Last Updated on August 3, 2021 by Admin 3
You want to issue the following block of commands on a Cisco ASA:
ASA(config)#nat (DMZ, INSIDE) source dynamic any interface destination static INSIDESQLEXT INSIDESQLINT
You do not have CLI access to the ASA and must use ASDM instead.
Which of the following samples of the Add NAT Rule dialog box corresponds to the configuration needed to achieve your goal? (Select the best answer.)
- Option A
- Option B
- Option C
- Option D
The following sample of the Add NAT Rule dialog box corresponds to the Cisco Adaptive Security Appliance (ASA) configuration needed to achieve your goal using Cisco Adaptive Security Device Manager (ASDM):
In the exhibit shown above, the Match Criteria: Original Packet section of the Add NAT Rule dialog box contains fields that correspond to the interface and IP address information in a matching packet prior to translation. The Source Interface field specifies the real source interface, the Source Address field specifies the real source IP address, the Destination Interface field specifies the real destination interface, the Destination Address field specifies the real destination IP address, and the Service field specifies the real protocol port numbers for the original packet. By contrast, the Action: Translated Packet section of the Add NAT Rule dialog box contains fields that correspond to the mapped interface and IP address information in a matching packet after translation. The Source NAT Type field specifies the type of Network Address Translation (NAT), the Source Address field specifies the mapped source IP address, the Destination Address field specifies the mapped destination IP address, and the Service field specifies the mapped protocol numbers for the translated packet.
The sample Add NAT Rule dialog box configures the ASA to map the real source IP address of traffic from any network attached to the DMZ network to the IP address assigned to the INSIDE interface. In addition, the mapped destination IP address defined in the INSIDESQLEXT object is mapped to the real destination IP address defined in the INSIDESQLINT object. The following diagram depicts the translation of the addresses within matching packets where INSIDESQLEXT has an IP address of 192.168.15.2 and INSIDESQLINT has an IP address of 192.168.13.2:
You could use the nat (DMZ, INSIDE) source dynamic any interface destination static INSIDESQLEXT INSIDESQLINT command from global configuration mode to configure the same dynamic NAT rule as shown in the sample Add NAT Rule dialog box. When the nat command is issued from global configuration mode, it is referred to as the nat (global) command, and it can be used to configure twice NAT on the ASA. Twice NAT enables you to specify a mapping for both the source address and the destination address in a packet. The nat (global) command in this scenario can be used to create a dynamic NAT rule that translates traffic between the DMZ and INSIDE interfaces of the ASA. The abbreviated syntax to create a dynamic NAT rule with the nat (global) command is nat (real_interface,mapped_interface) source dynamic {real_object | any} {mapped_object | interface} destination static {mapped_object | interface} {real_object | any}.
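The positional mapping described above can be checked mechanically. The following is an added example, not part of the original page or of any Cisco tooling: it parses the abbreviated syntax and lays the tokens out under the dialog field names used in the explanation. The function name nat_to_dialog, the "(interface)" rendering and the "dynamic" type value are assumptions made for illustration.

```python
import re

# Abbreviated twice-NAT syntax as quoted on this page:
#   nat (real_interface,mapped_interface) source dynamic {real|any}
#       {mapped|interface} destination static {mapped|interface} {real|any}
NAT_RE = re.compile(
    r"^nat\s*\(\s*(?P<real_if>\w+)\s*,\s*(?P<mapped_if>\w+)\s*\)\s+"
    r"source\s+dynamic\s+(?P<src_real>\S+)\s+(?P<src_mapped>\S+)\s+"
    r"destination\s+static\s+(?P<dst_mapped>\S+)\s+(?P<dst_real>\S+)$"
)

def nat_to_dialog(command):
    """Map a dynamic twice-NAT command onto the Add NAT Rule field names."""
    m = NAT_RE.match(command.strip())
    if m is None:
        raise ValueError("not a 'source dynamic ... destination static' rule")
    g = m.groupdict()
    src_mapped = g["src_mapped"]
    if src_mapped == "interface":
        # Assumed rendering: the keyword means the mapped interface's address.
        src_mapped = g["mapped_if"] + " (interface)"
    return {
        "Original Packet": {
            "Source Interface": g["real_if"],
            "Source Address": g["src_real"],
            "Destination Interface": g["mapped_if"],
            # The packet arrives addressed to the destination's mapped object.
            "Destination Address": g["dst_mapped"],
        },
        "Translated Packet": {
            # CLI keyword; ASDM's drop-down label may be worded differently.
            "Source NAT Type": "dynamic",
            "Source Address": src_mapped,
            "Destination Address": g["dst_real"],
        },
    }

# The command from the question plus the three variants the page lists.
CANDIDATES = [
    "nat (DMZ, INSIDE) source dynamic any interface destination static INSIDESQLEXT INSIDESQLINT",
    "nat (DMZ, INSIDE) source dynamic any interface destination static INSIDESQLINT INSIDESQLEXT",
    "nat (INSIDE, DMZ) source dynamic any interface destination static INSIDESQLEXT INSIDESQLINT",
    "nat (INSIDE, DMZ) source dynamic any interface destination static INSIDESQLINT INSIDESQLEXT",
]

if __name__ == "__main__":
    for cmd in CANDIDATES:
        print(cmd)
        for section, fields in nat_to_dialog(cmd).items():
            print("  ", section, fields)
```

Comparing the four outputs shows that swapping the interface pair or the two destination objects each changes a different set of dialog fields, which is what distinguishes the answer options.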
The following sample of the Add NAT Rule dialog box corresponds to the nat (DMZ, INSIDE) source dynamic any interface destination static INSIDESQLINT INSIDESQLEXT command:
The following sample of the Add NAT Rule dialog box corresponds to the nat (INSIDE, DMZ) source dynamic any interface destination static INSIDESQLEXT INSIDESQLINT command:
The following sample of the Add NAT Rule dialog box corresponds to the nat (INSIDE, DMZ) source dynamic any interface destination static INSIDESQLINT INSIDESQLEXT command: