Cisco Asdm 7 User Guide
6-3 Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 6 Configuring NAT (ASA 8.2 and Earlier)
NAT Overview

NAT in Transparent Mode

Using NAT in transparent mode eliminates the need for the upstream or downstream routers to perform NAT for their networks. For example, a transparent firewall ASA is useful between two VRFs so you can establish BGP neighbor relations between the VRFs and the global table. However, NAT per VRF might not be supported. In this case, using NAT in transparent mode is essential.

NAT in transparent mode has the following requirements and limitations:

- When the mapped addresses are not on the same network as the transparent firewall, then on the upstream router you need to add a static route for the mapped addresses that points to the downstream router (through the ASA).
- When you have VoIP or DNS traffic with NAT and inspection enabled, to successfully translate the IP address inside VoIP and DNS packets, the ASA needs to perform a route lookup. Unless the host is on a directly connected network, you need to add a static route on the ASA for the real host address that is embedded in the packet.
- The alias command is not supported.
- Because the transparent firewall does not have any interface IP addresses, you cannot use interface PAT.
- ARP inspection is not supported. Moreover, if for some reason a host on one side of the firewall sends an ARP request to a host on the other side of the firewall, and the initiating host's real address is mapped to a different address on the same subnet, then the real address remains visible in the ARP request.

Figure 6-2 shows a typical NAT scenario in transparent mode, with the same network on the inside and outside interfaces. The transparent firewall in this scenario is performing the NAT service so that the upstream router does not have to perform NAT.
When the inside host at 10.1.1.27 sends a packet to a web server, the real source address of the packet, 10.1.1.27, is changed to a mapped address, 209.165.201.10. When the server responds, it sends the response to the mapped address, 209.165.201.10, and the ASA receives the packet because the upstream router includes this mapped network in a static route directed through the ASA. The ASA then undoes the translation of the mapped address, 209.165.201.10, back to the real address, 10.1.1.27. Because the real address is directly connected, the ASA sends the packet directly to the host.
Figure 6-2 NAT Example: Transparent Mode

NAT Control

NAT control requires that packets traversing from an inside interface to an outside interface match a NAT rule; for any host on the inside network to access a host on the outside network, you must configure NAT to translate the inside host address, as shown in Figure 6-3.

Figure 6-3 NAT Control and Outbound Traffic
Interfaces at the same security level are not required to use NAT to communicate. However, if you configure dynamic NAT or PAT on a same security interface, then all traffic from the interface to a same security interface or an outside interface must match a NAT rule, as shown in Figure 6-4.

Figure 6-4 NAT Control and Same Security Traffic

Similarly, if you enable outside dynamic NAT or PAT, then all outside traffic must match a NAT rule when it accesses an inside interface (see Figure 6-5).

Figure 6-5 NAT Control and Inbound Traffic

Static NAT does not cause these restrictions.

By default, NAT control is disabled; therefore, you do not need to perform NAT on any networks unless you want to do so. If you upgraded from an earlier version of software, however, NAT control might be enabled on your system. Even with NAT control disabled, you need to perform NAT on any addresses for which you configure dynamic NAT. See the “Dynamic NAT Implementation” section on page 6-17 for more information about how dynamic NAT is applied.

If you want the added security of NAT control but do not want to translate inside addresses in some cases, you can apply a NAT exemption or identity NAT rule on those addresses. (See the “Using NAT Exemption” section on page 6-33 for more information.)

To configure NAT control, see the “Configuring NAT Control” section on page 6-16.

Note: In multiple context mode, the packet classifier might rely on the NAT configuration to assign packets to contexts if you do not enable unique MAC addresses for shared interfaces. See the “How the ASA Classifies Packets” section on page 8-3 in the general operations configuration guide for more information about the relationship between the classifier and NAT.
NAT Types

This section describes the available NAT types, and includes the following topics:

- Dynamic NAT, page 6-6
- PAT, page 6-8
- Static NAT, page 6-9
- Static PAT, page 6-9
- Bypassing NAT When NAT Control is Enabled, page 6-10

You can implement address translation as dynamic NAT, Port Address Translation (PAT), static NAT, static PAT, or as a mix of these types. You can also configure rules to bypass NAT; for example, to enable NAT control when you do not want to perform NAT.

Dynamic NAT

Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network. The mapped pool may include fewer addresses than the real group. When a host you want to translate accesses the destination network, the ASA assigns the host an IP address from the mapped pool. The translation is added only when the real host initiates the connection. The translation is in place only for the duration of the connection, and a given user does not keep the same IP address after the translation times out. Users on the destination network, therefore, cannot initiate a reliable connection to a host that uses dynamic NAT, even if the connection is allowed by an ACL, and the ASA rejects any attempt to connect to a real host address directly. See the “Static NAT” or “Static PAT” section for information on how to obtain reliable access to hosts.

Note: In some cases, a translation is added for a connection even though the session is denied by the ASA. This condition occurs with an outbound ACL, a management-only interface, or a backup interface, in which case the translation times out normally.

Figure 6-6 shows a remote host attempting to connect to the real address. The connection is denied, because the ASA only allows returning connections to the mapped address.
Figure 6-6 Remote Host Attempts to Connect to the Real Address

Figure 6-7 shows a remote host attempting to initiate a connection to a mapped address. This address is not currently in the translation table; therefore, the ASA drops the packet.

Figure 6-7 Remote Host Attempts to Initiate a Connection to a Mapped Address

Note: For the duration of the translation, a remote host can initiate a connection to the translated host if an ACL allows it. Because the address is unpredictable, a connection to the host is unlikely. Nevertheless, in this case, you can rely on the security of the ACL.
Dynamic NAT has these disadvantages:

- If the mapped pool has fewer addresses than the real group, you could run out of addresses if the amount of traffic is more than expected. Use PAT if this event occurs often, because PAT provides over 64,000 translations using ports of a single address.
- You have to use a large number of routable addresses in the mapped pool; if the destination network requires registered addresses, such as the Internet, you might encounter a shortage of usable addresses.

The advantage of dynamic NAT is that some protocols cannot use PAT. PAT does not work with the following:

- IP protocols that do not have a port to overload, such as GRE version 0.
- Some multimedia applications that have a data stream on one port, the control path on another port, and are not open standard.

See the “When to Use Application Protocol Inspection” section on page 10-2 for more information about NAT and PAT support.

PAT

PAT translates multiple real addresses to a single mapped IP address by translating the real address and source port to the mapped address and a unique port. If available, the real source port number is used for the mapped port. However, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only a small PAT pool that can be used.

Each connection requires a separate translation, because the source port differs for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.

After the connection expires, the port translation also expires after 30 seconds of inactivity. The timeout is not configurable.

Users on the destination network cannot reliably initiate a connection to a host that uses PAT (even if the connection is allowed by an ACL). Not only can you not predict the real or mapped port number of the host, but the ASA does not create a translation at all unless the translated host is the initiator. See the following “Static NAT” or “Static PAT” sections for reliable access to hosts.

PAT lets you use a single mapped address, thus conserving routable addresses. You can even use the ASA interface IP address as the PAT address.

PAT does not work with some multimedia applications that have a data stream that is different from the control path. See the “When to Use Application Protocol Inspection” section on page 10-2 for more information about NAT and PAT support.

Note: For the duration of the translation, a remote host can initiate a connection to the translated host if an ACL allows it. Because the port address (both real and mapped) is unpredictable, a connection to the host is unlikely. Nevertheless, in this case, you can rely on the security of the ACL. However, policy PAT does not support time-based ACLs.
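The dynamic NAT and PAT behaviour described in the two sections above (translations created only by the real host, inbound handling from Figures 6-6 and 6-7, pool exhaustion, and the per-range PAT port choice), modelled in Python as an added example that is not part of the Cisco guide. The addresses are the guide's own; the class and method names, and the choice of the lowest free port within the range when the real port is taken, are assumptions made for this illustration.

```python
# Added example, not from the Cisco guide: a small model of the ASA 8.2
# dynamic NAT and PAT translation (xlate) behaviour. Class and method
# names are assumptions; addresses are the guide's own examples.

PAT_RANGES = ((0, 511), (512, 1023), (1024, 65535))


class DynamicNat:
    """Dynamic NAT: one mapped address per real host, created only when the
    real host initiates, released when the translation times out."""

    def __init__(self, real_net, mapped_pool):
        self.real_net = set(real_net)     # real host addresses
        self.free = list(mapped_pool)     # mapped addresses not in use
        self.xlate = {}                   # real -> mapped (active translations)

    def outbound(self, real_ip):
        """Real host initiates: assign a pool address, or None if exhausted."""
        if real_ip in self.xlate:
            return self.xlate[real_ip]
        if not self.free:
            return None                   # the "run out of addresses" case
        self.xlate[real_ip] = self.free.pop(0)
        return self.xlate[real_ip]

    def timeout(self, real_ip):
        """Translation expires; the host does not keep its mapped address."""
        self.free.append(self.xlate.pop(real_ip))

    def inbound(self, dst_ip, acl_permits=True):
        """Remote host initiates a connection to dst_ip."""
        if dst_ip in self.real_net:
            return "denied"               # Figure 6-6: real address rejected
        if dst_ip not in self.xlate.values():
            return "dropped"              # Figure 6-7: no current translation
        return "allowed" if acl_permits else "denied"   # rely on the ACL


class Pat:
    """PAT: many real address:port pairs behind one mapped address."""

    def __init__(self, mapped_ip):
        self.mapped_ip = mapped_ip
        self.used = set()                 # mapped ports in use
        self.xlate = {}                   # (real_ip, real_port) -> mapped port

    def outbound(self, real_ip, real_port):
        """Each connection gets its own translation: reuse the real port when
        free, otherwise the lowest free port in the same range (assumption)."""
        key = (real_ip, real_port)
        if key in self.xlate:
            return (self.mapped_ip, self.xlate[key])
        lo, hi = next(r for r in PAT_RANGES if r[0] <= real_port <= r[1])
        for port in (real_port, *range(lo, hi + 1)):
            if port not in self.used:
                self.used.add(port)
                self.xlate[key] = port
                return (self.mapped_ip, port)
        return None                       # that range's small pool is exhausted
```

Filling the 0 to 511 range with 512 distinct real hosts using the same low source port shows why the guide says ports below 1024 have only a small PAT pool.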
Static NAT

Static NAT creates a fixed translation of real address(es) to mapped address(es). With dynamic NAT and PAT, each host uses a different address or port for each subsequent translation. Because the mapped address is the same for each consecutive connection with static NAT, and a persistent translation rule exists, static NAT allows hosts on the destination network to initiate traffic to a translated host (if an ACL exists that allows it).

The main difference between dynamic NAT and a range of addresses for static NAT is that static NAT allows a remote host to initiate a connection to a translated host (if an ACL exists that allows it), while dynamic NAT does not. You also need an equal number of mapped addresses as real addresses with static NAT.

Static PAT

Static PAT is the same as static NAT, except that it lets you specify the protocol (TCP or UDP) and port for the real and mapped addresses.

This feature lets you identify the same mapped address across many different static statements, provided the port is different for each statement. You cannot use the same mapped address for multiple static NAT statements.

For applications that require inspection for secondary channels (for example, FTP and VoIP), the ASA automatically translates the secondary ports.
For example, if you want to provide a single address for remote users to access FTP, HTTP, and SMTP, but these are all actually different servers on the real network, you can specify static PAT statements for each server that uses the same mapped IP address, but different ports (see Figure 6-8).

Figure 6-8 Static PAT

You can also use static PAT to translate a well-known port to a non-standard port or vice versa. For example, if inside web servers use port 8080, you can allow outside users to connect to port 80, and then undo translation to the original port 8080. Similarly, to provide extra security, you can tell web users to connect to non-standard port 6785, and then undo translation to port 80.

Bypassing NAT When NAT Control is Enabled

If you enable NAT control, then inside hosts must match a NAT rule when accessing outside hosts. If you do not want to perform NAT for some hosts, then you can bypass NAT for those hosts or you can disable NAT control. You might want to bypass NAT, for example, if you are using an application that does not support NAT. See the “When to Use Application Protocol Inspection” section on page 10-2 for information about inspection engines that do not support NAT.

You can configure traffic to bypass NAT using one of three methods. All methods achieve compatibility with inspection engines. However, each method offers slightly different capabilities, as follows:

- Identity NAT—When you configure identity NAT (which is similar to dynamic NAT), you do not limit translation for a host on specific interfaces; you must use identity NAT for connections through all interfaces. Therefore, you cannot choose to perform normal translation on real addresses when you access interface A, but use identity NAT when accessing interface B. Regular dynamic NAT, on the other hand, lets you specify a particular interface on which to translate the addresses. Make sure that the real addresses for which you use identity NAT are routable on all networks that are available according to your ACLs. For identity NAT, even though the mapped address is the same as the real address, you cannot initiate a connection from the outside to the inside (even if the interface ACL allows it). Use static identity NAT or NAT exemption for this functionality.
- Static identity NAT—Static identity NAT lets you specify the interface on which you want to allow the real addresses to appear, so you can use identity NAT when you access interface A, and use regular translation when you access interface B. Static identity NAT also lets you use policy NAT, which identifies the real and destination addresses when determining the real addresses to translate (see the “Policy NAT” section on page 6-11 for more information about policy NAT). For example, you can use static identity NAT for an inside address when it accesses the outside interface and the destination is server A, but use a normal translation when accessing the outside server B.
- NAT exemption—NAT exemption allows both translated and remote hosts to initiate connections. Like identity NAT, you do not limit translation for a host on specific interfaces; you must use NAT exemption for connections through all interfaces. However, NAT exemption does let you specify the real and destination addresses when determining the real addresses to translate (similar to policy NAT), so you have greater control using NAT exemption. However, unlike policy NAT, NAT exemption does not consider the ports in the ACL. NAT exemption also does not let you configure connection limits such as maximum TCP connections.
Policy NAT

Policy NAT lets you identify real addresses for address translation by specifying the source and destination addresses. You can also optionally specify the source and destination ports. Regular NAT can only consider the source addresses, and not the destination. For example, with policy NAT, you can translate the real address to mapped address A when it accesses server A, but translate the real address to mapped address B when it accesses server B.

For applications that require application inspection for secondary channels (for example, FTP and VoIP), the policy specified in the policy NAT rule should include the secondary ports. When the ports cannot be predicted, the policy should specify only the IP addresses for the secondary channel. With this configuration, the security appliance translates the secondary ports.

Figure 6-9 shows a host on the 10.1.2.0/24 network accessing two different servers. When the host accesses the server at 209.165.201.11, the real address is translated to 209.165.202.129. When the host accesses the server at 209.165.200.225, the real address is translated to 209.165.202.130. Consequently, the host appears to be on the same network as the servers, which can help with routing.
Figure 6-9 Policy NAT with Different Destination Addresses

Figure 6-10 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web services and Telnet services. When the host accesses the server for web services, the real address is translated to 209.165.202.129. When the host accesses the same server for Telnet services, the real address is translated to 209.165.202.130.

Figure 6-10 Policy NAT with Different Destination Ports
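Policy NAT rule selection for the scenarios in Figures 6-9 and 6-10, with a regular NAT rule beside them to show that regular NAT matches on the source only, as an added Python example that is not from the Cisco guide. The rule tuple layout, first-match evaluation order, and the regular NAT mapped address 209.165.202.131 are assumptions made for this illustration; the other addresses and ports are the guide's own.

```python
# Added example, not from the Cisco guide: a model of how a policy NAT rule
# is chosen by source address, destination address and destination port.
# Rule layout, first-match order and 209.165.202.131 are assumptions.
import ipaddress


def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


# Each rule: (real network, destination network or None, destination port
# or None, mapped source address). None matches anything, so a rule with
# None for both destination fields behaves like regular (non-policy) NAT.
POLICY_RULES_BY_ADDRESS = [                    # Figure 6-9
    (net("10.1.2.0/24"), net("209.165.201.11/32"), None, "209.165.202.129"),
    (net("10.1.2.0/24"), net("209.165.200.225/32"), None, "209.165.202.130"),
]

POLICY_RULES_BY_PORT = [                       # Figure 6-10, same server
    (net("10.1.2.0/24"), net("209.165.201.11/32"), 80, "209.165.202.129"),
    (net("10.1.2.0/24"), net("209.165.201.11/32"), 23, "209.165.202.130"),
]

REGULAR_RULES = [                              # destination is ignored
    (net("10.1.2.0/24"), None, None, "209.165.202.131"),   # constructed value
]


def translate(rules, src_ip, dst_ip, dst_port):
    """Return the mapped source address for this packet, or None when no rule
    matches (with NAT control enabled such a packet does not pass)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for real_net, dst_net, port, mapped in rules:
        if src not in real_net:
            continue
        if dst_net is not None and dst not in dst_net:
            continue
        if port is not None and port != dst_port:
            continue
        return mapped                          # first matching rule wins
    return None
```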