
Cisco Asdm 7 User Guide


Page 191

 
6-3
Cisco ASA Series Firewall ASDM Configuration Guide
 
Chapter 6      Configuring NAT (ASA 8.2 and Earlier)
  NAT Overview
NAT in Transparent Mode
Using NAT in transparent mode eliminates the need for the upstream or downstream routers to perform 
NAT for their networks. For example, a transparent firewall ASA is useful between two VRFs so you can 
establish BGP neighbor relations between the VRFs and the global table. However, NAT per VRF might 
not be supported. In this case, using NAT in...

Page 192

 
Figure 6-2 NAT Example: Transparent Mode
NAT Control
NAT control requires that packets traversing from an inside interface to an outside interface match a NAT 
rule; for any host on the inside network to access a host on the outside network, you must configure NAT 
to translate the inside host address, as shown in Figure 6-3.
Figure 6-3 NAT Control and Outbound Traffic
Management...

Page 193

 
Interfaces at the same security level are not required to use NAT to communicate. However, if you 
configure dynamic NAT or PAT on a same security interface, then all traffic from the interface to a same 
security interface or an outside interface must match a NAT rule, as shown in Figure 6-4.
Figure 6-4 NAT Control and Same Security Traffic
Similarly, if you enable outside...

Page 194

 
NAT Types
This section describes the available NAT types, and includes the following topics:
Dynamic NAT, page 6-6
PAT, page 6-8
Static NAT, page 6-9
Static PAT, page 6-9
Bypassing NAT When NAT Control is Enabled, page 6-10
You can implement address translation as dynamic NAT, Port Address Translation, static NAT, static 
PAT, or as a mix of these types. You can also configure...

Page 195

 
Figure 6-6 Remote Host Attempts to Connect to the Real Address
Figure 6-7 shows a remote host attempting to initiate a connection to a mapped address. This address is 
not currently in the translation table; therefore, the ASA drops the packet.
Figure 6-7 Remote Host Attempts to Initiate a Connection to a Mapped Address
Note: For the duration of the translation, a remote host can...

Page 196

 
Dynamic NAT has these disadvantages:
If the mapped pool has fewer addresses than the real group, you could run out of addresses if the 
amount of traffic is more than expected.
Use PAT if this event occurs often, because PAT provides over 64,000 translations using ports of a 
single address.
You have to use a large number of routable addresses in the mapped pool; if the...

Page 197

 
Static NAT
Static NAT creates a fixed translation of real address(es) to mapped address(es). With dynamic NAT and 
PAT, each host uses a different address or port for each subsequent translation. Because the mapped 
address is the same for each consecutive connection with static NAT, and a persistent translation rule 
exists, static NAT allows hosts on the destination network to...

Page 198

 
For example, if you want to provide a single address for remote users to access FTP, HTTP, and SMTP, 
but these are all actually different servers on the real network, you can specify static PAT statements for 
each server that uses the same mapped IP address, but different ports (see Figure 6-8).
Figure 6-8 Static PAT
You can also use static PAT to translate a well-known port...

Page 199

 
the other hand, lets you specify a particular interface on which to translate the addresses. Make sure 
that the real addresses for which you use identity NAT are routable on all networks that are available 
according to your ACLs.
For identity NAT, even though the mapped address is the same as the real address, you cannot initiate 
a connection from the outside to the inside...

Page 200

 
Figure 6-9 Policy NAT with Different Destination Addresses
Figure 6-10 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses 
a single host for both web services and Telnet services. When the host accesses the server for web 
services, the real address is translated to 209.165.202.129. When the host accesses the same server for 
Telnet...