Cisco ASDM 7 User Guide
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 4 Configuring Network Object NAT (ASA 8.3 and Later)
Configuration Examples for Network Object NAT

Step 9 Click Advanced to configure the real and mapped interfaces and port translation for SMTP.
Step 10 Click OK to return to the Edit Network Object dialog box, click OK again, and then click Apply.

DNS Server on Mapped Interface, Web Server on Real Interface (Static NAT with DNS Modification)

For example, a DNS server is accessible from the outside interface. A server, ftp.cisco.com, is on the inside interface. You configure the ASA to statically translate the ftp.cisco.com real address (10.1.3.14) to a mapped address (209.165.201.10) that is visible on the outside network. (See Figure 4-5.) In this case, you want to enable DNS reply modification on this static rule so that inside users who have access to ftp.cisco.com using the real address receive the real address from the DNS server, and not the mapped address.
When an inside host sends a DNS request for the address of ftp.cisco.com, the DNS server replies with the mapped address (209.165.201.10). The ASA refers to the static rule for the inside server and translates the address inside the DNS reply to 10.1.3.14. If you do not enable DNS reply modification, then the inside host attempts to send traffic to 209.165.201.10 instead of accessing ftp.cisco.com directly.

Figure 4-5 DNS Reply Modification
[Diagram labels: DNS Server (Outside); User (Inside); Security Appliance; ftp.cisco.com 10.1.3.14, Static Translation on Outside to: 209.165.201.10; DNS Query ftp.cisco.com?; DNS Reply 209.165.201.10; DNS Reply Modification 209.165.201.10 to 10.1.3.14; DNS Reply 10.1.3.14; FTP Request 10.1.3.14]

Step 1 Create a network object for the FTP server address:
Step 2 Define the FTP server address, and configure static NAT with DNS modification:
Step 3 Click Advanced to configure the real and mapped interfaces and DNS modification.
Step 4 Click OK to return to the Edit Network Object dialog box, click OK again, and then click Apply.
DNS Server and FTP Server on Mapped Interface, FTP Server is Translated (Static NAT with DNS Modification)

Figure 4-6 shows an FTP server and DNS server on the outside. The ASA has a static translation for the outside server. In this case, when an inside user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.201.10. Because you want inside users to use the mapped address for ftp.cisco.com (10.1.2.56) you need to configure DNS reply modification for the static translation.

Figure 4-6 DNS Reply Modification Using Outside NAT
[Diagram labels: ftp.cisco.com 209.165.201.10 and DNS Server (Outside); User 10.1.2.27 (Inside); Security Appliance; Static Translation on Inside to: 10.1.2.56; DNS Query ftp.cisco.com?; DNS Reply 209.165.201.10; DNS Reply Modification 209.165.201.10 to 10.1.2.56; DNS Reply 10.1.2.56; FTP Request 10.1.2.56; Dest Addr. Translation 10.1.2.56 to 209.165.201.10; FTP Request 209.165.201.10]

Step 1 Create a network object for the FTP server address:
Step 2 Define the FTP server address, and configure static NAT with DNS modification:
Step 3 Click Advanced to configure the real and mapped interfaces and DNS modification.
Step 4 Click OK to return to the Edit Network Object dialog box, click OK again, and then click Apply.
IPv4 DNS Server and FTP Server on Mapped Interface, IPv6 Host on Real Interface (Static NAT64 with DNS64 Modification)

Figure 4-6 shows an FTP server and DNS server on the outside IPv4 network. The ASA has a static translation for the outside server. In this case, when an inside IPv6 user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.200.225. Because you want inside users to use the mapped address for ftp.cisco.com (2001:DB8::D1A5:C8E1) you need to configure DNS reply modification for the static translation. This example also includes a static NAT translation for the DNS server, and a PAT rule for the inside IPv6 hosts.

Figure 4-7 DNS Reply Modification Using Outside NAT
[Diagram labels: ftp.cisco.com 209.165.200.225, Static Translation on Inside to: 2001:DB8::D1A5:C8E1; DNS Server 209.165.201.15, Static Translation on Inside to: 2001:DB8::D1A5:C90F; IPv4 Internet; IPv6 Net; User: 2001:DB8::1, PAT Translation on Outside to: 209.165.200.230; Security Device; DNS Query ftp.cisco.com?; DNS Reply 209.165.200.225; DNS Reply Modification 209.165.200.225 to 2001:DB8::D1A5:C8E1; DNS Reply 2001:DB8::D1A5:C8E1; FTP Request 2001:DB8::D1A5:C8E1; Dest Addr. Translation 2001:DB8::D1A5:C8E1 to 209.165.200.225; FTP Request 209.165.200.225]

Step 1 Configure static NAT with DNS modification for the FTP server.
a. Create a network object for the FTP server address.
b. Define the FTP server address, and configure static NAT with DNS modification and, because this is a one-to-one translation, configure the one-to-one method for NAT46.
c. Click Advanced to configure the real and mapped interfaces and DNS modification.
d. Click OK to return to the Edit Network Object dialog box.

Step 2 Configure NAT for the DNS server.
a. Create a network object for the DNS server address.
b. Define the DNS server address, and configure static NAT using the one-to-one method.
c. Click Advanced to configure the real and mapped interfaces.
d. Click OK to return to the Edit Network Object dialog box.

Step 3 Configure an IPv4 PAT pool for translating the inside IPv6 network. Under NAT, uncheck the Add Automatic Address Translation Rules check box.

Step 4 Configure PAT for the inside IPv6 network.
a. Create a network object for the inside IPv6 network.
b. Define the IPv6 network address, and configure dynamic NAT using a PAT pool.
c. Next to the PAT Pool Translated Address field, click the ... button to choose the PAT pool you created earlier, and click OK.
d. Click Advanced to configure the real and mapped interfaces.
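
The following is an added example, not part of the Cisco guide and not ASA code: a simplified Python model of the DNS reply modification described in the three scenarios above (inside server, outside server with outside NAT, and NAT64), showing what the inside client receives in each case. The class and function names are hypothetical; the addresses are the ones used in the text.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class StaticNat:
    """Simplified model of one static NAT rule (hypothetical class, not ASA code)."""
    real_ifc: str     # interface where the server actually sits
    mapped_ifc: str   # interface where the mapped address is visible
    real: str
    mapped: str
    dns: bool = True  # the rule's DNS modification option

def rewrite_dns_answer(rules, answer, from_ifc, to_ifc):
    """Address the client receives when a DNS reply carrying `answer`
    crosses the firewall from from_ifc to to_ifc."""
    ans = ipaddress.ip_address(answer)
    for r in rules:
        if not r.dns:
            continue
        real, mapped = ipaddress.ip_address(r.real), ipaddress.ip_address(r.mapped)
        # Reply enters on the mapped side: mapped address becomes the real one.
        if (from_ifc, to_ifc) == (r.mapped_ifc, r.real_ifc) and ans == mapped:
            return str(real)
        # Reply enters on the real side (outside NAT): real becomes mapped.
        if (from_ifc, to_ifc) == (r.real_ifc, r.mapped_ifc) and ans == real:
            return str(mapped)
    return str(ans)  # no matching rule with DNS modification: reply unchanged

def embedded_ipv4(mapped_v6):
    """IPv4 address carried in the low 32 bits of a mapped IPv6 address."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv6Address(mapped_v6)) & 0xFFFFFFFF))

# The three static rules from the page's examples (addresses taken from the text).
INSIDE_SERVER = StaticNat("inside", "outside", "10.1.3.14", "209.165.201.10")
OUTSIDE_SERVER = StaticNat("outside", "inside", "209.165.201.10", "10.1.2.56")
NAT64_SERVER = StaticNat("outside", "inside", "209.165.200.225", "2001:DB8::D1A5:C8E1")

def demo():
    """What the inside client receives; every reply travels outside -> inside."""
    no_dns = StaticNat("inside", "outside", "10.1.3.14", "209.165.201.10", dns=False)
    return {
        "inside server, dns on": rewrite_dns_answer([INSIDE_SERVER], "209.165.201.10", "outside", "inside"),
        "inside server, dns off": rewrite_dns_answer([no_dns], "209.165.201.10", "outside", "inside"),
        "outside server": rewrite_dns_answer([OUTSIDE_SERVER], "209.165.201.10", "outside", "inside"),
        "nat64": rewrite_dns_answer([NAT64_SERVER], "209.165.200.225", "outside", "inside"),
    }

if __name__ == "__main__":
    for name, addr in demo().items():
        print(f"{name:24} -> {addr}")
    print(embedded_ipv4("2001:DB8::D1A5:C8E1"), embedded_ipv4("2001:DB8::D1A5:C90F"))
```

The embedded_ipv4 helper shows that the mapped IPv6 addresses in the NAT64 example carry the servers' IPv4 addresses in their low 32 bits, which is a quick consistency check when reviewing one-to-one NAT46 rules.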