
Cisco Asdm 7 User Guide

5-25
Cisco ASA Series Firewall ASDM Configuration Guide

Chapter 5      Configuring Twice NAT (ASA 8.3 and Later)
Configuring Twice NAT
Step 2  Set the source and destination interfaces.
By default in routed mode, both interfaces are set to --Any--. In transparent firewall mode, you must set specific interfaces.
a. From the Match Criteria: Original Packet > Source Interface drop-down list, choose the source interface.
b. From the Match Criteria: Original Packet > Destination Interface drop-down list, choose the destination interface.
Step 3  Identify the original packet addresses, either IPv4 or IPv6; namely, the packet addresses as they appear on the source interface network (the real source address and the mapped destination address). See the following figure for an example of the original packet vs. the translated packet where you perform identity NAT on the inside host but translate the outside host.

a. For the Match Criteria: Original Packet > Source Address, click the browse button and choose an existing network object or group or create a new object or group from the Browse Original Source Address dialog box. The group cannot contain both IPv4 and IPv6 addresses; it must contain one type only. The default is any; only use this option when also setting the mapped address to any.
b. (Optional) For the Match Criteria: Original Packet > Destination Address, click the browse button and choose an existing network object or group or create a new object or group from the Browse Original Destination Address dialog box.
Although the main feature of twice NAT is the inclusion of the destination IP address, the destination address is optional. If you do specify the destination address, you can configure static translation for that address or just use identity NAT for it. You might want to configure twice NAT without a destination address to take advantage of some of the other qualities of twice NAT, including the use of network object groups for real addresses, or manual ordering of rules. For more information, see the “Main Differences Between Network Object NAT and Twice NAT” section on page 3-15.
Step 4  (Optional) Identify the original packet source or destination port (the real source port or the mapped destination port). For the Match Criteria: Original Packet > Service, click the browse button and choose an existing TCP or UDP service object or create a new object from the Browse Original Service dialog box.
A service object can contain both a source and destination port. You should specify either the source or the destination port for both service objects. You should only specify both the source and destination ports if your application uses a fixed source port (such as some DNS servers); but fixed source ports are rare. In the rare case where you specify both the source and destination ports in the object, the original packet service object contains the real source port/mapped destination port; the translated packet service object contains the mapped source port/real destination port. NAT only supports TCP or UDP. When translating a port, be sure the protocols in the real and mapped service objects are identical (both TCP or both UDP). For identity NAT, you can use the same service object for both the real and mapped ports. The “not equal” (!=) operator is not supported.
[Figure: original packet vs. translated packet. Inside host 10.1.2.2 (identity NAT); outside host real address 192.168.1.1, mapped address 10.1.1.1. Original packet (source ---> destination): 10.1.2.2 ---> 10.1.1.1. Translated packet: 10.1.2.2 ---> 192.168.1.1.]

Step 5  Choose Static from the Match Criteria: Translated Packet > Source NAT Type drop-down list. Static is the default setting.
This setting only applies to the source address; the destination translation is always static.
Step 6  Identify the translated packet addresses; namely, the packet addresses as they appear on the destination interface network (the mapped source address and the real destination address). See the following figure for an example of the original packet vs. the translated packet where you perform identity NAT on the inside host but translate the outside host.
a. For the Match Criteria: Translated Packet > Source Address, click the browse button and choose the same network object or group from the Browse Translated Source Address dialog box that you chose for the real source address. Use any if you specified any for the real address.
b. For the Match Criteria: Translated Packet > Destination Address, click the browse button and choose an existing network object, group, or interface or create a new object or group from the Browse Translated Destination Address dialog box.
[Figure (same as above): Inside host 10.1.2.2 (identity NAT); outside host real address 192.168.1.1, mapped address 10.1.1.1. Original packet: 10.1.2.2 ---> 10.1.1.1. Translated packet: 10.1.2.2 ---> 192.168.1.1.]

For identity NAT for the destination address, simply use the same object or group for both the real and mapped addresses.
If you want to translate the destination address, then the static mapping is typically one-to-one, so the real addresses have the same quantity as the mapped addresses. You can, however, have different quantities if desired. For more information, see the “Static NAT” section on page 3-3. See the “Guidelines and Limitations” section on page 5-2 for information about disallowed mapped IP addresses.
For static interface NAT with port translation only, choose an interface. If you specify an interface, be sure to also configure a service translation. For more information, see the “Static Interface NAT with Port Translation” section on page 3-6.
Step 7  (Optional) Identify the translated packet source or destination port (the mapped source port or the real destination port). For the Match Criteria: Translated Packet > Service, click the browse button and choose an existing TCP or UDP service object or create a new object from the Browse Translated Service dialog box.
A service object can contain both a source and destination port. You should specify either the source or the destination port for both service objects. You should only specify both the source and destination ports if your application uses a fixed source port (such as some DNS servers); but fixed source ports are rare. In the rare case where you specify both the source and destination ports in the object, the original packet service object contains the real source port/mapped destination port; the translated packet service object contains the mapped source port/real destination port. NAT only supports TCP or UDP. When translating a port, be sure the protocols in the real and mapped service objects are identical (both TCP or both UDP). For identity NAT, you can use the same service object for both the real and mapped ports. The “not equal” (!=) operator is not supported.
Step 8  (Optional) Configure NAT options in the Options area.

a. Enable rule—Enables this NAT rule. The rule is enabled by default.
b. Disable Proxy ARP on egress interface—Disables proxy ARP for incoming packets to the mapped IP addresses. See the “Mapped Addresses and Routing” section on page 3-22 for more information.
c. (Routed mode; interface(s) specified) Lookup route table to locate egress interface—Determines the egress interface using a route lookup instead of using the interface specified in the NAT command. See the “Determining the Egress Interface” section on page 3-24 for more information.
d. Direction—To make the rule unidirectional, choose Unidirectional. The default is Both. Making the rule unidirectional prevents traffic from initiating connections to the real addresses. You might want to use this setting for testing purposes.
e. Description—Adds a description about the rule up to 200 characters in length.
Note  Although the “Translate DNS replies that match this rule” check box is available if you do not configure a destination address, this option is not applicable to identity NAT because you are translating the address to itself, so the DNS reply does not need modification. See the “DNS and NAT” section on page 3-31 for more information.
Step 9  Click OK.
Configuring Per-Session PAT Rules
By default, all TCP PAT traffic and all UDP DNS traffic uses per-session PAT. To use multi-session PAT for traffic, you can configure per-session PAT rules: a permit rule uses per-session PAT, and a deny rule uses multi-session PAT. For more information about per-session vs. multi-session PAT, see the “Per-Session PAT vs. Multi-Session PAT (Version 9.0(1) and Later)” section on page 3-11.
Detailed Steps
To configure a per-session PAT rule, see the “Configuring Per-Session PAT Rules” section on page 4-18.
Monitoring Twice NAT
The Monitoring > Properties > Connection Graphs > Xlates pane lets you view the active Network Address Translations in a graphical format. You can choose up to four types of statistics to show in one graph window. You can open multiple graph windows at the same time.

Fields
Available Graphs—Lists the components you can graph.
–Xlate Utilization—Displays the ASA NAT utilization.
Graph Window Title—Shows the graph window name to which you want to add a graph type. To use an existing window title, select one from the drop-down list. To display graphs in a new window, enter a new window title.
Add—Click to move the selected entries in the Available Graphs list to the Selected Graphs list.
Remove—Click to remove the selected entry from the Selected Graphs list.
Show Graphs—Click to display a new or updated graph window.
The Monitoring > Properties > Connection Graphs > Perfmon pane lets you view the performance information in a graphical format. You can choose up to four types of statistics to show in one graph window. You can open multiple graph windows at the same time.
Fields
Available Graphs—Lists the components you can graph.
–AAA Perfmon—Displays the ASA AAA performance information.
–Inspection Perfmon—Displays the ASA inspection performance information.
–Web Perfmon—Displays the ASA web performance information, including URL access and URL server requests.
–Connections Perfmon—Displays the ASA connections performance information.
–Xlate Perfmon—Displays the ASA NAT performance information.
Graph Window Title—Shows the graph window name to which you want to add a graph type. To use an existing window title, select one from the drop-down list. To display graphs in a new window, enter a new window title.
Add—Click to move the selected entries in the Available Graphs list to the Selected Graphs list.
Remove—Click to remove the selected statistic type from the Selected Graphs list.
Show Graphs—Click to display a new or updated graph window.
Configuration Examples for Twice NAT
This section includes the following configuration examples:
Different Translation Depending on the Destination (Dynamic PAT), page 5-30
Different Translation Depending on the Destination Address and Port (Dynamic PAT), page 5-39
Different Translation Depending on the Destination (Dynamic PAT)
Figure 5-1 shows a host on the 10.1.2.0/24 network accessing two different servers. When the host accesses the server at 209.165.201.11, the real address is translated to 209.165.202.129:port. When the host accesses the server at 209.165.200.225, the real address is translated to 209.165.202.130:port.

Figure 5-1 Twice NAT with Different Destination Addresses
[Figure 5-1: Inside host 10.1.2.27 on the Inside network 10.1.2.0/24. Server 1 at 209.165.201.11 on DMZ network 209.165.201.0/27: a packet with Dest. Address 209.165.201.11 gets Translation 10.1.2.27 -> 209.165.202.129. Server 2 at 209.165.200.225 on DMZ network 209.165.200.224/27: a packet with Dest. Address 209.165.200.225 gets Translation 10.1.2.27 -> 209.165.202.130.]
Step 1  Add a NAT rule for traffic from the inside network to DMZ network 1:
By default, the NAT rule is added to the end of section 1. If you want to add a NAT rule to section 3, after the network object NAT rules, choose Add NAT Rule After Network Object NAT Rules.
The Add NAT Rule dialog box appears.

Step 2  Set the source and destination interfaces:
Step 3  For the Original Source Address, click the browse button to add a new network object for the inside network in the Browse Original Source Address dialog box.
a. Add the new network object.
b. Define the inside network addresses, and click OK.

c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.
Step 4  For the Original Destination Address, click the browse button to add a new network object for DMZ network 1 in the Browse Original Destination Address dialog box.
a. Add the new network object.
b. Define the DMZ network 1 addresses, and click OK.
c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.
Step 5  Set the NAT Type to Dynamic PAT (Hide):

Step 6  For the Translated Source Address, click the browse button to add a new network object for the PAT address in the Browse Translated Source Address dialog box.
a. Add the new network object.
b. Define the PAT address, and click OK.
c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.
Step 7  For the Translated Destination Address, type the name of the Original Destination Address (DMZnetwork1) or click the browse button to choose it.
Because you do not want to translate the destination address, you need to configure identity NAT for it by specifying the same address for the Original and Translated destination addresses.
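The matching logic behind Steps 3 through 7 of the twice NAT procedure and the Figure 5-1 example, as an added Python model that is not part of the Cisco guide: rules are checked in order, and the first rule whose source interface, original source and original destination all match decides both the mapped source (static, or dynamic PAT to a single address) and the real destination (identity NAT when the same object is used for both). The rule class, the offset-based static mapping, and the PAT port value 1024 are assumptions of this model rather than ASA behaviour; it covers only the original-packet direction and address matching, not service objects.

```python
import ipaddress

class TwiceNatRule:
    # One twice NAT rule as entered in ASDM (constructed model, not ASA code)
    def __init__(self, src_ifc, dst_ifc, orig_src, orig_dst, xlat_src, xlat_dst,
                 src_type="static"):
        self.src_ifc, self.dst_ifc = src_ifc, dst_ifc
        self.orig_src, self.orig_dst = orig_src, orig_dst  # real source / mapped destination
        self.xlat_src, self.xlat_dst = xlat_src, xlat_dst  # mapped source / real destination
        self.src_type = src_type  # "static" or "dynamic_pat"; destination is always static
        self.dst_identity = orig_dst == xlat_dst  # same object for both => identity NAT

def _net(obj):
    return None if obj == "any" else ipaddress.ip_network(obj, strict=False)

def _in(addr, net):
    return net is None or ipaddress.ip_address(addr) in net

def _static_map(addr, from_net, to_net):
    # One-to-one static mapping (assumed): keep the host's offset within the range
    if from_net is None or to_net is None:
        return addr
    offset = int(ipaddress.ip_address(addr)) - int(from_net.network_address)
    return str(to_net.network_address + offset)

def translate(rules, ingress_ifc, src, dst, pat_port=1024):
    """Apply the first matching rule (rules are checked in section order)."""
    for r in rules:
        if r.src_ifc not in ("any", ingress_ifc):
            continue
        if not (_in(src, _net(r.orig_src)) and _in(dst, _net(r.orig_dst))):
            continue
        if r.src_type == "dynamic_pat":
            new_src = f"{r.xlat_src}:{pat_port}"  # mapped PAT address plus an assumed port
        else:
            new_src = _static_map(src, _net(r.orig_src), _net(r.xlat_src))
        new_dst = dst if r.dst_identity else _static_map(dst, _net(r.orig_dst), _net(r.xlat_dst))
        return new_src, new_dst
    return src, dst  # no twice NAT rule matched: addresses are left as they are

# Figure 5-1: one inside network, a different PAT address depending on the destination
FIGURE_5_1 = [
    TwiceNatRule("inside", "dmz", "10.1.2.0/24", "209.165.201.0/27",
                 "209.165.202.129", "209.165.201.0/27", src_type="dynamic_pat"),
    TwiceNatRule("inside", "dmz", "10.1.2.0/24", "209.165.200.224/27",
                 "209.165.202.130", "209.165.200.224/27", src_type="dynamic_pat"),
]
# Step 3 figure: identity NAT on the inside host, static translation of the outside host
IDENTITY_FIGURE = [TwiceNatRule("inside", "outside", "10.1.2.2/32", "10.1.1.1/32",
                                "10.1.2.2/32", "192.168.1.1/32")]
```

Swapping the two Figure 5-1 rules would not change the result here because their destination networks do not overlap; with overlapping destinations the first rule in the section wins, which is why the guide lets you choose where a rule is added.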
    						