
Cisco Asdm 7 User Guide


Page 61

3-11
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 3      Information About NAT (ASA 8.3 and Later)
NAT Types
Figure 3-10 shows a typical dynamic PAT scenario. Only real hosts can create a NAT session, and 
responding traffic is allowed back. The mapped address is the same for each translation, but the port is 
dynamically assigned.
Figure 3-10 Dynamic PAT
After the connection expires, the port translation also expires. For multi-session PAT, the PAT timeout is 
used, 30 seconds by...
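A small Python model of the dynamic PAT behaviour described above, added here as a constructed example (not Cisco code): only a real host on the inside network can create a session, every session shares one mapped address while the port is assigned dynamically, reply traffic is forwarded only when it matches a live translation, and a translation disappears once it has been idle past the PAT timeout. The inside network 10.1.2.0/24 and mapped address 209.165.201.10 are borrowed from this guide's routed-mode figure; the 30-second idle timeout is an assumed stand-in for connection-based expiry.

```python
import ipaddress
import itertools
from dataclasses import dataclass

INSIDE_NET = ipaddress.ip_network("10.1.2.0/24")  # real hosts (taken from the guide's figures)
MAPPED_ADDR = "209.165.201.10"                     # single mapped address shared by all sessions
PAT_TIMEOUT = 30.0                                 # seconds; assumed stand-in for connection expiry


@dataclass
class Xlate:
    real_ip: str
    real_port: int
    mapped_port: int
    last_seen: float


class DynamicPAT:
    def __init__(self):
        self.table = {}                      # (real_ip, real_port) -> Xlate
        self.ports = itertools.count(1024)   # dynamically assigned mapped-port pool

    def outbound(self, src_ip, src_port, now):
        """Packet leaving the inside: only a real host may create a PAT session."""
        if ipaddress.ip_address(src_ip) not in INSIDE_NET:
            return None
        self.expire(now)
        key = (src_ip, src_port)
        x = self.table.get(key)
        if x is None:                        # new session: same mapped address, fresh port
            x = Xlate(src_ip, src_port, next(self.ports), now)
            self.table[key] = x
        x.last_seen = now
        return (MAPPED_ADDR, x.mapped_port)

    def inbound(self, dst_ip, dst_port, now):
        """Packet arriving at the mapped address: forwarded only if it answers a live session."""
        self.expire(now)
        if dst_ip != MAPPED_ADDR:
            return None
        for x in self.table.values():
            if x.mapped_port == dst_port:
                x.last_seen = now
                return (x.real_ip, x.real_port)
        return None                          # unsolicited inbound: no xlate, dropped

    def expire(self, now):
        """Remove translations idle longer than the PAT timeout; their ports go with them."""
        stale = [k for k, x in self.table.items() if now - x.last_seen > PAT_TIMEOUT]
        for k in stale:
            del self.table[k]
```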

Page 62

3-12
  NAT in Routed and Transparent Mode
Identity NAT
You might have a NAT configuration in which you need to translate an IP address to itself. For example, 
if you create a broad rule that applies NAT to every network, but want to exclude one network from NAT, 
you can create a static NAT rule to translate an address to itself. Identity NAT is necessary for remote 
access VPN, where you need...

Page 63

3-13
  NAT in Routed and Transparent Mode
NAT in Routed Mode
Figure 3-12 shows a typical NAT example in routed mode, with a private network on the inside.
Figure 3-12 NAT Example: Routed Mode
1. When the inside host at 10.1.2.27 sends a packet to a web server, the real source address of the packet, 10.1.2.27, is changed to a mapped address, 209.165.201.10.
2. When the server responds, it sends...

Page 64

3-14
  NAT in Routed and Transparent Mode
Figure 3-13 NAT Example: Transparent Mode
1. When the inside host at 10.1.1.75 sends a packet to a web server, the real source address of the packet, 10.1.1.75, is changed to a mapped address, 209.165.201.15.
2. When the server responds, it sends the response to the mapped address, 209.165.201.15, and the ASA receives the packet because the upstream...

Page 65

3-15
  NAT and IPv6
NAT and IPv6
You can use NAT to translate between IPv6 networks, and also to translate between IPv4 and IPv6 
networks (routed mode only). We recommend the following best practices:
NAT66 (IPv6-to-IPv6)—We recommend using static NAT. Although you can use dynamic NAT or 
PAT, IPv6 addresses are in such large supply, you do not have to use dynamic NAT. If you do not 
want to...

Page 66

3-16
  How NAT is Implemented
How source and destination NAT is implemented.
–Network object NAT— Each rule can apply to either the source or destination of a packet. So 
two rules might be used, one for the source IP address, and one for the destination IP address. 
These two rules cannot be tied together to enforce a specific translation for a source/destination 
combination.
–Twice NAT—A...

Page 67

3-17
  How NAT is Implemented
Twice NAT also lets you use service objects for static NAT with port translation; network object NAT 
only accepts inline definition.
To start configuring twice NAT, see Chapter 5, “Configuring Twice NAT (ASA 8.3 and Later).”
Figure 3-14 shows a host on the 10.1.2.0/24 network accessing two different servers. When the host 
accesses the server at 209.165.201.11,...

Page 68

3-18
  How NAT is Implemented
Figure 3-15 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses 
a single host for both web services and Telnet services. When the host accesses the server for web 
services, the real address is translated to 209.165.202.129. When the host accesses the same server for 
Telnet services, the real address is translated to...

Page 69

3-19
  How NAT is Implemented
Figure 3-16 shows a remote host connecting to a mapped host. The mapped host has a twice static NAT 
translation that translates the real address only for traffic to and from the 209.165.201.0/27 network. A 
translation does not exist for the 209.165.200.224/27 network, so the translated host cannot connect to 
that network, nor can a host on that network connect...

Page 70

3-20
  NAT Rule Order
NAT Rule Order 
Network object NAT rules and twice NAT rules are stored in a single table that is divided into three 
sections. Section 1 rules are applied first, then section 2, and finally section 3, until a match is found. 
For example, if a match is found in section 1, sections 2 and 3 are not evaluated. Table 3-1 shows the 
order of rules within each section....