    Cisco ASA Series Firewall ASDM Configuration Guide

    Chapter 3
    Information About NAT (ASA 8.3 and Later)
    This chapter provides an overview of how Network Address Translation (NAT) works on the ASA. This 
    chapter includes the following sections:
    Why Use NAT?, page 3-1
    NAT Terminology, page 3-2
    NAT Types, page 3-3
    NAT in Routed and Transparent Mode, page 3-12
    NAT and IPv6, page 3-15
    How NAT is Implemented, page 3-15 
    NAT Rule Order, page 3-20
    Routing NAT Packets, page 3-22
    NAT for VPN, page 3-25
    DNS and NAT, page 3-31
    Where to Go Next, page 3-36
    Note: To start configuring NAT, see Chapter 4, “Configuring Network Object NAT (ASA 8.3 and Later),” or 
    Chapter 5, “Configuring Twice NAT (ASA 8.3 and Later).”
    Why Use NAT?
    Each computer and device within an IP network is assigned a unique IP address that identifies the host. 
    Because of a shortage of public IPv4 addresses, most of these IP addresses are private, not routable 
    anywhere outside of the private company network. RFC 1918 defines the private IP addresses you can 
    use internally that should not be advertised:
    10.0.0.0 through 10.255.255.255
    172.16.0.0 through 172.31.255.255
    192.168.0.0 through 192.168.255.255 
    						
    							 
    One of the main functions of NAT is to enable private IP networks to connect to the Internet. NAT 
    replaces a private IP address with a public IP address, translating the private addresses in the internal 
    private network into legal, routable addresses that can be used on the public Internet. In this way, NAT 
    conserves public addresses because it can be configured to advertise at a minimum only one public 
    address for the entire network to the outside world.
    Other functions of NAT include:
    Security—Keeping internal IP addresses hidden discourages direct attacks. Hiding addresses is not an 
    access control, however: the access rules applied to the traffic, not the translation, decide what is permitted.
    IP routing solutions—Overlapping IP addresses are not a problem when you use NAT.
    Flexibility—You can change internal IP addressing schemes without affecting the public addresses 
    available externally; for example, for a server accessible to the Internet, you can maintain a fixed IP 
    address for Internet use, but internally, you can change the server address.
    Translating between IPv4 and IPv6 (Routed mode only) (Version 9.0(1) and later)—If you want to 
    connect an IPv6 network to an IPv4 network, NAT lets you translate between the two types of 
    addresses.
    Note: NAT is not required. If you do not configure NAT for a given set of traffic, that traffic will not be 
    translated, but will have all of the security policies applied as normal.
    NAT Terminology
    This document uses the following terminology:
    Real address/host/network/interface—The real address is the address that is defined on the host, 
    before it is translated. In a typical NAT scenario where you want to translate the inside network when 
    it accesses the outside, the inside network would be the “real” network. Note that you can translate 
    any network connected to the ASA, not just an inside network. Therefore, if you configure NAT to 
    translate outside addresses, “real” can refer to the outside network when it accesses the inside 
    network.
    Mapped address/host/network/interface—The mapped address is the address that the real address is 
    translated to. In a typical NAT scenario where you want to translate the inside network when it 
    accesses the outside, the outside network would be the “mapped” network.
    Note: During address translation, IP addresses residing on the ASA’s interfaces are not translated.
    Bidirectional initiation—Static NAT allows connections to be initiated bidirectionally, meaning 
    both to the host and from the host.
    Source and destination NAT—For any given packet, both the source and destination IP addresses are 
    compared to the NAT rules, and one or both can be translated/untranslated. For static NAT, the rule 
    is bidirectional, so be aware that “source” and “destination” are used in commands and descriptions 
    throughout this guide even though a given connection might originate at the “destination” address. 
    						
    							 
    NAT Types
    NAT Types Overview, page 3-3
    Static NAT, page 3-3
    Dynamic NAT, page 3-8
    Dynamic PAT, page 3-10
    Identity NAT, page 3-12
    NAT Types Overview
    You can implement NAT using the following methods:
    Static NAT—A consistent mapping between a real and mapped IP address. Allows bidirectional 
    traffic initiation. See the “Static NAT” section on page 3-3.
    Dynamic NAT—A group of real IP addresses is mapped to a (usually smaller) group of mapped IP 
    addresses, on a first come, first served basis. Only the real host can initiate traffic. See the “Dynamic 
    NAT” section on page 3-8.
    Dynamic Port Address Translation (PAT)—A group of real IP addresses is mapped to a single IP 
    address, with each connection distinguished by a unique source port of that IP address. See the 
    “Dynamic PAT” section on page 3-10.
    Identity NAT—A real address is statically translated to itself, essentially bypassing NAT. You might 
    want to configure NAT this way when you want to translate a large group of addresses, but then want 
    to exempt a smaller subset of addresses. See the “Identity NAT” section on page 3-12.
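The identity NAT case in the last bullet, as an added example that is not part of this guide: an object NAT rule translates the whole inside subnet, and a twice NAT identity rule exempts the subset destined for a VPN peer network. Interface names (inside, outside), object names and the 10.2.2.0/24 peer network are assumed. Twice NAT rules entered without the after-auto keyword sit in Section 1 of the NAT table and are evaluated before object NAT rules in Section 2, so the narrower exemption takes precedence over the broader translation.

```cisco
! Added example, not the guide's configuration. Interface names (inside,
! outside), object names and the 10.2.2.0/24 peer network are assumed.
!
! Object NAT (Section 2): every inside host is PAT-translated to the
! outside interface address when it goes to the Internet.
object network INSIDE_NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Twice NAT identity rule (Section 1, evaluated first): traffic from
! INSIDE_NET to the VPN peer network keeps its real source and destination
! addresses. no-proxy-arp stops the ASA answering ARP for the (unchanged)
! mapped addresses; route-lookup makes the egress interface follow the
! routing table rather than the NAT rule.
object network VPN_PEER_NET
 subnet 10.2.2.0 255.255.255.0
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_PEER_NET VPN_PEER_NET no-proxy-arp route-lookup
!
! Verify: the first trace should match the identity rule (no translation),
! the second should show dynamic PAT to the outside interface address.
show nat
packet-tracer input inside tcp 10.1.1.5 1025 10.2.2.5 443
packet-tracer input inside tcp 10.1.1.5 1025 198.51.100.10 443
```

Run both packet-tracer commands after any change to the NAT table; a new object NAT rule cannot displace the Section 1 exemption, but a second twice NAT rule placed above it can.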
    Static NAT
    This section describes static NAT and includes the following topics:
    Information About Static NAT, page 3-3
    Information About Static NAT with Port Translation, page 3-4
    Information About One-to-Many Static NAT, page 3-6
    Information About Other Mapping Scenarios (Not Recommended), page 3-7
    Information About Static NAT
    Static NAT creates a fixed translation of a real address to a mapped address. Because the mapped address 
    is the same for each consecutive connection, static NAT allows bidirectional connection initiation, both 
    to and from the host (if an access rule exists that allows it). With dynamic NAT and PAT, on the other 
    hand, each host uses a different address or port for each subsequent translation, so bidirectional initiation 
    is not supported.  
    						
    							 
    Figure 3-1 shows a typical static NAT scenario. The translation is always active so both real and remote 
    hosts can initiate connections.
    Figure 3-1 Static NAT
    Note: You can disable bidirectionality if desired.
    Information About Static NAT with Port Translation
    Static NAT with port translation lets you specify a real and mapped protocol (TCP or UDP) and port. 
    This section includes the following topics:
    Information About Static NAT with Port Address Translation, page 3-4
    Static NAT with Identity Port Translation, page 3-5
    Static NAT with Port Translation for Non-Standard Ports, page 3-5
    Static Interface NAT with Port Translation, page 3-6
    Information About Static NAT with Port Address Translation
    When you specify the port with static NAT, you can choose to map the port and/or the IP address to the 
    same value or to a different value.
    Figure 3-2 shows a typical static NAT with port translation scenario showing both a port that is mapped 
    to itself and a port that is mapped to a different value; the IP address is mapped to a different value in 
    both cases. The translation is always active so both translated and remote hosts can initiate connections. 
    Figure 3-2 Typical Static NAT with Port Translation Scenario
    [Figure 3-1 shows inside 10.1.1.1 mapped to outside 209.165.201.1 and inside 10.1.1.2 mapped to outside 209.165.201.2 through the security appliance.]
    [Figure 3-2 shows inside 10.1.1.1:23 mapped to outside 209.165.201.1:23 (port mapped to itself) and inside 10.1.1.2:8080 mapped to outside 209.165.201.2:80 (port mapped to a different value).]
    						
    							 
    Note: For applications that require application inspection for secondary channels (for example, FTP and VoIP), 
    the ASA automatically translates the secondary ports.
    Static NAT with Identity Port Translation
    The following static NAT with port translation example provides a single address for remote users to 
    access FTP, HTTP, and SMTP. These servers are actually different devices on the real network, but for 
    each server, you can specify static NAT with port translation rules that use the same mapped IP address, 
    but different ports. (See Figure 3-3. See the “Single Address for FTP, HTTP, and SMTP (Static 
    NAT-with-Port-Translation)” section on page 4-33 for details on how to configure this example.)
    Figure 3-3 Static NAT with Port Translation
    Static NAT with Port Translation for Non-Standard Ports
    You can also use static NAT with port translation to translate a well-known port to a non-standard port 
    or vice versa. For example, if inside web servers use port 8080, you can allow outside users to connect 
    to port 80, and then undo translation to the original port 8080. Similarly, you can tell web users to 
    connect to non-standard port 6785, and then undo translation to port 80. Moving a service to a 
    non-standard port cuts down opportunistic scanning noise, but it is not a security control: a port scan 
    still finds the service, and the access rule remains the enforcement point.
    [Figure 3-3 shows an outside host reaching three inside servers through one mapped address: 209.165.201.3:21 untranslates to FTP server 10.1.2.27, 209.165.201.3:80 to HTTP server 10.1.2.28, and 209.165.201.3:25 to SMTP server 10.1.2.29.]
    						
    							 
    Static Interface NAT with Port Translation
    You can configure static NAT to map a real address to an interface address/port combination. For 
    example, if you want to redirect Telnet access for the ASA outside interface to an inside host, then you 
    can map the inside host IP address/port 23 to the ASA interface address/port 23. (Note that although 
    Telnet to the ASA is not allowed to the lowest security interface, static NAT with interface port 
    translation redirects the Telnet session instead of denying it).
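The three port-translation cases described above (one mapped address for FTP, HTTP and SMTP; a non-standard real port; a redirect of the interface address), as an added example that is not part of this guide. Interface names and the object and access list names are assumed; addresses are taken from Figures 3-2 and 3-3. Static NAT only makes inbound initiation possible; the access rule is what permits it, and from 8.3 onward access rules match the real (untranslated) address and port, not the mapped ones.

```cisco
! Added example, not the guide's configuration. Interface, object and
! access list names are assumed; addresses follow Figures 3-2 and 3-3.
!
! One mapped address fronts three real servers; the port keeps the same
! value on both sides (static NAT with identity port translation).
object network FTP_SERVER
 host 10.1.2.27
 nat (inside,outside) static 209.165.201.3 service tcp 21 21
object network HTTP_SERVER
 host 10.1.2.28
 nat (inside,outside) static 209.165.201.3 service tcp 80 80
object network SMTP_SERVER
 host 10.1.2.29
 nat (inside,outside) static 209.165.201.3 service tcp 25 25
!
! Non-standard real port: outside users connect to 209.165.201.2:80 and the
! ASA undoes the translation to 10.1.1.2:8080. The real port is given
! first, the mapped port second.
object network WEB_8080
 host 10.1.1.2
 nat (inside,outside) static 209.165.201.2 service tcp 8080 80
!
! Static interface NAT with port translation: Telnet to the outside
! interface address is redirected to inside host 10.1.1.1:23 instead of
! being denied by the ASA.
object network TELNET_HOST
 host 10.1.1.1
 nat (inside,outside) static interface service tcp 23 23
!
! None of the above admits a packet by itself. The inbound access rule
! matches the REAL address and REAL port of each server.
access-list OUTSIDE_IN extended permit tcp any host 10.1.2.27 eq 21
access-list OUTSIDE_IN extended permit tcp any host 10.1.2.28 eq 80
access-list OUTSIDE_IN extended permit tcp any host 10.1.2.29 eq 25
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.2 eq 8080
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.1 eq 23
access-group OUTSIDE_IN in interface outside
!
! Check the untranslation and the access rule together from the outside.
packet-tracer input outside tcp 198.51.100.7 40000 209.165.201.3 80
packet-tracer input outside tcp 198.51.100.7 40001 209.165.201.2 80
show xlate
```

The packet-tracer output shows the NAT phase (which rule matched and the resulting real address) followed by the ACCESS-LIST phase; if the trace fails in the second phase, the rule is written against the mapped address rather than the real one, which is the most common mistake when migrating pre-8.3 configurations.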
    Information About One-to-Many Static NAT
    Typically, you configure static NAT with a one-to-one mapping. However, in some cases, you might want 
    to configure a single real address to several mapped addresses (one-to-many). When you configure 
    one-to-many static NAT, when the real host initiates traffic, it always uses the first mapped address. 
    However, for traffic initiated to the host, you can initiate traffic to any of the mapped addresses, and they 
    will be untranslated to the single real address.
    Figure 3-4 shows a typical one-to-many static NAT scenario. Because initiation by the real host always 
    uses the first mapped address, the translation of real host IP/1st mapped IP is technically the only 
    bidirectional translation.
    Figure 3-4 One-to-Many Static NAT
    [Figure 3-4 shows inside host 10.1.2.27 mapped to outside addresses 209.165.201.3, 209.165.201.4 and 209.165.201.5 through the security appliance.]
    						
    							 
    For example, you have a load balancer at 10.1.2.27. Depending on the URL requested, it redirects traffic 
    to the correct web server (see Figure 3-5). (See the “Inside Load Balancer with Multiple Mapped 
    Addresses (Static NAT, One-to-Many)” section on page 4-29 for details on how to configure this 
    example.)
    Figure 3-5 One-to-Many Static NAT
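The load balancer scenario above, as an added example that is not part of this guide (object, access list and interface names are assumed; addresses follow Figure 3-5). The mapped side is a range object, which is what gives the single real host several mapped addresses:

```cisco
! Added example, not the guide's configuration.
!
! One real host, three mapped addresses. Outbound traffic from 10.1.2.27
! always uses the first address in the range (209.165.201.3); inbound
! traffic to any of the three untranslates to 10.1.2.27.
object network LB_MAPPED
 range 209.165.201.3 209.165.201.5
object network LOAD_BALANCER
 host 10.1.2.27
 nat (inside,outside) static LB_MAPPED
!
! Inbound initiation still needs an access rule, written on the real address.
access-list OUTSIDE_IN extended permit tcp any host 10.1.2.27 eq 80
access-group OUTSIDE_IN in interface outside
!
! Expect 209.165.201.3 as the source in the first trace, and 10.1.2.27 as
! the destination after untranslation in the second.
packet-tracer input inside tcp 10.1.2.27 1025 198.51.100.10 80
packet-tracer input outside tcp 198.51.100.10 40000 209.165.201.5 80
```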
    Information About Other Mapping Scenarios (Not Recommended)
    The ASA has the flexibility to allow any kind of static mapping scenario: one-to-one, one-to-many, but 
    also few-to-many, many-to-few, and many-to-one mappings. We recommend using only one-to-one or 
    one-to-many mappings. These other mapping options might result in unintended consequences. 
    Functionally, few-to-many is the same as one-to-many; but because the configuration is more 
    complicated and the actual mappings may not be obvious at a glance, we recommend creating a 
    one-to-many configuration for each real address that requires it. For example, for a few-to-many 
    scenario, the few real addresses are mapped to the many mapped addresses in order (A to 1, B to 2, C to 
    3). When all real addresses are mapped, the next mapped address is mapped to the first real address, and 
    so on until all mapped addresses are mapped (A to 4, B to 5, C to 6). This results in multiple mapped 
    addresses for each real address. Just like a one-to-many configuration, only the first mappings are 
    bidirectional; subsequent mappings allow traffic to be initiated to the real host, but all traffic from the 
    real host uses only the first mapped address for the source. 
    [Figure 3-5 shows an outside host reaching load balancer 10.1.2.27, which fronts the web servers, through any of the mapped addresses 209.165.201.3, 209.165.201.4 and 209.165.201.5; each of them untranslates to 10.1.2.27.]
    						
    							 
    Figure 3-6 shows a typical few-to-many static NAT scenario.
    Figure 3-6 Few-to-Many Static NAT
    For a many-to-few or many-to-one configuration, where you have more real addresses than mapped 
    addresses, you run out of mapped addresses before you run out of real addresses. Only the mappings 
    between the lowest real IP addresses and the mapped pool result in bidirectional initiation. The 
    remaining higher real addresses can initiate traffic, but traffic cannot be initiated to them (returning 
    traffic for a connection is directed to the correct real address because of the unique 5-tuple (source IP, 
    destination IP, source port, destination port, protocol) for the connection).
    Note: Many-to-few or many-to-one NAT is not PAT. If two real hosts use the same source port number and go 
    to the same outside server and the same TCP destination port, and both hosts are translated to the same 
    IP address, then both connections will be reset because of an address conflict (the 5-tuple is not unique).
    Figure 3-7 shows a typical many-to-few static NAT scenario.
    Figure 3-7 Many-to-Few Static NAT
    Instead of using a static rule this way, we suggest that you create a one-to-one rule for the traffic that 
    needs bidirectional initiation, and then create a dynamic rule for the rest of your addresses.
    Dynamic NAT
    This section describes dynamic NAT and includes the following topics:
    Information About Dynamic NAT, page 3-9
    Dynamic NAT Disadvantages and Advantages, page 3-10
    [Figure 3-6 shows few-to-many static NAT: 10.1.2.27 to 209.165.201.3, 10.1.2.28 to 209.165.201.4, 10.1.2.27 to 209.165.201.5, 10.1.2.28 to 209.165.201.6, and 10.1.2.27 to 209.165.201.7.]
    [Figure 3-7 shows many-to-few static NAT: 10.1.2.27 to 209.165.201.3, 10.1.2.28 to 209.165.201.4, 10.1.2.29 to 209.165.201.3, 10.1.2.30 to 209.165.201.4, and 10.1.2.31 to 209.165.201.3.]
    						
    							 
    Information About Dynamic NAT
    Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the 
    destination network. The mapped pool typically includes fewer addresses than the real group. When a 
    host you want to translate accesses the destination network, the ASA assigns the host an IP address from 
    the mapped pool. The translation is created only when the real host initiates the connection. The 
    translation is in place only for the duration of the connection, and a given user does not keep the same 
    IP address after the translation times out. Users on the destination network, therefore, cannot initiate a 
    reliable connection to a host that uses dynamic NAT, even if the connection is allowed by an access rule.
    Figure 3-8 shows a typical dynamic NAT scenario. Only real hosts can create a NAT session, and 
    responding traffic is allowed back.
    Figure 3-8 Dynamic NAT
    Figure 3-9 shows a remote host attempting to initiate a connection to a mapped address. This address is 
    not currently in the translation table; therefore, the ASA drops the packet.
    Figure 3-9 Remote Host Attempts to Initiate a Connection to a Mapped Address
    [Figure 3-8 shows inside 10.1.1.1 translated to 209.165.201.1 and inside 10.1.1.2 translated to 209.165.201.2 through the security appliance.]
    [Figure 3-9 shows web server www.example.com (209.165.201.2) on the outside attempting a connection to mapped address 209.165.201.10, in front of inside hosts 10.1.2.1 and 10.1.2.27; there is no translation table entry for that address, so the ASA drops the packet.]
    						
    							 
    Note: For the duration of the translation, a remote host can initiate a connection to the translated host if an 
    access rule allows it. Because the mapped address is unpredictable, such a connection is unlikely, but 
    unpredictability is not a control; the access rule is what protects the host.
    Dynamic NAT Disadvantages and Advantages
    Dynamic NAT has these disadvantages:
    If the mapped pool has fewer addresses than the real group, you could run out of addresses if the 
    amount of traffic is more than expected.
    Use PAT or a PAT fallback method if this event occurs often because PAT provides over 64,000 
    translations using ports of a single address.
    You have to use a large number of routable addresses in the mapped pool, and routable addresses 
    may not be available in large quantities.
    The advantage of dynamic NAT is that some protocols cannot use PAT. PAT does not work with the 
    following:
    IP protocols that do not have a port to overload, such as GRE version 0. 
    Some multimedia applications that have a data stream on one port, the control path on another port, 
    and are not open standard. 
    See the “Default Settings and NAT Limitations” section on page 10-4 for more information about NAT 
    and PAT support.
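The pattern recommended above in place of many-to-few static NAT (a one-to-one static rule for the host that needs inbound initiation and a dynamic rule for the rest), combined with the PAT fallback suggested under the disadvantages, as an added example that is not part of this guide. Object and interface names, the 10.1.2.0/24 real subnet and the 209.165.201.10 to 209.165.201.20 pool are assumed.

```cisco
! Added example, not the guide's configuration.
!
! One-to-one static rule for the only host that must accept inbound
! connections. Object NAT evaluates static rules before dynamic ones, so
! this /32 rule is matched ahead of the subnet rule below.
object network DMZ_SERVER
 host 10.1.2.27
 nat (inside,outside) static 209.165.201.3
!
! Dynamic NAT for everyone else. The pool is smaller than the real group;
! the trailing "interface" keyword falls back to PAT on the outside
! interface address once the pool is exhausted, instead of dropping traffic.
object network NAT_POOL
 range 209.165.201.10 209.165.201.20
object network INSIDE_NET
 subnet 10.1.2.0 255.255.255.0
 nat (inside,outside) dynamic NAT_POOL interface
!
! Inbound to the static host still needs an access rule on the real address.
access-list OUTSIDE_IN extended permit tcp any host 10.1.2.27 eq 443
access-group OUTSIDE_IN in interface outside
!
! Verify. A dynamic translation exists only while a connection uses it and
! is removed after the xlate timeout (timeout xlate, 3 hours by default),
! so the last trace, aimed at a pool address, is dropped unless some inside
! host currently holds that address.
show nat detail
show xlate
packet-tracer input outside tcp 198.51.100.10 40000 209.165.201.12 443
```

The translation counters in show nat detail tell you whether the pool is actually being exhausted; if the fallback PAT rule is hit regularly, the pool is undersized and the hosts behind it are effectively already on PAT.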
    Dynamic PAT
    This section describes dynamic PAT and includes the following topics:
    Information About Dynamic PAT, page 3-10
    Per-Session PAT vs. Multi-Session PAT (Version 9.0(1) and Later), page 3-11
    Dynamic PAT Disadvantages and Advantages, page 3-11
    Information About Dynamic PAT
    Dynamic PAT translates multiple real addresses to a single mapped IP address by translating the real 
    address and source port to the mapped address and a unique port. If available, the real source port number 
    is used for the mapped port. However, if the real port is not available, by default the mapped ports are 
    chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to 65535. 
    Therefore, ports below 1024 have only a small PAT pool that can be used. If you have a lot of traffic that 
    uses the lower port ranges, you can specify a flat range of ports to be used instead of the three 
    unequal-sized tiers.
    Each connection requires a separate translation session because the source port differs for each 
    connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026. 
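Dynamic PAT as described above, as an added example that is not part of this guide. Object and interface names and the 209.165.201.1 PAT address are assumed. The first rule uses the default three-tier port selection; it is then replaced by a rule with a flat port range, which requires a PAT pool object and is available in 8.4(3) and later.

```cisco
! Added example, not the guide's configuration.
!
! Default behaviour: the real source port is reused if it is free on the
! mapped address, otherwise a mapped port is chosen from the same tier
! as the real port (0-511, 512-1023, 1024-65535). Sources below 1024 are
! therefore competing for a tier of at most 512 ports.
object network INSIDE_NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Flat range: mapped ports are drawn from 1024-65535 regardless of the real
! port, so low real ports no longer exhaust a small tier. include-reserve
! adds 1-1023 to that range. The flat keyword needs a pat-pool object, so
! the interface rule is removed and replaced on the same object.
object network PAT_ADDR
 host 209.165.201.1
object network INSIDE_NET
 no nat (inside,outside) dynamic interface
 nat (inside,outside) dynamic pat-pool PAT_ADDR flat include-reserve
!
! Check pool usage and the per-connection xlates (every connection has its
! own source port and therefore its own translation entry).
show nat pool
show xlate count
```

Whether the flat range is worth enabling shows up in show nat pool: a pool address whose low tiers are full while the 1024 to 65535 tier is nearly empty is the symptom the flat option addresses.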
    						