGE FTP_PASV_PORT_RANGE
The following example configures dynamic NAT for an IPv6 inside network 2001:DB8:AAAA::/96 when accessing servers on the IPv4 209.165.201.1/27 network as well as servers on the 203.0.113.0/24 network:
hostname(config)# object network INSIDE_NW
hostname(config-network-object)# subnet 2001:DB8:AAAA::/96
hostname(config)# object network MAPPED_1
hostname(config-network-object)# range 209.165.200.225 209.165.200.254
hostname(config)# object network MAPPED_2
hostname(config-network-object)# range 209.165.202.129 209.165.200.158
hostname(config)# object network SERVERS_1
hostname(config-network-object)# subnet 209.165.201.0 255.255.255.224
hostname(config)# object network SERVERS_2
hostname(config-network-object)# subnet 203.0.113.0 255.255.255.0
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW MAPPED_1 destination static SERVERS_1 SERVERS_1
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW MAPPED_2 destination static SERVERS_2 SERVERS_2
The following example configures interface PAT for inside network 192.168.1.0/24 when accessing outside IPv6 Telnet server 2001:DB8::23, and Dynamic PAT using a PAT pool when accessing any server on the 2001:DB8:AAAA::/96 network.
hostname(config)# object network INSIDE_NW
hostname(config-network-object)# subnet 192.168.1.0 255.255.255.0
hostname(config)# object network PAT_POOL
hostname(config-network-object)# range 2001:DB8:AAAA::1 2001:DB8:AAAA::200
hostname(config)# object network TELNET_SVR
hostname(config-network-object)# host 2001:DB8::23
hostname(config)# object service TELNET
hostname(config-service-object)# service tcp destination eq 23
hostname(config)# object network SERVERS
hostname(config-network-object)# subnet 2001:DB8:AAAA::/96
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW interface ipv6 destination static TELNET_SVR TELNET_SVR service TELNET TELNET
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW pat-pool PAT_POOL destination static SERVERS SERVERS
Related Commands
nat (object)
To configure NAT for a network object, use the nat command in object network configuration mode. To remove the NAT configuration, use the no form of this command.
For dynamic NAT and PAT:
nat [(real_ifc,mapped_ifc)] dynamic
{mapped_inline_host_ip [interface [ipv6]] | [mapped_obj] [pat-pool mapped_obj [round-robin] [extended] [flat [include-reserve]]] [interface [ipv6]]} [dns]no nat [(real_ifc,mapped_ifc)] dynamic
{mapped_inline_host_ip [interface [ipv6]] | [mapped_obj] [pat-pool mapped_obj [round-robin] [extended] [flat [include-reserve]]] [interface [ipv6]]} [dns]For static NAT and static NAT with port translation:
nat [(real_ifc,mapped_ifc)] static {mapped_inline_ip | mapped_obj | interface [ipv6]} [net-to-net] [dns | service {tcp | udp} real_port mapped_port] [no-proxy-arp] [route-lookup]
no nat [(real_ifc,mapped_ifc)] static {mapped_inline_ip | mapped_obj | interface [ipv6]} [net-to-net] [dns | service {tcp | udp} real_port mapped_port] [no-proxy-arp] [route-lookup]
Syntax Description
(real_ifc,mapped_ifc)
(Optional) For static NAT, specifies the real and mapped interfaces. If you do not specify the real and mapped interfaces, all interfaces are used. You can also specify the keyword any for one or both of the interfaces. Be sure to include the parentheses in your command. In transparent mode, you must specify the real and mapped interfaces; you cannot use any.
dns
(Optional) Translates DNS replies. Be sure DNS inspection (inspect dns) is enabled (it is enabled by default). This option is not available if you specify the service keyword (for static NAT). For more information, see the CLI configuration guide.
dynamic
Configures dynamic NAT or PAT.
extended
(Optional) Enables extended PAT for a PAT pool. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information. Normally, the destination port and address are not considered when creating PAT translations, so you are limited to 65535 ports per PAT address. For example, with extended PAT, you can create a translation of 10.1.1.1:1027 when going to 192.168.1.7:23 as well as a translation of 10.1.1.1:1027 when going to 192.168.1.7:80.
flat [include-reserve]
(Optional) Enables use of the entire 1024 to 65535 port range when allocating ports. When choosing the mapped port number for a translation, the ASA uses the real source port number if it is available. However, without this option, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 1 to 511, 512 to 1023, and 1024 to 65535. To avoid running out of ports at the low ranges, configure this setting. To use the entire range of 1 to 65535, also specify the include-reserve keyword.
interface [ipv6]
(Optional) For dynamic NAT, if you specify a mapped IP address, object, or group followed by the interface keyword, then the IP address of the mapped interface is only used if all of the other mapped addresses are already allocated.
