
Cisco Asdm 7 User Guide


Page 71

3-21
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 3 Information About NAT (ASA 8.3 and Later)
NAT Interfaces
For section 2 rules, for example, you have the following IP addresses defined within network objects:
192.168.1.0/24 (static)
192.168.1.0/24 (dynamic)
10.1.1.0/24 (static)
192.168.1.1/32 (static)
172.16.1.0/24 (dynamic) (object def)
172.16.1.0/24 (dynamic) (object abc)
The resultant ordering would be:
192.168.1.1/32 (static)
10.1.1.0/24 (static)
192.168.1.0/24 (static)...

Page 72

Routing NAT Packets
The ASA needs to be the destination for any packets sent to the mapped address. The ASA also needs to determine the egress interface for any packets it receives destined for mapped addresses. This section describes how the ASA handles accepting and delivering packets with NAT, and includes the following topics:
Mapped Addresses and Routing, page...

Page 73

(8.3(1), 8.3(2), and 8.4(1)) The default behavior for identity NAT has proxy ARP disabled. You cannot configure this setting.
(8.4(2) and later) The default behavior for identity NAT has proxy ARP enabled, matching other static NAT rules. You can disable proxy ARP if desired. Note: You can also disable proxy ARP for regular static NAT if desired, in which case you...

Page 74

Figure 3-19 Proxy ARP and Virtual Telnet
Transparent Mode Routing Requirements for Remote Networks
When you use NAT in transparent mode, some types of traffic require static routes. See the “MAC Address vs. Route Lookups” section on page 6-6 for more information.
Determining the Egress Interface
When the ASA receives traffic for a mapped address, the ASA untranslates...

Page 75

Figure 3-20 Routed Mode Egress Interface Selection
NAT for VPN
NAT and Remote Access VPN, page 3-25
NAT and Site-to-Site VPN, page 3-27
NAT and VPN Management Access, page 3-29
Troubleshooting NAT and VPN, page 3-31
NAT and Remote Access VPN
Figure 3-21 shows both an inside server (10.1.1.6) and a VPN client (209.165.201.10) accessing the Internet. Unless you configure split...

Page 76

Figure 3-21 Interface PAT for Internet-Bound VPN Traffic (Intra-Interface)
Figure 3-22 shows a VPN client that wants to access an inside mail server. Because the ASA expects traffic between the inside network and any outside network to match the interface PAT rule you set up for Internet access, traffic from the VPN client (10.3.3.10) to the SMTP server (10.1.1.6) will be...

Page 77

 
Figure 3-22 Identity NAT for VPN Clients
See the following sample NAT configuration for the above network:
! Enable hairpin for non-split-tunneled VPN client traffic:
same-security-traffic permit intra-interface
! Identify local VPN network, & perform object interface PAT when going to Internet:
object network vpn_local
subnet 10.3.3.0 255.255.255.0
nat (outside,outside)...

Page 78

Figure 3-23 Interface PAT and Identity NAT for Site-to-Site VPN
Figure 3-24 shows a VPN client connected to ASA1 (Boulder), with a Telnet request for a server (10.2.2.78) accessible over a site-to-site tunnel between ASA1 and ASA2 (San Jose). Because this is a hairpin connection, you need to enable intra-interface communication, which is also required for...

Page 79

object network vpn_local
subnet 10.3.3.0 255.255.255.0
nat (outside,outside) dynamic interface
! Identify inside Boulder network, & perform object interface PAT when going to Internet:
object network boulder_inside
subnet 10.1.1.0 255.255.255.0
nat (inside,outside) dynamic interface
! Identify inside San Jose network for use in twice NAT rule:
object network sanjose_inside...

Page 80

Figure 3-25 shows a VPN client Telnetting to the ASA inside interface. When you use a management-access interface, and you configure identity NAT according to the “NAT and Remote Access VPN” or “NAT and Site-to-Site VPN” section, you must configure NAT with the route lookup option. Without route lookup, the ASA sends traffic out the interface specified in the NAT command,...