Cisco Asdm 7 User Guide
Have a look at the manual Cisco Asdm 7 User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 53 Cisco manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
4-45 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 4 Configuring Network Object NAT (ASA 8.3 and Later) Feature History for Network Object NAT e.Click OK to return to the Edit Network Object dialog box. Step 5Click OK, and then click Apply. Feature History for Network Object NAT Ta b l e 4 - 1 lists each feature change and the platform release in which it was implemented. ASDM is backwards-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed. Table 4-1 Feature History for Network Object NAT Feature NamePlatform Releases Feature Information Network Object NAT 8.3(1) Configures NAT for a network object IP address(es). We introduced or modified the following screens: Configuration > Firewall > NAT Rules Configuration > Firewall > Objects > Network Objects/Groups Identity NAT configurable proxy ARP and route lookup8.4(2)/8.5(1) In earlier releases for identity NAT, proxy ARP was disabled, and a route lookup was always used to determine the egress interface. You could not configure these settings. In 8.4(2) and later, the default behavior for identity NAT was changed to match the behavior of other static NAT configurations: proxy ARP is enabled, and the NAT configuration determines the egress interface (if specified) by default. You can leave these settings as is, or you can enable or disable them discretely. Note that you can now also disable proxy ARP for regular static NAT. When upgrading to 8.4(2) from 8.3(1), 8.3(2), and 8.4(1), all identity NAT configurations will now include the no-proxy-arp and route-lookup keywords, to maintain existing functionality. We modified the following screen: Configuration > Firewall > NAT Rules > Add/Edit Network Object > Advanced NAT Settings.
4-46 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 4 Configuring Network Object NAT (ASA 8.3 and Later) Feature History for Network Object NAT PAT pool and round robin address assignment 8.4(2)/8.5(1) You can now specify a pool of PAT addresses instead of a single address. You can also optionally enable round-robin assignment of PAT addresses instead of first using all ports on a PAT address before using the next address in the pool. These features help prevent a large number of connections from a single PAT address from appearing to be part of a DoS attack and makes configuration of large numbers of PAT addresses easy. We modified the following screens: Configuration > Firewall > NAT Rules > Add/Edit Network Object. Round robin PAT pool allocation uses the same IP address for existing hosts8.4(3) When using a PAT pool with round robin allocation, if a host has an existing connection, then subsequent connections from that host will use the same PAT IP address if ports are available. We did not modify any screens. This feature is not available in 8.5(1) or 8.6(1). Flat range of PAT ports for a PAT pool 8.4(3) If available, the real source port number is used for the mapped port. However, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only a small PAT pool. If you have a lot of traffic that uses the lower port ranges, when using a PAT pool, you can now specify a flat range of ports to be used instead of the three unequal-sized tiers: either 1024 to 65535, or 1 to 65535. We modified the following screens: Configuration > Firewall > NAT Rules > Add/Edit Network Object. This feature is not available in 8.5(1) or 8.6(1). Extended PAT for a PAT pool 8.4(3) Each PAT IP address allows up to 65535 ports. If 65535 ports do not provide enough translations, you can now enable extended PAT for a PAT pool. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information. We modified the following screens: Configuration > Firewall > NAT Rules > Add/Edit Network Object. This feature is not available in 8.5(1) or 8.6(1). Table 4-1 Feature History for Network Object NAT (continued) Feature NamePlatform Releases Feature Information