For dynamic PAT, if you specify the interface keyword instead of a mapped IP address, object, or group, then you use the interface IP address for the mapped IP address. You must use this keyword when you want to use the interface IP address; you cannot enter it inline or as an object.
If you specify ipv6, then the IPv6 address of the interface is used.
For static NAT with port translation, you can specify the interface keyword if you also configure the service keyword.
For this option, you must configure a specific interface for the mapped_ifc.
You cannot specify interface in transparent mode.
mapped_inline_host_ip
Specifies the mapped address as an inline value. If you specify dynamic, then using a host IP address configures dynamic PAT.
mapped_inline_ip
For static NAT, specifies the mapped IP address as an inline value. The netmask or range for the mapped network is the same as that of the real network. For example, if the real network is a host, then this address will be a host address. In the case of a range, then the mapped addresses include the same number of addresses as the real range. For example, if the real address is defined as a range from 10.1.1.1 through 10.1.1.6, and you specify 172.20.1.1 as the mapped address, then the mapped range will include 172.20.1.1 through 172.20.1.6.
mapped_obj
Specifies the mapped IP address(es) as a network object (object network) or object group (object-group network). You cannot use an object group with both IPv4 and IPv6 addresses; the object group must include only one type of address.
For dynamic NAT, the object or group cannot contain a subnet. You can share this mapped object across different dynamic NAT rules, if desired. See the "Mapped Address Guidelines" section for information about disallowed mapped IP addresses.
For static NAT, typically you configure the same number of mapped addresses as real addresses for a one-to-one mapping. You can, however, have a mismatched number of addresses. For more information, see the CLI configuration guide.
mapped_port
(Optional) Specifies the mapped TCP or UDP port. You can specify ports by either a literal name or a number in the range of 0 to 65535.
net-to-net
(Optional) For NAT 46, specify net-to-net to translate the first IPv4 address to the first IPv6 address, the second to the second, and so on. Without this option, the IPv4-embedded method is used. For a one-to-one translation, you must use this keyword.
no-proxy-arp
(Optional) For static NAT, disables proxy ARP for incoming packets to the mapped IP addresses.
pat-pool mapped_obj
(Optional) Enables a PAT pool of addresses; all addresses in the object are used as PAT addresses. You cannot use an object group with both IPv4 and IPv6 addresses; the object group must include only one type of address.
real_port
(Optional) For static NAT, specifies the real TCP or UDP port. You can specify ports by either a literal name or a number in the range of 0 to 65535.
round-robin
(Optional) Enables round-robin address allocation for a PAT pool. By default, all ports for a PAT address will be allocated before the next PAT address is used. The round-robin method assigns an address/port from each PAT address in the pool before returning to use the first address again, and then the second address, and so on.
route-lookup
(Optional) For identity NAT in routed mode, determines the egress interface using a route lookup instead of using the interface specified in the NAT command. If you do not specify interfaces in the NAT command, a route lookup is used by default.
service {tcp | udp}
(Optional) For static NAT with port translation, specifies the protocol for port translation. Only TCP and UDP are supported.
static
Configures static NAT or static NAT with port translation.
Defaults
•
•
•
Command Modes
The following table shows the modes in which you can enter the command:
Object network configuration
•
•
•
•
—
Command History
Usage Guidelines
When a packet enters the ASA, both the source and destination IP addresses are checked against the network object NAT rules. The source and destination address in the packet can be translated by separate rules if separate matches are made. These rules are not tied to each other; different combinations of rules can be used depending on the traffic.
Because the rules are never paired, you cannot specify that a source address should be translated to A when going to destination X, but be translated to B when going to destination Y. Use twice NAT for that kind of functionality (twice NAT lets you identify the source and destination address in a single rule).
For detailed information about the differences between twice NAT and network object NAT, see the CLI configuration guide.
Network object NAT rules are added to section 2 of the NAT rules table. For more information about NAT ordering, see the CLI configuration guide.
Depending on the configuration, you can configure the mapped address inline if desired or you can create a network object or network object group for the mapped address (the object network or object-group network command). Network object groups are particularly useful for creating a mapped address pool with discontinous IP address ranges or multiple hosts or subnets. You cannot use an object group with both IPv4 and IPv6 addresses; the object group must include only one type of address.
Objects and object groups used in NAT cannot be undefined; they must include IP addresses.
You can only define a single NAT rule for a given object; if you want to configure multiple NAT rules, you need to create multiple objects that specify the same IP address, for example, object network obj-10.10.10.1-01, object network obj-10.10.10.1-02, and so on.
Mapped Address Guidelines
The mapped IP address pool cannot include:
•
•
•
•
Clearing Translation Sessions
If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT information is used, you can clear the translation table using clear xlate command. However, clearing the translation table disconnects all of the current connections.
