Cisco Asdm 7 User Guide
Cisco ASA Series Firewall ASDM Configuration Guide, Chapter 3: Information About NAT (ASA 8.3 and Later) (page 3-21)

For section 2 rules, for example, you have the following IP addresses defined within network objects:

  192.168.1.0/24 (static)
  192.168.1.0/24 (dynamic)
  10.1.1.0/24 (static)
  192.168.1.1/32 (static)
  172.16.1.0/24 (dynamic) (object def)
  172.16.1.0/24 (dynamic) (object abc)

The resultant ordering would be:

  192.168.1.1/32 (static)
  10.1.1.0/24 (static)
  192.168.1.0/24 (static)
  172.16.1.0/24 (dynamic) (object abc)
  172.16.1.0/24 (dynamic) (object def)
  192.168.1.0/24 (dynamic)

NAT Interfaces

You can configure a NAT rule to apply to any interface (in other words, all interfaces), or you can identify specific real and mapped interfaces. You can also specify any interface for the real address, and a specific interface for the mapped address, or vice versa. For example, you might want to specify any interface for the real address and specify the outside interface for the mapped address if you use the same private addresses on multiple interfaces, and you want to translate them all to the same global pool when accessing the outside (Figure 3-17).

Figure 3-17 Specifying Any Interface

  [Figure 3-17 labels: the Eng, HR, and Mktg interfaces of the security appliance each use the 10.1.2.0 network; traffic from any of them is translated to 209.165.201.1:xxxx on the Outside interface.]

Note: For transparent mode, you must choose specific source and destination interfaces.
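The ordering above is produced automatically; the following added example (not from the Cisco guide) reproduces it and shows why it matters, because section 2 is evaluated top-down and the first matching rule wins. It assumes the ordering criteria are static before dynamic, fewer real addresses first, lower network address first, then object name; the object names other than abc and def are assumed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class ObjectNatRule:
    """One network object NAT rule (section 2 of the NAT table)."""
    name: str           # network object name
    real: IPv4Network   # real (untranslated) addresses held by the object
    static: bool        # True for static NAT, False for dynamic NAT/PAT


def section2_sort_key(rule: ObjectNatRule):
    # Assumed ordering criteria: static before dynamic, then fewer real
    # addresses (a /32 before a /24), then lower network address, then the
    # object name alphabetically as the final tie-breaker.
    return (
        0 if rule.static else 1,
        rule.real.num_addresses,
        int(rule.real.network_address),
        rule.name,
    )


def order_section2(rules):
    """Return the rules in the order the ASA evaluates them."""
    return sorted(rules, key=section2_sort_key)


def first_match(ordered_rules, src_ip):
    """Top-down evaluation: the first rule whose real network contains
    src_ip is applied, so a more specific /32 rule placed above a /24
    wins for that host. Returns None when no section 2 rule matches."""
    ip = IPv4Address(src_ip)
    for rule in ordered_rules:
        if ip in rule.real:
            return rule
    return None


# Constructed from the guide's worked example. The guide names only the
# two 172.16.1.0/24 objects (abc and def); the other names are assumed.
EXAMPLE_RULES = [
    ObjectNatRule("obj-192.168.1.0-s", IPv4Network("192.168.1.0/24"), True),
    ObjectNatRule("obj-192.168.1.0-d", IPv4Network("192.168.1.0/24"), False),
    ObjectNatRule("obj-10.1.1.0", IPv4Network("10.1.1.0/24"), True),
    ObjectNatRule("obj-host", IPv4Network("192.168.1.1/32"), True),
    ObjectNatRule("def", IPv4Network("172.16.1.0/24"), False),
    ObjectNatRule("abc", IPv4Network("172.16.1.0/24"), False),
]


def describe(rules):
    return [f"{r.real} ({'static' if r.static else 'dynamic'}) (object {r.name})"
            for r in rules]


if __name__ == "__main__":
    ordered = order_section2(EXAMPLE_RULES)
    for line in describe(ordered):
        print(line)
    # Host 192.168.1.1 hits the /32 static rule, not either /24 rule.
    print("192.168.1.1 ->", first_match(ordered, "192.168.1.1").name)
```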
Routing NAT Packets

The ASA needs to be the destination for any packets sent to the mapped address. The ASA also needs to determine the egress interface for any packets it receives destined for mapped addresses. This section describes how the ASA handles accepting and delivering packets with NAT, and includes the following topics:

- Mapped Addresses and Routing, page 3-22
- Transparent Mode Routing Requirements for Remote Networks, page 3-24
- Determining the Egress Interface, page 3-24

Mapped Addresses and Routing

When you translate the real address to a mapped address, the mapped address you choose determines how to configure routing, if necessary, for the mapped address. See additional guidelines about mapped IP addresses in Chapter 4, “Configuring Network Object NAT (ASA 8.3 and Later),” and Chapter 5, “Configuring Twice NAT (ASA 8.3 and Later).” See the following mapped address types:

- Addresses on the same network as the mapped interface. If you use addresses on the same network as the mapped interface, the ASA uses proxy ARP to answer any ARP requests for the mapped addresses, thus intercepting traffic destined for a mapped address. This solution simplifies routing because the ASA does not have to be the gateway for any additional networks. This solution is ideal if the outside network contains an adequate number of free addresses, a consideration if you are using a 1:1 translation like dynamic NAT or static NAT. Dynamic PAT greatly extends the number of translations you can use with a small number of addresses, so even if the available addresses on the outside network are few, this method can be used. For PAT, you can even use the IP address of the mapped interface.
  Note: If you configure the mapped interface to be any interface, and you specify a mapped address on the same network as one of the mapped interfaces, then if an ARP request for that mapped address comes in on a different interface, you need to manually configure an ARP entry for that network on the ingress interface, specifying its MAC address (see Configuration > Device Management > Advanced > ARP > ARP Static Table). Typically, if you specify any interface for the mapped interface, then you use a unique network for the mapped addresses, so this situation would not occur.

- Addresses on a unique network. If you need more addresses than are available on the mapped interface network, you can identify addresses on a different subnet. The upstream router needs a static route for the mapped addresses that points to the ASA. Alternatively for routed mode, you can configure a static route on the ASA for the mapped addresses, and then redistribute the route using your routing protocol. For transparent mode, if the real host is directly connected, configure the static route on the upstream router to point to the ASA: in 8.3, specify the global management IP address; in 8.4(1) and later, specify the bridge group IP address. For remote hosts in transparent mode, in the static route on the upstream router, you can alternatively specify the downstream router IP address.

- The same address as the real address (identity NAT).
  (8.3(1), 8.3(2), and 8.4(1)) The default behavior for identity NAT has proxy ARP disabled. You cannot configure this setting.

  (8.4(2) and later) The default behavior for identity NAT has proxy ARP enabled, matching other static NAT rules. You can disable proxy ARP if desired.

  Note: You can also disable proxy ARP for regular static NAT if desired, in which case you need to be sure to have proper routes on the upstream router.

  Normally for identity NAT, proxy ARP is not required, and in some cases can cause connectivity issues. For example, if you configure a broad identity NAT rule for “any” IP address, then leaving proxy ARP enabled can cause problems for hosts on the network directly connected to the mapped interface. In this case, when a host on the mapped network wants to communicate with another host on the same network, the address in the ARP request matches the NAT rule (which matches “any” address). The ASA will then proxy ARP for the address, even though the packet is not actually destined for the ASA. (Note that this problem occurs even if you have a twice NAT rule; although the NAT rule must match both the source and destination addresses, the proxy ARP decision is made only on the “source” address.) If the ASA ARP response is received before the actual host ARP response, then traffic will be mistakenly sent to the ASA (see Figure 3-18).

  Figure 3-18 Proxy ARP Problems with Identity NAT

  [Figure 3-18 labels: identity NAT for “any” with proxy ARP; ASA between Inside and Outside; addresses shown on the outside network: 209.165.200.225, 209.165.200.230, 209.165.200.231. 1. ARP for 209.165.200.230. 2. Proxy ARP for 209.165.200.230 (from the ASA). 3. ARP response from the real host: too late. 4. Traffic incorrectly sent to ASA.]

  In rare cases, you need proxy ARP for identity NAT; for example for virtual Telnet. When using AAA for network access, a host needs to authenticate with the ASA using a service like Telnet before any other traffic can pass. You can configure a virtual Telnet server on the ASA to provide the necessary login. When accessing the virtual Telnet address from the outside, you must configure an identity NAT rule for the address specifically for the proxy ARP functionality. Due to internal processes for virtual Telnet, proxy ARP lets the ASA keep traffic destined for the virtual Telnet address rather than send the traffic out the source interface according to the NAT rule. (See Figure 3-19.)
Figure 3-19 Proxy ARP and Virtual Telnet

  [Figure 3-19 labels: outside host 209.165.201.11; virtual Telnet address 209.165.200.230; identity NAT for 209.165.200.230 between inside and outside with proxy ARP; server on the inside. 1. Telnet to 209.165.200.230. 2. Authenticate. 3. Communicate with server.]

Transparent Mode Routing Requirements for Remote Networks

When you use NAT in transparent mode, some types of traffic require static routes. See the “MAC Address vs. Route Lookups” section on page 6-6 for more information.

Determining the Egress Interface

When the ASA receives traffic for a mapped address, the ASA untranslates the destination address according to the NAT rule, and then it sends the packet on to the real address. The ASA determines the egress interface for the packet in the following ways:

- Transparent mode: The ASA determines the egress interface for the real address by using the NAT rule; you must specify the source and destination interfaces as part of the NAT rule.

- Routed mode: The ASA determines the egress interface in one of the following ways:

  - You configure the interface in the NAT rule: The ASA uses the NAT rule to determine the egress interface. (8.3(1) through 8.4(1)) The only exception is for identity NAT, which always uses a route lookup, regardless of the NAT configuration. (8.4(2) and later) For identity NAT, the default behavior is to use the NAT configuration. However, you have the option to always use a route lookup instead. In certain scenarios, a route lookup override is required; for example, see the “NAT and VPN Management Access” section on page 3-29.

  - You do not configure the interface in the NAT rule: The ASA uses a route lookup to determine the egress interface.

Figure 3-20 shows the egress interface selection method in routed mode. In almost all cases, a route lookup is equivalent to the NAT rule interface, but in some configurations, the two methods might differ.
Figure 3-20 Routed Mode Egress Interface Selection

  [Figure 3-20 flowchart: a packet addressed to the mapped address 209.165.201.08 is untranslated to the real address 10.1.1.78 (Real: 10.1.1.78, Mapped: 209.165.201.08, Inside). Where to send 10.1.1.78? NAT rule specifies interface? No: look up 10.1.1.78 in the routing table. Yes: NAT rule specifies route lookup? Yes: look up 10.1.1.78 in the routing table. No: send packet out the Inside interface.]

NAT for VPN

- NAT and Remote Access VPN, page 3-25
- NAT and Site-to-Site VPN, page 3-27
- NAT and VPN Management Access, page 3-29
- Troubleshooting NAT and VPN, page 3-31

NAT and Remote Access VPN

Figure 3-21 shows both an inside server (10.1.1.6) and a VPN client (209.165.201.10) accessing the Internet. Unless you configure split tunneling for the VPN client (where only specified traffic goes through the VPN tunnel), Internet-bound VPN traffic must also go through the ASA. When the VPN traffic enters the ASA, the ASA decrypts the packet; the resulting packet includes the VPN client local address (10.3.3.10) as the source. For both inside and VPN client local networks, you need a public IP address provided by NAT to access the Internet. The example below uses interface PAT rules. To allow the VPN traffic to exit the same interface it entered, you also need to enable intra-interface communication (also known as “hairpin” networking).
Figure 3-21 Interface PAT for Internet-Bound VPN Traffic (Intra-Interface)

  [Figure 3-21 labels: ASA Outside IP 203.0.113.1; VPN client 209.165.201.10 (local address 10.3.3.10); inside server 10.1.1.6; www.example.com on the Internet. VPN client path: 1. HTTP request to www.example.com (Src: 209.165.201.10). 2. ASA decrypts packet; src address is now local address 10.3.3.10. 3. ASA performs interface PAT for outgoing traffic; intra-interface config required (Src: 203.0.113.1:6070). 4. HTTP request to www.example.com. Inside server path: A. HTTP to www.example.com (Src: 10.1.1.6). B. ASA performs interface PAT for outgoing traffic (Src: 203.0.113.1:6075). C. HTTP request to www.example.com.]

Figure 3-22 shows a VPN client that wants to access an inside mail server. Because the ASA expects traffic between the inside network and any outside network to match the interface PAT rule you set up for Internet access, traffic from the VPN client (10.3.3.10) to the SMTP server (10.1.1.6) will be dropped due to a reverse path failure: traffic from 10.3.3.10 to 10.1.1.6 does not match a NAT rule, but returning traffic from 10.1.1.6 to 10.3.3.10 should match the interface PAT rule for outgoing traffic. Because forward and reverse flows do not match, the ASA drops the packet when it is received. To avoid this failure, you need to exempt the inside-to-VPN client traffic from the interface PAT rule by using an identity NAT rule between those networks. Identity NAT simply translates an address to the same address.
Figure 3-22 Identity NAT for VPN Clients

  [Figure 3-22 labels: VPN client 209.165.201.10 (local address 10.3.3.10); inside server 10.1.1.6. 1. SMTP request to 10.1.1.6 (Src: 209.165.201.10). 2. ASA decrypts packet; src address is now local address 10.3.3.10. 3. Identity NAT between inside and VPN client NWs (Src: 10.3.3.10, Dst: 10.1.1.6). 4. SMTP request to 10.1.1.6. 5. SMTP response to VPN client (Src: 10.1.1.6, Dst: 10.3.3.10). 6. Identity NAT. 7. ASA encrypts packet; dst address is now real address 209.165.201.10. 8. SMTP response to VPN client (Dst: 209.165.201.10).]

See the following sample NAT configuration for the above network:

  ! Enable hairpin for non-split-tunneled VPN client traffic:
  same-security-traffic permit intra-interface
  ! Identify local VPN network, & perform object interface PAT when going to Internet:
  object network vpn_local
    subnet 10.3.3.0 255.255.255.0
    nat (outside,outside) dynamic interface
  ! Identify inside network, & perform object interface PAT when going to Internet:
  object network inside_nw
    subnet 10.1.1.0 255.255.255.0
    nat (inside,outside) dynamic interface
  ! Use twice NAT to pass traffic between the inside network and the VPN client without
  ! address translation (identity NAT):
  nat (inside,outside) source static inside_nw inside_nw destination static vpn_local vpn_local

NAT and Site-to-Site VPN

Figure 3-23 shows a site-to-site tunnel connecting the Boulder and San Jose offices. For traffic that you want to go to the Internet (for example from 10.1.1.6 in Boulder to www.example.com), you need a public IP address provided by NAT to access the Internet. The example below uses interface PAT rules. However, for traffic that you want to go over the VPN tunnel (for example from 10.1.1.6 in Boulder to 10.2.2.78 in San Jose), you do not want to perform NAT; you need to exempt that traffic by creating an identity NAT rule. Identity NAT simply translates an address to the same address.
Figure 3-23 Interface PAT and Identity NAT for Site-to-Site VPN

  [Figure 3-23 labels: Boulder inside host 10.1.1.6 behind Firewall1; San Jose inside host 10.2.2.78 behind Firewall2; site-to-site VPN tunnel between them across the Internet; FW Outside IP 203.0.113.1; www.example.com. Tunnel path: 1. IM to 10.2.2.78 (Src: 10.1.1.6, Dst: 10.2.2.78). 2. Identity NAT between NWs connected by VPN. 3. IM received. Internet path: A. HTTP to www.example.com (Src: 10.1.1.6). B. The firewall performs interface PAT for outgoing traffic (Src: 203.0.113.1:6070). C. HTTP request to www.example.com.]

Figure 3-24 shows a VPN client connected to ASA1 (Boulder), with a Telnet request for a server (10.2.2.78) accessible over a site-to-site tunnel between ASA1 and ASA2 (San Jose). Because this is a hairpin connection, you need to enable intra-interface communication, which is also required for non-split-tunneled Internet-bound traffic from the VPN client. You also need to configure identity NAT between the VPN client and the Boulder & San Jose networks, just as you would between any networks connected by VPN, to exempt this traffic from outbound NAT rules.

Figure 3-24 VPN Client Access to Site-to-Site VPN

  [Figure 3-24 labels: VPN client 209.165.201.10 (local address 10.3.3.10) connected to Firewall1 (Boulder inside 10.1.1.6); server 10.2.2.78 on San Jose inside behind Firewall2; site-to-site VPN tunnel across the Internet. 1. HTTP request to 10.2.2.78 (Src: 209.165.201.10). 2. Firewall decrypts packet; src address is now local address (Src: 10.3.3.10, Dst: 10.2.2.78). 3. Identity NAT between VPN client & San Jose NWs; intra-interface config required. 4. HTTP request received.]

See the following sample NAT configuration for ASA1 (Boulder):

  ! Enable hairpin for VPN client traffic:
  same-security-traffic permit intra-interface
  ! Identify local VPN network, & perform object interface PAT when going to Internet:
  object network vpn_local
    subnet 10.3.3.0 255.255.255.0
    nat (outside,outside) dynamic interface
  ! Identify inside Boulder network, & perform object interface PAT when going to Internet:
  object network boulder_inside
    subnet 10.1.1.0 255.255.255.0
    nat (inside,outside) dynamic interface
  ! Identify inside San Jose network for use in twice NAT rule:
  object network sanjose_inside
    subnet 10.2.2.0 255.255.255.0
  ! Use twice NAT to pass traffic between the Boulder network and the VPN client without
  ! address translation (identity NAT):
  nat (inside,outside) source static boulder_inside boulder_inside destination static vpn_local vpn_local
  ! Use twice NAT to pass traffic between the Boulder network and San Jose without
  ! address translation (identity NAT):
  nat (inside,outside) source static boulder_inside boulder_inside destination static sanjose_inside sanjose_inside
  ! Use twice NAT to pass traffic between the VPN client and San Jose without
  ! address translation (identity NAT):
  nat (outside,outside) source static vpn_local vpn_local destination static sanjose_inside sanjose_inside

See the following sample NAT configuration for ASA2 (San Jose):

  ! Identify inside San Jose network, & perform object interface PAT when going to Internet:
  object network sanjose_inside
    subnet 10.2.2.0 255.255.255.0
    nat (inside,outside) dynamic interface
  ! Identify inside Boulder network for use in twice NAT rule:
  object network boulder_inside
    subnet 10.1.1.0 255.255.255.0
  ! Identify local VPN network for use in twice NAT rule:
  object network vpn_local
    subnet 10.3.3.0 255.255.255.0
  ! Use twice NAT to pass traffic between the San Jose network and Boulder without
  ! address translation (identity NAT):
  nat (inside,outside) source static sanjose_inside sanjose_inside destination static boulder_inside boulder_inside
  ! Use twice NAT to pass traffic between the San Jose network and the VPN client without
  ! address translation (identity NAT):
  nat (inside,outside) source static sanjose_inside sanjose_inside destination static vpn_local vpn_local

NAT and VPN Management Access

When using VPN, you can allow management access to an interface other than the one from which you entered the ASA (see the “Configuring Management Access Over a VPN Tunnel” section on page 96-16). For example, if you enter the ASA from the outside interface, the management-access feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface.
Figure 3-25 shows a VPN client Telnetting to the ASA inside interface. When you use a management-access interface, and you configure identity NAT according to the “NAT and Remote Access VPN” or “NAT and Site-to-Site VPN” section, you must configure NAT with the route lookup option. Without route lookup, the ASA sends traffic out the interface specified in the NAT command, regardless of what the routing table says; in the example below, the egress interface is the inside interface. You do not want the ASA to send the management traffic out to the inside network; it will never return to the inside interface IP address. The route lookup option lets the ASA send the traffic directly to the inside interface IP address instead of to the inside network. For traffic from the VPN client to a host on the inside network, the route lookup option will still result in the correct egress interface (inside), so normal traffic flow is not affected. See the “Determining the Egress Interface” section on page 3-24 for more information about the route lookup option.

Figure 3-25 VPN Management Access

  [Figure 3-25 labels: VPN client 209.165.201.10 (local address 10.3.3.10); ASA Inside IP 10.1.1.1. 1. Telnet request to ASA inside ifc; management-access config required (Src: 209.165.201.10). 2. ASA decrypts packet; src address is now local address (Src: 10.3.3.10, Dst: 10.1.1.1). 3. Identity NAT between inside & VPN client NWs; route-lookup required. 4. Telnet request to 10.1.1.1. 5. Telnet response to VPN client (Src: 10.1.1.1, Dst: 10.3.3.10). 6. Identity NAT. 7. ASA encrypts packet; dst address is now real address (Dst: 209.165.201.10). 8. Telnet response to VPN client.]

See the following sample NAT configuration for the above network:

  ! Enable hairpin for non-split-tunneled VPN client traffic:
  same-security-traffic permit intra-interface
  ! Enable management access on inside ifc:
  management-access inside
  ! Identify local VPN network, & perform object interface PAT when going to Internet:
  object network vpn_local
    subnet 10.3.3.0 255.255.255.0
    nat (outside,outside) dynamic interface
  ! Identify inside network, & perform object interface PAT when going to Internet:
  object network inside_nw
    subnet 10.1.1.0 255.255.255.0
    nat (inside,outside) dynamic interface
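To make the egress decision of Figure 3-20 and its effect on VPN management access concrete, the following added example (not from the Cisco guide) models an identity twice NAT rule between inside_nw and vpn_local with and without the route-lookup option and traces where a decrypted VPN client packet is sent. The topology, the IdentityTwiceNat class and the "ASA itself" result are constructed for this illustration and are not an ASA API.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed topology from Figure 3-25: the ASA owns 10.1.1.1 on inside and
# 203.0.113.1 on outside; 10.1.1.0/24 is directly connected on inside.
INTERFACE_IPS = {"inside": "10.1.1.1", "outside": "203.0.113.1"}
ROUTES = [
    (IPv4Network("10.1.1.0/24"), "inside"),
    (IPv4Network("0.0.0.0/0"), "outside"),
]


def route_lookup(dst_ip):
    """Longest-prefix match. A packet addressed to one of the ASA's own
    interface addresses terminates on the ASA instead of being forwarded."""
    if dst_ip in INTERFACE_IPS.values():
        return "ASA itself"
    for net, ifc in sorted(ROUTES, key=lambda r: r[0].prefixlen, reverse=True):
        if IPv4Address(dst_ip) in net:
            return ifc
    return None


class IdentityTwiceNat:
    """Hypothetical model of: nat (real_ifc,mapped_ifc) source static S S
    destination static D D [route-lookup]."""

    def __init__(self, real_ifc, mapped_ifc, source, destination,
                 route_lookup=False):
        self.real_ifc = real_ifc
        self.mapped_ifc = mapped_ifc
        self.source = IPv4Network(source)
        self.destination = IPv4Network(destination)
        self.route_lookup = route_lookup

    def matches_from_mapped_side(self, src_ip, dst_ip):
        # Decrypted VPN client traffic enters on the mapped (outside)
        # interface, so it matches the rule in the reverse direction.
        return (IPv4Address(src_ip) in self.destination
                and IPv4Address(dst_ip) in self.source)


def egress_interface(rule, src_ip, dst_ip):
    """Routed-mode decision from Figure 3-20 (8.4(2) and later)."""
    if not rule.matches_from_mapped_side(src_ip, dst_ip):
        return route_lookup(dst_ip)      # no NAT rule applies: route lookup
    if rule.real_ifc != "any" and not rule.route_lookup:
        return rule.real_ifc             # interface named in the NAT rule
    return route_lookup(dst_ip)          # route-lookup override requested


# Identity NAT between inside_nw and vpn_local, without and with route-lookup.
RULE_NO_LOOKUP = IdentityTwiceNat("inside", "outside", "10.1.1.0/24", "10.3.3.0/24")
RULE_WITH_LOOKUP = IdentityTwiceNat("inside", "outside", "10.1.1.0/24", "10.3.3.0/24",
                                    route_lookup=True)

if __name__ == "__main__":
    client = "10.3.3.10"  # VPN client local address after decryption
    for label, rule in (("no route-lookup", RULE_NO_LOOKUP),
                        ("route-lookup", RULE_WITH_LOOKUP)):
        print(label, "-> ASA inside IP 10.1.1.1:", egress_interface(rule, client, "10.1.1.1"))
        print(label, "-> inside host 10.1.1.6:", egress_interface(rule, client, "10.1.1.6"))
```

Without route-lookup the management packet for 10.1.1.1 is pushed out onto the inside network, as the section warns; with it the packet terminates on the ASA, while traffic to the inside host 10.1.1.6 still leaves through inside either way.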