Dynamic PAT
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain
You cannot remove these default rules, and they are always evaluated after any manually-created rules. Because
rules are evaluated in order and the first matching rule wins, a manually-created rule overrides the default
rules for any traffic it matches. For example, to completely negate the default rules, you could add the following:
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
Procedure
Step 1 Create a permit or deny per-session PAT rule. This rule is placed above the default rules, but below any
other manually-created rules. Be sure to create your rules in the order you want them applied.
xlate per-session {permit | deny} {tcp | udp} source_ip [operator src_port] destination_ip [operator dest_port]
Example
hostname(config)# xlate per-session deny tcp any4 209.165.201.3 eq 1720
For the source and destination IP addresses, you can configure the following:
• host ip_address—Specifies an IPv4 or IPv6 host address.
• ip_address mask—Specifies an IPv4 network address and subnet mask.
• ipv6-address/prefix-length—Specifies an IPv6 network address and prefix.
• any4 and any6—any4 specifies only IPv4 traffic, and any6 specifies only IPv6 traffic.
The operator matches the port numbers used by the source or destination. The default is all ports. The
permitted operators are:
• lt—less than
• gt—greater than
• eq—equal to
• neq—not equal to
• range—an inclusive range of values. When you use this operator, specify two port numbers, for
example, range 100 200.
Examples
The following example creates a deny rule for H.323 traffic, so that it uses multi-session PAT:
hostname(config)# xlate per-session deny tcp any4 209.165.201.7 eq 1720
hostname(config)# xlate per-session deny udp any4 209.165.201.7 range 1718 1719
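The evaluation order described above, as an added Python model written for this page (it is not Cisco code and not part of the guide): it parses rules in the documented xlate per-session syntax, appends the eight default permit rules (the four TCP defaults are inferred from the deny list that negates them), evaluates top to bottom with first match winning, and reports whether a flow gets per-session or multi-session PAT. The port-name table, treating a bare address as a host, and returning multi-session when no rule matches are assumptions of this model; the H.323 rules and flows are constructed sample input.

```python
"""Constructed model of ASA "xlate per-session" evaluation (added example, not
Cisco code): manual rules first, then the default permit rules, first match
wins.  A flow that matches no rule is assumed to get multi-session PAT."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Union

AddrSpec = Union[str, ipaddress.IPv4Network, ipaddress.IPv6Network]
PortSpec = Optional[Tuple]          # None means "all ports" (the default)
OPERATORS = {"lt", "gt", "eq", "neq", "range"}
PORT_NAMES = {"domain": 53}         # assumption: only the keyword the page uses

# Default rules from the guide; always present and always evaluated last.
DEFAULT_RULES = [
    "xlate per-session permit tcp any4 any4",
    "xlate per-session permit tcp any4 any6",
    "xlate per-session permit tcp any6 any4",
    "xlate per-session permit tcp any6 any6",
    "xlate per-session permit udp any4 any4 eq domain",
    "xlate per-session permit udp any4 any6 eq domain",
    "xlate per-session permit udp any6 any4 eq domain",
    "xlate per-session permit udp any6 any6 eq domain",
]


@dataclass
class Rule:
    action: str
    proto: str
    src: AddrSpec
    sport: PortSpec
    dst: AddrSpec
    dport: PortSpec


def _parse_addr(tok, i):
    """Parse any4|any6, host A, A MASK, or X::/N starting at tok[i]."""
    t = tok[i]
    if t in ("any4", "any6"):
        return t, i + 1
    if t == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    if "/" in t:                                   # IPv6 prefix form
        return ipaddress.ip_network(t, strict=False), i + 1
    nxt = tok[i + 1] if i + 1 < len(tok) else None
    if nxt is not None:
        try:                                       # "address mask" form
            return ipaddress.ip_network(f"{t}/{nxt}", strict=False), i + 2
        except ValueError:
            pass                                   # next token is not a mask
    return ipaddress.ip_network(t), i + 1          # assumption: bare address = host


def _parse_port(tok, i):
    """Parse an optional operator (lt/gt/eq/neq/range) starting at tok[i]."""
    if i >= len(tok) or tok[i] not in OPERATORS:
        return None, i
    op = tok[i]
    num = lambda p: int(PORT_NAMES.get(p, p))
    if op == "range":
        return (op, num(tok[i + 1]), num(tok[i + 2])), i + 3
    return (op, num(tok[i + 1])), i + 2


def parse_rule(line):
    tok = line.split()
    if tok and tok[0].endswith("#"):               # strip "hostname(config)#"
        tok = tok[1:]
    if tok[:2] == ["xlate", "per-session"]:
        tok = tok[2:]
    action, proto = tok[0], tok[1]
    src, i = _parse_addr(tok, 2)
    sport, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dport, i = _parse_port(tok, i)
    return Rule(action, proto, src, sport, dst, dport)


def _addr_ok(spec, ip):
    if spec == "any4":
        return ip.version == 4
    if spec == "any6":
        return ip.version == 6
    return ip.version == spec.version and ip in spec


def _port_ok(spec, port):
    if spec is None:
        return True
    op, a = spec[0], spec[1]
    if op == "lt":
        return port < a
    if op == "gt":
        return port > a
    if op == "eq":
        return port == a
    if op == "neq":
        return port != a
    return a <= port <= spec[2]                    # range is inclusive


def pat_mode(manual_rules, proto, src, sport, dst, dport):
    """Return 'per-session' or 'multi-session' for one flow."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in map(parse_rule, list(manual_rules) + DEFAULT_RULES):
        if (r.proto == proto and _addr_ok(r.src, src_ip) and _port_ok(r.sport, sport)
                and _addr_ok(r.dst, dst_ip) and _port_ok(r.dport, dport)):
            return "per-session" if r.action == "permit" else "multi-session"
    return "multi-session"                         # e.g. UDP other than DNS


# Constructed sample input: the H.323 rules from the example above, and a pair
# of rules whose order decides the outcome for host 10.1.1.5.
H323_RULES = [
    "hostname(config)# xlate per-session deny tcp any4 209.165.201.7 eq 1720",
    "hostname(config)# xlate per-session deny udp any4 209.165.201.7 range 1718 1719",
]
ORDER_DEMO = [
    "xlate per-session permit tcp host 10.1.1.5 any4",
    "xlate per-session deny tcp any4 any4",
]

if __name__ == "__main__":
    for flow in [("tcp", "10.1.1.10", 40000, "209.165.201.7", 1720),
                 ("udp", "10.1.1.10", 40000, "209.165.201.7", 1719),
                 ("tcp", "10.1.1.10", 40000, "209.165.201.7", 443),
                 ("udp", "10.1.1.10", 40000, "209.165.201.7", 123)]:
        print(flow, "->", pat_mode(H323_RULES, *flow))
```

Run it before committing a rule set: swapping the two ORDER_DEMO lines flips the result for 10.1.1.5, which is exactly the ordering pitfall the procedure warns about.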
Cisco ASA Series Firewall CLI Configuration Guide
9-26
Chapter 9
Network Address Translation (NAT)