Cisco Asdm 7 User Guide
Cisco ASA Series Firewall ASDM Configuration Guide, Chapter 5: Configuring Twice NAT (ASA 8.3 and Later), page 5-5

Configuring Twice NAT

If you enable extended PAT for a dynamic PAT rule, then you cannot also use an address in the PAT pool as the PAT address in a separate static NAT with port translation rule. For example, if the PAT pool includes 10.1.1.1, then you cannot create a static NAT-with-port-translation rule using 10.1.1.1 as the PAT address.

Extended PAT can consume a large amount of memory because NAT pools are created for each unique destination, which in turn uses up memory. This may lead to memory exhaustion quickly even with a small number of connections.

If you use a PAT pool and specify an interface for fallback, you cannot specify extended PAT.

For VoIP deployments that use ICE or TURN, do not use extended PAT. ICE and TURN rely on the PAT binding being the same for all destinations.

For round robin for a PAT pool:

(8.4(3) and later, not including 8.5(1) or 8.6(1)) If a host has an existing connection, then subsequent connections from that host will use the same PAT IP address if ports are available.

Note: This “stickiness” does not survive a failover. If the ASA fails over, then subsequent connections from a host may not use the initial IP address.

(8.4(2), 8.5(1), and 8.6(1)) If a host has an existing connection, then subsequent connections from that host will likely use different PAT addresses for each connection because of the round robin allocation. In this case, you may have problems when accessing two websites that exchange information about the host, for example an e-commerce site and a payment site. When these sites see two different IP addresses for what is supposed to be a single host, the transaction may fail.

Round robin, especially when combined with extended PAT, can consume a large amount of memory. Because NAT pools are created for every mapped protocol/IP address/port range, round robin results in a large number of concurrent NAT pools, which use memory. Extended PAT results in an even larger number of concurrent NAT pools.

Detailed Steps

To configure dynamic NAT, perform the following steps:

Step 1 Choose Configuration > Firewall > NAT Rules, and then click Add. If you want to add this rule to section 3 after the network object rules, then click the down arrow next to Add, and choose Add NAT Rule After Network Object NAT Rules. The Add NAT Rule dialog box appears.
Step 2 Set the source and destination interfaces. By default in routed mode, both interfaces are set to --Any--. In transparent firewall mode, you must set specific interfaces.

a. From the Match Criteria: Original Packet > Source Interface drop-down list, choose the source interface.

b. From the Match Criteria: Original Packet > Destination Interface drop-down list, choose the destination interface.

Step 3 Identify the original packet addresses, either IPv4 or IPv6; namely, the packet addresses as they appear on the source interface network (the real source address and the mapped destination address). See the following figure for an example of the original packet vs. the translated packet.
a. For the Match Criteria: Original Packet > Source Address, click the browse button and choose an existing network object or group or create a new object or group from the Browse Original Source Address dialog box. The group cannot contain both IPv4 and IPv6 addresses; it must contain one type only. The default is any.

b. (Optional) For the Match Criteria: Original Packet > Destination Address, click the browse button and choose an existing network object or group or create a new object or group from the Browse Original Destination Address dialog box. The group cannot contain both IPv4 and IPv6 addresses; it must contain one type only.

Although the main feature of twice NAT is the inclusion of the destination IP address, the destination address is optional. If you do specify the destination address, you can configure static translation for that address or just use identity NAT for it. You might want to configure twice NAT without a destination address to take advantage of some of the other qualities of twice NAT, including the use of network object groups for real addresses, or manual ordering of rules. For more information, see the “Main Differences Between Network Object NAT and Twice NAT” section on page 3-15.

Step 4 (Optional) Identify the original packet port (the mapped destination port). For the Match Criteria: Original Packet > Service, click the browse button and choose an existing TCP or UDP service object or create a new object from the Browse Original Service dialog box.

Dynamic NAT does not support port translation. However, because the destination translation is always static, you can perform port translation for the destination port. A service object can contain both a source and destination port, but only the destination port is used in this case. If you specify the source port, it will be ignored.

NAT only supports TCP or UDP. When translating a port, be sure the protocols in the real and mapped service objects are identical (both TCP or both UDP). For identity NAT, you can use the same service object for both the real and mapped ports. The “not equal” (!=) operator is not supported.

Figure: original packet vs. translated packet (Inside to Outside). Source: real 10.1.2.2, mapped 192.168.2.2. Destination: real 192.168.1.1, mapped 10.1.1.1. Original packet: 10.1.2.2 ---> 10.1.1.1. Translated packet: 192.168.2.2 ---> 192.168.1.1.
Step 5 Choose Dynamic from the Match Criteria: Translated Packet > Source NAT Type drop-down list. This setting only applies to the source address; the destination translation is always static.

Step 6 Identify the translated packet addresses, either IPv4 or IPv6; namely, the packet addresses as they appear on the destination interface network (the mapped source address and the real destination address). You can translate between IPv4 and IPv6 if desired. See the following figure for an example of the original packet vs. the translated packet.

a. You can perform either dynamic NAT or dynamic PAT using a PAT pool:

Dynamic NAT—For the Match Criteria: Translated Packet > Source Address, click the browse button and choose an existing network object or group or create a new object or group from the Browse Translated Source Address dialog box. For dynamic NAT, you typically configure a larger group of source addresses to be mapped to a smaller group.

Figure: original packet vs. translated packet (Inside to Outside). Source: real 10.1.2.2, mapped 192.168.2.2. Destination: real 192.168.1.1, mapped 10.1.1.1. Original packet: 10.1.2.2 ---> 10.1.1.1. Translated packet: 192.168.2.2 ---> 192.168.1.1.
Note: The object or group cannot contain a subnet.

Dynamic PAT using a PAT pool—To configure a PAT pool, check the PAT Pool Translated Address check box, then click the browse button and choose an existing network object or group or create a new object or group from the Browse Translated PAT Pool Address dialog box.

Note: Leave the Source Address field empty.

Note: The object or group cannot contain a subnet.

(Optional) For a PAT pool, configure the following options:

– To assign addresses/ports in a round-robin fashion, check the Round Robin check box. Without round-robin, by default, all ports for a PAT address will be allocated before the next PAT address is used. The round-robin method assigns an address/port from each PAT address in the pool before returning to use the first address again, and then the second address, and so on.

– (8.4(3) and later, not including 8.5(1) or 8.6(1)) Check the Extend PAT uniqueness to per destination instead of per interface check box to use extended PAT. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information. Normally, the destination port and address are not considered when creating PAT translations, so you are limited to 65535 ports per PAT address. For example, with extended PAT, you can create a translation of 10.1.1.1:1027 when going to 192.168.1.7:23 as well as a translation of 10.1.1.1:1027 when going to 192.168.1.7:80.

– (8.4(3) and later, not including 8.5(1) or 8.6(1)) Check the Translate TCP or UDP ports into flat range (1024-65535) check box to use the 1024 to 65535 port range as a single flat range when allocating ports. When choosing the mapped port number for a translation, the ASA uses the real source port number if it is available. However, without this option, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 1 to 511, 512 to 1023, and 1024 to 65535. To avoid running out of ports at the low ranges, configure this setting. To use the entire range of 1 to 65535, also check the Include range 1 to 1023 check box.

b. (Optional, Routed Mode Only) To use the interface IP address as a backup method if the other mapped source addresses are already allocated, check the Fall through to interface PAT check box. To use the IPv6 interface address, also check the Use IPv6 for interface PAT check box. The destination interface IP address is used. This option is only available if you configure a specific Destination Interface.
c. For the Match Criteria: Translated Packet > Destination Address, click the browse button and choose an existing network object, group, or interface or create a new object or group from the Browse Translated Destination Address dialog box.

For identity NAT for the destination address, simply use the same object or group for both the real and mapped addresses.

If you want to translate the destination address, then the static mapping is typically one-to-one, so the real addresses have the same quantity as the mapped addresses. You can, however, have different quantities if desired. For more information, see the “Static NAT” section on page 3-3. See the “Guidelines and Limitations” section on page 5-2 for information about disallowed mapped IP addresses.

For static interface NAT with port translation only, choose an interface from the Browse dialog box. Be sure to also configure a service translation (see Step 7). For this option, you must configure a specific interface for the Source Interface in Step 2. See the “Static Interface NAT with Port Translation” section on page 3-6 for more information.

Step 7 (Optional) Identify the translated packet port (the real destination port). For the Match Criteria: Translated Packet > Service, click the browse button and choose an existing TCP or UDP service object or create a new object from the Browse Translated Service dialog box.

Dynamic NAT does not support port translation. However, because the destination translation is always static, you can perform port translation for the destination port. A service object can contain both a source and destination port, but only the destination port is used in this case. If you specify the source port, it will be ignored.

NAT only supports TCP or UDP. When translating a port, be sure the protocols in the real and mapped service objects are identical (both TCP or both UDP). For identity NAT, you can use the same service object for both the real and mapped ports. The “not equal” (!=) operator is not supported.
Step 8 (Optional) Configure NAT options in the Options area.

a. Enable rule—Enables this NAT rule. The rule is enabled by default.

b. (For a source-only rule) Translate DNS replies that match this rule—Rewrites the DNS A record in DNS replies. Be sure DNS inspection is enabled (it is enabled by default). You cannot configure DNS modification if you configure a destination address. See the “DNS and NAT” section on page 3-31 for more information.

c. Description—Adds a description about the rule up to 200 characters in length.

Step 9 Click OK.
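The PAT pool options in Step 6 (round robin, extended PAT, the flat 1024-65535 range with or without the reserved range) and the guideline paragraphs above about per-destination bindings and memory describe an allocation policy that is easier to reason about when modelled. The following is an added Python model, not Cisco code and not a reproduction of ASA internals; the order in which free ports inside a range are tried (lowest first) and the per-allocation round-robin rotation are modelling assumptions.

```python
from itertools import cycle

# Port ranges the ASA preserves by default (from the guide): 1-511, 512-1023, 1024-65535.
DEFAULT_RANGES = ((1, 511), (512, 1023), (1024, 65535))


class PatPool:
    """Toy model of the ASDM PAT-pool options; hypothetical, not ASA code.

    round_robin     - take the next pool address on each allocation instead of
                      exhausting one address before moving to the next.
    extended        - uniqueness keyed on (addr, port, destination), so the same
                      mapped addr:port can be reused toward a different destination.
    flat            - choose mapped ports from 1024-65535 as one flat range.
    include_reserve - with flat, also use ports 1-1023.
    """
    def __init__(self, addrs, round_robin=False, extended=False,
                 flat=False, include_reserve=False):
        self.addrs, self.round_robin, self.extended = list(addrs), round_robin, extended
        self.flat, self.include_reserve = flat, include_reserve
        self.used = set()            # one entry per translation (binding) held
        self._rotate = cycle(self.addrs)

    def _candidate_ports(self, real_port):
        if self.flat:
            lo, hi = (1 if self.include_reserve else 1024), 65535
        else:                        # default: stay in the real port's own range
            lo, hi = next(r for r in DEFAULT_RANGES if r[0] <= real_port <= r[1])
        allowed = range(lo, hi + 1)
        # The real source port is tried first, then the lowest free port in the
        # range (that ordering is a modelling assumption, not documented behaviour).
        first = [real_port] if real_port in allowed else []
        return first + [p for p in allowed if p != real_port]

    def _key(self, addr, port, dst):
        return (addr, port, dst) if self.extended else (addr, port)

    def allocate(self, real_port, dst):
        """dst is (dst_addr, dst_port). Returns (mapped_addr, mapped_port),
        or None when no address in the pool has a usable port left."""
        order = [next(self._rotate)] if self.round_robin else []
        order += [a for a in self.addrs if a not in order]   # remaining addresses
        for addr in order:
            for port in self._candidate_ports(real_port):
                key = self._key(addr, port, dst)
                if key not in self.used:
                    self.used.add(key)
                    return addr, port
        return None

    def bindings(self):
        """Number of translations held; grows per destination with extended PAT."""
        return len(self.used)
```

With a single pool address and real port 500, the default policy exhausts the 1-511 range after 511 translations while the flat option moves on to 1024; the `bindings()` count shows why extended PAT's per-destination keys cost memory.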
Configuring Dynamic PAT (Hide)

This section describes how to configure twice NAT for dynamic PAT (hide). For dynamic PAT using a PAT pool, see the “Configuring Dynamic NAT or Dynamic PAT Using a PAT Pool” section on page 5-4 instead of using this section. For more information, see the “Dynamic PAT” section on page 3-10.

Detailed Steps

To configure dynamic PAT, perform the following steps:

Step 1 Choose Configuration > Firewall > NAT Rules, and then click Add. If you want to add this rule to section 3 after the network object rules, then click the down arrow next to Add, and choose Add NAT Rule After Network Object NAT Rules. The Add NAT Rule dialog box appears.
Step 2 Set the source and destination interfaces. By default in routed mode, both interfaces are set to --Any--. In transparent firewall mode, you must set specific interfaces.

a. From the Match Criteria: Original Packet > Source Interface drop-down list, choose the source interface.

b. From the Match Criteria: Original Packet > Destination Interface drop-down list, choose the destination interface.

Step 3 Identify the original packet addresses, either IPv4 or IPv6; namely, the packet addresses as they appear on the source interface network (the real source address and the mapped destination address). See the following figure for an example of the original packet vs. the translated packet.
a. For the Match Criteria: Original Packet > Source Address, click the browse button and choose an existing network object or group or create a new object or group from the Browse Original Source Address dialog box. The group cannot contain both IPv4 and IPv6 addresses; it must contain one type only. The default is any.

b. (Optional) For the Match Criteria: Original Packet > Destination Address, click the browse button and choose an existing network object or group or create a new object or group from the Browse Original Destination Address dialog box. The group cannot contain both IPv4 and IPv6 addresses; it must contain one type only.

Although the main feature of twice NAT is the inclusion of the destination IP address, the destination address is optional. If you do specify the destination address, you can configure static translation for that address or just use identity NAT for it. You might want to configure twice NAT without a destination address to take advantage of some of the other qualities of twice NAT, including the use of network object groups for real addresses, or manual ordering of rules. For more information, see the “Main Differences Between Network Object NAT and Twice NAT” section on page 3-15.

Step 4 (Optional) Identify the original packet port (the mapped destination port). For the Match Criteria: Original Packet > Service, click the browse button and choose an existing TCP or UDP service object or create a new object from the Browse Original Service dialog box.

Dynamic PAT does not support additional port translation. However, because the destination translation is always static, you can perform port translation for the destination port. A service object can contain both a source and destination port, but only the destination port is used in this case. If you specify the source port, it will be ignored.

NAT only supports TCP or UDP. When translating a port, be sure the protocols in the real and mapped service objects are identical (both TCP or both UDP). For identity NAT, you can use the same service object for both the real and mapped ports. The “not equal” (!=) operator is not supported.

Figure: original packet vs. translated packet (Inside to Outside). Source: real 10.1.2.2, mapped 192.168.2.2. Destination: real 192.168.1.1, mapped 10.1.1.1. Original packet: 10.1.2.2 ---> 10.1.1.1. Translated packet: 192.168.2.2 ---> 192.168.1.1.