PAT Pool Guidelines
•
•
•
Extended PAT for a PAT Pool Guidelines
•
•
•
•
Round robin for a PAT Pool Guidelines
•
•
•
NAT and IPv6
You can use NAT to translate between IPv6 networks, and also to translate between IPv4 and IPv6 networks (routed mode only). We recommend the following best practices:
•
•
•
Examples
Dynamic NAT Examples
The following example configures dynamic NAT that hides 192.168.2.0 network behind a range of outside addresses 2.2.2.1-2.2.2.10:
hostname(config)# object network my-range-objhostname(config-network-object)# range 2.2.2.1 2.2.2.10hostname(config)# object network my-inside-nethostname(config-network-object)# subnet 192.168.2.0 255.255.255.0hostname(config-network-object)# nat (inside,outside) dynamic my-range-objThe following example configures dynamic NAT with dynamic PAT backup. Hosts on inside network 10.76.11.0 are mapped first to the nat-range1 pool (10.10.10.10-10.10.10.20). After all addresses in the nat-range1 pool are allocated, dynamic PAT is performed using the pat-ip1 address (10.10.10.21). In the unlikely event that the PAT translations are also use up, dynamic PAT is performed using the outside interface address.
hostname(config)# object network nat-range1hostname(config-network-object)# range 10.10.10.10 10.10.10.20hostname(config-network-object)# object network pat-ip1hostname(config-network-object)# host 10.10.10.21hostname(config-network-object)# object-group network nat-pat-grphostname(config-network-object)# network-object object nat-range1hostname(config-network-object)# network-object object pat-ip1hostname(config-network-object)# object network my_net_obj5hostname(config-network-object)# subnet 10.76.11.0 255.255.255.0hostname(config-network-object)# nat (inside,outside) dynamic nat-pat-grp interfaceThe following example configures dynamic NAT with dynamic PAT backup to translate IPv6 hosts to IPv4. Hosts on inside network 2001:DB8::/96 are mapped first to the IPv4_NAT_RANGE pool (209.165.201.1 to 209.165.201.30). After all addresses in the IPv4_NAT_RANGE pool are allocated, dynamic PAT is performed using the IPv4_PAT address (209.165.201.31). In the event that the PAT translations are also used up, dynamic PAT is performed using the outside interface address.
hostname(config)# object network IPv4_NAT_RANGEhostname(config-network-object)# range 209.165.201.1 209.165.201.30hostname(config-network-object)# object network IPv4_PAThostname(config-network-object)# host 209.165.201.31hostname(config-network-object)# object-group network IPv4_GROUPhostname(config-network-object)# network-object object IPv4_NAT_RANGEhostname(config-network-object)# network-object object IPv4_PAThostname(config-network-object)# object network my_net_obj5hostname(config-network-object)# subnet 2001:DB8::/96hostname(config-network-object)# nat (inside,outside) dynamic IPv4_GROUP interfaceDynamic PAT Example
The following example configures dynamic PAT that hides the 192.168.2.0 network behind address 2.2.2.2:
hostname(config)# object network my-inside-nethostname(config-network-object)# subnet 192.168.2.0 255.255.255.0hostname(config-network-object)# nat (inside,outside) dynamic 2.2.2.2The following example configures dynamic PAT that hides the 192.168.2.0 network behind the outside interface address:
hostname(config)# object network my-inside-nethostname(config-network-object)# subnet 192.168.2.0 255.255.255.0hostname(config-network-object)# nat (inside,outside) dynamic interfaceThe following example configures dynamic PAT with a PAT pool to translate the inside IPv6 network to an outside IPv4 network:
hostname(config)# object network IPv4_POOL
hostname(config-network-object)# range 203.0.113.1 203.0.113.254
hostname(config)# object network IPv6_INSIDE
hostname(config-network-object)# subnet 2001:DB8::/96hostname(config-network-object)# nat (inside,outside) dynamic pat-pool IPv4_POOLStatic NAT Examples
The following example configures static NAT for the real host 1.1.1.1 on the inside to 2.2.2.2 on the outside with DNS rewrite enabled.
hostname(config)# object network my-host-obj1hostname(config-network-object)# host 1.1.1.1hostname(config-network-object)# nat (inside,outside) static 2.2.2.2 dnsThe following example configures static NAT for the real host 1.1.1.1 on the inside to 2.2.2.2 on the outside using a mapped object.
hostname(config)# object network my-mapped-objhostname(config-network-object)# host 2.2.2.2hostname(config-network-object)# object network my-host-obj1hostname(config-network-object)# host 1.1.1.1hostname(config-network-object)# nat (inside,outside) static my-mapped-objThe following example configures static NAT with port translation for 1.1.1.1 at TCP port 21 to the outside interface at port 2121.