4-47 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 4 Configuring Network Object NAT (ASA 8.3 and Later) Feature History for Network Object NAT PAT pool and round robin address assignment 8.4(2)/8.5(1) You can now specify a pool of PAT addresses instead of a single address. You can also optionally enable round-robin assignment of PAT addresses instead of first using all ports on a PAT address before using the next address in the pool. These features help prevent a large number of connections from a single PAT address from appearing to be part of a DoS attack and makes configuration of large numbers of PAT addresses easy. We modified the following screens: Configuration > Firewall > NAT Rules > Add/Edit Network Object. Round robin PAT pool allocation uses the same IP address for existing hosts8.4(3) When using a PAT pool with round robin allocation, if a host has an existing connection, then subsequent connections from that host will use the same PAT IP address if ports are available. We did not modify any screens. This feature is not available in 8.5(1) or 8.6(1). Flat range of PAT ports for a PAT pool 8.4(3) If available, the real source port number is used for the mapped port. However, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only a small PAT pool. If you have a lot of traffic that uses the lower port ranges, when using a PAT pool, you can now specify a flat range of ports to be used instead of the three unequal-sized tiers: either 1024 to 65535, or 1 to 65535. We modified the following screens: Configuration > Firewall > NAT Rules > Add/Edit Network Object. This feature is not available in 8.5(1) or 8.6(1). Extended PAT for a PAT pool 8.4(3) Each PAT IP address allows up to 65535 ports. If 65535 ports do not provide enough translations, you can now enable extended PAT for a PAT pool. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information. We modified the following screens: Configuration > Firewall > NAT Rules > Add/Edit Network Object. This feature is not available in 8.5(1) or 8.6(1). Table 4-1 Feature History for Network Object NAT (continued) Feature NamePlatform Releases Feature Information
4-48 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 4 Configuring Network Object NAT (ASA 8.3 and Later) Feature History for Network Object NAT Automatic NAT rules to translate a VPN peer’s local IP address back to the peer’s real IP address8.4(3) In rare situations, you might want to use a VPN peer’s real IP address on the inside network instead of an assigned local IP address. Normally with VPN, the peer is given an assigned local IP address to access the inside network. However, you might want to translate the local IP address back to the peer’s real public IP address if, for example, your inside servers and network security is based on the peer’s real IP address. You can enable this feature on one interface per tunnel group. Object NAT rules are dynamically added and deleted when the VPN session is established or disconnected. You can view the rules using the show nat command. NoteBecause of routing issues, we do not recommend using this feature unless you know you need this feature; contact Cisco TAC to confirm feature compatibility with your network. See the following limitations: Only supports Cisco IPsec and AnyConnect Client. Return traffic to the public IP addresses must be routed back to the ASA so the NAT policy and VPN policy can be applied. Does not support load-balancing (because of routing issues). Does not support roaming (public IP changing). ASDM does not support this command; enter the command using the Command Line Tool. NAT support for IPv6 9.0(1) NAT now supports IPv6 traffic, as well as translating between IPv4 and IPv6. Translating between IPv4 and IPv6 is not supported in transparent mode. We modified the following screen: Configuration > Firewall > Objects > Network Objects/Group. Table 4-1 Feature History for Network Object NAT (continued) Feature NamePlatform Releases Feature Information
4-49 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 4 Configuring Network Object NAT (ASA 8.3 and Later) Feature History for Network Object NAT NAT support for reverse DNS lookups 9.0(1) NAT now supports translation of the DNS PTR record for reverse DNS lookups when using IPv4 NAT, IPv6 NAT, and NAT64 with DNS inspection enabled for the NAT rule. Per-session PAT 9.0(1) The per-session PAT feature improves the scalability of PAT and, for clustering, allows each member unit to own PAT connections; multi-session PAT connections have to be forwarded to and owned by the master unit. At the end of a per-session PAT session, the ASA sends a reset and immediately removes the xlate. This reset causes the end node to immediately release the connection, avoiding the TIME_WAIT state. Multi-session PAT, on the other hand, uses the PAT timeout, by default 30 seconds. For “hit-and-run” traffic, such as HTTP or HTTPS, the per-session feature can dramatically increase the connection rate supported by one address. Without the per-session feature, the maximum connection rate for one address for an IP protocol is approximately 2000 per second. With the per-session feature, the connection rate for one address for an IP protocol is 65535/average-lifetime. By default, all TCP traffic and UDP DNS traffic use a per-session PAT xlate. For traffic that requires multi-session PAT, such as H.323, SIP, or Skinny, you can disable per-session PAT by creating a per-session deny rule. We introduced the following screen: Configuration > Firewall > Advanced > Per-Session NAT Rules. Table 4-1 Feature History for Network Object NAT (continued) Feature NamePlatform Releases Feature Information
