Cisco Asdm 7 User Guide
6-13 Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 6 Configuring NAT (ASA 8.2 and Earlier)
NAT Overview

For policy static NAT, both translated and remote hosts can originate traffic. For traffic originated on the translated network, the NAT rule specifies the real addresses and the destination addresses, but for traffic originated on the remote network, the rule identifies the real addresses and the source addresses of the remote hosts that are allowed to connect to the host using this translation.

Figure 6-11 shows a remote host connecting to a translated host. The translated host has a policy static NAT translation that translates the real address only for traffic to and from the 209.165.201.0/27 network. A translation does not exist for the 209.165.200.224/27 network, so the translated host cannot connect to that network, nor can a host on that network connect to the translated host.

Figure 6-11 Policy Static NAT with Destination Address Translation
[Figure labels: Inside host 10.1.2.27 (10.1.2.0/27); DMZ hosts 209.165.201.11 (209.165.201.0/27) and 209.165.200.225 (209.165.200.224/27); undo translation 209.165.202.128 to 10.1.2.27; no translation for 10.1.2.27.]

Note: Policy NAT does not support SQL*Net, but it is supported by regular NAT. See the “When to Use Application Protocol Inspection” section on page 10-2 for information about NAT support for other protocols.

NAT and Same Security Level Interfaces

NAT is not required between same security level interfaces even if you enable NAT control. You can optionally configure NAT if desired. However, if you configure dynamic NAT when NAT control is enabled, then NAT is required. See the “NAT Control” section on page 6-4 for more information. Also, when you specify a group of IP addresses for dynamic NAT or PAT on a same security interface, then you must perform NAT on that group of addresses when they access any lower or same security level interface (even when NAT control is not enabled). Traffic identified for static NAT is not affected.

Note: The ASA does not support VoIP inspection engines when you configure NAT on same security interfaces. These inspection engines include Skinny, SIP, and H.323. See the “When to Use Application Protocol Inspection” section on page 10-2 for supported inspection engines.
Order of NAT Rules Used to Match Real Addresses

The ASA matches real addresses to NAT rules in the following order:

1. NAT exemption—In order, until the first match.
2. Static NAT and Static PAT (regular and policy)—In order, until the first match. Static identity NAT is included in this category.
3. Policy dynamic NAT—In order, until the first match. Overlapping addresses are allowed.
4. Regular dynamic NAT—Best match. Regular identity NAT is included in this category. The order of the NAT rules does not matter; the NAT rule that best matches the real address is used. For example, you can create a general rule to translate all addresses (0.0.0.0) on an interface. If you want to translate a subset of your network (10.1.1.1) to a different address, then you can create a rule to translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific rule for 10.1.1.1 is used because it matches the real address best. We do not recommend using overlapping rules; they use more memory and can slow the performance of the ASA.

Mapped Address Guidelines

When you translate the real address to a mapped address, you can use the following mapped addresses:

• Addresses on the same network as the mapped interface. If you use addresses on the same network as the mapped interface (through which traffic exits the ASA), the ASA uses proxy ARP to answer any requests for mapped addresses, and thus intercepts traffic destined for a real address. This solution simplifies routing, because the ASA does not have to be the gateway for any additional networks. However, this approach does put a limit on the number of available addresses used for translations. For PAT, you can even use the IP address of the mapped interface.
• Addresses on a unique network. If you need more addresses than are available on the mapped interface network, you can identify addresses on a different subnet.
The ASA uses proxy ARP to answer any requests for mapped addresses, and thus intercepts traffic destined for a real address. If you use OSPF, and you advertise routes on the mapped interface, then the ASA advertises the mapped addresses. If the mapped interface is passive (not advertising routes) or you are using static routing, then you need to add a static route on the upstream router that sends traffic destined for the mapped addresses to the ASA.

DNS and NAT

You might need to configure the ASA to modify DNS replies by replacing the address in the reply with an address that matches the NAT configuration. You can configure DNS modification when you configure each translation.

For example, a DNS server is accessible from the outside interface. A server, ftp.cisco.com, is on the inside interface. You configure the ASA to statically translate the ftp.cisco.com real address (10.1.3.14) to a mapped address (209.165.201.10) that is visible on the outside network (see Figure 6-12). In this case, you want to enable DNS reply modification on this static statement so that inside users who have access to ftp.cisco.com using the real address receive the real address from the DNS server, and not the mapped address.
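As an added example (not from the Cisco guide), the following Python model applies the rule-matching order listed under “Order of NAT Rules Used to Match Real Addresses” above to a constructed rule set; the rule representation, the rule names and the sample networks are assumptions made for this illustration.

```python
# Added example, not from the Cisco guide: a model of the order in which the
# ASA (8.2 and earlier) matches a real address against its NAT rules, as
# listed under "Order of NAT Rules Used to Match Real Addresses".  The rule
# representation and the sample rule set are constructed for this example.
import ipaddress

# Categories in the order the ASA consults them: the first three are "first
# match in configuration order", the last is "best match".
ORDER = ("exempt", "static", "policy_dynamic", "regular_dynamic")

def match_nat_rule(rules, real_ip):
    """Return the rule that handles real_ip, or None if nothing matches.
    Each rule is a dict with kind (one of ORDER), net (the rule's real-address
    network in CIDR form) and name; rules are listed in configuration order."""
    ip = ipaddress.ip_address(real_ip)
    for kind in ORDER:
        hits = [r for r in rules
                if r["kind"] == kind and ip in ipaddress.ip_network(r["net"])]
        if not hits:
            continue
        if kind == "regular_dynamic":
            # Configuration order is irrelevant here: the most specific
            # (longest-prefix) real-address network wins.
            return max(hits, key=lambda r: ipaddress.ip_network(r["net"]).prefixlen)
        return hits[0]  # first match in configuration order
    return None

# Constructed rule set, in configuration order.  It reproduces the text's
# example (a general 0.0.0.0 rule plus a rule for only 10.1.1.1) and adds a
# static rule and a NAT exemption that appear later in the configuration.
RULES = [
    {"kind": "regular_dynamic", "net": "0.0.0.0/0",    "name": "dynamic-all"},
    {"kind": "regular_dynamic", "net": "10.1.1.1/32",  "name": "dynamic-10.1.1.1"},
    {"kind": "policy_dynamic",  "net": "10.1.2.0/24",  "name": "policy-10.1.2.0"},
    {"kind": "static",          "net": "10.1.1.5/32",  "name": "static-10.1.1.5"},
    {"kind": "exempt",          "net": "10.1.1.16/28", "name": "exempt-10.1.1.16"},
]

def which_rule(real_ip):
    """Name of the rule chosen for real_ip under RULES (None if unmatched)."""
    r = match_nat_rule(RULES, real_ip)
    return r["name"] if r else None
```

The exemption and static rules win for their hosts even though they sit last in the configuration, and within regular dynamic NAT the /32 rule beats the general rule regardless of order.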
When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with the mapped address (209.165.201.10). The ASA refers to the static statement for the inside server and translates the address inside the DNS reply to 10.1.3.14. If you do not enable DNS reply modification, then the inside host attempts to send traffic to 209.165.201.10 instead of accessing ftp.cisco.com directly.

Figure 6-12 DNS Reply Modification
[Figure labels: DNS server on the Outside; user on the Inside; security appliance with ftp.cisco.com 10.1.3.14, static translation on Outside to 209.165.201.10; steps: DNS query ftp.cisco.com?, DNS reply 209.165.201.10, DNS reply modification 209.165.201.10 to 10.1.3.14, DNS reply 10.1.3.14, FTP request 10.1.3.14.]

Note: If a user on a different network (for example, DMZ) also requests the IP address for ftp.cisco.com from the outside DNS server, then the IP address in the DNS reply is also modified for this user, even though the user is not on the Inside interface referenced by the static rule.
Figure 6-13 shows a web server and DNS server on the outside. The ASA has a static translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.20.10. Because you want inside users to use the mapped address for ftp.cisco.com (10.1.2.56), you need to configure DNS reply modification for the static translation.

Figure 6-13 DNS Reply Modification Using Outside NAT
[Figure labels: ftp.cisco.com 209.165.201.10 and DNS server on the Outside; user 10.1.2.27 on the Inside; security appliance with static translation on Inside to 10.1.2.56; steps: DNS query ftp.cisco.com?, DNS reply 209.165.201.10, DNS reply modification 209.165.201.10 to 10.1.2.56, DNS reply 10.1.2.56, FTP request 10.1.2.56, destination address translation 10.1.2.56 to 209.165.201.10, FTP request 209.165.201.10.]

Configuring NAT Control

NAT control requires that packets traversing from an inside interface to an outside interface match a NAT rule. See the “NAT Control” section on page 6-4 for more information.

To enable NAT control, in the Configuration > Firewall > NAT Rules pane, check the Enable traffic through the firewall without address translation check box.
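The two DNS reply modification scenarios above (Figures 6-12 and 6-13), as an added Python example that is not part of the Cisco guide: the StaticRule fields, the simplified A-record list and the translate_dst helper are assumptions made for this model, not ASA internals, and a real reply would be parsed from DNS wire format.

```python
# Added example, not code from the Cisco guide: a simplified model of a
# static translation with DNS reply modification for both cases in the text
# (inside server, Figure 6-12; outside server with outside NAT, Figure 6-13).
# Rule fields, the A-record list and both sample rule sets are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class StaticRule:
    real_if: str       # interface the real address lives on
    real: str          # real (untranslated) address
    mapped_if: str     # interface on which the mapped address is visible
    mapped: str        # mapped (translated) address
    dns_rewrite: bool  # DNS reply modification enabled on this rule

def rewrite_dns_reply(rules, reply_ingress_if, answers):
    """Rewrite A records of a DNS reply entering on reply_ingress_if.
    An address that a rule exposes on the ingress interface is replaced by
    the same host's address on the rule's other interface.  As the guide's
    note says, this depends on the interface the reply arrives on, not on
    which interface the requesting client sits behind."""
    out = []
    for name, rtype, addr in answers:
        new = addr
        if rtype == "A":
            for r in rules:
                if not r.dns_rewrite:
                    continue
                if reply_ingress_if == r.mapped_if and addr == r.mapped:
                    new = r.real     # Figure 6-12: mapped address -> real
                elif reply_ingress_if == r.real_if and addr == r.real:
                    new = r.mapped   # Figure 6-13: real address -> mapped
        out.append((name, rtype, new))
    return out

def translate_dst(rules, ingress_if, dst):
    """Destination translation for a packet entering on ingress_if (the
    'Dest Addr. Translation' step of Figure 6-13): a packet sent to a mapped
    address from the mapped interface is forwarded to the real address."""
    for r in rules:
        if ingress_if == r.mapped_if and dst == r.mapped:
            return r.real
    return dst

# Figure 6-12 (constructed): inside ftp.cisco.com 10.1.3.14 is visible on the
# outside as 209.165.201.10.  Figure 6-13 (constructed): outside ftp.cisco.com
# 209.165.201.10 is visible on the inside as 10.1.2.56 (outside NAT).
INSIDE_SERVER = [StaticRule("inside", "10.1.3.14", "outside", "209.165.201.10", True)]
OUTSIDE_SERVER = [StaticRule("outside", "209.165.201.10", "inside", "10.1.2.56", True)]
OUTSIDE_DNS_REPLY = [("ftp.cisco.com", "A", "209.165.201.10")]  # outside DNS server's answer
```

With dns_rewrite switched off, the inside host in the Figure 6-12 case is handed 209.165.201.10 and tries to reach its own server through the mapped address, which is the failure the text describes.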
Using Dynamic NAT

This section describes how to configure dynamic NAT, including dynamic NAT and PAT, dynamic policy NAT and PAT, and identity NAT.

Policy NAT lets you identify real addresses for address translation by specifying the source and destination addresses. You can also optionally specify the source and destination ports. Regular NAT can only consider the source addresses, and not the destination. See the “Policy NAT” section on page 6-11 for more information.

This section includes the following topics:
• Dynamic NAT Implementation, page 6-17
• Managing Global Pools, page 6-22
• Configuring Dynamic NAT, PAT, or Identity NAT, page 6-23
• Configuring Dynamic Policy NAT or PAT, page 6-25

Dynamic NAT Implementation

This section describes how dynamic NAT is implemented, and includes the following topics:
• Real Addresses and Global Pools Paired Using a Pool ID, page 6-18
• NAT Rules on Different Interfaces with the Same Global Pools, page 6-18
• Global Pools on Different Interfaces with the Same Pool ID, page 6-18
• Multiple NAT Rules with Different Global Pools on the Same Interface, page 6-19
• Multiple Addresses in the Same Global Pool, page 6-20
• Outside NAT, page 6-21
• Real Addresses in a NAT Rule Must be Translated on All Lower or Same Security Interfaces, page 6-22
Real Addresses and Global Pools Paired Using a Pool ID

In a dynamic NAT rule, you specify real addresses and then pair them with a global pool of addresses to which the real addresses are mapped when they exit another interface (in the case of PAT, this is one address, and in the case of identity NAT, this is the same as the real address). Each global pool is assigned a pool ID.

NAT Rules on Different Interfaces with the Same Global Pools

You can create a NAT rule for each interface using the same global address pool. For example, you can configure NAT rules for Inside and DMZ interfaces, both using global pool 1 on the outside interface. Traffic from the Inside interface and the DMZ interface share a mapped pool or a PAT address when exiting the Outside interface (see Figure 6-14).

Figure 6-14 NAT Rules on Multiple Interfaces Using the Same Global Pool
[Figure labels: web server www.cisco.com on the Outside; Global 1 on Outside: 209.165.201.3-209.165.201.10; NAT 1: 10.1.2.0/24 (host 10.1.2.27); NAT 1: 10.1.1.0/24 (host 10.1.1.15); translations 10.1.2.27 to 209.165.201.3 and 10.1.1.15 to 209.165.201.4.]

Global Pools on Different Interfaces with the Same Pool ID

You can create a global pool for each interface using the same pool ID. If you create a global pool for the Outside and DMZ interfaces on ID 1, then a single NAT rule associated with ID 1 identifies traffic to be translated when going to both the Outside and the DMZ interfaces. Similarly, if you create a NAT rule for the DMZ interface on ID 1, then all global pools on ID 1 are also used for DMZ traffic (see Figure 6-15).

Figure 6-15 NAT Rules and Global Pools Using the Same ID on Multiple Interfaces
[Figure labels: web server www.cisco.com on the Outside; Global 1 on Outside: 209.165.201.3-209.165.201.10; Global 1 on DMZ: 10.1.1.23; NAT 1: 10.1.2.0/24 (host 10.1.2.27); NAT 1: 10.1.1.0/24 (host 10.1.1.15); translations 10.1.2.27 to 209.165.201.3, 10.1.1.15 to 209.165.201.4, and 10.1.2.27 to 10.1.1.23:2024.]

Multiple NAT Rules with Different Global Pools on the Same Interface

You can identify different sets of real addresses to have different mapped addresses. For example, on the Inside interface, you can have two NAT rules on two different pool IDs. On the Outside interface, you configure two global pools for these two IDs. Then, when traffic from Inside network A exits the Outside interface, the IP addresses are translated to pool 1 addresses, while traffic from Inside network B is translated to pool 2 addresses (see Figure 6-16). If you use policy NAT, you can specify the same real addresses for multiple NAT rules, as long as the destination addresses and ports are unique in each ACL.
Figure 6-16 Different NAT IDs
[Figure labels: web server www.cisco.com on the Outside; Global 1 on Outside: 209.165.201.3-209.165.201.10; Global 2 on Outside: 209.165.201.11; NAT 1: 10.1.2.0/24 (host 10.1.2.27); NAT 2: 192.168.1.0/24 (host 192.168.1.14); translations 10.1.2.27 to 209.165.201.3 and 192.168.1.14 to 209.165.201.11:4567.]

Multiple Addresses in the Same Global Pool

You can have multiple addresses in the same global pool; the ASA uses the dynamic NAT ranges of addresses first, in the order they are in the configuration, and then uses the PAT single addresses in order. You might want to add both a range of addresses and a PAT address if you need to use dynamic NAT for a particular application, but want to have a backup PAT rule in case all the dynamic NAT addresses are depleted. Similarly, you might want two PAT addresses in the pool if you need more than the approximately 64,000 PAT sessions that a single PAT mapped address supports (see Figure 6-17).
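An added example, not from the Cisco guide, of the pool consumption order just described (ranges first, in configuration order, then PAT addresses in order): the GlobalPool class, its entry format and the fixed 64,000-session constant are assumptions made for this model.

```python
# Added example, not from the Cisco guide: a model of how a global pool that
# holds both dynamic NAT ranges and PAT addresses is consumed: ranges first,
# in configuration order, then the single PAT addresses in order.  Pool
# entries are constructed; the per-address PAT session limit is the text's
# "approximately 64,000", taken here as a fixed constant.
import ipaddress

PAT_SESSIONS_PER_ADDRESS = 64000  # approximation from the text (constructed)

class GlobalPool:
    def __init__(self, entries):
        """entries: ("range", first, last) or ("pat", address), config order."""
        self.free = []      # one list of unused mapped addresses per range
        self.pats = []      # PAT addresses in configuration order
        for entry in entries:
            if entry[0] == "range":
                lo = int(ipaddress.ip_address(entry[1]))
                hi = int(ipaddress.ip_address(entry[2]))
                self.free.append([str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)])
            else:
                self.pats.append(entry[1])
        self.pat_sessions = dict.fromkeys(self.pats, 0)
        self.xlates = {}    # real host -> mapped address held by dynamic NAT

    def translate(self, real_ip):
        """Mapped endpoint for a new connection from real_ip: ("nat", addr)
        for a one-to-one dynamic translation, ("pat", addr) for a port
        translation, or None once every range and PAT address is used up."""
        if real_ip in self.xlates:            # host already holds a NAT xlate
            return ("nat", self.xlates[real_ip])
        for free in self.free:                # dynamic NAT ranges first
            if free:
                self.xlates[real_ip] = free.pop(0)
                return ("nat", self.xlates[real_ip])
        for addr in self.pats:                # then PAT addresses, in order
            if self.pat_sessions[addr] < PAT_SESSIONS_PER_ADDRESS:
                self.pat_sessions[addr] += 1
                return ("pat", addr)
        return None                           # pool depleted

# Figure 6-17 (constructed): two NAT addresses backed by one PAT address.
def figure_6_17():
    pool = GlobalPool([("range", "209.165.201.3", "209.165.201.4"),
                       ("pat", "209.165.201.5")])
    return [pool.translate(h) for h in ("10.1.2.27", "10.1.2.28", "10.1.2.29")]
```

The third host falls through to the PAT address once both range addresses are held, and a second PAT address is only touched after the first has reached its session limit.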
Figure 6-17 NAT and PAT Together
[Figure labels: web server www.cisco.com on the Outside; Global 1 on Outside: 209.165.201.3-209.165.201.4 and 209.165.201.5; NAT 1: 10.1.2.0/24 on the Inside (hosts 10.1.2.27, 10.1.2.28, 10.1.2.29); translations 10.1.2.27 to 209.165.201.3, 10.1.2.28 to 209.165.201.4, and 10.1.2.29 to 209.165.201.5:6096.]

Outside NAT

If a NAT rule translates addresses from an outside interface to an inside interface, then the rule is an outside NAT rule, and you need to specify that it translates inbound traffic. If you also want to translate the same traffic when it accesses a lower security interface (for example, traffic on a DMZ is translated when accessing the Inside and the Outside interfaces), then you can create a second NAT rule using the same NAT ID (see Figure 6-18), but specifying outbound. Note that for outside NAT (DMZ interface to Inside interface), the inside host uses a static rule to allow outside access, so both the source and destination addresses are translated.
Figure 6-18 Outside NAT and Inside NAT Combined
[Figure labels: Global 1 on Outside: 209.165.201.3-209.165.201.10; Global 1 on Inside: 10.1.2.30-10.1.2.40; Inside host 10.1.2.27 with static to DMZ as 10.1.1.5; DMZ host 10.1.1.15 with Outside NAT 1: 10.1.1.0/24 and NAT 1: 10.1.1.0/24; translations 10.1.1.15 to 209.165.201.4 and 10.1.1.15 to 10.1.2.30; undo translation 10.1.1.5 to 10.1.2.27.]

Real Addresses in a NAT Rule Must be Translated on All Lower or Same Security Interfaces

When you create a NAT rule for a group of IP addresses, then you must perform NAT on that group of addresses when they access any lower or same security level interface; you must create a global pool with the same pool ID on each interface, or use a static rule. NAT is not required for that group when it accesses a higher security interface. If you create an outside NAT rule, then the preceding NAT requirements come into effect for that group of addresses when they access all higher security interfaces. Traffic identified by a static rule is not affected.

Managing Global Pools

Dynamic NAT uses global pools for translation. For information about how global pools work, see the “Dynamic NAT Implementation” section on page 6-17.

To manage a global pool, perform the following steps:

Step 1 In the Configuration > Firewall > Objects > Global Pools pane, click Add to add a new pool, or select a pool, and click Edit. You can also manage global pools from the Add/Edit Dynamic NAT Rule dialog box by clicking Manage. The Add/Edit Global Address Pool dialog box appears.