Cisco Asdm 7 User Guide

4-5
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 4  Configuring Network Object NAT (ASA 8.3 and Later)
Configuring Network Object NAT

Round robin, especially when combined with extended PAT, can consume a large amount of memory. Because NAT pools are created for every mapped protocol/IP address/port range, round robin results in a large number of concurrent NAT pools, which use memory. Extended PAT results in an even larger number of concurrent NAT pools.

Detailed Steps

Step 1  Add NAT to a new or existing network object:
• To add a new network object, choose Configuration > Firewall > NAT Rules, then click Add > Add Network Object NAT Rule.
• To add NAT to an existing network object, choose Configuration > Firewall > Objects > Network Objects/Groups, and then double-click a network object.
For more information, see the “Configuring a Network Object” section on page 20-3 in the general operations configuration guide.
The Add/Edit Network Object dialog box appears.

Step 2  For a new object, enter values for the following fields:
a. Name—The object name. Use characters a to z, A to Z, 0 to 9, a period, a dash, a comma, or an underscore. The name must be 64 characters or less.
b. Type—Host, Network, or Range.
c. IP Address—An IPv4 or IPv6 address. If you select Range as the object type, the IP Address field changes to allow you to enter a Start Address and an End Address.
d. Netmask/Prefix Length—Enter the subnet mask or prefix length.
e. Description—(Optional) The description of the network object (up to 200 characters in length).

Step 3  If the NAT section is hidden, click NAT to expand the section.
Step 4  Check the Add Automatic Translation Rules check box.

Step 5  From the Type drop-down list, choose Dynamic. Choose Dynamic even if you are configuring dynamic PAT with a PAT pool.

Step 6  Configure either dynamic NAT, or dynamic PAT with a PAT pool:
• Dynamic NAT—To the right of the Translated Addr field, click the browse button and choose an existing network object or create a new object from the Browse Translated Addr dialog box.
Note: The object or group cannot contain a subnet. The group cannot contain both IPv4 and IPv6 addresses; it must contain one type only.
• Dynamic PAT using a PAT pool—Enable a PAT pool:
a. Do not enter a value for the Translated Addr. field; leave it blank.
b. Check the PAT Pool Translated Address check box, then click the browse button and choose an existing network object or create a new network object from the Browse Translated PAT Pool Address dialog box.
Note: The PAT pool object or group cannot contain a subnet. The group cannot contain both IPv4 and IPv6 addresses; it must contain one type only.
c. (Optional) Check the Round Robin check box to assign addresses/ports in a round-robin fashion. By default without round robin, all ports for a PAT address will be allocated before the next PAT address is used. The round-robin method assigns one address/port from each PAT address in the pool before returning to use the first address again, and then the second address, and so on.
d. (Optional, 8.4(3) and later, not including 8.5(1) or 8.6(1)) Check the Extend PAT uniqueness to per destination instead of per interface check box to use extended PAT. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information. Normally, the destination port and address are not considered when creating PAT translations, so you are limited to 65535 ports per PAT address. For example, with extended PAT, you can create a translation of 10.1.1.1:1027 when going to 192.168.1.7:23 as well as a translation of 10.1.1.1:1027 when going to 192.168.1.7:80.
e. (Optional, 8.4(3) and later, not including 8.5(1) or 8.6(1)) Check the Translate TCP or UDP ports into flat range (1024-65535) check box to use the 1024 to 65535 port range as a single flat range when allocating ports. When choosing the mapped port number for a translation, the ASA uses the real source port number if it is available. However, without this option, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 1 to 511, 512 to 1023, and 1024 to 65535. To avoid running out of ports at the low ranges, configure this setting. To use the entire range of 1 to 65535, also check the Include range 1 to 1023 check box.

Step 7  (Optional, Routed Mode Only) To use the interface IP address as a backup method when the other mapped addresses are already allocated, check the Fall through to interface PAT (dest intf) check box, and choose the interface from the drop-down list. To use the IPv6 address of the interface, also check the Use IPv6 for interface PAT checkbox.
Step 8  (Optional) Click Advanced, and configure the following options in the Advanced NAT Settings dialog box.
• Translate DNS replies for rule—Translates the IP address in DNS replies. Be sure DNS inspection is enabled (it is enabled by default). See the “DNS and NAT” section on page 3-31 for more information.
• (Required for Transparent Firewall Mode) Source Interface—Specifies the real interface where this NAT rule applies. By default, the rule applies to all interfaces.
• (Required for Transparent Firewall Mode) Destination Interface—Specifies the mapped interface where this NAT rule applies. By default, the rule applies to all interfaces.
When you are finished, click OK. You return to the Add/Edit Network Object dialog box.

Step 9  Click OK, and then Apply.
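The PAT pool options in Step 6c through 6e, worked through as a simplified model added here (not Cisco's code and not the ASA's actual allocator): it shows why the default per-range port selection runs out of low ports, how round robin spreads allocations across pool addresses, and how extended PAT lets one mapped address:port serve several destinations. The pool addresses and destinations are constructed sample values, except the 10.1.1.1:1027 to 192.168.1.7 pairs, which are the ones from the extended PAT description above.

```python
"""Simplified model of the PAT pool options in Step 6 (constructed example,
not the ASA's implementation). Shows why the defaults exhaust low port
ranges, how round robin spreads load, and what extended PAT makes unique."""
from dataclasses import dataclass, field

# Without the flat range, a mapped port is picked from the same range as the real port.
DEFAULT_RANGES = [(1, 511), (512, 1023), (1024, 65535)]


@dataclass
class PatPool:
    addresses: list                     # mapped addresses in the pool (sample values)
    round_robin: bool = False           # "Round Robin" check box
    extended: bool = False              # "Extend PAT uniqueness to per destination"
    flat_range: bool = False            # "Translate TCP or UDP ports into flat range"
    include_low: bool = False           # "Include range 1 to 1023"
    _used: set = field(default_factory=set)
    _next_addr: int = 0

    def _key(self, addr, port, dest):
        # Extended PAT adds the destination to the uniqueness key, so the same
        # mapped addr:port can be reused toward a different destination.
        return (addr, port, dest) if self.extended else (addr, port)

    def _candidate_ports(self, real_port):
        yield real_port                 # the ASA prefers the real source port
        if self.flat_range:
            ranges = [(1 if self.include_low else 1024, 65535)]
        else:
            ranges = [r for r in DEFAULT_RANGES if r[0] <= real_port <= r[1]]
        for lo, hi in ranges:
            yield from range(lo, hi + 1)

    def translate(self, real_port, dest):
        """Return the (mapped_addr, mapped_port) chosen for a new connection."""
        order = list(range(len(self.addresses)))
        if self.round_robin:            # resume at the next address, not the first
            order = order[self._next_addr:] + order[:self._next_addr]
        for i in order:
            addr = self.addresses[i]
            for port in self._candidate_ports(real_port):
                key = self._key(addr, port, dest)
                if key not in self._used:
                    self._used.add(key)
                    self._next_addr = (i + 1) % len(self.addresses)
                    return addr, port
        raise RuntimeError("PAT pool exhausted for real port %d" % real_port)
```

With a single pool address and the flat range off, a real source port in the 1 to 511 range can only be remapped within that range, so the 512th connection from that port fails even though ports above 1023 are free; enabling the flat range moves the overflow into 1024 to 65535.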
Configuring Dynamic PAT (Hide)

This section describes how to configure network object NAT for dynamic PAT (hide). For dynamic PAT using a PAT pool, see the “Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool” section on page 4-4 instead of using this section. For more information, see the “Dynamic PAT” section on page 3-10.

Detailed Steps

Step 1  Add NAT to a new or existing network object:
• To add a new network object, choose Configuration > Firewall > NAT Rules, then click Add > Add Network Object NAT Rule.
• To add NAT to an existing network object, choose Configuration > Firewall > Objects > Network Objects/Groups, and then double-click a network object.
For more information, see the “Configuring a Network Object” section on page 20-3 in the general operations configuration guide.
The Add/Edit Network Object dialog box appears.

Step 2  For a new object, enter values for the following fields:
a. Name—The object name. Use characters a to z, A to Z, 0 to 9, a period, a dash, a comma, or an underscore. The name must be 64 characters or less.
b. Type—Host, Network, or Range.
c. IP Address—An IPv4 or IPv6 address. If you select Range as the object type, the IP Address field changes to allow you to enter a Start Address and an End Address.
d. Netmask/Prefix Length—Enter the subnet mask or prefix length.
e. Description—(Optional) The description of the network object (up to 200 characters in length).

Step 3  If the NAT section is hidden, click NAT to expand the section.
Step 4  Check the Add Automatic Translation Rules check box.

Step 5  From the Type drop-down list, choose Dynamic PAT (Hide).
Note: To configure dynamic PAT using a PAT pool instead of a single address, see the “Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool” section on page 4-4.

Step 6  Specify a single mapped address. In the Translated Addr. field, specify the mapped IP address by doing one of the following:
• Type a host IP address.
• Type an interface name or click the browse button, and choose an interface from the Browse Translated Addr dialog box.
If you specify an interface name, then you enable interface PAT, where the specified interface IP address is used as the mapped address. To use the IPv6 interface address, you must also check the Use IPv6 for interface PAT checkbox. With interface PAT, the NAT rule only applies to the specified mapped interface. (If you do not use interface PAT, then the rule applies to all interfaces by default.) See Step 7 to optionally also configure the real interface to be a specific interface instead of --Any--.
Note: You cannot specify an interface in transparent mode.
• Click the browse button, and choose an existing host address from the Browse Translated Addr dialog box.
• Click the browse button, and create a new named object from the Browse Translated Addr dialog box.

Step 7  (Optional) Click Advanced, and configure the following options in the Advanced NAT Settings dialog box.
• Translate DNS replies for rule—Translates the IP address in DNS replies. Be sure DNS inspection is enabled (it is enabled by default). See the “DNS and NAT” section on page 3-31 for more information.
• (Required for Transparent Firewall Mode) Source Interface—Specifies the real interface where this NAT rule applies. By default, the rule applies to all interfaces.
• (Required for Transparent Firewall Mode) Destination Interface—Specifies the mapped interface where this NAT rule applies. By default, the rule applies to all interfaces.
When you are finished, click OK. You return to the Add/Edit Network Object dialog box.

Step 8  Click OK, and then Apply.

Configuring Static NAT or Static NAT-with-Port-Translation

This section describes how to configure a static NAT rule using network object NAT. For more information, see the “Static NAT” section on page 3-3.

Detailed Steps

Step 1  Add NAT to a new or existing network object:
• To add a new network object, choose Configuration > Firewall > NAT Rules, then click Add > Add Network Object NAT Rule.
• To add NAT to an existing network object, choose Configuration > Firewall > Objects > Network Objects/Groups, and then double-click a network object.
For more information, see the “Configuring a Network Object” section on page 20-3 in the general operations configuration guide.
The Add/Edit Network Object dialog box appears.

Step 2  For a new object, enter values for the following fields:
a. Name—The object name. Use characters a to z, A to Z, 0 to 9, a period, a dash, a comma, or an underscore. The name must be 64 characters or less.
b. Type—Network, Host, or Range.
c. IP Address—An IPv4 or IPv6 address. If you select Range as the object type, the IP Address field changes to allow you to enter a Start Address and an End Address.
d. Netmask/Prefix Length—Enter the subnet mask or prefix length.
e. Description—(Optional) The description of the network object (up to 200 characters in length).

Step 3  If the NAT section is hidden, click NAT to expand the section.
Step 4  Check the Add Automatic Translation Rules check box.

Step 5  From the Type drop-down list, choose Static.

Step 6  In the Translated Addr. field, do one of the following:
• Type an IP address.
When you type an IP address, the netmask or range for the mapped network is the same as that of the real network. For example, if the real network is a host, then this address will be a host address. In the case of a range, the mapped addresses include the same number of addresses as the real range. For example, if the real address is defined as a range from 10.1.1.1 through 10.1.1.6, and you specify 172.20.1.1 as the mapped address, then the mapped range will include 172.20.1.1 through 172.20.1.6.
• (For static NAT-with-port-translation only) Type an interface name or click the browse button, and choose an interface from the Browse Translated Addr dialog box.
To use the IPv6 interface address, you must also check the Use IPv6 for interface PAT checkbox. Be sure to also configure a service on the Advanced NAT Settings dialog box (see Step 8). (You cannot specify an interface in transparent mode.)
• Click the browse button, and choose an existing address from the Browse Translated Addr dialog box.
• Click the browse button, and create a new address from the Browse Translated Addr dialog box.
Typically, you configure the same number of mapped addresses as real addresses for a one-to-one mapping. You can, however, have a mismatched number of addresses. For more information, see the “Static NAT” section on page 3-3.

Step 7  (Optional) For NAT46, check Use one-to-one address translation. For NAT46, specify one-to-one to translate the first IPv4 address to the first IPv6 address, the second to the second, and so on. Without this option, the IPv4-embedded method is used. For a one-to-one translation, you must use this option.

Step 8  (Optional) Click Advanced, and configure the following options in the Advanced NAT Settings dialog box.
• Translate DNS replies for rule—Translates the IP address in DNS replies. Be sure DNS inspection is enabled (it is enabled by default). See the “DNS and NAT” section on page 3-31 for more information.
• Disable Proxy ARP on egress interface—Disables proxy ARP for incoming packets to the mapped IP addresses. See the “Mapped Addresses and Routing” section on page 3-22 for more information.
• (Required for Transparent Firewall Mode) Interface:
– Source Interface—Specifies the real interface where this NAT rule applies. By default, the rule applies to all interfaces.
– Destination Interface—Specifies the mapped interface where this NAT rule applies. By default, the rule applies to all interfaces.
• Service:
– Protocol—Configures static NAT-with-port-translation. Choose tcp or udp.
– Real Port—You can type either a port number or a well-known port name (such as “ftp”).
– Mapped Port—You can type either a port number or a well-known port name (such as “ftp”).
When you are finished, click OK. You return to the Add/Edit Network Object dialog box.