4-50 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 4 Configuring Network Object NAT (ASA 8.3 and Later) Feature History for Network Object NAT
CH A P T E R 5-1 Cisco ASA Series Firewall ASDM Configuration Guide 5 Configuring Twice NAT (ASA 8.3 and Later) Twice NAT lets you identify both the source and destination address in a single rule. This chapter shows you how to configure twice NAT and includes the following sections: Information About Twice NAT, page 5-1 Licensing Requirements for Twice NAT, page 5-2 Prerequisites for Twice NAT, page 5-2 Guidelines and Limitations, page 5-2 Default Settings, page 5-4 Configuring Twice NAT, page 5-4 Monitoring Twice NAT, page 5-29 Configuration Examples for Twice NAT, page 5-30 Feature History for Twice NAT, page 5-48 NoteFor detailed information about how NAT works, see Chapter 3, “Information About NAT (ASA 8.3 and Later).” Information About Twice NAT Twice NAT lets you identify both the source and destination address in a single rule. Specifying both the source and destination addresses lets you specify that a source address should be translated to A when going to destination X, but be translated to B when going to destination Y, for example. NoteFor static NAT, the rule is bidirectional, so be aware that “source” and “destination” are used in commands and descriptions throughout this guide even though a given connection might originate at the “destination” address. For example, if you configure static NAT with port address translation, and specify the source address as a Telnet server, and you want all traffic going to that Telnet server to have the port translated from 2323 to 23, then in the command, you must specify the source ports to be translated (real: 23, mapped: 2323). You specify the source ports because you specified the Telnet server address as the source address. The destination address is optional. If you specify the destination address, you can either map it to itself (identity NAT), or you can map it to a different address. The destination mapping is always a static mapping.
5-2 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 5 Configuring Twice NAT (ASA 8.3 and Later) Licensing Requirements for Twice NAT Twice NAT also lets you use service objects for static NAT-with-port-translation; network object NAT only accepts inline definition. For detailed information about the differences between twice NAT and network object NAT, see the “How NAT is Implemented” section on page 3-15. Twice NAT rules are added to section 1 of the NAT rules table, or if specified, section 3. For more information about NAT ordering, see the “NAT Rule Order” section on page 3-20. Licensing Requirements for Twice NAT Prerequisites for Twice NAT For both the real and mapped addresses, configure network objects or network object groups. Network object groups are particularly useful for creating a mapped address pool with discontinuous IP address ranges or multiple hosts or subnets. To create a network object or group, see the “Configuring Network Objects and Groups” section on page 20-2 in the general operations configuration guide. For static NAT-with-port-translation, configure TCP or UDP service objects. To create a service object, see the “Configuring Service Objects and Service Groups” section on page 20-7 in the general operations configuration guide. For specific guidelines for objects and groups, see the configuration section for the NAT type you want to configure. See also the “Guidelines and Limitations” section. Guidelines and Limitations This section includes the guidelines and limitations for this feature. Context Mode Guidelines Supported in single and multiple context mode. Firewall Mode Guidelines Supported in routed and transparent firewall mode. In transparent mode, you must specify the real and mapped interfaces; you cannot use --Any--. In transparent mode, you cannot configure interface PAT, because the transparent mode interfaces do not have IP addresses. You also cannot use the management IP address as a mapped address. In transparent mode, translating between IPv4 and IPv6 networks is not supported. Translating between two IPv6 networks, or between two IPv4 networks is supported. Model License Requirement All models Base License.