hostname(config)# object network my-ftp-serverhostname(config-network-object)# host 1.1.1.1hostname(config-network-object)# nat (inside,outside) static interface service tcp 21 2121The following example maps an inside IPv4 network to an outside IPv6 network.
hostname(config)# object network inside_v4_v6hostname(config-network-object)# subnet 10.1.1.0 255.255.255.0hostname(config-network-object)# nat (inside,outside) static 2001:DB8::/96The following example maps an inside IPv6 network to an outside IPv6 network.
hostname(config)# object network inside_v6hostname(config-network-object)# subnet 2001:DB8:AAAA::/96hostname(config-network-object)# nat (inside,outside) static 2001:DB8:BBBB::/96Identity NAT Examples
The following example maps a host address to itself using an inline mapped address:
hostname(config)# object network my-host-obj1
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static 10.1.1.1
The following example maps a host address to itself using a network object:
hostname(config)# object network my-host-obj1-identity
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# object network my-host-obj1
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static my-host-obj1-identity
Related Commands
nat (vpn load-balancing)
To set the IP address to which NAT translates the IP address of this device, use the nat command in VPN load-balancing configuration mode. To disable this NAT translation, use the no form of this command.
nat ip-address
no nat [ip-adddress]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
VPN load-balancing configuration
•
—
•
—
—
Command History
Usage Guidelines
You must first use the vpn load-balancing command to enter VPN load-balancing mode.
In the no nat form of the command, if you specify the optional ip-address value, the IP address must match the existing NAT IP address in the running configuration.
Examples
The following is an example of a VPN load-balancing command sequence that includes a nat command that sets the NAT-translated address to 192.168.10.10:
hostname(config)# interface GigabitEthernet 0/1hostname(config-if)# ip address 209.165.202.159 255.255.255.0hostname(config)# nameif testhostname(config)# interface GigabitEthernet 0/2hostname(config-if)# ip address 209.165.201.30 255.255.255.0hostname(config)# nameif foohostname(config)# vpn load-balancinghostname(config-load-balancing)# nat 192.168.10.10hostname(config-load-balancing)# priority 9hostname(config-load-balancing)# interface lbpublic testhostname(config-load-balancing)# interface lbprivate foohostname(config-load-balancing)# cluster ip address 209.165.202.224hostname(config-load-balancing)# cluster port 9023hostname(config-load-balancing)# participatehostname(config-load-balancing)# participateRelated Commands
nat-assigned-to-public-ip
To automatically translate a VPN peer's local IP address back to the peer's real IP address, use the nat-assigned-to-public-ip command in tunnel-group general-attributes configuration mode. To disable the NAT rules, use the no form of this command.
nat-assigned-to-public-ip interface
no nat-assigned-to-public-ip interface
Syntax Description
Command Default
This command is disabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group general-attributes configuration
•
•
•
—
—
Command History
Usage Guidelines
In rare situations, you might want to use a VPN peer's real IP address on the inside network instead of an assigned local IP address. Normally with VPN, the peer is given an assigned local IP address to access the inside network. However, you might want to translate the local IP address back to the peer's real public IP address if, for example, your inside servers and network security is based on the peer's real IP address.
You can enable this feature on one interface per tunnel group. Object NAT rules are dynamically added and deleted when the VPN session is established or disconnected. You can view the rules using the show nat command.
Data Flow
The following steps describe the packet flow through the ASA when this feature is enabled:
1.
The outer source/destination consists of the peer public IP address/ASA IP address. The encrypted inner source/destination consists of the VPN-assigned IP address/inside server address.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Limitations
Because of routing issues, we do not recommend using this feature unless you know you need this feature; contact Cisco TAC to confirm feature compatibility with your network. See the following limitations:
•
•
•
•
•
Examples
The following example enables NAT to the public IP for the "vpnclient" tunnel group:
hostname# ip local pool client 10.1.226.4-10.1.226.254hostname# tunnel-group vpnclient type remote-accesshostname# tunnel-group vpnclient general-attributeshostname(config-tunnel-general)# address-pool clienthostname(config-tunnel-general)# nat-assigned-to-public-ip insideThe following is sample output from the show nat detail command showing an automatic NAT rule from peer 209.165.201.10 with assigned IP 10.1.226.174:
hostname# show nat detailAuto NAT Policies (Section 2)1 (outside) to (inside) source static _vpn_nat_10.1.226.174 209.165.201.10translate_hits = 0, untranslate_hits = 0Source - Origin: 10.1.226.174/32, Translated: 209.165.201.10/32Related Commands
nat-rewrite
To enable NAT rewrite for IP addressess embedded in the A-record of a DNS response, use the nat-rewrite command in parameters configuration mode. To disable this feature, use the no form of this command.
nat-rewrite
no nat-rewrite
Syntax Description
This command has no arguments or keywords.
