
Cisco Asdm 7 User Guide

Here you can view all the pages of manual Cisco Asdm 7 User Guide. The Cisco manuals for Computer Equipment are available online for free. You can easily download all the documents as PDF.

Page 51

Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 3
Information About NAT (ASA 8.3 and Later)
This chapter provides an overview of how Network Address Translation (NAT) works on the ASA. This 
chapter includes the following sections:
Why Use NAT?, page 3-1
NAT Terminology, page 3-2
NAT Types, page 3-3
NAT in Routed and Transparent Mode, page 3-12
NAT and IPv6, page 3-15
How NAT is Implemented, page 3-15 
NAT Rule Order, page 3-20
Routing NAT Packets, page 3-22
NAT for VPN, page...

Page 52

 
One of the main functions of NAT is to enable private IP networks to connect to the Internet. NAT 
replaces a private IP address with a public IP address, translating the private addresses in the internal 
private network into legal, routable addresses that can be used on the public Internet. In this way, NAT 
conserves public addresses because it can be configured to...

Page 53

 
NAT Types
NAT Types Overview, page 3-3
Static NAT, page 3-3
Dynamic NAT, page 3-8
Dynamic PAT, page 3-10
Identity NAT, page 3-12
NAT Types Overview
You can implement NAT using the following methods:
Static NAT—A consistent mapping between a real and mapped IP address. Allows bidirectional 
traffic initiation. See the “Static NAT” section on page 3-3.
Dynamic NAT—A group of real...

Page 54

 
Figure 3-1 shows a typical static NAT scenario. The translation is always active so both real and remote 
hosts can initiate connections.
Figure 3-1 Static NAT
Note: You can disable bidirectionality if desired.
Information About Static NAT with Port Translation
Static NAT with port translation lets you specify a real and mapped protocol (TCP or UDP) and port. 
This section...

Page 55

 
Note: For applications that require application inspection for secondary channels (for example, FTP and VoIP), 
the ASA automatically translates the secondary ports.
Static NAT with Identity Port Translation
The following static NAT with port translation example provides a single address for remote users to 
access FTP, HTTP, and SMTP. These servers are actually different devices...

Page 56

 
Static Interface NAT with Port Translation
You can configure static NAT to map a real address to an interface address/port combination. For 
example, if you want to redirect Telnet access for the ASA outside interface to an inside host, then you 
can map the inside host IP address/port 23 to the ASA interface address/port 23. (Note that although 
Telnet to the ASA is not allowed...

Page 57

 
For example, you have a load balancer at 10.1.2.27. Depending on the URL requested, it redirects traffic 
to the correct web server (see Figure 3-5). (See the “Inside Load Balancer with Multiple Mapped 
Addresses (Static NAT, One-to-Many)” section on page 4-29 for details on how to configure this 
example.)
Figure 3-5 One-to-Many Static NAT
Information About Other Mapping...

Page 58

 
Figure 3-6 shows a typical few-to-many static NAT scenario.
Figure 3-6 Few-to-Many Static NAT
For a many-to-few or many-to-one configuration, where you have more real addresses than mapped 
addresses, you run out of mapped addresses before you run out of real addresses. Only the mappings 
between the lowest real IP addresses and the mapped pool result in bidirectional...

Page 59

 
Information About Dynamic NAT
Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the 
destination network. The mapped pool typically includes fewer addresses than the real group. When a 
host you want to translate accesses the destination network, the ASA assigns the host an IP address from 
the mapped pool. The translation is...

Page 60

 
Note: For the duration of the translation, a remote host can initiate a connection to the translated host if an 
access rule allows it. Because the address is unpredictable, a connection to the host is unlikely. 
Nevertheless, in this case you can rely on the security of the access rule.
Dynamic NAT Disadvantages and Advantages
Dynamic NAT has these disadvantages:
If the mapped...