5-3 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 5 Configuring Twice NAT (ASA 8.3 and Later) Guidelines and Limitations IPv6 Guidelines Supports IPv6. For routed mode, you can also translate between IPv4 and IPv6. For transparent mode, translating between IPv4 and IPv6 networks is not supported. Translating between two IPv6 networks, or between two IPv4 networks is supported. For transparent mode, a PAT pool is not supported for IPv6. For static NAT, you can specify an IPv6 subnet up to /64. Larger subnets are not supported. When using FTP with NAT46, when an IPv4 FTP client connects to an IPv6 FTP server, the client must use either the extended passive mode (EPSV) or extended port mode (EPRT); PASV and PORT commands are not supported with IPv6. Additional Guidelines (This limitation is for 9.1.0 to 9.1.5; this limitation was removed in 9.1.6 and following maintenance releases.) You cannot configure FTP destination port translation when the source IP address is a subnet (or any other application that uses a secondary connection); the FTP data channel establishment does not succeed. If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT information is used, you can clear the translation table using the clear xlate command. However, clearing the translation table disconnects all current connections that use translations. NoteIf you remove a dynamic NAT or PAT rule, and then add a new rule with mapped addresses that overlap the addresses in the removed rule, then the new rule will not be used until all connections associated with the removed rule time out or are cleared using the clear xlate command. This safeguard ensures that the same address is not assigned to multiple hosts. You cannot use an object group with both IPv4 and IPv6 addresses; the object group must include only one type of address. When using the any keyword in a NAT rule, the definition of “any” traffic (IPv4 vs. IPv6) depends on the rule. Before the ASA performs NAT on a packet, the packet must be IPv6-to-IPv6 or IPv4-to-IPv4; with this prerequisite, the ASA can determine the value of any in a NAT rule. For example, if you configure a rule from “any” to an IPv6 server, and that server was mapped from an IPv4 address, then any means “any IPv6 traffic.” If you configure a rule from “any” to “any,” and you map the source to the interface IPv4 address, then any means “any IPv4 traffic” because the mapped interface address implies that the destination is also IPv4. Objects and object groups used in NAT cannot be undefined; they must include IP addresses. You can use the same objects in multiple rules. The mapped IP address pool cannot include: –The mapped interface IP address. If you specify --Any-- interface for the rule, then all interface IP addresses are disallowed. For interface PAT (routed mode only), use the interface name instead of the IP address. –(Transparent mode) The management IP address. –(Dynamic NAT) The standby interface IP address when VPN is enabled. –Existing VPN pool addresses.
5-4 Cisco ASA Series Firewall ASDM Configuration Guide Chapter 5 Configuring Twice NAT (ASA 8.3 and Later) Default Settings Default Settings By default, the rule is added to the end of section 1 of the NAT table. (Routed mode) The default real and mapped interface is Any, which applies the rule to all interfaces. (8.3(1), 8.3(2), and 8.4(1)) The default behavior for identity NAT has proxy ARP disabled. You cannot configure this setting. (8.4(2) and later) The default behavior for identity NAT has proxy ARP enabled, matching other static NAT rules. You can disable proxy ARP if desired. If you specify an optional interface, then the ASA uses the NAT configuration to determine the egress interface. (8.3(1) through 8.4(1)) The only exception is for identity NAT, which always uses a route lookup, regardless of the NAT configuration. (8.4(2) and later) For identity NAT, the default behavior is to use the NAT configuration, but you have the option to always use a route lookup instead. Configuring Twice NAT This section describes how to configure twice NAT. This section includes the following topics: Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool, page 5-4 Configuring Dynamic PAT (Hide), page 5-12 Configuring Static NAT or Static NAT-with-Port-Translation, page 5-18 Configuring Identity NAT, page 5-24 Configuring Per-Session PAT Rules, page 5-29 Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool This section describes how to configure twice NAT for dynamic NAT or for dynamic PAT using a PAT pool. For more information, see the “Dynamic NAT” section on page 3-8 or the “Dynamic PAT” section on page 3-10. Guidelines For a PAT pool: If available, the real source port number is used for the mapped port. However, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only a small PAT pool that can be used. (8.4(3) and later, not including 8.5(1) or 8.6(1)) If you have a lot of traffic that uses the lower port ranges, you can now specify for a PAT pool a flat range of ports to be used instead of the three unequal-sized tiers: either 1024 to 65535, or 1 to 65535. (8.4(3) and later, not including 8.5(1) or 8.6(1)) If you use the same PAT pool object in two separate rules, then be sure to specify the same options for each rule. For example, if one rule specifies extended PAT and a flat range, then the other rule must also specify extended PAT and a flat range. For extended PAT for a PAT pool (8.4(3) and later, not including 8.5(1) or 8.6(1)): Many application inspections do not support extended PAT. See the “Default Settings and NAT Limitations” section on page 10-4 in Chapter 10, “Getting Started with Application Layer Protocol Inspection,” for a complete list of unsupported inspections.