Defaults
NAT rewrite is enabled by default. This feature can be enabled when inspect dns is configured even if a policy-map type inspect dns is not defined. To disable, no nat-rewrite must explicitly be stated in the policy map configuration. If inspect dns is not configured, NAT rewrite is not performed.
Command Modes
The following table shows the modes in which you can enter the command:
Parameters configuration
•
•
•
•
—
Command History
Usage Guidelines
This feature performs NAT translation of A-type Resource Record (RR) in a DNS response.
Examples
The following example shows how to enable NAT rewrite in a DNS inspection policy map:
hostname(config)# policy-map type inspect dns preset_dns_maphostname(config-pmap)# parametershostname(config-pmap-p)# nat-rewriteRelated Commands
nbns-server (tunnel-group webvpn attributes mode)
To configure an NBNS server, use the nbns-server command in tunnel-group webvpn configuration mode. To remove the NBNS server from the configuration, use the no form of this command.
The ASA queries NBNS servers to map NetBIOS names to IP addresses. WebVPN requires NetBIOS to access or share files on remote systems.
nbns-server {ipaddr | hostname} [master] [timeout timeout] [retry retries]
no nbns-server
Syntax Description
Defaults
No NBNS server is configured by default.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group webvpn configuration
•
—
•
—
—
Command History
7.0(1)
This command was introduced.
7.1(1)
Moved from webvpn mode to tunnel-group webvpn configuration mode.
Usage Guidelines
In Release 7.1(1), if you enter this command in webvpn configuration mode, it is transformed to the same command in tunnel-group webvpn-attributes configuration mode.
Maximum of 3 server entries. The first server you configure is the primary server, and the others are backups, for redundancy.
Use the no option to remove the matching entry from the configuration.
Examples
The following example shows how to configure the tunnel-group "test" with an NBNS server that is a master browser with an IP address of 10.10.10.19, a timeout value of 10 seconds, and 8 retries. It also shows how to configure an NBNS WINS server with an IP address of 10.10.10.24, a timeout value of 15 seconds, and 8 retries.
hostname(config)#tunnel-group test type webvpnhostname(config)#tunnel-group test webvpn-attributeshostname(config-tunnel-webvpn)# nbns-server 10.10.10.19 master timeout 10 retry 8hostname(config-tunnel-webvpn)# nbns-server 10.10.10.24 timeout 15 retry 8hostname(config-tunnel-webvpn)#Related Commands
nbns-server (webvpn mode)
To configure an NBNS server, use the nbns-server command in tunnel-group webvpn configuration mode. To remove the NBNS server from the configuration, use the no form of this command.
The ASA queries NBNS servers to map NetBIOS names to IP addresses. WebVPN requires NetBIOS to access or share files on remote systems.
nbns-server {ipaddr | hostname} [master] [timeout timeout] [retry retries]
no nbns-server
Syntax Description
Defaults
No NBNS server is configured by default.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group webvpn configuration
•
—
•
—
—
Command History
7.0(1)
This command was introduced.
7.1(1)
Moved from webvpn mode to tunnel-group webvpn configuration mode.
Usage Guidelines
This command is deprecated in webvpn configuration mode. The nbns-server command in tunnel-group webvpn-attributes configuration mode replaces it. In Release 7.1(1), if you enter this command in webvpn configuration mode, it is transformed to the same command in tunnel-group webvpn-attributes mode.
Maximum of 3 server entries. The first server you configure is the primary server, and the others are backups, for redundancy.
Use the no option to remove the matching entry from the configuration.
Examples
The following example shows how to configure an NBNS server that is a master browser with an IP address of 10.10.10.19, a timeout value of 10 seconds, and 8 retries. It also shows how to configure an NBNS WINS server with an IP address of 10.10.10.24, a timeout value of 15 seconds, and 8 retries.
hostname(config)#webvpnhostname(config-webvpn)# nbns-server 10.10.10.19 master timeout 10 retry 8hostname(config-webvpn)# nbns-server 10.10.10.24 timeout 15 retry 8neighbor
To define a static neighbor on a point-to-point, non-broadcast network, use the neighbor command in router configuration mode. To remove the statically defined neighbor from the configuration, use the no form of this command.
neighbor ip_address [interface name]
no neighbor ip_address [interface name]
Syntax Description
interface name
(Optional) Specifies the interface name, as specified by the nameif command, through which the neighbor can be reached.
ip_address
Specifies the IP address of the neighbor router.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
•
—
Command History
Usage Guidelines
The neighbor command is used to advertise OSPF routes over VPN tunnels. One neighbor entry must be included for each known non-broadcast network neighbor. The neighbor address must be on the primary address of the interface.
