Address Translation

You can configure address translation under Configuration > Features > NAT. ASDM allows both dynamic and static NAT/PAT for either all or selected hosts on the inside and the outside networks. Click Add to define a new NAT/PAT policy in the Add Address Translation Rule window. As shown in Figure 19-6, ASDM is identifying the inside network of 192.168.10.0/24 for address translation.

Figure 19-6. Defining a NAT/PAT Policy

In Figure 9-6, the administrator has also checked the Enable Traffic Through the Firewall Without Address Translation window. This option appears in the main window under Configuration > Features and NAT. This option allows traffic that does not match any NAT policy to pass through the security Cisco ASA without changing the source or destination addresses. However, the packets that match the NAT/PAT policies are translated.

SecureMe, a fictitious company, wants to dynamically translate the inside 192.168.10.0/24 network from a pool of public addresses. Click Manage Pools to define a new pool of IP addresses, as shown in Figure 19-7. Because the inside hosts will be translated to the outside network, select the outside interface and click Add to add a range of IP addresses from 209.165.200.230 to 209.165.200.235 to be mapped to a pool ID of 10. The 209.165.200.236 address is used for PAT if all the other addresses have been assigned. Click OK to finish the setup.

Figure 19-7. Defining a Pool of Addresses

If you need to configure static NAT, click the Static radio button in the Add Address Translation Rule window and specify the translated address in the IP Address box, as shown in Figure 19-8, in which an inside host, 192.168.10.100, is being translated to 209.165.200.240.

Figure 19-8. Static Address Translation

To configure DNS Doctoring and the maximum connection limits, discussed in Chapter 5, click NAT Options in the Add Address Translation Rule window to open the Advanced NAT Options window, shown in Figure 19-9. In this case, the administrator has restricted the maximum TCP-based connections to not exceed 500 for the static entry created in the previous step. The maximum embryonic connection limit is 200, and Cisco ASA is being set up to randomize the sequence numbers in the TCP packets.

Figure 19-9. Setting the TCP-Based and Embryonic Connection Limits

ASDM also supports NAT exemption policies to bypass address translation. You configure these policies under Configuration > Features > NAT > Translation Exemption Rules, as shown in Figure 19-10. This process is important if packets are traversing over a site-to-site VPN tunnel and do not need to be translated. In Figure 19-10, if packets are sourced from 192.168.10.0/24 and destined for 192.168.30.0/24, the security Cisco ASA will not translate them.

Figure 19-10. Setting Translation Exemption Rules

Note

For NAT order of operation, consult Chapter 5.

Example 19-3 shows the relevant configuration generated by ASDM for address translation.

Example 19-3. Address Translation Configuration Generated by ASDM

access-list inside_nat0_outbound line 1 extended permit ip 192.168.10.0

 255.255.255.0 192.168.30.0 255.255.255.0

nat (inside) 0 access-list inside_nat0_outbound

static (inside,outside) 209.165.200.240 192.168.10.100 netmask 255.255.255.255 tcp

 500 200 udp 0

no nat-control

nat (inside) 10 192.168.10.0 255.255.255.0 tcp 0 0 udp 0

global (outside) 10 209.165.200.230-209.165.200.235

global (outside) 10 209.165.200.236