
Cisco Asdm 7 User Guide

Here you can view all the pages of manual Cisco Asdm 7 User Guide. The Cisco manuals for Computer Equipment are available online for free. You can easily download all the documents as PDF.

Page 81

 
3-31
Cisco ASA Series Firewall ASDM Configuration Guide
 
Chapter 3      Information About NAT (ASA 8.3 and Later)
  DNS and NAT
! Use twice NAT to pass traffic between the inside network and the VPN client without
! address translation (identity NAT), w/route-lookup:
nat (outside,inside) source static vpn_local vpn_local destination static inside_nw inside_nw route-lookup
Troubleshooting NAT and VPN
See the following monitoring tools for troubleshooting NAT issues with VPN:
Packet tracer—When used...

Page 82

 
Figure 3-26 shows a DNS server that is accessible from the outside interface. A server, ftp.cisco.com, is 
on the inside interface. You configure the ASA to statically translate the ftp.cisco.com real address 
(10.1.3.14) to a mapped address (209.165.201.10) that is visible on the outside network. In this case, you 
want to enable DNS reply modification on this static rule so...

Page 83

 
a static rule between the inside and DMZ, then you also need to enable DNS reply modification on this 
rule. The DNS reply will then be modified two times. In this case, the ASA again translates the address 
inside the DNS reply to 192.168.1.10 according to the static rule between inside and DMZ.
Figure 3-27 DNS Reply Modification, DNS Server, Host, and Server on Separate...

Page 84

 
Figure 3-28 shows an FTP server and DNS server on the outside. The ASA has a static translation for 
the outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS 
server, the DNS server responds with the real address, 209.165.20.10. Because you want inside users to 
use the mapped address for ftp.cisco.com (10.1.2.56) you need to...

Page 85

 
Because you want inside users to use the mapped address for ftp.cisco.com (2001:DB8::D1A5:C8E1) 
you need to configure DNS reply modification for the static translation. This example also includes a 
static NAT translation for the DNS server, and a PAT rule for the inside IPv6 hosts.
Figure 3-29 DNS64 Reply Modification Using Outside NAT

Page 86

 
Figure 3-30 shows an FTP server and DNS server on the outside. The ASA has a static translation for 
the outside server. In this case, when an inside user performs a reverse DNS lookup for 10.1.2.56, the 
ASA modifies the reverse DNS query with the real address, and the DNS server responds with the server 
name, ftp.cisco.com.
Figure 3-30 PTR Modification, DNS Server on...

Page 87

Chapter 4      Configuring Network Object NAT (ASA 8.3 and Later)
All NAT rules that are configured as a parameter of a network object are considered to be network object 
NAT rules. Network object NAT is a quick and easy way to configure NAT for a single IP address, a range 
of addresses, or a subnet. After you configure the network object, you can then identify the mapped 
address for that object.
This chapter describes how to configure...

Page 88

 
Network object NAT rules are added to section 2 of the NAT rules table. For more information about 
NAT ordering, see the “NAT Rule Order” section on page 3-20.
Licensing Requirements for Network Object NAT
The following table shows the licensing requirements for this feature:
Prerequisites for Network Object NAT
Depending on the...

Page 89

 
When using FTP with NAT46, when an IPv4 FTP client connects to an IPv6 FTP server, the client 
must use either the extended passive mode (EPSV) or extended port mode (EPRT); PASV and PORT 
commands are not supported with IPv6.
Additional Guidelines
You can only define a single NAT rule for a given object; if you want to configure multiple NAT 
rules for an...

Page 90

 
instead. See the “Routing NAT Packets” section on page 3-22 for more information.
Configuring Network Object NAT
This section describes how to configure network object NAT and includes the following topics:
Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool, page 4-4
Configuring Dynamic PAT (Hide), page 4-8
Configuring Static NAT or Static...