The interface option needs to be specified when the neighbor is not on the same network as any of the directly connected interfaces of the system. Additionally, a static route must be created to reach the neighbor.
Examples
The following example defines a neighbor router with an address of 192.168.1.1:
hostname(config-router)# neighbor 192.168.1.1Related Commands
router ospf
Enters router configuration mode.
show running-config router
Displays the commands in the global router configuration.
neighbor (EIGRP)
To define an EIGRP neighbor router with which to exchange routing information, use the neighbor command in router configuration mode. To remove a neighbor entry, use the no form of this command.
neighbor ip_address interface name
no neighbor ip_address interface name
Syntax Description
interface name
The interface name, as specified by the nameif command, through which the neighbor can be reached.
ip_address
IP address of the neighbor router.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
You can use multiple neighbor statements to establish peering sessions with specific EIGRP neighbors. The interface through which EIGRP exchanges routing updates must be specified in the neighbor statement. The interfaces through which two EIGRP neighbors exchange routing updates must be configured with IP addresses from the same network.
Note
EIGRP hello messages are sent as unicast messages to neighbors defined using the neighbor command.
Examples
The following example configures EIGRP peering sessions with the 192.168.1.1 and 192.168.2.2 neighbors:
hostname(config)# router eigrp 100hostname(config-router)# network 192.168.0.0hostname(config-router)# neighbor 192.168.1.1 interface outsidehostname(config-router)# neighbor 192.168.2.2 interface branch_officeRelated Commands
debug eigrp neighbors
Displays debug information for EIGRP neighbor messages.
show eigrp neighbors
Displays the EIGRP neighbor table.
nem
To enable network extension mode for hardware clients, use the nem enable command in group-policy configuration mode. To disable NEM, use the nem disable command. To remove the NEM attribute from the running configuration, use the no form of this command. This option allows inheritance of a value from another group policy.
nem {enable | disable}
no nem
Syntax Description
Defaults
Network extension mode is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policyconfiguration
•
—
•
—
—
Usage Guidelines
Network Extension mode lets hardware clients present a single, routable network to the remote private network over the VPN tunnel. IPsec encapsulates all traffic from the private network behind the hardware client to networks behind the ASA. PAT does not apply. Therefore, devices behind the ASA have direct access to devices on the private network behind the hardware client over the tunnel, and only over the tunnel, and vice versa. The hardware client must initiate the tunnel, but after the tunnel is up, either side can initiate data exchange.
Command History
Examples
The following example shows how to set NEM for the group policy named FirstGroup:
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)# nem enablenetwork
To specify a list of networks for the RIP routing process, use the network command in router configuration mode. To remove a network definition, use the no form of this command.
network ip_addr
no network ip_addr
Syntax Description
ip_addr
The IP address of a directly connected network. The interface connected to the specified network will participate in the RIP routing process.
Defaults
No networks are specified.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
•
—
Command History
Usage Guidelines
The network number specified must not contain any subnet information. There is no limit to the number of network commands you can use on the router. RIP routing updates will be sent and received only through interfaces on the specified networks. Also, if the network of an interface is not specified, the interface will not be advertised in any RIP update.
Examples
The following example defines RIP as the routing protocol to be used on all interfaces connected to networks 10.0.0.0 and 192.168.7.0:
hostname(config)# router riphostname(config-router)# network 10.0.0.0hostname(config-router)# network 192.168.7.0Related Commands
router rip
Enters router configuration mode.
show running-config router
Displays the commands in the global router configuration.
network (EIGRP)
To specify a list of networks for the EIGRP routing process, use the network command in router configuration mode. To remove a network definition, use the no form of this command.
network ip_addr [mask]
no network ip_addr [mask]
Syntax Description
Defaults
No networks are specified.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
The network command starts EIGRP on all interfaces with at least one IP address in the specified network. It inserts the connected subnet from the specified network in the EIGRP topology table.
The ASA then establishes neighbors through the matched interfaces. There is no limit to the number of network commands that can be configured on the ASA.
Examples
The following example defines EIGRP as the routing protocol to be used on all interfaces connected to networks 10.0.0.0 and 192.168.7.0:
hostname(config)# router eigrp 100hostname(config-router)# network 10.0.0.0 255.0.0.0hostname(config-router)# network 192.168.7.0 255.255.255.0Related Commands
show eigrp interfaces
Displays information about interfaces configured for EIGRP.
show eigrp topology
Displays the EIGRP topology table.
network-acl
To specify a firewall ACL name that you configured previously using the access-list command, use the network-acl command in dynamic-access-policy-record configuration mode. To remove an existing network ACL, use the no form of this command. To remove all network ACL, use the command without arguments.
network-acl name
no network-acl [name]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Dynamic-access-policy-record configuration
•
•
•
—
—
Command History
Usage Guidelines
Use this command multiple time to assign multiple firewall ACLs to the DAP record.
