Cisco ASDM 7 User Guide
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 5 Configuring Twice NAT (ASA 8.3 and Later)
Configuration Examples for Twice NAT

Step 11 Set the real and mapped interfaces:
Step 12 For the Original Source Address, type the name of the inside network object (myInsideNetwork) or click the browse button to choose it.
Step 13 For the Original Destination Address, type the name of the Telnet/web server network object (TelnetWebServer) or click the browse button to choose it.
Step 14 For the Original Service, click the browse button to add a new service object for HTTP in the Browse Original Service dialog box.
    a. Add the new service object.
    b. Define the protocol and port, and click OK.
    c. Choose the new service object by double-clicking it. Click OK to return to the NAT configuration.
Step 15 Set the NAT Type to Dynamic PAT (Hide):
Step 16 For the Translated Source Address, click the browse button to add a new network object for the PAT address in the Browse Translated Source Address dialog box.
    a. Add the new network object.
    b. Define the PAT address, and click OK.
    c. Choose the new network object by double-clicking it. Click OK to return to the NAT configuration.
Step 17 For the Translated Destination Address, type the name of the Original Destination Address (TelnetWebServer) or click the browse button to choose it. Because you do not want to translate the destination address, you need to configure identity NAT for it by specifying the same address for the Original and Translated destination addresses.
Step 18 Click OK to add the rule to the NAT table.
Step 19 Click Apply.
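The rule built in Steps 11 to 19 can be modelled in a few lines to see which packets it translates and how the return path is undone. This is an added example, not Cisco code and not the ASA's implementation: the addresses are constructed, the object name PATaddressHTTP is hypothetical, and the classes are illustrative.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses: the page names the objects but gives no values.
# "PATaddressHTTP" is a hypothetical name for the object added in Step 16.
OBJECTS = {
    "myInsideNetwork": ipaddress.ip_network("10.1.2.0/24"),
    "TelnetWebServer": ipaddress.ip_network("192.0.2.11/32"),
    "PATaddressHTTP": ipaddress.ip_network("192.0.2.130/32"),
}

@dataclass
class TwiceNatRule:
    orig_src: str    # Original Source Address (Step 12)
    orig_dst: str    # Original Destination Address (Step 13)
    service: tuple   # Original Service as (protocol, destination port) (Step 14)
    xlat_src: str    # Translated Source Address, Dynamic PAT (Hide) (Steps 15-16)
    xlat_dst: str    # Translated Destination Address (Step 17)

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in OBJECTS[self.orig_src]
                and ipaddress.ip_address(pkt["dst"]) in OBJECTS[self.orig_dst]
                and (pkt["proto"], pkt["dport"]) == self.service)

class NatTable:
    def __init__(self, rules):
        self.rules = rules
        self.xlates = {}  # (mapped ip, mapped port) -> (real ip, real port)

    def outbound(self, pkt):
        """Translate a new connection; the first matching rule wins."""
        for rule in self.rules:
            if rule.matches(pkt):
                pat_ip = str(OBJECTS[rule.xlat_src].network_address)
                port = pkt["sport"]  # keep the real port while it is free
                while (pat_ip, port) in self.xlates:
                    port = port % 65535 + 1
                self.xlates[(pat_ip, port)] = (pkt["src"], pkt["sport"])
                # Step 17 reuses the original object, so dst maps to itself.
                dst = str(OBJECTS[rule.xlat_dst].network_address)
                return {**pkt, "src": pat_ip, "sport": port, "dst": dst}
        return dict(pkt)  # no rule matched: the packet continues untranslated

    def inbound(self, pkt):
        """Undo the translation for returning traffic; None if no xlate exists."""
        real = self.xlates.get((pkt["dst"], pkt["dport"]))
        return {**pkt, "dst": real[0], "dport": real[1]} if real else None

HTTP_RULE = TwiceNatRule("myInsideNetwork", "TelnetWebServer", ("tcp", 80),
                         "PATaddressHTTP", "TelnetWebServer")
```

Only HTTP traffic from the inside network to the server is hidden behind the PAT address; traffic to any other destination or port falls through the rule untouched, which is the point of matching on source, destination and service in one rule.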
Feature History for Twice NAT

Table 5-1 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.

Table 5-1 Feature History for Twice NAT

Feature Name: Twice NAT
Platform Releases: 8.3(1)
Feature Information: Twice NAT lets you identify both the source and destination address in a single rule.
We modified the following screen: Configuration > Firewall > NAT Rules.

Feature Name: Identity NAT configurable proxy ARP and route lookup
Platform Releases: 8.4(2)/8.5(1)
Feature Information: In earlier releases for identity NAT, proxy ARP was disabled, and a route lookup was always used to determine the egress interface. You could not configure these settings. In 8.4(2) and later, the default behavior for identity NAT was changed to match the behavior of other static NAT configurations: proxy ARP is enabled, and the NAT configuration determines the egress interface (if specified) by default. You can leave these settings as is, or you can enable or disable them discretely. Note that you can now also disable proxy ARP for regular static NAT.
For pre-8.3 configurations, the migration of NAT exempt rules (the nat 0 access-list command) to 8.4(2) and later now includes the following keywords to disable proxy ARP and to use a route lookup: no-proxy-arp and route-lookup. The unidirectional keyword that was used for migrating to 8.3(2) and 8.4(1) is no longer used for migration. When upgrading to 8.4(2) from 8.3(1), 8.3(2), and 8.4(1), all identity NAT configurations will now include the no-proxy-arp and route-lookup keywords, to maintain existing functionality. The unidirectional keyword is removed.
We modified the following screen: Configuration > Firewall > NAT Rules > Add/Edit NAT Rule.

Feature Name: PAT pool and round robin address assignment
Platform Releases: 8.4(2)/8.5(1)
Feature Information: You can now specify a pool of PAT addresses instead of a single address. You can also optionally enable round-robin assignment of PAT addresses instead of first using all ports on a PAT address before using the next address in the pool. These features help prevent a large number of connections from a single PAT address from appearing to be part of a DoS attack and make configuration of large numbers of PAT addresses easy.
We modified the following screens: Configuration > Firewall > NAT Rules > Add/Edit NAT Rule.
Feature Name: Round robin PAT pool allocation uses the same IP address for existing hosts
Platform Releases: 8.4(3)
Feature Information: When using a PAT pool with round robin allocation, if a host has an existing connection, then subsequent connections from that host will use the same PAT IP address if ports are available.
We did not modify any screens.
This feature is not available in 8.5(1) or 8.6(1).

Feature Name: Flat range of PAT ports for a PAT pool
Platform Releases: 8.4(3)
Feature Information: If available, the real source port number is used for the mapped port. However, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only a small PAT pool.
If you have a lot of traffic that uses the lower port ranges, when using a PAT pool, you can now specify a flat range of ports to be used instead of the three unequal-sized tiers: either 1024 to 65535, or 1 to 65535.
We modified the following screens: Configuration > Firewall > NAT Rules > Add/Edit NAT Rule.
This feature is not available in 8.5(1) or 8.6(1).

Feature Name: Extended PAT for a PAT pool
Platform Releases: 8.4(3)
Feature Information: Each PAT IP address allows up to 65535 ports. If 65535 ports do not provide enough translations, you can now enable extended PAT for a PAT pool. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information.
We modified the following screens: Configuration > Firewall > NAT Rules > Add/Edit NAT Rule.
This feature is not available in 8.5(1) or 8.6(1).
Feature Name: Automatic NAT rules to translate a VPN peer’s local IP address back to the peer’s real IP address
Platform Releases: 8.4(3)
Feature Information: In rare situations, you might want to use a VPN peer’s real IP address on the inside network instead of an assigned local IP address. Normally with VPN, the peer is given an assigned local IP address to access the inside network. However, you might want to translate the local IP address back to the peer’s real public IP address if, for example, your inside servers and network security are based on the peer’s real IP address.
You can enable this feature on one interface per tunnel group. Object NAT rules are dynamically added and deleted when the VPN session is established or disconnected. You can view the rules using the show nat command.
Note: Because of routing issues, we do not recommend using this feature unless you know you need this feature; contact Cisco TAC to confirm feature compatibility with your network. See the following limitations:
    - Only supports Cisco IPsec and AnyConnect Client.
    - Return traffic to the public IP addresses must be routed back to the ASA so the NAT policy and VPN policy can be applied.
    - Does not support load-balancing (because of routing issues).
    - Does not support roaming (public IP changing).
ASDM does not support this command; enter the command using the Command Line Tool.

Feature Name: NAT support for IPv6
Platform Releases: 9.0(1)
Feature Information: NAT now supports IPv6 traffic, as well as translating between IPv4 and IPv6. Translating between IPv4 and IPv6 is not supported in transparent mode.
We modified the following screen: Configuration > Firewall > NAT Rules.
Feature Name: NAT support for reverse DNS lookups
Platform Releases: 9.0(1)
Feature Information: NAT now supports translation of the DNS PTR record for reverse DNS lookups when using IPv4 NAT, IPv6 NAT, and NAT64 with DNS inspection enabled for the NAT rule.

Feature Name: Per-session PAT
Platform Releases: 9.0(1)
Feature Information: The per-session PAT feature improves the scalability of PAT and, for clustering, allows each member unit to own PAT connections; multi-session PAT connections have to be forwarded to and owned by the master unit. At the end of a per-session PAT session, the ASA sends a reset and immediately removes the xlate. This reset causes the end node to immediately release the connection, avoiding the TIME_WAIT state. Multi-session PAT, on the other hand, uses the PAT timeout, by default 30 seconds. For “hit-and-run” traffic, such as HTTP or HTTPS, the per-session feature can dramatically increase the connection rate supported by one address. Without the per-session feature, the maximum connection rate for one address for an IP protocol is approximately 2000 per second. With the per-session feature, the connection rate for one address for an IP protocol is 65535/average-lifetime.
By default, all TCP traffic and UDP DNS traffic use a per-session PAT xlate. For traffic that requires multi-session PAT, such as H.323, SIP, or Skinny, you can disable per-session PAT by creating a per-session deny rule.
We introduced the following screen: Configuration > Firewall > Advanced > Per-Session NAT Rules.
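The "Flat range of PAT ports" and "Extended PAT" entries in the table above describe how a mapped port is chosen; the following model shows why the low tiers run out first and what each option changes. It is an added example, not Cisco code: the class and function names are illustrative, the destination values are constructed, and trying the real port first whenever it lies inside the active range is an assumption.

```python
from itertools import chain

TIERS = [(0, 511), (512, 1023), (1024, 65535)]  # default ranges from the table

class PatAddress:
    """Model of one PAT IP address (illustrative, not the ASA implementation).

    flat=None keeps the default tiers; flat=(1024, 65535) or (1, 65535)
    models the flat-range option. extended=True tracks ports per
    destination, as described for extended PAT.
    """
    def __init__(self, flat=None, extended=False):
        self.flat, self.extended = flat, extended
        self.in_use = set()

    def allocate(self, real_port, dst):
        """Return the mapped port for a new connection, or None if exhausted."""
        lo, hi = self.flat or next(t for t in TIERS if t[0] <= real_port <= t[1])
        # Assumption: the real port is tried first when it is inside the range.
        first = [real_port] if lo <= real_port <= hi else []
        for port in chain(first, range(lo, hi + 1)):
            key = (port, dst) if self.extended else port
            if key not in self.in_use:
                self.in_use.add(key)
                return port
        return None

def count_mapped(pat, clients, real_port, dst):
    """Open one connection per client from the same real port; count successes."""
    return sum(pat.allocate(real_port, dst) is not None for _ in range(clients))
```

With the default tiers, 600 clients that all use real source port 500 get only 512 translations on one address, while a flat range maps all 600; with extended PAT the same mapped port can be reused for a second destination.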
Chapter 6
Configuring NAT (ASA 8.2 and Earlier)

This chapter describes Network Address Translation, and includes the following sections:
    - NAT Overview
    - Configuring NAT Control
    - Using Dynamic NAT
    - Using Static NAT
    - Using NAT Exemption

NAT Overview

This section describes how NAT works on the ASA, and includes the following topics:
    - Introduction to NAT
    - NAT in Routed Mode
    - NAT in Transparent Mode
    - NAT Control
    - NAT Types
    - Policy NAT
    - NAT and Same Security Level Interfaces
    - Order of NAT Rules Used to Match Real Addresses
    - Mapped Address Guidelines
    - DNS and NAT

Introduction to NAT

Address translation substitutes the real address in a packet with a mapped address that is routable on the destination network. NAT is composed of two steps: the process by which a real address is translated into a mapped address, and the process to undo translation for returning traffic.

The ASA translates an address when a NAT rule matches the traffic. If no NAT rule matches, processing for the packet continues. The exception is when you enable NAT control. NAT control requires that packets traversing from a higher security interface (inside) to a lower security interface (outside) match a NAT rule, or processing for the packet stops. See the “Security Levels” section on page 13-1 in the general operations configuration guide for more information about security levels. See the “NAT Control” section on page 6-4 for more information about NAT control.

Note: In this document, all types of translation are referred to as NAT. When describing NAT, the terms inside and outside represent the security relationship between any two interfaces. The higher security level is inside and the lower security level is outside. For example, interface 1 is at 60 and interface 2 is at 50; therefore, interface 1 is “inside” and interface 2 is “outside.”

Some of the benefits of NAT are as follows:
    - You can use private addresses on your inside networks. Private addresses are not routable on the Internet.
    - NAT hides the real addresses from other networks, so attackers cannot learn the real address of a host.
    - You can resolve IP routing problems such as overlapping addresses.

See Table 10-1 on page 10-4 for information about protocols that do not support NAT.

NAT in Routed Mode

Figure 6-1 shows a typical NAT example in routed mode, with a private network on the inside. When the inside host at 10.1.1.27 sends a packet to a web server, the real source address, 10.1.1.27, of the packet is changed to a mapped address, 209.165.201.10. When the server responds, it sends the response to the mapped address, 209.165.201.10, and the security appliance receives the packet. The security appliance then changes the translation of the mapped address, 209.165.201.10, back to the real address, 10.1.1.27, before sending it to the host.

Figure 6-1 NAT Example: Routed Mode
[Diagram not reproduced. Labels: Web Server www.cisco.com; Outside; Inside; Security Appliance; 209.165.201.2; 10.1.2.1; 10.1.2.27; Originating Packet: Translation 10.1.2.27 to 209.165.201.10; Responding Packet: Undo Translation 209.165.201.10 to 10.1.2.27.]