Filter
Top Products
21-31
Cisco ASDM User Guide
OL-16647-01
Chapter 21 Configuring NAT
Using Static NAT
Step 6 Specify the mapped IP address by clicking one of the following:
• Use IP Address
Enter the IP address or click the ... button to choose an IP address that you already defined in ASDM.
Specify the address and subnet mask using prefix/length notation, such as 10.1.1.0/24. If you enter
an IP address without a mask, it is considered to be a host address, even if it ends with a 0.
• Use Interface IP Address
The real and mapped addresses must have the same subnet mask.
Step 7 (Optional) To use static PAT, check Enable Port Address Translation (PAT).
a. For the Protocol, click TCP or UDP.
b. In the Original Port field, enter the real port number.
c. In the Translated Port field, enter the mapped port number.
Step 8 (Optional) Enter a description in the Description field.
Step 9 (Optional) To enable translation of addresses inside DNS replies, click the Connection Settings area
open, and check Translate the DNS replies that match the translation rule.
If your NAT rule includes the real address of a host that has an entry in a DNS server, and the DNS server
is on a different interface from a client, then the client and the DNS server need different addresses for
the host; one needs the mapped address and one needs the real address. This option rewrites the address
in the DNS reply to the client. The mapped host needs to be on the same interface as either the client or
the DNS server. See the “DNS and NAT” section on page 21-13 for more information.
Step 10 (Optional) To enable connection settings, click the Connection Settings area open, and set one or more
of the following options:
Note You can also set these values using a security policy rule (see the “Configuring Connection
Settings” section on page 27-6). If you set them in both places, then the security appliance uses
the lower limit. For TCP sequence randomization, if it is disabled using either method, then the
security appliance disables TCP sequence randomization.
• Randomize sequence number—With this check box checked (the default), the security appliance
randomizes the sequence number of TCP packets. Each TCP connection has two ISNs: one
generated by the client and one generated by the server. The security appliance randomizes the ISN
of the TCP SYN passing in both the inbound and outbound directions.
Randomizing the ISN of the protected host prevents an attacker from predecting the next ISN for a
new connection and potentially hijacking the new session.
TCP initial sequence number randomization can be disabled if required. For example:
–
If another in-line firewall is also randomizing the initial sequence numbers, there is no need for
both firewalls to be performing this action, even though this action does not affect the traffic.
–
If you use eBGP multi-hop through the security appliance, and the eBGP peers are using MD5.
Randomization breaks the MD5 checksum.
–
You use a WAAS device that requires the security appliance not to randomize the sequence
numbers of connections.
• Maximum TCP Connections—Specifies the maximum number of TCP connections, between 0 and
65,535. If this value is set to 0, the number of connections is unlimited.
• Maximum UDP Connections—Specifies the maximum number of UDP connections, between 0
and 65,535. If this value is set to 0, the number of connections is unlimited.