The ASA verifies each of the ACLs you specify to make sure they contain only permit rules or only deny rules for the access-list entries. If any of the specified ACLs contain mixed permit and deny rules, then the ASA rejects the command.
The following example shows how to apply a network ACL called Finance Restrictions to the DAP record named Finance.
hostname(config)#dynamic-access-policy-record Financehostname(config-dynamic-access-policy-record)#network-acl Finance Restrictionshostname(config-dynamic-access-policy-record)#Related Commands
network area
To define the interfaces on which OSPF runs and to define the area ID for those interfaces, use the network area command in router configuration mode. To disable OSPF routing for interfaces defined with the address/netmask pair, use the no form of this command.
network addr mask area area_id
no network addr mask area area_id
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Router configuration
•
—
•
—
—
Command History
Usage Guidelines
For OSPF to operate on the interface, the address of the interface must be covered by the network area command. If the network area command does not cover the IP address of the interface, it will not enable OSPF over that interface.
There is no limit to the number of network area commands you can use on the ASA.
Examples
The following example enables OSPF on the 192.168.1.1 interface and assigns it to area 2:
hostname(config-router)# network 192.168.1.1 255.255.255.0 area 2Related Commands
router ospf
Enters router configuration mode.
show running-config router
Displays the commands in the global router configuration.
network-object
To add a host object, a network object, or a subnet object to a network object group, use the network-object command in object-group network configuration mode. To remove network objects, use the no form of this command.
network-object {host ip_address | ip_address mask | object name}
no network-object {host ip_address | ip_address mask | object name}
Syntax Description
host ip_address
Specifies a host IP address.
ip_address mask
Specifies the network address and subnet mask.
object name
Specifies a network object (object network command).
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Object-group network configuration
•
•
•
•
—
Command History
8.3(1)
The object argument was added to support network objects (object network command).
Usage Guidelines
The network-object command is used with the object-group command to define a host object, a network object, or a subnet object.
Examples
The following example shows how to use the network-object command to create a new host object in a network object group:
hostname(config)# object-group network sjj_eng_ftp_servershostname(config-network-object-group)# network-object host sjj.eng.ftphostname(config-network-object-group)# network-object host 172.16.56.195hostname(config-network-object-group)# network-object 192.168.1.0 255.255.255.224hostname(config-network-object-group)# group-object sjc_eng_ftp_servershostname(config)#Related Commands
nop
To define an action when the No Operation IP option occurs in a packet with IP Options inspection, use the nop command in parameters configuration mode. To disable this feature, use the no form of this command.
nop action {allow | clear}
no nop action {allow | clear}
Syntax Description
allow
Instructs the ASA to allow a packet containing the No Operation IP option to pass.
clear
Instructs the ASA to clear the No Operation IP option from a packet and then allow the packet to pass.
Defaults
By default, IP Options inspection, drops packets containing the No Operation IP option.
Command Modes
The following table shows the modes in which you can enter the command:
Parameters configuration
•
•
•
•
—
Command History
Usage Guidelines
This command can be configured in an IP Options inspection policy map.
You can configure IP Options inspection to control which IP packets with specific IP options are allowed through the ASA. Configuring this inspection instructs the ASA to allow a packet to pass or to clear the specified IP options and then allow the packet to pass.
The Options field in the IP header can contain zero, one, or more options, which makes the total length of the field variable. However, the IP header must be a multiple of 32 bits. If the number of bits of all options is not a multiple of 32 bits, the No Operation (NOP) or IP Option 1 is used as "internal padding" to align the options on a 32-bit boundary.
Examples
The following example shows how to set up an action for IP Options inspection in a policy map:
hostname(config)# policy-map type inspect ip-options ip-options_maphostname(config-pmap)# parametershostname(config-pmap-p)# eool action allowhostname(config-pmap-p)# nop action allowhostname(config-pmap-p)# router-alert action allowRelated Commands
nt-auth-domain-controller
To specify the name of the NT Primary Domain Controller for this server, use the nt-auth-domain-controller command in aaa-server host configuration mode. To remove this specification, use the no form of this command.
nt-auth-domain-controller string
no nt-auth-domain-controller
Syntax Description
string
Specifies the name, up to 16 characters long, of the Primary Domain Controller for this server.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Aaa-server host configuration
•
•
•
•
—
Command History
Usage Guidelines
This command is valid only for NT Authentication AAA servers. You must have first used the aaa-server host command to enter host configuration mode. The name in the string variable must match the NT entry on the server itself.
