Cisco Asdm 7 User Guide

5-15
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 5      Configuring Twice NAT (ASA 8.3 and Later)
Configuring Twice NAT
Step 5 Choose Dynamic PAT (Hide) from the Match Criteria: Translated Packet > Source NAT Type drop-down list.
This setting only applies to the source address; the destination translation is always static.
Note: To configure dynamic PAT using a PAT pool, choose Dynamic instead of Dynamic PAT (Hide); see the “Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool” section on page 5-4.
Step 6 Identify the translated packet addresses, either IPv4 or IPv6; namely, the packet addresses as they appear on the destination interface network (the mapped source address and the real destination address). You can translate between IPv4 and IPv6 if desired. See the following figure for an example of the original packet vs. the translated packet.
a. For the Match Criteria: Translated Packet > Source Address, click the browse button and choose an existing network object or interface or create a new object from the Browse Translated Source Address dialog box.
If you want to use the IPv6 address of the interface, check the Use IPv6 for interface PAT check box.
b. For the Match Criteria: Translated Packet > Destination Address, click the browse button and choose an existing network object or group or create a new object or group from the Browse Translated Destination Address dialog box. The group cannot contain both IPv4 and IPv6 addresses; it must contain one type only.
For identity NAT for the destination address, simply use the same object or group for both the real and mapped addresses.
If you want to translate the destination address, then the static mapping is typically one-to-one, so the real addresses have the same quantity as the mapped addresses. You can, however, have different quantities if desired. For more information, see the “Static NAT” section on page 3-3. See the “Guidelines and Limitations” section on page 5-2 for information about disallowed mapped IP addresses.
For static interface NAT with port translation only, choose an interface from the Browse dialog box. Be sure to also configure a service translation (see Step 7). For this option, you must configure a specific interface for the Source Interface in Step 2. See the “Static Interface NAT with Port Translation” section on page 3-6 for more information.
Step 7 (Optional) Identify the translated packet port (the real destination port). For the Match Criteria: Translated Packet > Service, click the browse button and choose an existing TCP or UDP service object from the Browse Translated Service dialog box.
[Figure: original packet vs. translated packet. Source: Real 192.168.1.1, Mapped 10.1.1.1. Destination: Real 10.1.2.2, Mapped 192.168.2.2. Interfaces: Inside, Outside. Flows: 10.1.2.2 ---> 10.1.1.1; 192.168.2.2 ---> 192.168.1.1.]
You can also create a new service object from the Browse Translated Service dialog box and use this object as the mapped destination port.
Dynamic PAT does not support additional port translation. However, because the destination translation is always static, you can perform port translation for the destination port. A service object can contain both a source and destination port, but only the destination port is used in this case. If you specify the source port, it will be ignored. NAT only supports TCP or UDP. When translating a port, be sure the protocols in the real and mapped service objects are identical (both TCP or both UDP). For identity NAT, you can use the same service object for both the real and mapped ports. The “not equal” (!=) operator is not supported.
Step 8 (Optional) Configure NAT options in the Options area.
a. Enable rule—Enables this NAT rule. The rule is enabled by default.
b. (For a source-only rule) Translate DNS replies that match this rule—Rewrites the DNS A record in DNS replies. Be sure DNS inspection is enabled (it is enabled by default). You cannot configure DNS modification if you configure a destination address. See the “DNS and NAT” section on page 3-31 for more information.
c. Description—Adds a description about the rule up to 200 characters in length.
Step 9 Click OK.
Configuring Static NAT or Static NAT-with-Port-Translation
This section describes how to configure a static NAT rule using twice NAT. For more information about static NAT, see the “Static NAT” section on page 3-3.
Detailed Steps
To configure static NAT, perform the following steps:
Step 1 Choose Configuration > Firewall > NAT Rules, and then click Add.
If you want to add this rule to section 3 after the network object rules, then click the down arrow next to Add, and choose Add NAT Rule After Network Object NAT Rules.
The Add NAT Rule dialog box appears.
Step 2 Set the source and destination interfaces.
By default in routed mode, both interfaces are set to --Any--. In transparent firewall mode, you must set specific interfaces.
a. From the Match Criteria: Original Packet > Source Interface drop-down list, choose the source interface.
b. From the Match Criteria: Original Packet > Destination Interface drop-down list, choose the destination interface.
Step 3 Identify the original packet addresses, either IPv4 or IPv6; namely, the packet addresses as they appear on the source interface network (the real source address and the mapped destination address). See the following figure for an example of the original packet vs. the translated packet.
a. For the Match Criteria: Original Packet > Source Address, click the browse button and choose an existing network object or group or create a new object or group from the Browse Original Source Address dialog box. The group cannot contain both IPv4 and IPv6 addresses; it must contain one type only. The default is any, but do not use this option except for identity NAT. See the “Configuring Identity NAT” section on page 5-24 for more information.
b. (Optional) For the Match Criteria: Original Packet > Destination Address, click the browse button and choose an existing network object or group or create a new object or group from the Browse Original Destination Address dialog box.
Although the main feature of twice NAT is the inclusion of the destination IP address, the destination address is optional. If you do specify the destination address, you can configure static translation for that address or just use identity NAT for it. You might want to configure twice NAT without a destination address to take advantage of some of the other qualities of twice NAT, including the use of network object groups for real addresses, or manual ordering of rules. For more information, see the “Main Differences Between Network Object NAT and Twice NAT” section on page 3-15.
Step 4 (Optional) Identify the original packet source or destination port (the real source port or the mapped destination port). For the Match Criteria: Original Packet > Service, click the browse button and choose an existing TCP or UDP service object or create a new object from the Browse Original Service dialog box.
A service object can contain both a source and destination port. You should specify either the source or the destination port for both the real and mapped service objects. You should only specify both the source and destination ports if your application uses a fixed source port (such as some DNS servers); but fixed source ports are rare. In the rare case where you specify both the source and destination ports in the object, the original packet service object contains the real source port/mapped destination port; the translated packet service object contains the mapped source port/real destination port. NAT only supports TCP or UDP. When translating a port, be sure the protocols in the real and mapped service objects are identical (both TCP or both UDP). For identity NAT, you can use the same service object for both the real and mapped ports. The “not equal” (!=) operator is not supported.
[Figure: original packet vs. translated packet. Source: Real 192.168.1.1, Mapped 10.1.1.1. Destination: Real 10.1.2.2, Mapped 192.168.2.2. Interfaces: Inside, Outside. Flows: 10.1.2.2 ---> 10.1.1.1; 192.168.2.2 ---> 192.168.1.1.]
Step 5 Choose Static from the Match Criteria: Translated Packet > Source NAT Type drop-down list. Static is the default setting.
This setting only applies to the source address; the destination translation is always static.
Step 6 Identify the translated packet addresses, either IPv4 or IPv6; namely, the packet addresses as they appear on the destination interface network (the mapped source address and the real destination address). You can translate between IPv4 and IPv6 if desired. See the following figure for an example of the original packet vs. the translated packet.
a. For the Match Criteria: Translated Packet > Source Address, click the browse button and choose an existing network object or group or create a new object or group from the Browse Translated Source Address dialog box.
[Figure: original packet vs. translated packet. Source: Real 192.168.1.1, Mapped 10.1.1.1. Destination: Real 10.1.2.2, Mapped 192.168.2.2. Interfaces: Inside, Outside. Flows: 10.1.2.2 ---> 10.1.1.1; 192.168.2.2 ---> 192.168.1.1.]
For static NAT, the mapping is typically one-to-one, so the real addresses have the same quantity as the mapped addresses. You can, however, have different quantities if desired.
For static interface NAT with port translation, you can specify the interface instead of a network object/group for the mapped address. If you want to use the IPv6 address of the interface, check the Use IPv6 for interface PAT check box.
For more information, see the “Static Interface NAT with Port Translation” section on page 3-6. See the “Guidelines and Limitations” section on page 5-2 for information about disallowed mapped IP addresses.
b. For the Match Criteria: Translated Packet > Destination Address, click the browse button and choose an existing network object, group, or interface or create a new object or group from the Browse Translated Destination Address dialog box.
For static NAT, the mapping is typically one-to-one, so the real addresses have the same quantity as the mapped addresses. You can, however, have different quantities if desired.
For static interface NAT with port translation, you can specify the interface instead of a network object/group for the mapped address. For more information, see the “Static Interface NAT with Port Translation” section on page 3-6. See the “Guidelines and Limitations” section on page 5-2 for information about disallowed mapped IP addresses.
Step 7 (Optional) Identify the translated packet source or destination port (the mapped source port or the real destination port). For the Match Criteria: Translated Packet > Service, click the browse button and choose an existing TCP or UDP service object or create a new object from the Browse Translated Service dialog box.
A service object can contain both a source and destination port. You should specify either the source or the destination port for both real and mapped service objects. You should only specify both the source and destination ports if your application uses a fixed source port (such as some DNS servers); but fixed source ports are rare. In the rare case where you specify both the source and destination ports in the object, the original packet service object contains the real source port/mapped destination port; the translated packet service object contains the mapped source port/real destination port. NAT only supports TCP or UDP. When translating a port, be sure the protocols in the real and mapped service objects are identical (both TCP or both UDP). For identity NAT, you can use the same service object for both the real and mapped ports. The “not equal” (!=) operator is not supported.
Step 8 (Optional) For NAT46, check the Use one-to-one address translation check box. For NAT46, specify one-to-one to translate the first IPv4 address to the first IPv6 address, the second to the second, and so on. Without this option, the IPv4-embedded method is used. For a one-to-one translation, you must select this option.
Step 9 (Optional) Configure NAT options in the Options area.
a. Enable rule—Enables this NAT rule. The rule is enabled by default.
b. (For a source-only rule) Translate DNS replies that match this rule—Rewrites the DNS A record in DNS replies. Be sure DNS inspection is enabled (it is enabled by default). You cannot configure DNS modification if you configure a destination address. See the “DNS and NAT” section on page 3-31 for more information.
c. Disable Proxy ARP on egress interface—Disables proxy ARP for incoming packets to the mapped IP addresses. See the “Mapped Addresses and Routing” section on page 3-22 for more information.
d. Direction—To make the rule unidirectional, choose Unidirectional. The default is Both. Making the rule unidirectional prevents traffic from initiating connections to the real addresses.
e. Description—Adds a description about the rule up to 200 characters in length.
Step 10 Click OK.
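As an added illustration, not code from the guide or from Cisco, the following Python model shows how a static twice NAT rule built in the steps above treats a packet: it matches the original packet (real source, mapped destination, mapped destination port), produces the translated packet (mapped source, real destination, real destination port), treats a destination object reused as both real and mapped as identity NAT, and rejects any protocol other than TCP or UDP. The Packet, TwiceNatRule and translate names are invented for the model, which assumes equal-size real and mapped objects and a single protocol per service object.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"  # NAT only supports TCP or UDP
    dport: int = 0

@dataclass(frozen=True)
class TwiceNatRule:
    # Original packet = real source -> mapped destination (as seen on the source
    # interface); translated packet = mapped source -> real destination.
    real_src: str
    mapped_src: str
    mapped_dst: Optional[str] = None  # optional; same object as real_dst = identity NAT
    real_dst: Optional[str] = None    # destination translation is always static
    proto: Optional[str] = None       # service object: only the destination port is used
    mapped_dport: Optional[int] = None
    real_dport: Optional[int] = None

    def __post_init__(self):
        if self.proto not in (None, "tcp", "udp"):
            raise ValueError("NAT only supports TCP or UDP")

def _map_addr(addr: str, from_obj: str, to_obj: str) -> Optional[str]:
    # One-to-one static mapping: n-th address of from_obj -> n-th address of to_obj.
    ip, src_net, dst_net = ipaddress.ip_address(addr), ipaddress.ip_network(from_obj), ipaddress.ip_network(to_obj)
    if ip not in src_net:
        return None
    if src_net.num_addresses != dst_net.num_addresses:  # modelling assumption: equal sizes
        raise ValueError("this model only maps equal-size real/mapped objects")
    return str(dst_net[int(ip) - int(src_net.network_address)])

def translate(rule: TwiceNatRule, pkt: Packet) -> Optional[Packet]:  # None = no match
    new_src = _map_addr(pkt.src, rule.real_src, rule.mapped_src)
    if new_src is None:
        return None
    new_dst, new_dport = pkt.dst, pkt.dport
    if rule.mapped_dst is not None:  # the original packet carries the *mapped* destination
        new_dst = _map_addr(pkt.dst, rule.mapped_dst, rule.real_dst)
        if new_dst is None:
            return None
    if rule.proto is not None:  # real and mapped service objects share one protocol
        if pkt.proto != rule.proto or pkt.dport != rule.mapped_dport:
            return None
        new_dport = rule.real_dport
    return Packet(new_src, new_dst, pkt.proto, new_dport)
```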
Configuring Identity NAT
This section describes how to configure an identity NAT rule using twice NAT. For more information about identity NAT, see the “Identity NAT” section on page 3-12.
Detailed Steps
To configure identity NAT, perform the following steps:
Step 1 Choose Configuration > Firewall > NAT Rules, and then click Add.
If you want to add this rule to section 3 after the network object rules, then click the down arrow next to Add, and choose Add NAT Rule After Network Object NAT Rules.
The Add NAT Rule dialog box appears.