Filter
Top Products
21-13
Cisco ASDM User Guide
OL-16647-01
Chapter 21 Configuring NAT
NAT Overview
Order of NAT Rules Used to Match Real Addresses
The security appliance matches real addresses to NAT rules in the following order:
1. NAT exemption—In order, until the first match.
2. Static NAT and Static PAT (regular and policy)—In order, until the first match. Static identity NAT
is included in this category.
3. Policy dynamic NAT—In order, until the first match. Overlapping addresses are allowed.
4. Regular dynamic NAT—Best match. Regular identity NAT is included in this category. The order of
the NAT rules does not matter; the NAT rule that best matches the real address is used. For example,
you can create a general rule to translate all addresses (0.0.0.0) on an interface. If you want to
translate a subset of your network (10.1.1.1) to a different address, then you can create a rule to
translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific rule for 10.1.1.1 is used
because it matches the real address best. We do not recommend using overlapping rules; they use
more memory and can slow the performance of the security appliance.
Mapped Address Guidelines
When you translate the real address to a mapped address, you can use the following mapped addresses:
• Addresses on the same network as the mapped interface.
If you use addresses on the same network as the mapped interface (through which traffic exits the
security appliance), the security appliance uses proxy ARP to answer any requests for mapped
addresses, and thus intercepts traffic destined for a real address. This solution simplifies routing,
because the security appliance does not have to be the gateway for any additional networks.
However, this approach does put a limit on the number of available addresses used for translations.
For PAT, you can even use the IP address of the mapped interface.
• Addresses on a unique network.
If you need more addresses than are available on the mapped interface network, you can identify
addresses on a different subnet. The security appliance uses proxy ARP to answer any requests for
mapped addresses, and thus intercepts traffic destined for a real address. If you use OSPF, and you
advertise routes on the mapped interface, then the security appliance advertises the mapped
addresses. If the mapped interface is passive (not advertising routes) or you are using static routing,
then you need to add a static route on the upstream router that sends traffic destined for the mapped
addresses to the security appliance.
DNS and NAT
You might need to configure the security appliance to modify DNS replies by replacing the address in
the reply with an address that matches the NAT configuration. You can configure DNS modification
when you configure each translation.
For example, a DNS server is accessible from the outside interface. A server, ftp.cisco.com, is on the
inside interface. You configure the security appliance to statically translate the ftp.cisco.com real address
(10.1.3.14) to a mapped address (209.165.201.10) that is visible on the outside network (see
Figure 21-12). In this case, you want to enable DNS reply modification on this static statement so that
inside users who have access to ftp.cisco.com using the real address receive the real address from the
DNS server, and not the mapped address.