Address Translation

You can configure address translation under Configuration > Features > NAT. ASDM allows both dynamic and static NAT/PAT for either all or selected hosts on the inside and the outside networks. Click Add to define a new NAT/PAT policy in the Add Address Translation Rule window. As shown in Figure 19-6, ASDM is identifying the inside network of for address translation.

Figure 19-6. Defining a NAT/PAT Policy

In Figure 9-6, the administrator has also checked the Enable Traffic Through the Firewall Without Address Translation window. This option appears in the main window under Configuration > Features and NAT. This option allows traffic that does not match any NAT policy to pass through the security Cisco ASA without changing the source or destination addresses. However, the packets that match the NAT/PAT policies are translated.

SecureMe, a fictitious company, wants to dynamically translate the inside network from a pool of public addresses. Click Manage Pools to define a new pool of IP addresses, as shown in Figure 19-7. Because the inside hosts will be translated to the outside network, select the outside interface and click Add to add a range of IP addresses from to to be mapped to a pool ID of 10. The address is used for PAT if all the other addresses have been assigned. Click OK to finish the setup.

Figure 19-7. Defining a Pool of Addresses

If you need to configure static NAT, click the Static radio button in the Add Address Translation Rule window and specify the translated address in the IP Address box, as shown in Figure 19-8, in which an inside host,, is being translated to

Figure 19-8. Static Address Translation

To configure DNS Doctoring and the maximum connection limits, discussed in Chapter 5, click NAT Options in the Add Address Translation Rule window to open the Advanced NAT Options window, shown in Figure 19-9. In this case, the administrator has restricted the maximum TCP-based connections to not exceed 500 for the static entry created in the previous step. The maximum embryonic connection limit is 200, and Cisco ASA is being set up to randomize the sequence numbers in the TCP packets.

Figure 19-9. Setting the TCP-Based and Embryonic Connection Limits

ASDM also supports NAT exemption policies to bypass address translation. You configure these policies under Configuration > Features > NAT > Translation Exemption Rules, as shown in Figure 19-10. This process is important if packets are traversing over a site-to-site VPN tunnel and do not need to be translated. In Figure 19-10, if packets are sourced from and destined for, the security Cisco ASA will not translate them.

Figure 19-10. Setting Translation Exemption Rules


For NAT order of operation, consult Chapter 5.

Example 19-3 shows the relevant configuration generated by ASDM for address translation.

Example 19-3. Address Translation Configuration Generated by ASDM

access-list inside_nat0_outbound line 1 extended permit ip

nat (inside) 0 access-list inside_nat0_outbound

static (inside,outside) netmask tcp

 500 200 udp 0

no nat-control

nat (inside) 10 tcp 0 0 udp 0

global (outside) 10

global (outside) 10

Part I: Product Overview

Introduction to Network Security

Product History

Hardware Overview

Part II: Firewall Solution

Initial Setup and System Maintenance

Network Access Control

IP Routing

Authentication, Authorization, and Accounting (AAA)

Application Inspection

Security Contexts

Transparent Firewalls

Failover and Redundancy

Quality of Service

Part III: Intrusion Prevention System (IPS) Solution

Intrusion Prevention System Integration

Configuring and Troubleshooting Cisco IPS Software via CLI

Part IV: Virtual Private Network (VPN) Solution

Site-to-Site IPSec VPNs

Remote Access VPN

Public Key Infrastructure (PKI)

Part V: Adaptive Security Device Manager

Introduction to ASDM

Firewall Management Using ASDM

IPS Management Using ASDM

VPN Management Using ASDM

Case Studies

Cisco Asa(c) All-in-one Firewall, IPS, And VPN Adaptive Security Appliance
Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
EAN: 2147483647
Year: 2006
Pages: 231 © 2008-2020.
If you may any questions please contact us: