Cisco ASDM 7 User Guide
4-15 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 4 Configuring Network Object NAT (ASA 8.3 and Later) Configuring Network Object NAT

Step 9 Click OK, and then Apply.
Because static rules are bidirectional (allowing initiation to and from the real host), the NAT Rules table shows two rows for each static rule, one for each direction.

Configuring Identity NAT

This section describes how to configure an identity NAT rule using network object NAT. For more information, see the “Identity NAT” section on page 3-12.

Detailed Steps

Step 1 Add NAT to a new or existing network object:
To add a new network object, choose Configuration > Firewall > NAT Rules, then click Add > Add Network Object NAT Rule.
To add NAT to an existing network object, choose Configuration > Firewall > Objects > Network Objects/Groups, and then double-click a network object. For more information, see the “Configuring a Network Object” section on page 20-3 in the general operations configuration guide.
The Add/Edit Network Object dialog box appears.

Step 2 For a new object, enter values for the following fields:
a. Name—The object name. Use characters a to z, A to Z, 0 to 9, a period, a dash, a comma, or an underscore. The name must be 64 characters or less.
b. Type—Network, Host, or Range.
c. IP Address—An IPv4 or IPv6 address. If you select Range as the object type, the IP Address field changes to allow you to enter a Start Address and an End Address.
d. Netmask/Prefix Length—Enter the subnet mask or prefix length.
e. Description—(Optional) The description of the network object (up to 200 characters in length).

Step 3 If the NAT section is hidden, click NAT to expand the section.

Step 4 Check the Add Automatic Translation Rules check box.

Step 5 From the Type drop-down list, choose Static.
Step 6 In the Translated Addr. field, do one of the following:
Type the same IP address that you used for the real address.
Click the browse button, and choose a network object with a matching IP address definition from the Browse Translated Addr dialog box.
Click the browse button, and create a new network object with a matching IP address definition from the Browse Translated Addr dialog box.

Step 7 (Optional) Click Advanced, and configure the following options in the Advanced NAT Settings dialog box.
Disable Proxy ARP on egress interface—Disables proxy ARP for incoming packets to the mapped IP addresses. See the “Mapped Addresses and Routing” section on page 3-22 for more information.
(Routed mode; interface(s) specified) Lookup route table to locate egress interface—Determines the egress interface using a route lookup instead of using the interface specified in the NAT command. See the “Determining the Egress Interface” section on page 3-24 for more information.
(Required for Transparent Firewall Mode) Interface:
–Source Interface—Specifies the real interface where this NAT rule applies. By default, the rule applies to all interfaces.
–Destination Interface—Specifies the mapped interface where this NAT rule applies. By default, the rule applies to all interfaces.
Do not configure any other options on this dialog box. When you are finished, click OK. You return to the Add/Edit Network Object dialog box.

Step 8 Click OK, and then Apply.
Because static rules are bidirectional (allowing initiation to and from the real host), the NAT Rules table shows two rows for each static rule, one for each direction.
Configuring Per-Session PAT Rules

By default, all TCP PAT traffic and all UDP DNS traffic uses per-session PAT. To use multi-session PAT for traffic, you can configure per-session PAT rules: a permit rule uses per-session PAT, and a deny rule uses multi-session PAT. For more information about per-session vs. multi-session PAT, see the “Per-Session PAT vs. Multi-Session PAT (Version 9.0(1) and Later)” section on page 3-11.

Defaults

By default, the following rules are installed:
Permit TCP from any (IPv4 and IPv6) to any (IPv4 and IPv6)
Permit UDP from any (IPv4 and IPv6) to domain
These rules do not appear in the rule table.

Note You cannot remove these rules, and they always exist after any manually-created rules. Because rules are evaluated in order, you can override the default rules. For example, to completely negate these rules, you could add the following:
Deny TCP from any (IPv4 and IPv6) to any (IPv4 and IPv6)
Deny UDP from any (IPv4 and IPv6) to domain

Detailed Steps

Step 1 Choose Configuration > Firewall > Advanced > Per-Session NAT Rules, and click Add > Add Per-Session NAT Rule.

Step 2 Click Permit or Deny.
A permit rule uses per-session PAT; a deny rule uses multi-session PAT.

Step 3 Specify the Source Address either by typing an address or clicking the ... button to choose an object.

Step 4 Specify the Source Service, UDP or TCP. You can optionally specify a source port, although normally you only specify the destination port. Either type in UDP/port or TCP/port, or click the ... button to select a common value or object.

Step 5 Specify the Destination Address either by typing an address or clicking the ... button to choose an object.

Step 6 Specify the Destination Service, UDP or TCP; this must match the source service. You can optionally specify a destination port. Either type in UDP/port or TCP/port, or click the ... button to select a common value or object.

Step 7 Click OK.

Step 8 Click Apply.

Monitoring Network Object NAT

The Monitoring > Properties > Connection Graphs > Xlates pane lets you view the active Network Address Translations in a graphical format. You can choose up to four types of statistics to show in one graph window. You can open multiple graph windows at the same time.

Fields
Available Graphs—Lists the components you can graph.
–Xlate Utilization—Displays the ASA NAT utilization.
Graph Window Title—Shows the graph window name to which you want to add a graph type. To use an existing window title, select one from the drop-down list. To display graphs in a new window, enter a new window title.
Add—Click to move the selected entries in the Available Graphs list to the Selected Graphs list.
Remove—Click to remove the selected entry from the Selected Graphs list.
Show Graphs—Click to display a new or updated graph window.
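As an added illustration of the per-session PAT rule order described in the Configuring Per-Session PAT Rules section above (this is not code from the guide), the following Python model evaluates a flow against user-created rules first and the two built-in rules last. Treating a flow that matches no rule at all as multi-session PAT is an assumption of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed model of per-session PAT rule evaluation (an added example, not
# ASA code). A permit rule selects per-session PAT, a deny rule selects
# multi-session PAT. The two built-in rules sit after every user rule, so user
# rules can override them; a flow matching no rule is treated as multi-session.


@dataclass
class PerSessionRule:
    action: str                     # "permit" (per-session) or "deny" (multi-session)
    proto: str                      # "tcp" or "udp"
    src: str                        # "any" or a network in CIDR notation
    dst: str                        # "any" or a network in CIDR notation
    dst_port: Optional[int] = None  # None matches any destination port


# The built-in rules from the Defaults section; "domain" is UDP port 53.
DEFAULT_RULES = [
    PerSessionRule("permit", "tcp", "any", "any"),
    PerSessionRule("permit", "udp", "any", "any", 53),
]

# The override the section suggests for negating both defaults completely.
NEGATE_DEFAULTS = [
    PerSessionRule("deny", "tcp", "any", "any"),
    PerSessionRule("deny", "udp", "any", "any", 53),
]


def _addr_matches(spec: str, addr: str) -> bool:
    # "any" covers IPv4 and IPv6; an IPv4 network never contains an IPv6 address.
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def pat_mode(user_rules: List[PerSessionRule], proto: str,
             src: str, dst: str, dst_port: int) -> str:
    """Return "per-session" or "multi-session" for a flow; first match wins."""
    for rule in user_rules + DEFAULT_RULES:   # user rules first, built-ins last
        if (rule.proto == proto
                and _addr_matches(rule.src, src)
                and _addr_matches(rule.dst, dst)
                and rule.dst_port in (None, dst_port)):
            return "per-session" if rule.action == "permit" else "multi-session"
    return "multi-session"
```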
The Monitoring > Properties > Connection Graphs > Perfmon pane lets you view the performance information in a graphical format. You can choose up to four types of statistics to show in one graph window. You can open multiple graph windows at the same time.

Fields
Available Graphs—Lists the components you can graph.
–AAA Perfmon—Displays the ASA AAA performance information.
–Inspection Perfmon—Displays the ASA inspection performance information.
–Web Perfmon—Displays the ASA web performance information, including URL access and URL server requests.
–Connections Perfmon—Displays the ASA connections performance information.
–Xlate Perfmon—Displays the ASA NAT performance information.
Graph Window Title—Shows the graph window name to which you want to add a graph type. To use an existing window title, select one from the drop-down list. To display graphs in a new window, enter a new window title.
Add—Click to move the selected entries in the Available Graphs list to the Selected Graphs list.
Remove—Click to remove the selected statistic type from the Selected Graphs list.
Show Graphs—Click to display a new or updated graph window.
Configuration Examples for Network Object NAT

This section includes the following configuration examples:
Providing Access to an Inside Web Server (Static NAT), page 4-21
NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT), page 4-23
Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many), page 4-28
Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation), page 4-32
DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS Modification), page 4-35
DNS Server and FTP Server on Mapped Interface, FTP Server is Translated (Static NAT with DNS Modification), page 4-38
IPv4 DNS Server and FTP Server on Mapped Interface, IPv6 Host on Real Interface (Static NAT64 with DNS64 Modification), page 4-40
Providing Access to an Inside Web Server (Static NAT)

The following example performs static NAT for an inside web server. The real address is on a private network, so a public address is required. Static NAT is necessary so hosts can initiate traffic to the web server at a fixed address. (See Figure 4-1.)

Figure 4-1 Static NAT for an Inside Web Server (figure not reproduced: Inside interface 10.1.2.1, Outside interface 209.165.201.1; the web server myWebServ at real address 10.1.2.27 is translated to mapped address 209.165.201.10, and traffic from the outside to 209.165.201.10 is undone to 10.1.2.27)

Step 1 Create a network object for the internal web server:

Step 2 Define the web server address:
Step 3 Configure static NAT for the object:

Step 4 Configure the real and mapped interfaces by clicking Advanced:
Step 5 Click OK to return to the Edit Network Object dialog box, click OK again, and then click Apply.

NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT)

The following example configures dynamic NAT for inside users on a private network when they access the outside. Also, when inside users connect to an outside web server, that web server address is translated to an address that appears to be on the inside network. (See Figure 4-2.)
Figure 4-2 Dynamic NAT for Inside, Static NAT for Outside Web Server (figure not reproduced: Inside interface 10.1.2.1, Outside interface 209.165.201.1; the inside network myInsNet 10.1.2.0/24 is translated dynamically, for example inside host 10.1.2.10 to 209.165.201.20; the outside Web Server 209.165.201.12 appears on the inside as 10.1.2.20, with that translation undone for traffic sent to 10.1.2.20)

Step 1 Create a network object for the inside network:

Step 2 Define the addresses for the inside network:
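The following Python model is added here and is not code from the guide. It puts the addresses of Figures 4-1 and 4-2 together with an identity NAT rule like the one configured in the Configuring Identity NAT steps above, and shows the behaviour those sections describe: a static rule translating the source of outbound flows and undoing the translation on the destination of inbound flows, a dynamic rule handing out pool addresses, and an identity rule leaving the address unchanged. The dynamic pool 209.165.201.20/30, the identity NAT host 10.1.2.5, the object names other than myWebServ and myInsNet, and the first-match ordering are assumptions of the model.

```python
import ipaddress

# Constructed model of the network object NAT rules in this chapter (an added
# example, not ASA code). A static rule is bidirectional: it rewrites the source
# of a flow entering on the real interface and undoes the translation on the
# destination of a flow entering on the mapped interface ("Undo Translation" in
# Figures 4-1 and 4-2). A dynamic rule translates only flows the real side starts.

def make_rule(name, real, mapped, kind, real_if="inside", mapped_if="outside"):
    return {"name": name, "kind": kind, "real_if": real_if, "mapped_if": mapped_if,
            "real": ipaddress.ip_network(real), "mapped": ipaddress.ip_network(mapped),
            "xlates": {}}  # dynamic rules remember which real host holds which pool address

# Addresses come from Figures 4-1 and 4-2; the /30 dynamic pool and the identity
# NAT host idHost (mapped equals real) are constructed. First matching rule wins.
RULES = [
    make_rule("myWebServ", "10.1.2.27/32", "209.165.201.10/32", "static"),
    make_rule("outsideWeb", "209.165.201.12/32", "10.1.2.20/32", "static",
              real_if="outside", mapped_if="inside"),
    make_rule("idHost", "10.1.2.5/32", "10.1.2.5/32", "static"),       # identity NAT
    make_rule("myInsNet", "10.1.2.0/24", "209.165.201.20/30", "dynamic"),
]

def _shift(addr, src_net, dst_net):
    """Move an address between networks keeping its host offset (identity: no change)."""
    return dst_net.network_address + (int(addr) - int(src_net.network_address))

def translate(src, dst, ingress_if, rules=RULES):
    """Translate a flow's source and untranslate its destination independently.
    Returns (src, dst, rule names used), or None if a dynamic pool is exhausted."""
    src, dst, used = ipaddress.ip_address(src), ipaddress.ip_address(dst), []
    for r in rules:                                    # real -> mapped on the source
        if ingress_if == r["real_if"] and src in r["real"]:
            if r["kind"] == "static":
                src = _shift(src, r["real"], r["mapped"])
            else:
                pool = list(r["mapped"])
                if src not in r["xlates"]:
                    if len(r["xlates"]) == len(pool):
                        return None                    # no free mapped address
                    r["xlates"][src] = pool[len(r["xlates"])]
                src = r["xlates"][src]
            used.append(r["name"])
            break
    for r in rules:                                    # undo translation on the destination
        if r["kind"] == "static" and ingress_if == r["mapped_if"] and dst in r["mapped"]:
            dst = _shift(dst, r["mapped"], r["real"])
            used.append(r["name"])
            break
    return str(src), str(dst), used
```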