Cisco Asdm 7 User Guide

Cisco ASA Series Firewall ASDM Configuration Guide

Chapter 3      Information About NAT (ASA 8.3 and Later)
! Use twice NAT to pass traffic between the inside network and the VPN client without
! address translation (identity NAT), w/route-lookup:
nat (outside,inside) source static vpn_local vpn_local destination static inside_nw inside_nw route-lookup
Troubleshooting NAT and VPN
See the following monitoring tools for troubleshooting NAT issues with VPN:
Packet tracer—When used correctly, a packet tracer shows which NAT rules a packet is hitting.
show nat detail—Shows hit counts and untranslated traffic for a given NAT rule.
show conn all—Lets you see active connections including to and from the box traffic.
To familiarize yourself with a non-working configuration vs. a working configuration, you can perform the following steps:
1. Configure VPN without identity NAT.
2. Enter show nat detail and show conn all.
3. Add the identity NAT configuration.
4. Repeat show nat detail and show conn all.
    DNS and NAT
    You might need to configure the ASA to modify DNS replies by replacing the address in the reply with 
    an address that matches the NAT configuration. You can configure DNS modification when you 
    configure each translation rule.
    This feature rewrites the address in DNS queries and replies that match a NAT rule (for example, the A 
    record for IPv4, the AAAA record for IPv6, or the PTR record for reverse DNS queries). For DNS replies 
    traversing from a mapped interface to any other interface, the record is rewritten from the mapped value 
    to the real value. Inversely, for DNS replies traversing from any interface to a mapped interface, the 
    record is rewritten from the real value to the mapped value.
Note: DNS rewrite is not applicable for PAT because multiple PAT rules are applicable for each A-record, and the PAT rule to use is ambiguous.
Note: If you configure a twice NAT rule, you cannot configure DNS modification if you specify the source address as well as the destination address. These kinds of rules can potentially have a different translation for a single address when going to A vs. B. Therefore, the ASA cannot accurately match the IP address inside the DNS reply to the correct twice NAT rule; the DNS reply does not contain information about which source/destination address combination was in the packet that prompted the DNS request.
Note: This feature requires DNS application inspection to be enabled, which it is by default. See the “DNS Inspection” section on page 11-1 for more information.
    Figure 3-26 shows a DNS server that is accessible from the outside interface. A server, ftp.cisco.com, is 
    on the inside interface. You configure the ASA to statically translate the ftp.cisco.com real address 
    (10.1.3.14) to a mapped address (209.165.201.10) that is visible on the outside network. In this case, you 
    want to enable DNS reply modification on this static rule so that inside users who have access to 
    ftp.cisco.com using the real address receive the real address from the DNS server, and not the mapped 
    address. When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server 
    replies with the mapped address (209.165.201.10). The ASA refers to the static rule for the inside server 
    and translates the address inside the DNS reply to 10.1.3.14. If you do not enable DNS reply 
    modification, then the inside host attempts to send traffic to 209.165.201.10 instead of accessing 
    ftp.cisco.com directly.
    Figure 3-26 DNS Reply Modification, DNS Server on Outside
[Figure 3-26: DNS server on outside, user on inside, ftp.cisco.com 10.1.3.14 on inside with a static translation on outside to 209.165.201.10. Steps: DNS query ftp.cisco.com?; DNS reply 209.165.201.10 from the DNS server; DNS reply modification on the security appliance, 209.165.201.10 -> 10.1.3.14; DNS reply 10.1.3.14 to the user; FTP request to 10.1.3.14.]
Figure 3-27 shows a user on the inside network requesting the IP address for ftp.cisco.com, which is on the DMZ network, from an outside DNS server. The DNS server replies with the mapped address (209.165.201.10) according to the static rule between outside and DMZ even though the user is not on the DMZ network. The ASA translates the address inside the DNS reply to 10.1.3.14. If the user needs to access ftp.cisco.com using the real address, then no further configuration is required. If there is also a static rule between the inside and DMZ, then you also need to enable DNS reply modification on this rule. The DNS reply will then be modified two times. In this case, the ASA again translates the address inside the DNS reply to 192.168.1.10 according to the static rule between inside and DMZ.
    Figure 3-27 DNS Reply Modification, DNS Server, Host, and Server on Separate Networks
[Figure 3-27: DNS server on outside, user on inside, ftp.cisco.com 10.1.3.14 on the DMZ. Static translation 1 on outside to 209.165.201.10; static translation 2 on inside to 192.168.1.10. Steps: DNS query ftp.cisco.com?; DNS reply 209.165.201.10; DNS reply modification 1 on the security device, 209.165.201.10 -> 10.1.3.14; DNS reply modification 2, 10.1.3.14 -> 192.168.1.10; DNS reply 192.168.1.10 to the user; FTP request to 192.168.1.10; translation to 10.1.3.14 toward the DMZ.]
Figure 3-28 shows an FTP server and DNS server on the outside. The ASA has a static translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.201.10. Because you want inside users to use the mapped address for ftp.cisco.com (10.1.2.56) you need to configure DNS reply modification for the static translation.
Figure 3-28 DNS Reply Modification, DNS Server on Host Network
[Figure 3-28: ftp.cisco.com 209.165.201.10 and the DNS server on outside; user 10.1.2.27 on inside; static translation on inside to 10.1.2.56. Steps: DNS query ftp.cisco.com?; DNS reply 209.165.201.10; DNS reply modification on the security appliance, 209.165.201.10 -> 10.1.2.56; DNS reply 10.1.2.56 to the user; FTP request to 10.1.2.56; destination address translation 10.1.2.56 -> 209.165.201.10; FTP request to 209.165.201.10.]
Figure 3-29 shows an FTP server and DNS server on the outside IPv4 network. The ASA has a static translation for the outside server. In this case, when an inside IPv6 user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.200.225. Because you want inside users to use the mapped address for ftp.cisco.com (2001:DB8::D1A5:C8E1) you need to configure DNS reply modification for the static translation. This example also includes a static NAT translation for the DNS server, and a PAT rule for the inside IPv6 hosts.
    Figure 3-29 DNS64 Reply Modification Using Outside NAT
[Figure 3-29: ftp.cisco.com 209.165.200.225 and DNS server 209.165.201.15 on the IPv4 Internet; user 2001:DB8::1 on the IPv6 net. Static translation on inside to 2001:DB8::D1A5:C8E1 for ftp.cisco.com and to 2001:DB8::D1A5:C90F for the DNS server; PAT translation on outside to 209.165.200.230. Steps: DNS query ftp.cisco.com?; DNS reply 209.165.200.225; DNS reply modification on the security device, 209.165.200.225 -> 2001:DB8::D1A5:C8E1; DNS reply 2001:DB8::D1A5:C8E1 to the user; FTP request to 2001:DB8::D1A5:C8E1; destination address translation 2001:DB8::D1A5:C8E1 -> 209.165.200.225; FTP request to 209.165.200.225.]
    Figure 3-30 shows an FTP server and DNS server on the outside. The ASA has a static translation for 
    the outside server. In this case, when an inside user performs a reverse DNS lookup for 10.1.2.56, the 
    ASA modifies the reverse DNS query with the real address, and the DNS server responds with the server 
    name, ftp.cisco.com.
    Figure 3-30 PTR Modification, DNS Server on Host Network
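The rewrite rules stated at the start of this section (a record crossing from the mapped interface to any other interface has its mapped value replaced by the real value, a record crossing into the mapped interface has its real value replaced by the mapped value), the two notes on PAT and on twice NAT with source plus destination, and the replies and reverse query in Figures 3-26 through 3-30 can be exercised in a small model. The block below is an added example written for this page; it is not Cisco code and not how the ASA is implemented. The NatRule class, the FIG_* rule lists, the wire-format helpers, and the choice to keep re-applying rules until the address stops changing (so the Figure 3-27 reply is modified twice) are this example's own assumptions. It builds constructed DNS messages, applies the rewrite a record would get crossing from one interface to another, and leaves PAT rules and source-plus-destination twice NAT rules alone.

```python
# Model of the ASA's DNS rewrite for static NAT rules (added example, not Cisco code).
# NatRule, the FIG_* constants and the wire helpers are this example's own names.
import ipaddress
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class NatRule:
    real_if: str          # interface where the real address lives
    mapped_if: str        # interface where the mapped address is visible
    real: str
    mapped: str
    kind: str = "static"  # "static", "pat" (dynamic PAT) or "twice-src-dst"
    dns: bool = True      # the rule's DNS reply modification option

# Object NAT rules of Figures 3-26, 3-27, 3-28/3-30 and 3-29 as (real_if, mapped_if).
FIG_3_26 = [NatRule("inside", "outside", "10.1.3.14", "209.165.201.10")]
FIG_3_27 = [NatRule("dmz", "outside", "10.1.3.14", "209.165.201.10"),
            NatRule("dmz", "inside", "10.1.3.14", "192.168.1.10")]
FIG_3_28 = [NatRule("outside", "inside", "209.165.201.10", "10.1.2.56")]
FIG_3_29 = [NatRule("outside", "inside", "209.165.200.225", "2001:DB8::D1A5:C8E1")]

def rewrite_address(rules, addr, ingress, egress):
    """Address after DNS rewrite for a record crossing from ingress to egress."""
    ip = ipaddress.ip_address(addr)
    for _ in range(len(rules) + 1):  # repeat so chained rules apply (Figure 3-27)
        before = ip
        for r in rules:
            # PAT: one A record may belong to several PAT rules; twice NAT with
            # source and destination: the reply is not tied to one src/dst pair.
            if not r.dns or r.kind in ("pat", "twice-src-dst"):
                continue
            real, mapped = ipaddress.ip_address(r.real), ipaddress.ip_address(r.mapped)
            if ingress == r.mapped_if and egress != r.mapped_if and ip == mapped:
                ip = real    # mapped interface -> any other: mapped value -> real value
            elif egress == r.mapped_if and ingress != r.mapped_if and ip == real:
                ip = mapped  # any interface -> mapped interface: real value -> mapped value
        if ip == before:
            break
    return str(ip)

def _encode_name(name):
    return b"".join(bytes([len(x)]) + x.encode() for x in name.rstrip(".").split(".")) + b"\x00"

def _read_name(msg, off):  # decode a (possibly compressed) name -> (name, offset after it)
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + n].decode()); off += n

def build_message(qname, qtype, answers=(), txid=0x1234):
    """Constructed DNS query (no answers) or reply; qtype 1 = A, 12 = PTR, class IN."""
    msg = struct.pack("!HHHHHH", txid, 0x8180 if answers else 0x0100, 1, len(answers), 0, 0)
    msg += _encode_name(qname) + struct.pack("!HH", qtype, 1)
    for a in answers:
        rdata = ipaddress.ip_address(a).packed if qtype == 1 else _encode_name(a)
        msg += _encode_name(qname) + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
    return msg

def parse(msg):
    """Return {'questions': [(name, qtype)], 'answers': [(name, rtype, ttl, rdata_text)]}."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        questions.append((name, struct.unpack("!H", msg[off:off + 2])[0])); off += 4
    for _ in range(an + ns + ar):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        text = str(ipaddress.ip_address(rdata)) if rtype in (1, 28) else rdata.hex()
        answers.append((name, rtype, ttl, text)); off += 10 + rdlen
    return {"questions": questions, "answers": answers}

def asa_dns_rewrite(rules, msg, ingress, egress):
    """Rewrite A/AAAA answers and in-addr.arpa PTR questions; names are re-encoded
    without compression (a simplification of this model)."""
    parsed, out = parse(msg), bytearray(msg[:12])
    for name, qtype in parsed["questions"]:
        if qtype == 12 and name.endswith(".in-addr.arpa"):  # reverse lookup (Figure 3-30)
            addr = ".".join(reversed(name[:-len(".in-addr.arpa")].split(".")))
            name = ipaddress.ip_address(rewrite_address(rules, addr, ingress, egress)).reverse_pointer
        out += _encode_name(name) + struct.pack("!HH", qtype, 1)
    for name, rtype, ttl, text in parsed["answers"]:
        if rtype in (1, 28):  # A / AAAA answer (Figures 3-26 to 3-28)
            old = ipaddress.ip_address(text)
            new = ipaddress.ip_address(rewrite_address(rules, text, ingress, egress))
            rdata = new.packed if new.version == old.version else old.packed  # DNS64 A->AAAA not modelled
        else:
            rdata = bytes.fromhex(text)
        out += _encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return bytes(out)
```

rewrite_address is what a practitioner can reason about: feed it the rule set and the two interfaces a reply crosses and it returns what the client will see, or the unchanged address when the rule has no dns option, is PAT, or is a twice NAT rule with both source and destination. The NAT64 case of Figure 3-29 is exercised only at address level because the record-type change a DNS64 rewrite implies is outside this model.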
[Figure 3-30: ftp.cisco.com 209.165.201.10 and the DNS server on outside; user 10.1.2.27 on inside; static translation on inside to 10.1.2.56. Steps: reverse DNS query 10.1.2.56?; reverse DNS query modification on the security device, 10.1.2.56 -> 209.165.201.10; reverse DNS query 209.165.201.10 to the DNS server; PTR record ftp.cisco.com returned.]
Where to Go Next
To configure network object NAT, see Chapter 4, “Configuring Network Object NAT (ASA 8.3 and Later).”
To configure twice NAT, see Chapter 5, “Configuring Twice NAT (ASA 8.3 and Later).”
    						
Chapter 4      Configuring Network Object NAT (ASA 8.3 and Later)
    All NAT rules that are configured as a parameter of a network object are considered to be network object 
    NAT rules. Network object NAT is a quick and easy way to configure NAT for a single IP address, a range 
    of addresses, or a subnet. After you configure the network object, you can then identify the mapped 
    address for that object.
    This chapter describes how to configure network object NAT, and it includes the following sections:
    Information About Network Object NAT, page 4-1
    Licensing Requirements for Network Object NAT, page 4-2
    Prerequisites for Network Object NAT, page 4-2
    Guidelines and Limitations, page 4-2
    Default Settings, page 4-3
    Configuring Network Object NAT, page 4-4
    Monitoring Network Object NAT, page 4-19
    Configuration Examples for Network Object NAT, page 4-20
    Feature History for Network Object NAT, page 4-45
Note: For detailed information about how NAT works, see Chapter 3, “Information About NAT (ASA 8.3 and Later).”
    Information About Network Object NAT
    When a packet enters the ASA, both the source and destination IP addresses are checked against the 
    network object NAT rules. The source and destination address in the packet can be translated by separate 
    rules if separate matches are made. These rules are not tied to each other; different combinations of rules 
    can be used depending on the traffic.
    Because the rules are never paired, you cannot specify that a source address should be translated to A 
    when going to destination X, but be translated to B when going to destination Y. Use twice NAT for that 
    kind of functionality (twice NAT lets you identify the source and destination address in a single rule).
    For detailed information about the differences between twice NAT and network object NAT, see the 
    “How NAT is Implemented” section on page 3-15. 
    						
    							 
    Network object NAT rules are added to section 2 of the NAT rules table. For more information about 
    NAT ordering, see the “NAT Rule Order” section on page 3-20.
Licensing Requirements for Network Object NAT
The following table shows the licensing requirements for this feature:
Model          License Requirement
All models     Base License
Prerequisites for Network Object NAT
Depending on the configuration, you can configure the mapped address inline if desired or you can create a separate network object or network object group for the mapped address. Network object groups are particularly useful for creating a mapped address pool with discontinuous IP address ranges or multiple hosts or subnets. To create a network object or group, see the “Configuring Network Objects and Groups” section on page 20-2 in the general operations configuration guide.
For specific guidelines for objects and groups, see the configuration section for the NAT type you want to configure. See also the “Guidelines and Limitations” section.
Guidelines and Limitations
Context Mode Guidelines
Supported in single and multiple context mode.
Firewall Mode Guidelines
Supported in routed and transparent firewall mode.
In transparent mode, you must specify the real and mapped interfaces; you cannot use --Any--.
In transparent mode, you cannot configure interface PAT, because the transparent mode interfaces do not have IP addresses. You also cannot use the management IP address as a mapped address.
In transparent mode, translating between IPv4 and IPv6 networks is not supported. Translating between two IPv6 networks, or between two IPv4 networks is supported.
IPv6 Guidelines
Supports IPv6. See also the “NAT and IPv6” section on page 3-15.
For routed mode, you can also translate between IPv4 and IPv6.
For transparent mode, translating between IPv4 and IPv6 networks is not supported. Translating between two IPv6 networks, or between two IPv4 networks is supported.
For transparent mode, a PAT pool is not supported for IPv6.
For static NAT, you can specify an IPv6 subnet up to /64. Larger subnets are not supported.
    						
    							 
    When using FTP with NAT46, when an IPv4 FTP client connects to an IPv6 FTP server, the client 
    must use either the extended passive mode (EPSV) or extended port mode (EPRT); PASV and PORT 
    commands are not supported with IPv6.
    Additional Guidelines
    You can only define a single NAT rule for a given object; if you want to configure multiple NAT 
    rules for an object, you need to create multiple objects with different names that specify the same 
    IP address, for example, object network obj-10.10.10.1-01, object network obj-10.10.10.1-02, 
    and so on.
    If you change the NAT configuration, and you do not want to wait for existing translations to time 
    out before the new NAT configuration is used, you can clear the translation table using the clear 
    xlate command. However, clearing the translation table disconnects all current connections that use 
    translations.
Note: If you remove a dynamic NAT or PAT rule, and then add a new rule with mapped addresses that overlap the addresses in the removed rule, then the new rule will not be used until all connections associated with the removed rule time out or are cleared using the clear xlate command. This safeguard ensures that the same address is not assigned to multiple hosts.
    Objects and object groups used in NAT cannot be undefined; they must include IP addresses.
    You cannot use an object group with both IPv4 and IPv6 addresses; the object group must include 
    only one type of address.
    You can use the same mapped object or group in multiple NAT rules.
    The mapped IP address pool cannot include:
    –The mapped interface IP address. If you specify --Any-- interface for the rule, then all interface 
    IP addresses are disallowed. For interface PAT (routed mode only), use the interface name 
    instead of the IP address.
    –(Transparent mode) The management IP address.
    –(Dynamic NAT) The standby interface IP address when VPN is enabled.
    –Existing VPN pool addresses.
    For application inspection limitations with NAT or PAT, see the “Default Settings and NAT 
    Limitations” section on page 10-4 in Chapter 10, “Getting Started with Application Layer Protocol 
    Inspection.”
    Default Settings
    (Routed mode) The default real and mapped interface is Any, which applies the rule to all interfaces.
    (8.3(1), 8.3(2), and 8.4(1)) The default behavior for identity NAT has proxy ARP disabled. You 
    cannot configure this setting. (8.4(2) and later) The default behavior for identity NAT has proxy 
    ARP enabled, matching other static NAT rules. You can disable proxy ARP if desired. See the 
    “Routing NAT Packets” section on page 3-22 for more information.
If you specify an optional interface, then the ASA uses the NAT configuration to determine the egress interface. (8.3(1) through 8.4(1)) The only exception is for identity NAT, which always uses a route lookup, regardless of the NAT configuration. (8.4(2) and later) For identity NAT, the default behavior is to use the NAT configuration, but you have the option to always use a route lookup instead. See the “Routing NAT Packets” section on page 3-22 for more information.
    Configuring Network Object NAT
    This section describes how to configure network object NAT and includes the following topics:
    Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool, page 4-4
    Configuring Dynamic PAT (Hide), page 4-8
    Configuring Static NAT or Static NAT-with-Port-Translation, page 4-11
    Configuring Identity NAT, page 4-15
    Configuring Per-Session PAT Rules, page 4-18
    Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool
    This section describes how to configure network object NAT for dynamic NAT or for dynamic PAT using 
    a PAT pool. For more information, see the “Dynamic NAT” section on page 3-8 or the “Dynamic PAT” 
    section on page 3-10.
    Guidelines
    For a PAT pool:
    If available, the real source port number is used for the mapped port. However, if the real port is not 
    available, by default the mapped ports are chosen from the same range of ports as the real port 
    number: 0 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only a small 
    PAT pool that can be used. (8.4(3) and later, not including 8.5(1) or 8.6(1)) If you have a lot of traffic 
    that uses the lower port ranges, you can now specify for a PAT pool a flat range of ports to be used 
    instead of the three unequal-sized tiers: either 1024 to 65535, or 1 to 65535.
    If you use the same PAT pool object in two separate rules, then be sure to specify the same options 
    for each rule. For example, if one rule specifies extended PAT and a flat range, then the other rule 
    must also specify extended PAT and a flat range.
    For extended PAT for a PAT pool:
    Many application inspections do not support extended PAT. See the “Default Settings and NAT 
    Limitations” section on page 10-4 in Chapter 10, “Getting Started with Application Layer Protocol 
    Inspection,” for a complete list of unsupported inspections.
    If you enable extended PAT for a dynamic PAT rule, then you cannot also use an address in the PAT 
    pool as the PAT address in a separate static NAT with port translation rule. For example, if the PAT 
    pool includes 10.1.1.1, then you cannot create a static NAT-with-port-translation rule using 10.1.1.1 
    as the PAT address.
    If you use a PAT pool and specify an interface for fallback, you cannot specify extended PAT.
    For VoIP deployments that use ICE or TURN, do not use extended PAT. ICE and TURN rely on the 
    PAT binding to be the same for all destinations.
    For round robin for a PAT pool:
    If a host has an existing connection, then subsequent connections from that host will use the same 
    PAT IP address if ports are available. Note: This “stickiness” does not survive a failover. If the ASA 
    fails over, then subsequent connections from a host may not use the initial IP address. 
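The port-tier behaviour described under the PAT pool guidelines (the real source port is reused when free, otherwise a mapped port is taken from the same tier, 0 to 511, 512 to 1023 or 1024 to 65535, unless a flat range is configured) and the round-robin stickiness described just above can be seen in a small allocator. The following is an added example for this page, not Cisco code and not the ASA's allocator: PatPool, its methods, the host names and the pool addresses are this example's own. Two behaviours it assumes are not stated on this page and are marked as assumptions in the code: that without round robin the first pool address is filled before the next one is used, and that with a flat range a real port outside that range is not reused.

```python
# Model of mapped-port selection for a PAT pool (added example, not Cisco code).
# The three port tiers, the flat-range option and round-robin stickiness follow the
# guideline text; PatPool, its methods, the host names and pool addresses are this example's own.
from collections import defaultdict
import ipaddress

# Default tiers: a mapped port is taken from the same tier as the real source port.
TIERS = [(0, 511), (512, 1023), (1024, 65535)]

class PatPool:
    def __init__(self, addresses, flat=False, include_reserve=False, round_robin=False):
        self.addresses = [str(ipaddress.ip_address(a)) for a in addresses]
        self.flat = flat                                # 8.4(3)+: one flat range instead of tiers
        self.flat_low = 1 if include_reserve else 1024  # flat range 1-65535 or 1024-65535
        self.round_robin = round_robin
        self.used = defaultdict(set)                    # mapped IP -> mapped ports in use
        self.sticky = {}                                # real host -> mapped IP it already uses
        self._next = 0                                  # round-robin cursor

    def candidate_ports(self, real_port):
        """Mapped ports allowed for a given real source port."""
        if self.flat:
            return range(self.flat_low, 65536)
        lo, hi = next(t for t in TIERS if t[0] <= real_port <= t[1])
        return range(lo, hi + 1)

    def _address_order(self, real_host):
        if not self.round_robin:
            return self.addresses  # assumption of this model: fill the first address first
        if real_host in self.sticky:  # host has an existing connection: keep its PAT IP
            ip = self.sticky[real_host]
            return [ip] + [a for a in self.addresses if a != ip]
        order = self.addresses[self._next:] + self.addresses[:self._next]
        self._next = (self._next + 1) % len(self.addresses)
        return order

    def allocate(self, real_host, real_port):
        """Return (mapped_ip, mapped_port), or None when no port is free in the allowed range."""
        ports = self.candidate_ports(real_port)
        for ip in self._address_order(real_host):
            used = self.used[ip]
            if real_port in ports and real_port not in used:
                port = real_port  # real source port reused when it is free (and in range: assumption)
            else:
                port = next((p for p in ports if p not in used), None)
            if port is not None:
                used.add(port)
                self.sticky[real_host] = ip
                return ip, port
        return None  # this tier (or the flat range) is exhausted on every pool address

    def failover(self):
        """Round-robin stickiness does not survive a failover; existing ports stay in use here."""
        self.sticky.clear()

def count_allocations(pool, real_port, hosts):
    """How many of `hosts` distinct real hosts get a mapping for the same real source port."""
    return sum(pool.allocate(f"host-{i}", real_port) is not None for i in range(hosts))
```

With a single pool address and 600 hosts all using source port 443, the tiered default hands out only the 512 ports of the 0 to 511 tier before allocation fails, while the flat range serves all 600; that is the case the guideline warns about for traffic in the lower port ranges. With round robin on, a host's second connection stays on the PAT address its first connection got until failover() clears the stickiness.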
    						