Cisco Asdm 7 User Guide
6-23 Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 6 Configuring NAT (ASA 8.2 and Earlier)
Using Dynamic NAT

Step 2 For a new pool, from the Interface drop-down list, choose the interface where you want to use the mapped IP addresses.

Step 3 For a new pool, in the Pool ID field, enter a number between 1 and 2147483647. Do not enter a pool ID that is already in use, or your configuration will be rejected.

Step 4 In the IP Addresses to Add area, click Range, Port Address Translation (PAT), or Port Address Translation (PAT) Using IP Address of the interface. If you specify a range of addresses, the ASA performs dynamic NAT. If you specify a subnet mask in the Netmask field, the value specifies the subnet mask assigned to the mapped address when it is assigned to a host. If you do not specify a mask, then the default mask for the address class is used.

Step 5 Click Add to add the addresses to the Addresses Pool pane.

Step 6 (Optional) You can add multiple addresses to the global pool. If you want to add a PAT address after you configure a dynamic range, for example, then complete the value for PAT and click Add again. See the “Multiple Addresses in the Same Global Pool” section on page 6-20 for information about using multiple addresses on the same pool ID for an interface.

Step 7 Click OK.

Configuring Dynamic NAT, PAT, or Identity NAT

Figure 6-19 shows typical dynamic NAT, dynamic PAT, and identity NAT scenarios. Only real hosts can initiate connections.

Figure 6-19 Dynamic NAT Scenarios
(Figure: three panels, Dynamic NAT, Dynamic PAT, and Identity NAT, each showing the Security Appliance between an Inside and an Outside interface. Dynamic NAT maps 10.1.1.1 and 10.1.1.2 to 209.165.201.1 and 209.165.201.2; dynamic PAT maps 10.1.1.1:1025, 10.1.1.1:1026, and 10.1.1.2:1025 to 209.165.201.1:2020, 2021, and 2022; identity NAT leaves 209.165.201.1 and 209.165.201.2 unchanged.)
To configure a dynamic NAT, PAT, or identity NAT rule, perform the following steps.

Step 1 In the Configuration > Firewall > NAT Rules pane, choose Add > Add Dynamic NAT Rule. The Add Dynamic NAT Rule dialog box appears.

Step 2 In the Original area, from the Interface drop-down list, choose the interface that is connected to the hosts with real addresses that you want to translate.

Step 3 Enter the real addresses in the Source field, or click the ... button to select an IP address that you already defined in ASDM. Specify the address and subnet mask using prefix/length notation, such as 10.1.1.0/24. If you enter an IP address without a mask, it is considered to be a host address, even if it ends with a 0.

Step 4 To choose a global pool, use one of the following options:

– Select an already-defined global pool. If the pool includes a range of addresses, then the ASA performs dynamic NAT. If the pool includes a single address, then the ASA performs dynamic PAT. If a pool includes both ranges and single addresses, then the ranges are used in order, and then the PAT addresses are used in order. See the “Multiple Addresses in the Same Global Pool” section on page 6-20 for more information. Pools are identified by a pool ID. If multiple global pools on different interfaces share the same pool ID, then they are grouped. If you choose a multi-interface pool ID, then traffic is translated as specified when it accesses any of the interfaces in the pool. For more information about pool IDs, see the “Dynamic NAT Implementation” section on page 6-17.

– Create a new global pool or edit an existing pool by clicking Manage. See the “Managing Global Pools” section on page 6-22.

– Choose identity NAT by selecting global pool 0.
Step 5 (Optional) To enable translation of addresses inside DNS replies, expand the Connection Settings area, and check the Translate the DNS replies that match the translation rule check box. If your NAT rule includes the real address of a host that has an entry in a DNS server, and the DNS server is on a different interface from a client, then the client and the DNS server need different addresses for the host; one needs the mapped address and one needs the real address. This option rewrites the address in the DNS reply to the client. The mapped host needs to be on the same interface as either the client or the DNS server. Typically, hosts that need to allow access from other interfaces use a static translation, so this option is more likely to be used with a static rule. See the “DNS and NAT” section on page 6-14 for more information.

Step 6 (Optional) To enable connection settings, expand the Connection Settings area, and set one or more of the following options:

Note You can also set these values using a security policy rule (see Chapter 22, “Configuring Connection Settings”). If you set them in both places, then the ASA uses the lower limit. For TCP sequence randomization, if it is disabled using either method, then the ASA disables TCP sequence randomization.

– Randomize sequence number—With this check box checked (the default), the ASA randomizes the sequence number of TCP packets. Each TCP connection has two ISNs: one generated by the client and one generated by the server. The ASA randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions. Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session.
TCP initial sequence number randomization can be disabled if required. For example:

– If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both firewalls to be performing this action, even though this action does not affect the traffic.

– If you use eBGP multi-hop through the ASA, and the eBGP peers are using MD5. Randomization breaks the MD5 checksum.

– You use a WAAS device that requires the ASA not to randomize the sequence numbers of connections.

– Maximum TCP Connections—Specifies the maximum number of TCP connections, between 0 and 65,535. If this value is set to 0, the number of connections is unlimited.

– Maximum UDP Connections—Specifies the maximum number of UDP connections, between 0 and 65,535. If this value is set to 0, the number of connections is unlimited.

– Maximum Embryonic Connections—Specifies the maximum number of embryonic connections per host up to 65,536. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. This limit enables the TCP Intercept feature. The default is 0, which means no embryonic connection limit is enforced. TCP Intercept protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. When the embryonic limit has been surpassed, the TCP intercept feature intercepts TCP SYN packets from clients to servers on a higher security level. SYN cookies are used during the validation process and help to minimize the amount of valid traffic being dropped. Thus, connection attempts from unreachable hosts will never reach the server.

Step 7 Click OK.

Configuring Dynamic Policy NAT or PAT

Figure 6-20 shows typical dynamic policy NAT and PAT scenarios. Only real hosts can initiate connections.
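The Maximum Embryonic Connections limit and the TCP Intercept behaviour described in Step 6 can be followed in a small model. This is an added example, not Cisco code: it assumes a keyed-hash SYN cookie and a per-device secret, which the guide does not specify, and it counts half-open connections per server the way the text describes.

```python
"""Model of the Maximum Embryonic Connections limit and TCP Intercept as the
guide describes them (added example, not Cisco code).  An embryonic connection
is a SYN whose handshake has not completed.  Below the limit SYNs are forwarded
to the server; once a server's count reaches the limit the ASA answers new SYNs
itself with a SYN cookie and only opens the server side for clients that return
a valid ACK, so attempts from unreachable (spoofed) sources never reach it.
The cookie construction and the secret are assumptions of this model."""
import hashlib
import hmac
import os

EMBRYONIC_UNLIMITED = 0   # 0 in the dialog means no embryonic limit (the default)


class TcpIntercept:
    def __init__(self, embryonic_limit, secret=None):
        self.limit = embryonic_limit
        self.secret = secret or os.urandom(16)   # assumed per-device cookie secret
        self.embryonic = {}            # server (ip, port) -> set of half-open clients
        self.forwarded_to_server = []  # (client, server) pairs the server has seen

    def _count(self, server):
        return len(self.embryonic.get(server, set()))

    def _cookie(self, client, server, client_isn):
        """Assumed SYN cookie: keyed hash of the 4-tuple and client ISN, cut to
        32 bits so it can be sent as the SYN-ACK sequence number."""
        msg = "%s:%d>%s:%d/%d" % (client + server + (client_isn,))
        mac = hmac.new(self.secret, msg.encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def on_syn(self, client, server, client_isn):
        """Return 'server' if the SYN is forwarded, 'intercept' if the ASA
        answers it with a SYN cookie instead."""
        if self.limit == EMBRYONIC_UNLIMITED or self._count(server) < self.limit:
            self.embryonic.setdefault(server, set()).add(client)
            self.forwarded_to_server.append((client, server))
            return "server"
        return "intercept"   # a SYN-ACK carrying the cookie goes back to the client

    def syn_ack_seq(self, client, server, client_isn):
        """Sequence number the ASA puts in its own SYN-ACK while intercepting."""
        return self._cookie(client, server, client_isn)

    def on_ack(self, client, server, client_isn, ack_number):
        """Final handshake packet.  A forwarded connection becomes established
        and leaves the embryonic count; an intercepted one is accepted only when
        the ACK number is cookie + 1, which proves the client really received
        the SYN-ACK, and only then is the server side opened."""
        if client in self.embryonic.get(server, set()):
            self.embryonic[server].discard(client)
            return "established"
        expected = (self._cookie(client, server, client_isn) + 1) & 0xFFFFFFFF
        if ack_number == expected:
            self.forwarded_to_server.append((client, server))
            return "validated"
        return "dropped"   # unreachable or spoofed source: the server never sees it


if __name__ == "__main__":
    # Constructed sample: limit of 2 half-open connections to 10.1.1.2:80.
    ti = TcpIntercept(embryonic_limit=2)
    web = ("10.1.1.2", 80)
    for n in (1, 2, 3):
        client = ("203.0.113.%d" % n, 40000)
        print(client[0], ti.on_syn(client, web, 100))
    print("server saw", len(ti.forwarded_to_server), "connection attempts")
```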
Figure 6-20 Dynamic Policy NAT Scenarios
(Figure: two panels, Dynamic Policy NAT and Dynamic Policy PAT, each showing the Security Appliance between an Inside and an Outside interface. Dynamic policy NAT maps 10.1.1.1 and 10.1.1.2 to 209.165.201.1 and 209.165.201.2; dynamic policy PAT maps 10.1.1.1:1025, 10.1.1.1:1026, and 10.1.1.2:1025 to 209.165.201.1:2020, 2021, and 2022.)

To configure dynamic policy NAT or PAT, perform the following steps:

Step 1 In the Configuration > Firewall > NAT Rules pane, choose Add > Advanced > Add Dynamic Policy NAT Rule. The Add Dynamic Policy NAT Rule dialog box appears.
Step 2 In the Original area, from the Interface drop-down list, choose the interface that is connected to the hosts with real addresses that you want to translate.

Step 3 Enter the real addresses in the Source field, or click the ... button to choose an IP address that you already defined in ASDM. Specify the address and subnet mask using prefix/length notation, such as 10.1.1.0/24. If you enter an IP address without a mask, it is considered to be a host address, even if it ends with a 0. Separate multiple real addresses by a comma.

Step 4 Enter the destination addresses in the Destination field, or click the ... button to choose an IP address that you already defined in ASDM. Specify the address and subnet mask using prefix/length notation, such as 10.1.1.0/24. If you enter an IP address without a mask, it is considered to be a host address, even if it ends with a 0. Separate multiple destination addresses by a comma. By default, the field shows any, which allows any destination address.

Step 5 To choose a global pool, use one of the following options:

– Choose an already-defined global pool. If the pool includes a range of addresses, then the ASA performs dynamic NAT. If the pool includes a single address, then the ASA performs dynamic PAT. If a pool includes both ranges and single addresses, then the ranges are used in order, and then the PAT addresses are used in order. See the “Multiple Addresses in the Same Global Pool” section on page 6-20 for more information. Pools are identified by a pool ID. If multiple global pools on different interfaces share the same pool ID, then they are grouped. If you choose a multi-interface pool ID, then traffic is translated as specified when it accesses any of the interfaces in the pool. For more information about pool IDs, see the “Dynamic NAT Implementation” section on page 6-17.
– Create a new global pool or edit an existing pool by clicking Manage. See the “Managing Global Pools” section on page 6-22.

– Choose identity NAT by choosing global pool 0.

Step 6 (Optional) Enter a description in the Description field.

Step 7 (Optional) To enable translation of addresses inside DNS replies, expand the Connection Settings area, and check the Translate the DNS replies that match the translation rule check box. If your NAT rule includes the real address of a host that has an entry in a DNS server, and the DNS server is on a different interface from a client, then the client and the DNS server need different addresses for the host; one needs the mapped address and one needs the real address. This option rewrites the address in the DNS reply to the client. The mapped host needs to be on the same interface as either the client or the DNS server. Typically, hosts that need to allow access from other interfaces use a static translation, so this option is more likely to be used with a static rule. See the “DNS and NAT” section on page 6-14 for more information.

Step 8 (Optional) To enable connection settings, expand the Connection Settings area, and set one or more of the following options:
Note You can also set these values using a security policy rule.

To set the number of rate intervals maintained for host statistics, on the Configuration > Firewall > Threat Detection > Scanning Threat Statistics area, choose 1, 2, or 3 from the User can specify the number of rate for Threat Detection Host drop-down list. Because host statistics use a lot of memory, reducing the number of rate intervals from the default of 3 reduces the memory usage. By default, the Firewall Dashboard Tab shows information for three rate intervals, for example, for the last 1 hour, 8 hours, and 24 hours. If you set this keyword to 1, then only the shortest rate interval statistics are maintained. If you set the value to 2, then the two shortest intervals are maintained.

If you set them in both places, then the ASA uses the lower limit. For TCP sequence randomization, if it is disabled using either method, then the ASA disables TCP sequence randomization.

– Randomize sequence number—With this check box checked (the default), the ASA randomizes the sequence number of TCP packets. Each TCP connection has two ISNs: one generated by the client and one generated by the server. The ASA randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions. Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session.

TCP initial sequence number randomization can be disabled if required. For example:

– If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both firewalls to be performing this action, even though this action does not affect the traffic.

– If you use eBGP multi-hop through the ASA, and the eBGP peers are using MD5. Randomization breaks the MD5 checksum.
– You use a WAAS device that requires the ASA not to randomize the sequence numbers of connections.

– Maximum TCP Connections—Specifies the maximum number of TCP connections, between 0 and 65,535. If this value is set to 0, the number of connections is unlimited.

– Maximum UDP Connections—Specifies the maximum number of UDP connections, between 0 and 65,535. If this value is set to 0, the number of connections is unlimited.

– Maximum Embryonic Connections—Specifies the maximum number of embryonic connections per host up to 65,536. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. This limit enables the TCP Intercept feature. The default is 0, which means no embryonic connection limit is enforced. TCP Intercept protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. When the embryonic limit has been surpassed, the TCP intercept feature intercepts TCP SYN packets from clients to servers on a higher security level. SYN cookies are used during the validation process and help to minimize the amount of valid traffic being dropped. Thus, connection attempts from unreachable hosts will never reach the server.

Step 9 Click OK.

Using Static NAT

This section describes how to configure a static translation, using regular or policy static NAT, PAT, or identity NAT. For more information about static NAT, see the “Static NAT” section on page 6-9.
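The global-pool rules from Step 4 of the dynamic NAT procedure and Step 5 of the dynamic policy NAT procedure above (pool 0 is identity NAT, ranges give one-to-one dynamic NAT and are used in order, then PAT addresses are used in order) and the ASDM address-entry rule (no mask means a host address) are modelled here as an added example. This is not Cisco code, and the PAT port-numbering constants are assumptions of the model.

```python
"""Model of how an ASA 8.2 global pool hands out mapped addresses (added
example, not Cisco code).  Behaviour taken from the procedures above: pool ID 0
is identity NAT, range entries give one-to-one dynamic NAT and are used in
order, single (PAT) entries are used in order once the ranges are exhausted.
The PAT port numbering below is an assumption for the model."""
import ipaddress

PAT_FIRST_PORT = 1024          # assumed: first mapped port handed out per PAT address
PAT_PORTS_PER_ADDRESS = 64512  # assumed: ports 1024..65535 usable per PAT address


def parse_real_address(text):
    """ASDM input rule: prefix/length notation; an address without a mask is a
    host (/32) even if it ends in 0."""
    text = text.strip()
    if "/" in text:
        return ipaddress.ip_network(text, strict=False)  # host bits are masked off
    return ipaddress.ip_network(text + "/32")


def parse_real_address_list(text):
    """Policy NAT fields accept several comma-separated addresses."""
    return [parse_real_address(t) for t in text.split(",") if t.strip()]


class GlobalPool:
    def __init__(self, pool_id, ranges=(), pat_addresses=()):
        self.pool_id = pool_id
        # Range entries, expanded and kept in the order they were added.
        self.free_mapped = [
            ipaddress.IPv4Address(n)
            for first, last in ranges
            for n in range(int(ipaddress.IPv4Address(first)),
                           int(ipaddress.IPv4Address(last)) + 1)]
        self.pat_addresses = [ipaddress.IPv4Address(a) for a in pat_addresses]
        self.pat_ports_used = {a: 0 for a in self.pat_addresses}
        self.host_xlate = {}   # real IP -> mapped IP (dynamic NAT is one-to-one)
        self.flow_xlate = {}   # (real IP, real port) -> (mapped IP, mapped port)

    def kind(self):
        """What the ASA does with this pool, per the procedure text."""
        if self.pool_id == 0:
            return "identity NAT"
        if self.free_mapped and self.pat_addresses:
            return "dynamic NAT, then dynamic PAT when the ranges are used up"
        if self.free_mapped:
            return "dynamic NAT"
        if self.pat_addresses:
            return "dynamic PAT"
        return "empty pool"

    def translate(self, real_ip, real_port):
        """Return (mapped IP as str, mapped port) for an outbound flow from
        real_ip:real_port, creating a translation when none exists."""
        real_ip = ipaddress.IPv4Address(real_ip)
        if self.pool_id == 0:                       # identity NAT: mapped == real
            return str(real_ip), real_port
        if real_ip in self.host_xlate:              # reuse the host's one-to-one xlate
            return str(self.host_xlate[real_ip]), real_port
        if (real_ip, real_port) in self.flow_xlate:
            ip, port = self.flow_xlate[(real_ip, real_port)]
            return str(ip), port
        if self.free_mapped:                        # ranges first, in order
            mapped = self.free_mapped.pop(0)
            self.host_xlate[real_ip] = mapped
            return str(mapped), real_port
        for pat_ip in self.pat_addresses:           # then PAT addresses, in order
            used = self.pat_ports_used[pat_ip]
            if used < PAT_PORTS_PER_ADDRESS:
                self.pat_ports_used[pat_ip] = used + 1
                self.flow_xlate[(real_ip, real_port)] = (pat_ip, PAT_FIRST_PORT + used)
                return str(pat_ip), PAT_FIRST_PORT + used
        raise RuntimeError("global pool %d is exhausted" % self.pool_id)


if __name__ == "__main__":
    # Constructed sample: pool 1 holds the range 209.165.201.1-209.165.201.2
    # plus the PAT address 209.165.201.3 on the Outside interface.
    pool = GlobalPool(1, ranges=[("209.165.201.1", "209.165.201.2")],
                      pat_addresses=["209.165.201.3"])
    print(pool.kind())
    for host in ("10.1.1.1", "10.1.1.2", "10.1.1.3", "10.1.1.4"):
        print(host, "->", pool.translate(host, 1025))
```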
Policy NAT lets you identify real addresses for address translation by specifying the source and destination addresses. You can also optionally specify the source and destination ports. Regular NAT can only consider the source addresses, and not the destination. See the “Policy NAT” section on page 6-11 for more information.

Static PAT lets you translate the real IP address to a mapped IP address, as well as the real port to a mapped port. You can choose to translate the real port to the same port, which lets you translate only specific types of traffic, or you can take it further by translating to a different port. For applications that require application inspection for secondary channels (for example, FTP and VoIP), the ASA automatically translates the secondary ports. For more information about static PAT, see the “Static PAT” section on page 6-9.

You cannot use the same real or mapped address in multiple static rules between the same two interfaces unless you use static PAT. Do not use a mapped address in the static rule that is also defined in a global pool for the same mapped interface.

Static identity NAT translates the real IP address to the same IP address.

This section includes the following topics:
– Configuring Static NAT, PAT, or Identity NAT, page 6-28
– Configuring Static Policy NAT, PAT, or Identity NAT, page 6-31

Configuring Static NAT, PAT, or Identity NAT

Figure 6-21 shows typical static NAT, static PAT, and static identity NAT scenarios. The translation is always active so both translated and remote hosts can originate connections.
Figure 6-21 Static NAT Scenarios
(Figure: three panels, Static NAT, Static PAT, and Static Identity NAT, each showing the Security Appliance between an Inside and an Outside interface. Static NAT maps 10.1.1.1 and 10.1.1.2 to 209.165.201.1 and 209.165.201.2; static PAT maps 10.1.1.1:23 to 209.165.201.1:23 and 10.1.1.2:8080 to 209.165.201.2:80; static identity NAT leaves 209.165.201.1 and 209.165.201.2 unchanged.)

To configure static NAT, PAT, or identity NAT, perform the following steps:
Step 1 In the Configuration > Firewall > NAT Rules pane, choose Add > Add Static NAT Rule. The Add Static NAT Rule dialog box appears.

Step 2 In the Original area, from the Interface drop-down list, choose the interface that is connected to the hosts with real addresses that you want to translate.

Step 3 Enter the real addresses in the Source field, or click the ... button to choose an IP address that you already defined in ASDM. Specify the address and subnet mask using prefix/length notation, such as 10.1.1.0/24. If you enter an IP address without a mask, it is considered to be a host address, even if it ends with a 0.

Step 4 In the Translated area, from the Interface drop-down list, choose the interface where you want to use the mapped addresses.

Step 5 Specify the mapped IP address by clicking one of the following:

– Use IP Address: Enter the IP address or click the ... button to choose an IP address that you already defined in ASDM. Specify the address and subnet mask using prefix/length notation, such as 10.1.1.0/24. If you enter an IP address without a mask, it is considered to be a host address, even if it ends with a 0.

– Use Interface IP Address

The real and mapped addresses must have the same subnet mask.

Note For identity NAT, enter the same IP address in the Original and Translated fields.

Step 6 (Optional) To use static PAT, check Enable Port Address Translation (PAT).

a. For the Protocol, click TCP or UDP.

b. In the Original Port field, enter the real port number.

c. In the Translated Port field, enter the mapped port number.

Step 7 (Optional) To enable translation of addresses inside DNS replies, expand the Connection Settings area, and check the Translate the DNS replies that match the translation rule check box.
If your NAT rule includes the real address of a host that has an entry in a DNS server, and the DNS server is on a different interface from a client, then the client and the DNS server need different addresses for the host; one needs the mapped address and one needs the real address. This option rewrites the address in the DNS reply to the client. The mapped host needs to be on the same interface as either the client or the DNS server. See the “DNS and NAT” section on page 6-14 for more information.

Step 8 (Optional) To enable connection settings, expand the Connection Settings area, and set one or more of the following options:
Note You can also set these values using a security policy rule.

To set the number of rate intervals maintained for host statistics, on the Configuration > Firewall > Threat Detection > Scanning Threat Statistics area, choose 1, 2, or 3 from the User can specify the number of rate for Threat Detection Host drop-down list. Because host statistics use a lot of memory, reducing the number of rate intervals from the default of 3 reduces the memory usage. By default, the Firewall Dashboard Tab shows information for three rate intervals, for example, for the last 1 hour, 8 hours, and 24 hours. If you set this keyword to 1, then only the shortest rate interval statistics are maintained. If you set the value to 2, then the two shortest intervals are maintained.

If you set them in both places, then the ASA uses the lower limit. For TCP sequence randomization, if it is disabled using either method, then the ASA disables TCP sequence randomization.

– Randomize sequence number—With this check box checked (the default), the ASA randomizes the sequence number of TCP packets. Each TCP connection has two ISNs: one generated by the client and one generated by the server. The ASA randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions. Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session.

TCP initial sequence number randomization can be disabled if required. For example:

– If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both firewalls to be performing this action, even though this action does not affect the traffic.

– If you use eBGP multi-hop through the ASA, and the eBGP peers are using MD5. Randomization breaks the MD5 checksum.
– You use a WAAS device that requires the ASA not to randomize the sequence numbers of connections.

– Maximum TCP Connections—Specifies the maximum number of TCP connections, between 0 and 65,535. If this value is set to 0, the number of connections is unlimited.

– Maximum UDP Connections—Specifies the maximum number of UDP connections, between 0 and 65,535. If this value is set to 0, the number of connections is unlimited.

– Maximum Embryonic Connections—Specifies the maximum number of embryonic connections per host up to 65,536. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination. This limit enables the TCP Intercept feature. The default is 0, which means no embryonic connection limit is enforced. TCP Intercept protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. When the embryonic limit has been surpassed, the TCP intercept feature intercepts TCP SYN packets from clients to servers on a higher security level. SYN cookies are used during the validation process and help to minimize the amount of valid traffic being dropped. Thus, connection attempts from unreachable hosts will never reach the server.

Step 9 Click OK.
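An added model of the static rules in this procedure and Figure 6-21 (not Cisco code): static NAT, static PAT and identity NAT translations that work in both directions because the translation is always active, the rule that the same real or mapped address cannot be reused between the same two interfaces unless static PAT is used, and the DNS reply rewrite from Step 7. The interface names and the 10.1.2.0/24 identity network in the sample are constructed.

```python
"""Model of ASA 8.2 static NAT, static PAT and static identity NAT rules as the
procedure above describes them (added example, not Cisco code).  Static
translations are bidirectional, so the remote side can originate connections;
a real or mapped address may appear in only one static rule between the same
two interfaces unless the rules are static PAT; the real and mapped entries
must share a subnet mask; and with DNS rewrite enabled a client on the mapped
interface sees the mapped address in an A-record answer."""
import ipaddress


def parse_address(text):
    """ASDM rule: prefix/length; no mask means a single host, even if it ends in 0."""
    return ipaddress.ip_network(text if "/" in text else text + "/32", strict=False)


class StaticRule:
    def __init__(self, real_if, real, mapped_if, mapped,
                 proto=None, real_port=None, mapped_port=None, dns_rewrite=False):
        self.real_if, self.mapped_if = real_if, mapped_if
        self.real, self.mapped = parse_address(real), parse_address(mapped)
        if self.real.prefixlen != self.mapped.prefixlen:
            raise ValueError("real and mapped addresses must have the same subnet mask")
        self.proto, self.real_port, self.mapped_port = proto, real_port, mapped_port
        self.dns_rewrite = dns_rewrite

    @property
    def is_pat(self):
        return self.real_port is not None

    @staticmethod
    def _shift(ip, src, dst):
        """Map ip at some offset inside network src to the same offset in dst."""
        return dst.network_address + (int(ip) - int(src.network_address))

    def to_mapped(self, ip, port=None, proto=None):
        ip = ipaddress.IPv4Address(ip)
        if ip not in self.real:
            return None
        if self.is_pat and port is not None and (proto, port) != (self.proto, self.real_port):
            return None
        return self._shift(ip, self.real, self.mapped), (self.mapped_port if self.is_pat else port)

    def to_real(self, ip, port=None, proto=None):
        ip = ipaddress.IPv4Address(ip)
        if ip not in self.mapped:
            return None
        if self.is_pat and port is not None and (proto, port) != (self.proto, self.mapped_port):
            return None
        return self._shift(ip, self.mapped, self.real), (self.real_port if self.is_pat else port)


class StaticNatTable:
    def __init__(self):
        self.rules = []

    def add(self, rule):
        """Reject a rule that reuses a real or mapped address between the same
        two interfaces, unless both the existing and the new rule are static PAT."""
        for r in self.rules:
            same_pair = {r.real_if, r.mapped_if} == {rule.real_if, rule.mapped_if}
            both_pat = r.is_pat and rule.is_pat
            if same_pair and not both_pat and (
                    r.real.overlaps(rule.real) or r.mapped.overlaps(rule.mapped)):
                raise ValueError("address already used by a static rule between "
                                 "these interfaces; only static PAT may share it")
        self.rules.append(rule)
        return rule

    def outbound(self, real_ip, port=None, proto=None):
        """Real host originates the connection: real -> mapped."""
        for r in self.rules:
            hit = r.to_mapped(real_ip, port, proto)
            if hit:
                return str(hit[0]), hit[1]
        return None

    def inbound(self, mapped_ip, port=None, proto=None):
        """Remote host originates: the static xlate is always present, mapped -> real."""
        for r in self.rules:
            hit = r.to_real(mapped_ip, port, proto)
            if hit:
                return str(hit[0]), hit[1]
        return None

    def rewrite_dns_answer(self, answer_ip, client_if):
        """'Translate the DNS replies' option: the DNS server holds the real
        address, so a client on the mapped interface gets the mapped one."""
        for r in self.rules:
            if r.dns_rewrite and client_if == r.mapped_if:
                hit = r.to_mapped(answer_ip)
                if hit:
                    return str(hit[0])
        return str(ipaddress.IPv4Address(answer_ip))
```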
Configuring Static Policy NAT, PAT, or Identity NAT

Figure 6-22 shows typical static policy NAT, static policy PAT, and static policy identity NAT scenarios. The translation is always active so both translated and remote hosts can originate connections.

Figure 6-22 Static Policy NAT Scenarios

To configure static policy NAT, PAT, or identity NAT, perform the following steps:

Step 1 In the Configuration > Firewall > NAT Rules pane, choose Add > Advanced > Add Static Policy NAT Rule. The Add Static Policy NAT Rule dialog box appears.

Step 2 In the Original area, from the Interface drop-down list, choose the interface that is connected to the hosts with real addresses that you want to translate.

Step 3 Enter the real addresses in the Source field, or click the ... button to choose an IP address that you already defined in ASDM. Specify the address and subnet mask using prefix/length notation, such as 10.1.1.0/24. If you enter an IP address without a mask, it is considered to be a host address, even if it ends with a 0.

Step 4 Enter the destination addresses in the Destination field, or click the ... button to choose an IP address that you already defined in ASDM. Specify the address and subnet mask using prefix/length notation, such as 10.1.1.0/24. If you enter an IP address without a mask, it is considered to be a host address, even if it ends with a 0. Separate multiple destination addresses by a comma. By default, the field shows any, which allows any destination address.

Step 5 In the Translated area, from the Interface drop-down list, choose the interface where you want to use the mapped addresses.
(Figure 6-22 panels: Static Policy NAT, Static Policy PAT, and Static Policy Identity NAT, each showing the Security Appliance between an Inside and an Outside interface. Static policy NAT maps 10.1.1.1 and 10.1.1.2 to 209.165.201.1 and 209.165.201.2; static policy PAT maps 10.1.1.1:23 to 209.165.201.1:23 and 10.1.1.2:8080 to 209.165.201.2:80; static policy identity NAT leaves 209.165.201.1 and 209.165.201.2 unchanged.)
Step 6 Specify the mapped IP address by clicking one of the following:

– Use IP Address: Enter the IP address or click the ... button to choose an IP address that you already defined in ASDM. Specify the address and subnet mask using prefix/length notation, such as 10.1.1.0/24. If you enter an IP address without a mask, it is considered to be a host address, even if it ends with a 0.

– Use Interface IP Address

The real and mapped addresses must have the same subnet mask.

Step 7 (Optional) To use static PAT, check Enable Port Address Translation (PAT).

a. For the Protocol, click TCP or UDP.

b. In the Original Port field, enter the real port number.

c. In the Translated Port field, enter the mapped port number.

Step 8 (Optional) Enter a description in the Description field.

Step 9 (Optional) To enable translation of addresses inside DNS replies, expand the Connection Settings area, and check the Translate the DNS replies that match the translation rule check box. If your NAT rule includes the real address of a host that has an entry in a DNS server, and the DNS server is on a different interface from a client, then the client and the DNS server need different addresses for the host; one needs the mapped address and one needs the real address. This option rewrites the address in the DNS reply to the client. The mapped host needs to be on the same interface as either the client or the DNS server. See the “DNS and NAT” section on page 6-14 for more information.

Step 10 (Optional) To enable connection settings, expand the Connection Settings area, and set one or more of the following options:

Note You can also set these values using a security policy rule.
To set the number of rate intervals maintained for host statistics, on the Configuration > Firewall > Threat Detection > Scanning Threat Statistics area, choose 1, 2, or 3 from the User can specify the number of rate for Threat Detection Host drop-down list. Because host statistics use a lot of memory, reducing the number of rate intervals from the default of 3 reduces the memory usage. By default, the Firewall Dashboard Tab shows information for three rate intervals, for example, for the last 1 hour, 8 hours, and 24 hours. If you set this keyword to 1, then only the shortest rate interval statistics are maintained. If you set the value to 2, then the two shortest intervals are maintained.

If you set them in both places, then the ASA uses the lower limit. For TCP sequence randomization, if it is disabled using either method, then the ASA disables TCP sequence randomization.

– Randomize sequence number—With this check box checked (the default), the ASA randomizes the sequence number of TCP packets. Each TCP connection has two ISNs: one generated by the client and one generated by the server. The ASA randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions. Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a new connection and potentially hijacking the new session.

TCP initial sequence number randomization can be disabled if required. For example:

– If another in-line firewall is also randomizing the initial sequence numbers, there is no need for both firewalls to be performing this action, even though this action does not affect the traffic.

– If you use eBGP multi-hop through the ASA, and the eBGP peers are using MD5. Randomization breaks the MD5 checksum.