Cisco Systems ASA 5510 Network Router User Manual
35-23
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 35 Configuring NAT (ASA 8.2 and Earlier)
Using Dynamic NAT
To configure a dynamic NAT, PAT, or identity NAT rule, perform the following steps.
Step 1 In the Configuration > Firewall > NAT Rules pane, choose Add > Add Dynamic NAT Rule.
The Add Dynamic NAT Rule dialog box appears.
Step 2 In the Original area, from the Interface drop-down list, choose the interface that is connected to the hosts
with real addresses that you want to translate.
Step 3 Enter the real addresses in the Source field, or click the ... button to select an IP address that you already
defined in ASDM.
Specify the address and subnet mask using prefix/length notation, such as 10.1.1.0/24. If you enter an
IP address without a mask, it is considered to be a host address, even if it ends with a 0.
Step 4 To choose a global pool, use one of the following options:
• Select an already-defined global pool.
If the pool includes a range of addresses, then the ASA performs dynamic NAT. If the pool includes
a single address, then the ASA performs dynamic PAT. If a pool includes both ranges and single
addresses, then the ranges are used in order, and then the PAT addresses are used in order. See the
“Multiple Addresses in the Same Global Pool” section on page 35-19 for more information.
Pools are identified by a pool ID. If multiple global pools on different interfaces share the same pool
ID, then they are grouped. If you choose a multi-interface pool ID, then traffic is translated as
specified when it accesses any of the interfaces in the pool. For more information about pool IDs,
see the “Dynamic NAT Implementation” section on page 35-16.
• Create a new global pool or edit an existing pool by clicking Manage. See the “Managing Global
Pools” section on page 35-21.
• Choose identity NAT by selecting global pool 0.
Step 5 (Optional) To enable translation of addresses inside DNS replies, expand the Connection Settings area,
and check the Translate the DNS replies that match the translation rule check box.
If your NAT rule includes the real address of a host that has an entry in a DNS server, and the DNS server
is on a different interface from a client, then the client and the DNS server need different addresses for
the host; one needs the mapped address and one needs the real address. This option rewrites the address
in the DNS reply to the client. The mapped host needs to be on the same interface as either the client or
the DNS server. Typically, hosts that need to allow access from other interfaces use a static translation,
so this option is more likely to be used with a static rule. See the “DNS and NAT” section on page 35-13
for more information.
Step 6 (Optional) To enable connection settings, expand the Connection Settings area, and set one or more of
the following options:
Note You can also set these values using a security policy rule (see Chapter 57, “Configuring
Connection Settings”). If you set them in both places, then the ASA uses the lower limit. For
TCP sequence randomization, if it is disabled using either method, then the ASA disables TCP
sequence randomization.
• Randomize sequence number—With this check box checked (the default), the ASA randomizes
the sequence number of TCP packets. Each TCP connection has two ISNs: one generated by the
client and one generated by the server. The ASA randomizes the ISN of the TCP SYN passing in
both the inbound and outbound directions.
Randomizing the ISN of the protected host prevents an attacker from predicting the next ISN for a
new connection and potentially hijacking the new session.
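The ASDM dialog described in Steps 1 through 6 writes ordinary nat and global commands to the running configuration, and it is often easier to review or audit the result at the CLI. The following is an added example, not text from the guide: the interface names, addresses and pool IDs are made up, and the command forms follow the ASA 8.2 nat/global syntax as I recall it, so check them against the command reference for your release before pasting.

```text
! Dynamic NAT/PAT using a multi-interface global pool (pool ID 1).
! Hosts in 10.1.1.0/24 are translated to the range first (dynamic NAT);
! once the range is exhausted the single address is used for PAT.
! The dns keyword is the "Translate the DNS replies" check box.
nat (inside) 1 10.1.1.0 255.255.255.0 dns
global (outside) 1 209.165.201.1-209.165.201.30
global (outside) 1 209.165.201.31
! Same pool ID on a second interface: the grouped pool also applies when
! 10.1.1.0/24 traffic exits through dmz.
global (dmz) 1 192.168.100.1-192.168.100.30

! Identity NAT: pool ID 0 translates the real address to itself.
nat (inside) 0 10.1.2.0 255.255.255.0

! Per-rule connection settings (Step 6). The first form keeps the default
! ISN randomization; tcp 1000 100 = max TCP connections and embryonic
! connection limit, udp 500 = max UDP connections.
nat (inside) 2 10.1.3.0 255.255.255.0 tcp 1000 100 udp 500
global (outside) 2 209.165.201.32
! Weak setting: norandomseq turns off ISN randomization for this rule.
! Leave it commented out unless another in-line device already
! randomizes ISNs, or eBGP with MD5 authentication crosses the ASA.
! nat (inside) 2 10.1.3.0 255.255.255.0 tcp 1000 100 udp 500 norandomseq

! Checks: confirm what ASDM actually wrote and watch translations build.
show running-config nat
show running-config global
show xlate
show conn
```

Two things worth confirming after applying a rule this way: that no other nat statement with a lower pool ID already matches the same real addresses (the first matching nat command wins, so a broad rule can silently shadow a narrower one), and that show xlate reports the kind of translation you expected, one-to-one entries for dynamic NAT versus port-mapped entries for PAT.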