
Cisco Asdm 7 User Guide


Page 201

 
6-13
Cisco ASA Series Firewall ASDM Configuration Guide
 
Chapter 6      Configuring NAT (ASA 8.2 and Earlier)
  NAT Overview
For policy static NAT, both translated and remote hosts can originate traffic. For traffic originated on the 
translated network, the NAT rule specifies the real addresses and the destination addresses, but for traffic 
originated on the remote network, the rule identifies the real addresses and the source addresses of 
remote hosts who are allowed to connect to the host using...

Page 202

 
Order of NAT Rules Used to Match Real Addresses
The ASA matches real addresses to NAT rules in the following order:
1. NAT exemption—In order, until the first match.
2. Static NAT and Static PAT (regular and policy)—In order, until the first match. Static identity NAT is included in this category.
3. Policy dynamic NAT—In order, until the first match. Overlapping addresses are...

Page 203

 
When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with 
the mapped address (209.165.201.10). The ASA refers to the static statement for the inside server and 
translates the address inside the DNS reply to 10.1.3.14. If you do not enable DNS reply modification, 
then the inside host attempts to send traffic to 209.165.201.10 instead...

Page 204

 
  Configuring NAT Control
Figure 6-13 shows a web server and DNS server on the outside. The ASA has a static translation for the 
outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS 
server, the DNS server responds with the real address, 209.165.20.10. Because you want inside users to 
use the mapped address for ftp.cisco.com (10.1.2.56) you...

Page 205

 
Using Dynamic NAT 
This section describes how to configure dynamic NAT, including dynamic NAT and PAT, dynamic policy 
NAT and PAT, and identity NAT.
Policy NAT lets you identify real addresses for address translation by specifying the source and 
destination addresses. You can also optionally specify the source and destination ports. Regular NAT can 
only consider the...

Page 206

 
Real Addresses and Global Pools Paired Using a Pool ID
In a dynamic NAT rule, you specify real addresses and then pair them with a global pool of addresses to 
which the real addresses are mapped when they exit another interface (in the case of PAT, this is one 
address, and in the case of identity NAT, this is the same as the real address). Each global pool is assigned 
a...

Page 207

 
Figure 6-15).
Figure 6-15 NAT Rules and Global Pools using the Same ID on Multiple Interfaces
Multiple NAT Rules with Different Global Pools on the Same Interface
You can identify different sets of real addresses to have different mapped addresses. For example, on the 
Inside interface, you can have two NAT rules on two different pool IDs. On the Outside interface, you...

Page 208

 
Figure 6-16 Different NAT IDs
Multiple Addresses in the Same Global Pool
You can have multiple addresses in the same global pool; the ASA uses the dynamic NAT ranges of 
addresses first, in the order they are in the configuration, and then uses the PAT single addresses in order. 
You might want to add both a range of addresses and a PAT address if you need to use dynamic...

Page 209

 
Figure 6-17 NAT and PAT Together
Outside NAT
If a NAT rule translates addresses from an outside interface to an inside interface, then the rule is an 
outside NAT rule, and you need to specify that it translates inbound traffic. If you also want to translate 
the same traffic when it accesses a lower security interface (for example, traffic on a DMZ is translated 
when...

Page 210

 
Figure 6-18 Outside NAT and Inside NAT Combined
Real Addresses in a NAT Rule Must be Translated on All Lower or Same Security Interfaces
When you create a NAT rule for a group of IP addresses, then you must perform NAT on that group of 
addresses when they access any lower or same security level interface; you must create a global pool 
with the same pool ID on each...