Cisco Asdm 7 User Guide
Cisco ASA Series Firewall ASDM Configuration Guide, Chapter 3: Information About NAT (ASA 8.3 and Later)

## NAT Types

Figure 3-10 shows a typical dynamic PAT scenario. Only real hosts can create a NAT session, and responding traffic is allowed back. The mapped address is the same for each translation, but the port is dynamically assigned.

Figure 3-10 Dynamic PAT

[Figure: inside hosts 10.1.1.1:1025, 10.1.1.1:1026 and 10.1.1.2:1025 are translated by the security appliance to the single outside address 209.165.201.1, using ports 2020, 2021 and 2022 respectively.]

After the connection expires, the port translation also expires. For multi-session PAT, the PAT timeout is used, 30 seconds by default. For per-session PAT (9.0(1) and later), the xlate is immediately removed. Users on the destination network cannot reliably initiate a connection to a host that uses PAT (even if the connection is allowed by an access rule).

Note: For the duration of the translation, a remote host can initiate a connection to the translated host if an access rule allows it. Because the port address (both real and mapped) is unpredictable, a connection to the host is unlikely. Nevertheless, in this case you can rely on the security of the access rule.

### Per-Session PAT vs. Multi-Session PAT (Version 9.0(1) and Later)

The per-session PAT feature improves the scalability of PAT and, for clustering, allows each member unit to own PAT connections; multi-session PAT connections have to be forwarded to and owned by the master unit. At the end of a per-session PAT session, the ASA sends a reset and immediately removes the xlate. This reset causes the end node to immediately release the connection, avoiding the TIME_WAIT state. Multi-session PAT, on the other hand, uses the PAT timeout, by default 30 seconds.

For “hit-and-run” traffic, such as HTTP or HTTPS, the per-session feature can dramatically increase the connection rate supported by one address. Without the per-session feature, the maximum connection rate for one address for an IP protocol is approximately 2000 per second. With the per-session feature, the connection rate for one address for an IP protocol is 65535/average-lifetime.

By default, all TCP traffic and UDP DNS traffic use a per-session PAT xlate. For traffic that can benefit from multi-session PAT, such as H.323, SIP, or Skinny, you can disable per-session PAT by creating a per-session deny rule. See the “Configuring Per-Session PAT Rules” section on page 4-19.

### Dynamic PAT Disadvantages and Advantages

Dynamic PAT lets you use a single mapped address, thus conserving routable addresses. You can even use the ASA interface IP address as the PAT address.

Dynamic PAT does not work with some multimedia applications that have a data stream that is different from the control path. See the “Default Settings and NAT Limitations” section on page 10-4 for more information about NAT and PAT support.

Dynamic PAT may also create a large number of connections appearing to come from a single IP address, and servers might interpret the traffic as a DoS attack. (8.4(2)/8.5(1) and later) You can configure a PAT pool of addresses and use a round-robin assignment of PAT addresses to mitigate this situation.
### Identity NAT

You might have a NAT configuration in which you need to translate an IP address to itself. For example, if you create a broad rule that applies NAT to every network, but want to exclude one network from NAT, you can create a static NAT rule to translate an address to itself. Identity NAT is necessary for remote access VPN, where you need to exempt the client traffic from NAT.

Figure 3-11 shows a typical identity NAT scenario.

Figure 3-11 Identity NAT

[Figure: the inside addresses 209.165.201.1 and 209.165.201.2 pass through the security appliance unchanged, mapped to 209.165.201.1 and 209.165.201.2 on the outside.]

## NAT in Routed and Transparent Mode

You can configure NAT in both routed and transparent firewall mode. This section describes typical usage for each firewall mode and includes the following topics:

- NAT in Routed Mode, page 3-13
- NAT in Transparent Mode, page 3-13
### NAT in Routed Mode

Figure 3-12 shows a typical NAT example in routed mode, with a private network on the inside.

Figure 3-12 NAT Example: Routed Mode

[Figure: inside host 10.1.2.27 (inside interface 10.1.2.1) sends a packet to the web server www.cisco.com; the security appliance (outside interface 209.165.201.2) translates the originating packet's source address 10.1.2.27 to 209.165.201.10 and undoes the translation on the responding packet.]

1. When the inside host at 10.1.2.27 sends a packet to a web server, the real source address of the packet, 10.1.2.27, is changed to a mapped address, 209.165.201.10.
2. When the server responds, it sends the response to the mapped address, 209.165.201.10, and the ASA receives the packet because the ASA performs proxy ARP to claim the packet.
3. The ASA then translates the mapped address, 209.165.201.10, back to the real address, 10.1.2.27, before sending the packet to the host.

### NAT in Transparent Mode

Using NAT in transparent mode eliminates the need for the upstream or downstream routers to perform NAT for their networks. NAT in transparent mode has the following requirements and limitations:

- Because the transparent firewall does not have any interface IP addresses, you cannot use interface PAT.
- ARP inspection is not supported. Moreover, if for some reason a host on one side of the ASA sends an ARP request to a host on the other side of the ASA, and the initiating host's real address is mapped to a different address on the same subnet, then the real address remains visible in the ARP request.
- Translating between IPv4 and IPv6 networks is not supported. Translating between two IPv6 networks, or between two IPv4 networks, is supported.

Figure 3-13 shows a typical NAT scenario in transparent mode, with the same network on the inside and outside interfaces. The transparent firewall in this scenario is performing the NAT service so that the upstream router does not have to perform NAT.
Figure 3-13 NAT Example: Transparent Mode

[Figure: the ASA (management IP 10.1.1.1) sits between the upstream router 10.1.1.2, which leads to the Internet and www.example.com, and the inside segment with host 10.1.1.75 and the downstream router 10.1.1.3 (192.168.1.1 on Network 2, where host 192.168.1.2 resides). Source address translations: 10.1.1.75 to 209.165.201.15, and 192.168.1.2 to 209.165.201.10. Static route on router: 209.165.201.0/27 to 10.1.1.1. Static route on ASA: 192.168.1.0/24 to 10.1.1.3.]

1. When the inside host at 10.1.1.75 sends a packet to a web server, the real source address of the packet, 10.1.1.75, is changed to a mapped address, 209.165.201.15.
2. When the server responds, it sends the response to the mapped address, 209.165.201.15, and the ASA receives the packet because the upstream router includes this mapped network in a static route directed to the ASA management IP address. See the “Mapped Addresses and Routing” section on page 3-22 for more information about required routes.
3. The ASA then undoes the translation of the mapped address, 209.165.201.15, back to the real address, 10.1.1.75. Because the real address is directly connected, the ASA sends it directly to the host.
4. For host 192.168.1.2, the same process occurs, except that for returning traffic, the ASA looks up the route in its routing table and sends the packet to the downstream router at 10.1.1.3 based on the ASA static route for 192.168.1.0/24. See the “Transparent Mode Routing Requirements for Remote Networks” section on page 3-24 for more information about required routes.
## NAT and IPv6

You can use NAT to translate between IPv6 networks, and also to translate between IPv4 and IPv6 networks (routed mode only). We recommend the following best practices:

- NAT66 (IPv6-to-IPv6): We recommend using static NAT. Although you can use dynamic NAT or PAT, IPv6 addresses are in such large supply that you do not have to use dynamic NAT. If you do not want to allow returning traffic, you can make the static NAT rule unidirectional (twice NAT only).
- NAT46 (IPv4-to-IPv6): We recommend using static NAT. Because the IPv6 address space is so much larger than the IPv4 address space, you can easily accommodate a static translation. If you do not want to allow returning traffic, you can make the static NAT rule unidirectional (twice NAT only). When translating to an IPv6 subnet (/96 or lower), the resulting mapped address is by default an IPv4-embedded IPv6 address, where the 32 bits of the IPv4 address are embedded after the IPv6 prefix. For example, if the IPv6 prefix is a /96 prefix, then the IPv4 address is appended in the last 32 bits of the address. For example, if you map 192.168.1.0/24 to 201b::0/96, then 192.168.1.4 will be mapped to 201b::0.192.168.1.4 (shown with mixed notation). If the prefix is shorter, such as /64, then the IPv4 address is appended after the prefix, and a suffix of 0s is appended after the IPv4 address. You can also optionally translate the addresses net-to-net, where the first IPv4 address maps to the first IPv6 address, the second to the second, and so on.
- NAT64 (IPv6-to-IPv4): You may not have enough IPv4 addresses to accommodate the number of IPv6 addresses. We recommend using a dynamic PAT pool to provide a large number of IPv4 translations.

For specific implementation guidelines and limitations, see the configuration chapters.
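The two NAT46 mapping styles described above, worked through in code. This is an added example, not code from the Cisco guide: `embed_ipv4` builds the default IPv4-embedded IPv6 address for any mapped prefix of /96 or shorter, `net_to_net` performs the optional net-to-net mapping, and `mixed_notation` renders a result in the mixed notation the text uses; the function names are this example's own and only the standard library is used.

```python
from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Network


def embed_ipv4(real: str, mapped_prefix: str) -> IPv6Address:
    """Default NAT46 mapping: the 32 IPv4 bits follow the IPv6 prefix and any
    remaining low-order bits are zero (for a /96 nothing remains)."""
    prefix = IPv6Network(mapped_prefix)
    if prefix.prefixlen > 96:
        # Fewer than 32 host bits left: the IPv4 address cannot be embedded.
        raise ValueError("NAT46 embedding needs a /96 or shorter mapped prefix")
    zero_suffix = 128 - prefix.prefixlen - 32      # 0 for a /96, 32 for a /64
    v4_bits = int(IPv4Address(real)) << zero_suffix
    return IPv6Address(int(prefix.network_address) | v4_bits)


def net_to_net(real: str, real_net: str, mapped_prefix: str) -> IPv6Address:
    """Optional net-to-net mapping: first real address to first mapped address,
    second to second, and so on (the offset within the subnet is preserved)."""
    v4net = IPv4Network(real_net)
    v6net = IPv6Network(mapped_prefix)
    host = IPv4Address(real)
    if host not in v4net:
        raise ValueError(f"{real} is not inside {real_net}")
    return v6net.network_address + (int(host) - int(v4net.network_address))


def mixed_notation(addr: IPv6Address) -> str:
    """Render the low 32 bits as a dotted quad (e.g. 201b::192.168.1.4), the
    form the guide uses to show an embedded IPv4 address."""
    value = int(addr)
    quad = str(IPv4Address(value & 0xFFFF_FFFF))
    high = str(IPv6Address(value & ~0xFFFF_FFFF))  # same address, low 32 bits zeroed
    # The zeroed tail is either folded into "::" or printed literally as ":0:0".
    if high.endswith("::"):
        return high + quad
    return high[: -len(":0:0")] + ":" + quad


if __name__ == "__main__":
    # The guide's own example: 192.168.1.0/24 mapped to 201b::0/96.
    a = embed_ipv4("192.168.1.4", "201b::/96")
    print(a, "->", mixed_notation(a))              # 201b::c0a8:104 -> 201b::192.168.1.4
    # Shorter prefix: the IPv4 bits follow the /64, then a 32-bit zero suffix.
    print(embed_ipv4("192.168.1.4", "201b::/64"))  # 201b::c0a8:104:0:0
    # Net-to-net keeps the host's offset within the subnet (.4 -> ::4).
    print(net_to_net("192.168.1.4", "192.168.1.0/24", "201b::/96"))  # 201b::4
```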
## How NAT is Implemented

The ASA can implement address translation in two ways: network object NAT and twice NAT. This section includes the following topics:

- Main Differences Between Network Object NAT and Twice NAT, page 3-15
- Information About Network Object NAT, page 3-16
- Information About Twice NAT, page 3-16

### Main Differences Between Network Object NAT and Twice NAT

The main differences between these two NAT types are:

- How you define the real address.
  - Network object NAT: You define NAT as a parameter for a network object. A network object names an IP host, range, or subnet so you can then use the object in configuration instead of the actual IP addresses. The network object IP address serves as the real address. This method lets you easily add NAT to network objects that might already be used in other parts of your configuration.
  - Twice NAT: You identify a network object or network object group for both the real and mapped addresses. In this case, NAT is not a parameter of the network object; the network object or group is a parameter of the NAT configuration. The ability to use a network object group for the real address means that twice NAT is more scalable.
- How source and destination NAT is implemented.
  - Network object NAT: Each rule can apply to either the source or destination of a packet. So two rules might be used, one for the source IP address, and one for the destination IP address. These two rules cannot be tied together to enforce a specific translation for a source/destination combination.
  - Twice NAT: A single rule translates both the source and destination. A matching packet only matches the one rule, and further rules are not checked. Even if you do not configure the optional destination address for twice NAT, a matching packet still only matches one twice NAT rule. The source and destination are tied together, so you can enforce different translations depending on the source/destination combination. For example, sourceA/destinationA can have a different translation than sourceA/destinationB.
- Order of NAT rules.
  - Network object NAT: Automatically ordered in the NAT table.
  - Twice NAT: Manually ordered in the NAT table (before or after network object NAT rules).

See the “NAT Rule Order” section on page 3-20 for more information.

We recommend using network object NAT unless you need the extra features that twice NAT provides. Network object NAT is easier to configure, and might be more reliable for applications such as Voice over IP (VoIP). (For VoIP, because twice NAT is applicable only between two objects, you might see a failure in the translation of indirect addresses that do not belong to either of the objects.)

### Information About Network Object NAT

All NAT rules that are configured as a parameter of a network object are considered to be network object NAT rules. Network object NAT is a quick and easy way to configure NAT for a network object, which can be a single IP address, a range of addresses, or a subnet. After you configure the network object, you can then identify the mapped address for that object, either as an inline address or as another network object or network object group.

When a packet enters the ASA, both the source and destination IP addresses are checked against the network object NAT rules. The source and destination address in the packet can be translated by separate rules if separate matches are made. These rules are not tied to each other; different combinations of rules can be used depending on the traffic. Because the rules are never paired, you cannot specify that sourceA/destinationA should have a different translation than sourceA/destinationB. Use twice NAT for that kind of functionality (twice NAT lets you identify the source and destination address in a single rule).

To start configuring network object NAT, see Chapter 4, “Configuring Network Object NAT (ASA 8.3 and Later).”

### Information About Twice NAT

Twice NAT lets you identify both the source and destination address in a single rule. Specifying both the source and destination addresses lets you specify that sourceA/destinationA can have a different translation than sourceA/destinationB.

The destination address is optional. If you specify the destination address, you can either map it to itself (identity NAT), or you can map it to a different address. The destination mapping is always a static mapping.
Twice NAT also lets you use service objects for static NAT with port translation; network object NAT only accepts inline definition.

To start configuring twice NAT, see Chapter 5, “Configuring Twice NAT (ASA 8.3 and Later).”

Figure 3-14 shows a host on the 10.1.2.0/24 network accessing two different servers. When the host accesses the server at 209.165.201.11, the real address is translated to 209.165.202.129. When the host accesses the server at 209.165.200.225, the real address is translated to 209.165.202.130. (See the “Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation)” section on page 4-33 for details on how to configure this example.)

Figure 3-14 Twice NAT with Different Destination Addresses

[Figure: inside host 10.1.2.27 on 10.1.2.0/24; DMZ networks 209.165.201.0/27 (Server 1, 209.165.201.11) and 209.165.200.224/27 (Server 2, 209.165.200.225). Packet with destination address 209.165.201.11: 10.1.2.27 is translated to 209.165.202.129. Packet with destination address 209.165.200.225: 10.1.2.27 is translated to 209.165.202.130.]
Figure 3-15 shows the use of source and destination ports. The host on the 10.1.2.0/24 network accesses a single host for both web services and Telnet services. When the host accesses the server for web services, the real address is translated to 209.165.202.129. When the host accesses the same server for Telnet services, the real address is translated to 209.165.202.130.

Figure 3-15 Twice NAT with Different Destination Ports

[Figure: inside host 10.1.2.27 on 10.1.2.0/24 reaching the web and Telnet server 209.165.201.11 across the Internet. Web packet (destination address 209.165.201.11:80): 10.1.2.27 is translated to 209.165.202.129. Telnet packet (destination address 209.165.201.11:23): 10.1.2.27 is translated to 209.165.202.130.]
Figure 3-16 shows a remote host connecting to a mapped host. The mapped host has a twice static NAT translation that translates the real address only for traffic to and from the 209.165.201.0/27 network. A translation does not exist for the 209.165.200.224/27 network, so the translated host cannot connect to that network, nor can a host on that network connect to the translated host.

Figure 3-16 Twice Static NAT with Destination Address Translation

[Figure: inside host 10.1.2.27 on 10.1.2.0/27; DMZ networks 209.165.201.0/27 (host 209.165.201.11) and 209.165.200.224/27 (host 209.165.200.225). Traffic from 209.165.201.11 to the mapped address 209.165.202.128 has its translation undone to 10.1.2.27; for the 209.165.200.224/27 network there is no translation.]
## NAT Rule Order

Network object NAT rules and twice NAT rules are stored in a single table that is divided into three sections. Section 1 rules are applied first, then section 2, and finally section 3, until a match is found. For example, if a match is found in section 1, sections 2 and 3 are not evaluated. Table 3-1 shows the order of rules within each section.

Table 3-1 NAT Rule Table

| Table Section | Rule Type | Order of Rules within the Section |
|---|---|---|
| Section 1 | Twice NAT | Applied on a first match basis, in the order they appear in the configuration. Because the first match is applied, you must ensure that specific rules come before more general rules, or the specific rules might not be applied as desired. By default, twice NAT rules are added to section 1. Note: If you configure EasyVPN remote, the ASA dynamically adds invisible NAT rules to the end of this section. Be sure that you do not configure a twice NAT rule in this section that might match your VPN traffic, instead of matching the invisible rule. If VPN does not work due to NAT failure, consider adding twice NAT rules to section 3 instead. |
| Section 2 | Network object NAT | If a match in section 1 is not found, section 2 rules are applied in the following order, as automatically determined by the ASA: 1. Static rules. 2. Dynamic rules. Within each rule type, the following ordering guidelines are used: (a) Quantity of real IP addresses, from smallest to largest. For example, an object with one address will be assessed before an object with 10 addresses. (b) For quantities that are the same, the IP address number is used, from lowest to highest. For example, 10.1.1.0 is assessed before 11.1.1.0. (c) If the same IP address is used, the name of the network object is used, in alphabetical order. For example, abracadabra is assessed before catwoman. |
| Section 3 | Twice NAT | If a match is still not found, section 3 rules are applied on a first match basis, in the order they appear in the configuration. This section should contain your most general rules. You must also ensure that any specific rules in this section come before general rules that would otherwise apply. You can specify whether to add a twice NAT rule to section 3 when you add the rule. |
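The lookup order of Table 3-1, modelled in code. This is an added example, not code from the Cisco guide: the rule classes, the sample rule names and the sample table are constructed here, section 2 is sorted by the guide's automatic criteria, and network object NAT matching is simplified to the packet's source address (the ASA also checks the destination against section 2 rules, as described earlier).

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class ObjectNatRule:
    """Section 2 rule: NAT is a parameter of one network object (its real address)."""
    name: str
    real: str      # host or subnet, e.g. "10.1.1.0/24"
    static: bool   # static rules are ordered before dynamic rules

@dataclass(frozen=True)
class TwiceNatRule:
    """Section 1 or 3 rule: real source plus optional destination, matched as a pair."""
    name: str
    real_src: str
    real_dst: Optional[str] = None   # None: no destination configured, any destination matches

def section2_key(rule: ObjectNatRule) -> Tuple[bool, int, int, str]:
    """The ASA's automatic section 2 order: static before dynamic, fewer real
    addresses first, lower IP address first, then object name alphabetically."""
    net = IPv4Network(rule.real, strict=False)
    return (not rule.static, net.num_addresses, int(net.network_address), rule.name)

def order_section2(rules: List[ObjectNatRule]) -> List[ObjectNatRule]:
    return sorted(rules, key=section2_key)

def _in(net: str, addr: IPv4Address) -> bool:
    return addr in IPv4Network(net, strict=False)

def first_match(section1, section2, section3, src: str, dst: str) -> Optional[Tuple[int, str]]:
    """Walk the three sections in order and stop at the first matching rule;
    once a rule matches, later rules and sections are not evaluated."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for number, rules in ((1, section1), (2, order_section2(section2)), (3, section3)):
        for rule in rules:
            if isinstance(rule, TwiceNatRule):   # source and destination are tied together
                hit = _in(rule.real_src, s) and (rule.real_dst is None or _in(rule.real_dst, d))
            else:                                # simplified: source-address match only
                hit = _in(rule.real, s)
            if hit:
                return number, rule.name
    return None   # no rule matched: the packet is forwarded untranslated

# Constructed sample table built around the guide's ordering examples.
SECTION1 = [TwiceNatRule("vpn-exempt", "10.1.2.0/24", "192.168.50.0/24")]
SECTION2 = [
    ObjectNatRule("catwoman", "10.1.1.0/24", static=True),
    ObjectNatRule("abracadabra", "10.1.1.0/24", static=True),
    ObjectNatRule("net-b", "11.1.1.0/24", static=True),
    ObjectNatRule("host-a", "10.1.1.5/32", static=False),   # dynamic: sorted after every static rule
    ObjectNatRule("host-z", "10.1.1.9/32", static=True),
]
SECTION3 = [TwiceNatRule("general-pat", "0.0.0.0/0")]

if __name__ == "__main__":
    print([r.name for r in order_section2(SECTION2)])
    # ['host-z', 'abracadabra', 'catwoman', 'net-b', 'host-a']
    print(first_match(SECTION1, SECTION2, SECTION3, "10.1.1.5", "203.0.113.7"))   # (2, 'abracadabra')
    print(first_match(SECTION1, SECTION2, SECTION3, "10.1.2.27", "203.0.113.7"))  # (3, 'general-pat')
```

Note that the dynamic /32 object `host-a` never wins for 10.1.1.5 even though it is the most specific object: the static /24 objects are evaluated first, and between two identical /24 objects the alphabetical name decides.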