Examples
The following example configures the name of the NT Primary Domain Controller for this server as "primary1":
hostname(config)#aaa-server svrgrp1 protocol nthostname(configaaa-sesrver-group)#aaa-server svrgrp1 host 1.2.3.4hostname(config-aaa-server-host)#nt-auth-domain-controller primary1hostname(config-aaa-server-host)#Related Commands
ntp authenticate
To enable authentication with an NTP server, use the ntp authenticate command in global configuration mode. To disable NTP authentication, use the no form of this command.
ntp authenticate
no ntp authenticate
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
If you enable authentication, the ASA only communicates with an NTP server if it uses the correct trusted key in the packets (see the ntp trusted-key command). The ASA also uses an authentication key to synchronize with the NTP server (see the ntp authentication-key command).
Examples
The following example configures the ASA to synchronize only to systems that provide authentication key 42 in their NTP packets:
hostname(config)# ntp authenticatehostname(config)# ntp authentication-key 42 md5 aNiceKeyhostname(config)# ntp trusted-key 42Related Commands
ntp authentication-key
To set a key to authenticate with an NTP server, use the ntp authentication-key command in global configuration mode. To remove the key, use the no form of this command.
ntp authentication-key key_id md5 key
no ntp authentication-key key_id [md5 [0 | 8] key]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
To use NTP authentication, also configure the ntp authenticate command.
Examples
The following example enables authentications, identifies trusted key IDs 1 and 2, and sets authentication keys for each trusted key ID:
hostname(config)# ntp authenticatehostname(config)# ntp trusted-key 1hostname(config)# ntp trusted-key 2hostname(config)# ntp authentication-key 1 md5 aNiceKeyhostname(config)# ntp authentication-key 2 md5 aNiceKey2Related Commands
ntp server
To identify an NTP server to set the time on the ASA, use the ntp server command in global configuration mode. To remove the server, use the no form of this command.
ntp server ip_address [key key_id] [source interface_name] [prefer]
no ntp server ip_address [key key_id] [source interface_name] [prefer]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
You can identify multiple servers; the ASA uses the most accurate server. In multiple context mode, set the NTP server in the system configuration only.
Examples
The following example identifies two NTP servers and enables authentication for the key IDs 1 and 2:
hostname(config)# ntp server 10.1.1.1 key 1 preferhostname(config)# ntp server 10.2.1.1 key 2hostname(config)# ntp authenticatehostname(config)# ntp trusted-key 1hostname(config)# ntp trusted-key 2hostname(config)# ntp authentication-key 1 md5 aNiceKeyhostname(config)# ntp authentication-key 2 md5 aNiceKey2Related Commands
ntp trusted-key
To specify an authentication key ID to be a trusted key, which is required for authentication with an NTP server, use the ntp trusted-key command in global configuration mode. To remove the trusted key, use the no form of this command. You can enter multiple trusted keys for use with multiple servers.
ntp trusted-key key_id
no ntp trusted-key key_id
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
•
Command History
Usage Guidelines
To use NTP authentication, also configure the ntp authenticate command. To synchronize with a server, set the authentication key for the key ID using the ntp authentication-key command.
Examples
The following example enables authentications, identifies trusted key IDs 1 and 2, and sets authentication keys for each trusted key ID:
hostname(config)# ntp authenticatehostname(config)# ntp trusted-key 1hostname(config)# ntp trusted-key 2hostname(config)# ntp authentication-key 1 md5 aNiceKeyhostname(config)# ntp authentication-key 2 md5 aNiceKey2Related Commands
num-packets
To specify the number of request packets sent during an SLA operation, use the num-packets command in sla monitor protocol configuration mode. To restore the default value, use the no form of this command.
num-packets number
no num-packets number
Syntax Description
Defaults
The default number of packets sent for echo types is 1.
Command Modes
The following table shows the modes in which you can enter the command:
sla monitor protocol configuration
•
—
•
—
—
Command History
Usage Guidelines
Increase the default number of packets sent to prevent incorrect reachability information due to packet loss.
Examples
The following example configures an SLA operation with an ID of 123 that uses an ICMP echo request/response time probe operation. It sets the payload size of the echo request packets to 48 bytes and the number of echo requests sent during an SLA operation to 5.
hostname(config)# sla monitor 123hostname(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outsidehostname(config-sla-monitor-echo)# num-packets 5hostname(config-sla-monitor-echo)# request-data-size 48hostname(config-sla-monitor-echo)# timeout 4000hostname(config-sla-monitor-echo)# threshold 2500hostname(config-sla-monitor-echo)# frequency 10hostname(config)# sla monitor schedule 123 life forever start-time nowhostname(config)# track 1 rtr 123 reachabilityRelated Commands
