Cisco ASA 5506-X, ASA Series, ASA 5512-X, ASA 5545-X, ASA 5555-X Configuration Manual

Cisco ASA Series Firewall CLI Configuration Guide
Software Version 9.3
For the ASA 5506-X, ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, ASA 5555-X, ASA 5585-X, ASA Services Module, and the Adaptive Security Virtual Appliance
Released: July 24, 2014 Updated: February 18, 2015
Cisco Systems, Inc.
www.cisco.com
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.
Text Part Number: N/A, Online only
THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
Cisco ASA Series Firewall CLI Configuration Guide
Copyright © 2015 Cisco Systems, Inc. All rights reserved.
About This Guide

Document Objectives, page iii
Related Documentation, page iii
Conventions, page iii
Obtaining Documentation and Submitting a Service Request, page iv
Document Objectives
The purpose of this guide is to help you configure the firewall features for Cisco ASA series using the command-line interface. This guide does not cover every feature, but describes only the most common configuration scenarios.
You can also configure and monitor the ASA by using the Adaptive Security Device Manager (ASDM), a web-based GUI application. ASDM includes configuration wizards to guide you through some common configuration scenarios, and online help for less common scenarios.
Throughout this guide, the term “ASA” applies generically to supported models, unless specified otherwise.
Related Documentation
For more information, see Navigating the Cisco ASA Series Documentation at http://www.cisco.com/go/asadocs.
Conventions
This document uses the following conventions:
Convention | Indication
bold font | Commands and keywords and user-entered text appear in bold font.
italic font | Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
[ ] | Elements in square brackets are optional.
{x | y | z } | Required alternative keywords are grouped in braces and separated by vertical bars.
[ x | y | z ] | Optional alternative keywords are grouped in brackets and separated by vertical bars.
string | A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.
courier font | Terminal sessions and information the system displays appear in courier font.
courier bold font | Commands and keywords and user-entered text appear in bold courier font.
courier italic font | Arguments for which you supply values are in courier italic font.
< > | Nonprinting characters such as passwords are in angle brackets.
[ ] | Default responses to system prompts are in square brackets.
!, # | An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.
Note | Means reader take note.
Tip | Means the following information will help you solve a problem.
Caution | Means reader be careful. In this situation, you might perform an action that could result in equipment damage or loss of data.
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation at: http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation as an RSS feed and delivers content directly to your desktop using a reader application. The RSS feeds are a free service.
Part 1

Service Policies and Access Control

Chapter 1

Service Policy Using the Modular Policy Framework

Released: July 24, 2014 Updated: February 18, 2015
Service policies using Modular Policy Framework provide a consistent and flexible way to configure ASA features. For example, you can use a service policy to create a timeout configuration that is specific to a particular TCP application, as opposed to one that applies to all TCP applications. A service policy consists of multiple actions or rules applied to an interface or applied globally.
About Service Policies, page 1-1
Guidelines for Service Policies, page 1-8
Defaults for Service Policies, page 1-9
Configure Service Policies, page 1-11
Monitoring Service Policies, page 1-19
Examples for Service Policies (Modular Policy Framework), page 1-19
History for Service Policies, page 1-22

About Service Policies

The following topics describe how service policies work.
The Components of a Service Policy, page 1-2
Features Configured with Service Policies, page 1-4
Feature Directionality, page 1-4
Feature Matching Within a Service Policy, page 1-5
Order in Which Multiple Feature Actions are Applied, page 1-6
Incompatibility of Certain Feature Actions, page 1-7
Feature Matching for Multiple Service Policies, page 1-8
The Components of a Service Policy
The point of service policies is to apply advanced services to the traffic you are allowing. Any traffic permitted by access rules can have service policies applied, and thus receive special processing, such as being redirected to a service module or having application inspection applied.
You can have these types of service policy:
One global policy that gets applied to all interfaces.
One service policy applied per interface. The policy can be a mix of classes for traffic going through the device and management traffic directed at the ASA interface rather than going through it.
Each service policy is composed of the following elements:
1. Service policy map, which is the ordered set of rules, and is named on the service-policy command. In ASDM, the policy map is represented as a folder on the Service Policy Rules page.
2. Rules, each rule being a class command within the service policy map and the commands associated with the class command. In ASDM, each rule is shown on a separate row, and the name of the rule is the class name.
a. The class command defines the traffic matching criteria for the rule.
b. The commands associated with class, such as inspect, set connection timeout, and so forth, define the services and constraints to apply to matching traffic. Note that inspect commands can point to inspection policy maps, which define actions to apply to inspected traffic. Keep in mind that inspection policy maps are not the same as service policy maps.
The following example compares how service policies appear in the CLI with how they appear in ASDM. Note that there is not a one-to-one mapping between the figure call-outs and lines in the CLI.
The following CLI is generated by the rules shown in the figure above.
: Access lists used in class maps.
: In ASDM, these map to call-out 3, from the Match to the Time fields.
access-list inside_mpc line 1 extended permit tcp 10.100.10.0 255.255.255.0 any eq sip
access-list inside_mpc_1 line 1 extended deny udp host 10.1.1.15 any eq snmp
access-list inside_mpc_1 line 2 extended permit udp 10.1.1.0 255.255.255.0 any eq snmp
access-list inside_mpc_2 line 1 extended permit icmp any any
: SNMP map for SNMP inspection. Denies all but v3.
: In ASDM, this maps to call-out 4, rule actions, for the class-inside policy.
snmp-map snmp-v3only
 deny version 1
 deny version 2
 deny version 2c
: Inspection policy map to define SIP behavior.
: The sip-high inspection policy map must be referred to by an inspect sip command
: in the service policy map.
: In ASDM, this maps to call-out 4, rule actions, for the sip-class-inside policy.
policy-map type inspect sip sip-high
 parameters
  rtp-conformance enforce-payloadtype
  no traffic-non-sip
  software-version action mask log
  uri-non-sip action mask log
  state-checking action drop-connection log
  max-forwards-validation action drop log
  strict-header-validation action drop log
: Class map to define traffic matching for the inside-class rule.
: In ASDM, this maps to call-out 3, from the Match to the Time fields.
class-map inside-class
 match access-list inside_mpc_1
: Class map to define traffic matching for the sip-class-inside rule.
: In ASDM, this maps to call-out 3, from the Match to the Time fields.
class-map sip-class-inside
 match access-list inside_mpc
: Class map to define traffic matching for the inside-class1 rule.
: In ASDM, this maps to call-out 3, from the Match to the Time fields.
class-map inside-class1
 match access-list inside_mpc_2
: Policy map that actually defines the service policy rule set named test-inside-policy.
: In ASDM, this corresponds to the folder at call-out 1.
policy-map test-inside-policy
: First rule in test-inside-policy, named sip-class-inside. Inspects SIP traffic.
: The sip-class-inside rule applies the sip-high inspection policy map to SIP inspection.
: In ASDM, each rule corresponds to call-out 2.
 class sip-class-inside
  inspect sip sip-high
: Second rule, inside-class. Applies SNMP inspection using an SNMP map.
 class inside-class
  inspect snmp snmp-v3only
: Third rule, inside-class1. Applies ICMP inspection.
 class inside-class1
  inspect icmp
: Fourth rule, class-default. Applies connection settings and enables user statistics.
 class class-default
  set connection timeout embryonic 0:00:30 half-closed 0:10:00 idle 1:00:00 reset dcd 0:15:00 5
  user-statistics accounting
: The service-policy command applies the policy map rule set to the inside interface.
: This command activates the policies.
service-policy test-inside-policy interface inside
Features Configured with Service Policies
The following table lists the features you configure using service policies.
Table 1-1 Features Configured with Service Policies
Feature | For Through Traffic? | For Management Traffic? | See:
Application inspection (multiple types) | All except RADIUS accounting | RADIUS accounting only | Chapter 6, “Getting Started with Application Layer Protocol Inspection”; Chapter 7, “Inspection of Basic Internet Protocols”; Chapter 8, “Inspection for Voice and Video Protocols”; Chapter 9, “Inspection of Database and Directory Protocols”; Chapter 10, “Inspection for Management Application Protocols”; Chapter 14, “ASA and Cisco Cloud Web Security.”
ASA IPS | Yes | No | Chapter 18, “ASA IPS Module.”
ASA CX | Yes | No | Chapter 17, “ASA CX Module.”
ASA FirePOWER (ASA SFR) | Yes | No | Chapter 16, “ASA FirePOWER (SFR) Module.”
NetFlow Secure Event Logging filtering | Yes | Yes | See the general operations configuration guide.
QoS input and output policing | Yes | No | Chapter 12, “Quality of Service.”
QoS standard priority queue | Yes | No | Chapter 12, “Quality of Service.”
TCP and UDP connection limits and timeouts, and TCP sequence number randomization | Yes | Yes | Chapter 11, “Connection Settings.”
TCP normalization | Yes | No | Chapter 11, “Connection Settings.”
TCP state bypass | Yes | No | Chapter 11, “Connection Settings.”
User statistics for Identity Firewall | Yes | Yes | See the user-statistics command in the command reference.
Feature Directionality
Actions are applied to traffic bidirectionally or unidirectionally depending on the feature. For features that are applied bidirectionally, all traffic that enters or exits the interface to which you apply the policy map is affected if the traffic matches the class map for both directions.
Note When you use a global policy, all features are unidirectional; features that are normally bidirectional when applied to a single interface only apply to the ingress of each interface when applied globally. Because the policy is applied to all interfaces, the policy will be applied in both directions so bidirectionality in this case is redundant.
For features that are applied unidirectionally, for example QoS priority queue, only traffic that enters (or exits, depending on the feature) the interface to which you apply the policy map is affected. See the following table for the directionality of each feature.
Table 1-2 Feature Directionality
Feature | Single Interface Direction | Global Direction
Application inspection (multiple types) | Bidirectional | Ingress
ASA CSC | Bidirectional | Ingress
ASA CX | Bidirectional | Ingress
ASA CX authentication proxy | Ingress | Ingress
ASA FirePOWER (ASA SFR) | Bidirectional | Ingress
ASA IPS | Bidirectional | Ingress
NetFlow Secure Event Logging filtering | N/A | Ingress
QoS input policing | Ingress | Ingress
QoS output policing | Egress | Egress
QoS standard priority queue | Egress | Egress
TCP and UDP connection limits and timeouts, and TCP sequence number randomization | Bidirectional | Ingress
TCP normalization | Bidirectional | Ingress
TCP state bypass | Bidirectional | Ingress
User statistics for Identity Firewall | Bidirectional | Ingress
Feature Matching Within a Service Policy
A packet matches class maps in a policy map for a given interface according to the following rules:
1. A packet can match only one class map in the policy map for each feature type.
2. When the packet matches a class map for a feature type, the ASA does not attempt to match it to any subsequent class maps for that feature type.
3. If the packet matches a subsequent class map for a different feature type, however, then the ASA also applies the actions for the subsequent class map, if supported. See Incompatibility of Certain Feature Actions, page 1-7 for more information about unsupported combinations.
Note Application inspection includes multiple inspection types, and most are mutually exclusive. For inspections that can be combined, each inspection is considered to be a separate feature.
Examples of Packet Matching
For example:
If a packet matches a class map for connection limits, and also matches a class map for an application inspection, then both actions are applied.
If a packet matches a class map for HTTP inspection, but also matches another class map that includes HTTP inspection, then the second class map actions are not applied.
If a packet matches a class map for HTTP inspection, but also matches another class map that includes FTP inspection, then the second class map actions are not applied because HTTP and FTP inspections cannot be combined.
If a packet matches a class map for HTTP inspection, but also matches another class map that includes IPv6 inspection, then both actions are applied because the IPv6 inspection can be combined with any other type of inspection.
Order in Which Multiple Feature Actions are Applied
The order in which different types of actions in a policy map are performed is independent of the order in which the actions appear in the policy map.
Actions are performed in the following order:
1. QoS input policing
2. TCP normalization, TCP and UDP connection limits and timeouts, TCP sequence number randomization, and TCP state bypass.
Note When the ASA performs a proxy service (such as AAA or CSC) or it modifies the TCP payload (such as FTP inspection), the TCP normalizer acts in dual mode, where it is applied before and after the proxy or payload modifying service.
3. ASA CSC
4. Application inspections that can be combined with other inspections:
a. IPv6
b. IP options
c. WAAS
5. Application inspections that cannot be combined with other inspections. See Incompatibility of
Certain Feature Actions, page 1-7 for more information.
6. ASA IPS
7. ASA CX
8. ASA FirePOWER (ASA SFR)
9. QoS output policing
10. QoS standard priority queue
Note NetFlow Secure Event Logging filtering and User statistics for Identity Firewall are order-independent.
Incompatibility of Certain Feature Actions
Some features are not compatible with each other for the same traffic. The following list might not include all incompatibilities; for information about compatibility of each feature, see the chapter or section for the feature:
You cannot configure QoS priority queuing and QoS policing for the same set of traffic.
Most inspections should not be combined with another inspection, so the ASA only applies one inspection if you configure multiple inspections for the same traffic. HTTP inspection can be combined with the Cloud Web Security inspection. Other exceptions are listed in Order in Which Multiple Feature Actions are Applied, page 1-6.
You cannot configure traffic to be sent to multiple modules, such as the ASA CX and ASA IPS.
HTTP inspection is not compatible with ASA CX or ASA FirePOWER.
Cloud Web Security is not compatible with ASA CX or ASA FirePOWER.
Note The match default-inspection-traffic command, which is used in the default global policy, is a special CLI shortcut to match the default ports for all inspections. When used in a policy map, this class map ensures that the correct inspection is applied to each packet, based on the destination port of the traffic. For example, when UDP traffic for port 69 reaches the ASA, then the ASA applies the TFTP inspection; when TCP traffic for port 21 arrives, then the ASA applies the FTP inspection. So in this case only, you can configure multiple inspections for the same class map. Normally, the ASA does not use the port number to determine which inspection to apply, thus giving you the flexibility to apply inspections to non-standard ports, for example.
This traffic class does not include the default ports for Cloud Web Security inspection (80 and 443).
An example of a misconfiguration is if you configure multiple inspections in the same policy map and do not use the default-inspection-traffic shortcut. In Example 1-1, traffic destined to port 21 is mistakenly configured for both FTP and HTTP inspection. In Example 1-2, traffic destined to port 80 is mistakenly configured for both FTP and HTTP inspection. In both cases of misconfiguration examples, only the FTP inspection is applied, because FTP comes before HTTP in the order of inspections applied.
Example 1-1 Misconfiguration for FTP packets: HTTP Inspection Also Configured
class-map ftp
 match port tcp eq 21
class-map http
 match port tcp eq 21    [it should be 80]
policy-map test
 class ftp
  inspect ftp
 class http
  inspect http
Example 1-2 Misconfiguration for HTTP packets: FTP Inspection Also Configured
class-map ftp
 match port tcp eq 80    [it should be 21]
class-map http
 match port tcp eq 80
policy-map test
 class ftp
  inspect ftp
 class http
  inspect http
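To make the matching rules concrete, here is an added Python model (not Cisco code and not part of this guide) of the rules in Feature Matching Within a Service Policy, the application order in Order in Which Multiple Feature Actions are Applied, the match default-inspection-traffic shortcut, and the misconfigurations in Examples 1-1 and 1-2. The class names, packets and the three-entry port table are constructed for the example.

```python
"""Model of ASA Modular Policy Framework (MPF) feature matching.
Added example, not Cisco code: a packet matches at most one class map per
feature type, most inspections are mutually exclusive while a few combine,
match default-inspection-traffic picks the inspection by destination port,
and chosen actions run in a fixed order regardless of policy-map order.
Class names, packets and the port table are constructed for the example."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, object]   # constructed packet, e.g. {"proto": "tcp", "dport": 21}
Action = Tuple[str, str]     # (feature kind, detail), e.g. ("inspect", "http")

# Application order from "Order in Which Multiple Feature Actions are Applied".
FEATURE_ORDER = [
    "qos-input-policing",
    "connection-settings",   # TCP normalization, limits/timeouts, randomization, state bypass
    "csc",
    "inspect-combinable",    # IPv6, IP options, WAAS: each counts as its own feature
    "inspect",               # all other inspections: mutually exclusive
    "ips", "cx", "sfr",
    "qos-output-policing",
    "qos-priority-queue",
]
COMBINABLE_INSPECTIONS = {"ipv6", "ip-options", "waas"}

# Subset of the ports behind match default-inspection-traffic: the two pairs the
# chapter cites (TFTP udp/69, FTP tcp/21) plus DNS udp/53.  The real table is
# much longer; this subset is an assumption for the example.
DEFAULT_INSPECTION_PORTS = {("udp", 69): "tftp", ("tcp", 21): "ftp", ("udp", 53): "dns"}

@dataclass
class ClassMap:
    name: str
    match: Callable[[Packet], bool]   # stands in for match port / access-list / any
    default_inspection: bool = False  # True models "match default-inspection-traffic"

@dataclass
class PolicyMap:
    name: str
    rules: List[Tuple[ClassMap, List[Action]]]   # ordered "class" entries and their actions

def match_port(proto: str, port: int) -> Callable[[Packet], bool]:
    return lambda p: p["proto"] == proto and p["dport"] == port

def default_inspection_traffic() -> ClassMap:
    return ClassMap("inspection_default",
                    lambda p: (p["proto"], p["dport"]) in DEFAULT_INSPECTION_PORTS,
                    default_inspection=True)

def feature_type(action: Action) -> str:
    kind, detail = action
    if kind == "inspect" and detail in COMBINABLE_INSPECTIONS:
        return "inspect-combinable:" + detail   # separate feature per combinable inspection
    return kind

def apply_policy(policy: PolicyMap, packet: Packet) -> List[Action]:
    """Return the actions the ASA would apply to packet, in application order."""
    chosen: Dict[str, Action] = {}
    for cmap, actions in policy.rules:
        if not cmap.match(packet):
            continue
        if cmap.default_inspection:
            # Shortcut class: only the inspection for this destination port runs,
            # which is why several inspect commands are legitimate under it.
            wanted = DEFAULT_INSPECTION_PORTS.get((packet["proto"], packet["dport"]))
            actions = [a for a in actions if a == ("inspect", wanted)]
        for action in actions:
            # Rules 1-3: the first matching class wins per feature type; a later class
            # with the same feature type is ignored, other feature types still apply.
            chosen.setdefault(feature_type(action), action)
    rank = {name: i for i, name in enumerate(FEATURE_ORDER)}
    return sorted(chosen.values(), key=lambda a: rank[feature_type(a).split(":")[0]])

def misconfigured_policy(port: int) -> PolicyMap:
    """Examples 1-1 (port 21) and 1-2 (port 80): both classes match the same
    port, so only FTP inspection is applied to matching packets."""
    return PolicyMap("test", [
        (ClassMap("ftp", match_port("tcp", port)), [("inspect", "ftp")]),
        (ClassMap("http", match_port("tcp", port)), [("inspect", "http")]),
    ])

def default_global_policy() -> PolicyMap:
    """Cut-down global_policy: inspection_default carrying several inspect commands."""
    return PolicyMap("global_policy", [(default_inspection_traffic(),
                                         [("inspect", n) for n in ("dns", "ftp", "tftp")])])

def mixed_policy() -> PolicyMap:
    """Actions listed out of order on purpose; apply_policy reorders them."""
    return PolicyMap("test-inside-policy", [
        (ClassMap("web", match_port("tcp", 80)),
         [("qos-output-policing", "police output 1000000"),
          ("inspect", "http"), ("inspect", "ipv6")]),
        (ClassMap("class-default", lambda p: True),
         [("connection-settings", "set connection timeout idle 1:00:00"),
          ("inspect", "ftp")]),   # ignored for port 80: "inspect" already taken by web
    ])
```

Calling apply_policy(mixed_policy(), {"proto": "tcp", "dport": 80}) returns connection settings, then IPv6 inspection, then HTTP inspection, then output policing, even though the policy map lists them in a different order and class-default also carries an FTP inspection.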
Feature Matching for Multiple Service Policies
For TCP and UDP traffic (and ICMP when you enable stateful ICMP inspection), service policies operate on traffic flows, and not just individual packets. If traffic is part of an existing connection that matches a feature in a policy on one interface, that traffic flow cannot also match the same feature in a policy on another interface; only the first policy is used.
For example, if HTTP traffic matches a policy on the inside interface to inspect HTTP traffic, and you have a separate policy on the outside interface for HTTP inspection, then that traffic is not also inspected on the egress of the outside interface. Similarly, the return traffic for that connection will not be inspected by the ingress policy of the outside interface, nor by the egress policy of the inside interface.
For traffic that is not treated as a flow, for example ICMP when you do not enable stateful ICMP inspection, returning traffic can match a different policy map on the returning interface. For example, if you configure IPS on the inside and outside interfaces, but the inside policy uses virtual sensor 1 while the outside policy uses virtual sensor 2, then a non-stateful Ping will match virtual sensor 1 outbound, but will match virtual sensor 2 inbound.
Guidelines for Service Policies
IPv6 Guidelines
Supports IPv6 for the following features:
Application inspection for DNS, FTP, HTTP, ICMP, ScanSafe, SIP, SMTP, IPsec-pass-thru, and IPv6.
ASA IPS
ASA CX
ASA FirePOWER
NetFlow Secure Event Logging filtering
TCP and UDP connection limits and timeouts, TCP sequence number randomization
TCP normalization
TCP state bypass
User statistics for Identity Firewall
Class Map (Traffic Class) Guidelines
The maximum number of class maps (traffic classes) of all types is 255 in single mode or per context in multiple mode. Class maps include the following types:
Layer 3/4 class maps (for through traffic and management traffic).
Inspection class maps
Regular expression class maps
match commands used directly underneath an inspection policy map
This limit also includes default class maps of all types, limiting user-configured class maps to approximately 235. See Default Class Maps (Traffic Classes), page 1-11.
Policy Map Guidelines
See the following guidelines for using policy maps:
You can only assign one policy map per interface. However you can create up to 64 policy maps in the configuration.
You can apply the same policy map to multiple interfaces.
You can identify up to 63 Layer 3/4 class maps in a Layer 3/4 policy map.
For each class map, you can assign multiple actions from one or more feature types, if supported. See Incompatibility of Certain Feature Actions, page 1-7.
Service Policy Guidelines
Interface service policies take precedence over the global service policy for a given feature. For example, if you have a global policy with FTP inspection, and an interface policy with TCP normalization, then both FTP inspection and TCP normalization are applied to the interface. However, if you have a global policy with FTP inspection, and an interface policy with FTP inspection, then only the interface policy FTP inspection is applied to that interface.
You can only apply one global policy. For example, you cannot create a global policy that includes feature set 1, and a separate global policy that includes feature set 2. All features must be included in a single policy.
When you make service policy changes to the configuration, all new connections use the new service policy. Existing connections continue to use the policy that was configured at the time of the connection establishment. Output for the show command will not include data about the old connections.
For example, if you remove a QoS service policy from an interface, then add a modified version, then the show service-policy command only displays QoS counters associated with new connections that match the new service policy; existing connections on the old policy no longer show in the command output.
To ensure that all connections use the new policy, you need to disconnect the current connections so they can reconnect using the new policy. Use the clear conn or clear local-host commands.
Defaults for Service Policies
The following topics describe the default settings for service policies and the Modular Policy Framework:
Default Service Policy Configuration, page 1-10
Default Class Maps (Traffic Classes), page 1-11
Default Service Policy Configuration
By default, the configuration includes a policy that matches all default application inspection traffic and applies certain inspections to the traffic on all interfaces (a global policy). Not all inspections are enabled by default. You can only apply one global policy, so if you want to alter the global policy, you need to either edit the default policy or disable it and apply a new one. (An interface policy overrides the global policy for a particular feature.)
The default policy includes the following application inspections:
DNS
FTP
H323 (H225)
H323 (RAS)
RSH
RTSP
ESMTP
SQLnet
Skinny (SCCP)
SunRPC
XDMCP
SIP
NetBios
TFTP
IP Options
The default policy configuration includes the following commands:
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  dns-guard
  protocol-enforcement
  nat-rewrite
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225 _default_h323_map
  inspect h323 ras _default_h323_map
  inspect ip-options _default_ip_options_map
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp _default_esmtp_map
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
service-policy global_policy global
Note See Incompatibility of Certain Feature Actions, page 1-7 for more information about the special match default-inspection-traffic command used in the default class map.
Default Class Maps (Traffic Classes)
The configuration includes a default Layer 3/4 class map (traffic class) that the ASA uses in the default global policy called default-inspection-traffic; it matches the default inspection traffic. This class, which is used in the default global policy, is a special shortcut to match the default ports for all inspections.
When used in a policy, this class ensures that the correct inspection is applied to each packet, based on the destination port of the traffic. For example, when UDP traffic for port 69 reaches the ASA, then the ASA applies the TFTP inspection; when TCP traffic for port 21 arrives, then the ASA applies the FTP inspection. So in this case only, you can configure multiple inspections for the same class map. Normally, the ASA does not use the port number to determine which inspection to apply, thus giving you the flexibility to apply inspections to non-standard ports, for example.
class-map inspection_default
 match default-inspection-traffic
Another class map that exists in the default configuration is called class-default, and it matches all traffic. This class map appears at the end of all Layer 3/4 policy maps and essentially tells the ASA to not perform any actions on all other traffic. You can use the class-default class if desired, rather than making your own match any class map. In fact, some features are only available for class-default.
class-map class-default
 match any
Configure Service Policies
To configure service policies using the Modular Policy Framework, perform the following steps:
Step 1 Identify the traffic on which you want to act by creating Layer 3/4 class maps, as described in Identify Traffic (Layer 3/4 Class Maps), page 1-13.
For example, you might want to perform actions on all traffic that passes through the ASA; or you might only want to perform certain actions on traffic from 10.1.1.0/24 to any destination address.
Figure: Layer 3/4 Class Map
Step 2 Optionally, perform additional actions on some inspection traffic.
Figure: Regular Expression Statement/Regular Expression Class Map, Inspection Class Map/Match Commands, Inspection Policy Map Actions
If one of the actions you want to perform is application inspection, and you want to perform additional actions on some inspection traffic, then create an inspection policy map. The inspection policy map identifies the traffic and specifies what to do with it.
For example, you might want to drop all HTTP requests with a body length greater than 1000 bytes.
You can create a self-contained inspection policy map that identifies the traffic directly with match commands, or you can create an inspection class map for reuse or for more complicated matching. For example, you could match text within inspected packets using a regular expression or a group of regular expressions (a regular expression class map), and target actions based on narrower criteria. For example, you might want to drop all HTTP requests with a URL including the text “example.com.”
See Defining Actions in an Inspection Policy Map, page 2-4 and Identifying Traffic in an Inspection Class Map, page 2-5.
Step 3 Define the actions you want to perform on each Layer 3/4 class map by creating a Layer 3/4 policy map, as described in Define Actions (Layer 3/4 Policy Map), page 1-16.
Figure: Layer 3/4 Policy Map (Inspection, Connection Limits, IPS) applied as a Service Policy
Step 4 Determine on which interfaces you want to apply the policy map, or apply it globally, as described in Apply Actions to an Interface (Service Policy), page 1-18.
Identify Traffic (Layer 3/4 Class Maps)
A Layer 3/4 class map identifies Layer 3 and 4 traffic to which you want to apply actions. You can create multiple Layer 3/4 class maps for each Layer 3/4 policy map.
Create a Layer 3/4 Class Map for Through Traffic, page 1-13
Create a Layer 3/4 Class Map for Management Traffic, page 1-15
Create a Layer 3/4 Class Map for Through Traffic
A Layer 3/4 class map matches traffic based on protocols, ports, IP addresses and other Layer 3 or 4 attributes.
Tip We suggest that you only inspect traffic on ports on which you expect application traffic; if you inspect all traffic, for example using match any, the ASA performance can be impacted.
Procedure
Step 1 Create a Layer 3/4 class map, where class_map_name is a string up to 40 characters in length.
class-map class_map_name
The name “class-default” is reserved. All types of class maps use the same name space, so you cannot reuse a name already used by another type of class map. The CLI enters class-map configuration mode.
Example:
hostname(config)# class-map all_udp
Step 2 (Optional) Add a description to the class map.
description string
Example:
hostname(config-cmap)# description All UDP traffic
Step 3 Match traffic using one of the following commands. Unless otherwise specified, you can include only one match command in the class map.
match any—Matches all traffic.
hostname(config-cmap)# match any
match access-list access_list_name—Matches traffic specified by an extended ACL. If the ASA is operating in transparent firewall mode, you can use an EtherType ACL.
hostname(config-cmap)# match access-list udp
match port {tcp | udp} {eq port_num | range port_num port_num}—Matches TCP or UDP destination ports, either a single port or a contiguous range of ports. For applications that use multiple, non-contiguous ports, use the match access-list command and define an ACE to match each port.
hostname(config-cmap)# match port tcp eq 80
match default-inspection-traffic—Matches default traffic for inspection: the default TCP and UDP ports used by all applications that the ASA can inspect.
hostname(config-cmap)# match default-inspection-traffic
This command, which is used in the default global policy, is a special CLI shortcut that, when used in a policy map, ensures that the correct inspection is applied to each packet, based on the destination port of the traffic. For example, when UDP traffic for port 69 reaches the ASA, then the ASA applies the TFTP inspection; when TCP traffic for port 21 arrives, then the ASA applies the FTP inspection. So in this case only, you can configure multiple inspections for the same class map (with the exception of WAAS inspection, which can be configured with other inspections; see Incompatibility of Certain Feature Actions, page 1-7 for more information about combining actions). Normally, the ASA does not use the port number to determine the inspection applied, thus giving you the flexibility to apply inspections to non-standard ports, for example.
See Default Inspections and NAT Limitations, page 6-6 for a list of default ports. Not all applications whose ports are included in the match default-inspection-traffic command are enabled by default in the policy map.
You can specify a match access-list command along with the match default-inspection-traffic command to narrow the matched traffic. Because the match default-inspection-traffic command specifies the ports and protocols to match, any ports and protocols in the ACL are ignored.
match dscp value1 [value2] [...] [value8]—Matches the DSCP value in an IP header, up to eight DSCP values.
hostname(config-cmap)# match dscp af43 cs1 ef
match precedence value1 [value2] [value3] [value4]—Matches up to four precedence values, represented by the TOS byte in the IP header, where value1 through value4 can be 0 to 7, corresponding to the possible precedences.
hostname(config-cmap)# match precedence 1 4
match rtp starting_port range—Matches RTP traffic, where the starting_port specifies an even-numbered UDP destination port between 2000 and 65534. The range specifies the number of additional UDP ports to match above the starting_port, between 0 and 16383.
hostname(config-cmap)# match rtp 4004 100
match tunnel-group name—Matches VPN tunnel group traffic to which you want to apply QoS. You can also specify one other match command to refine the traffic match. You can specify any of the preceding commands, except for the match any, match access-list, or match default-inspection-traffic commands. Or you can also enter the match flow ip destination-address command to match flows in the tunnel group going to each IP address.
hostname(config-cmap)# match tunnel-group group1
hostname(config-cmap)# match flow ip destination-address
Examples
The following is an example for the class-map command:
hostname(config)# access-list udp permit udp any any
hostname(config)# access-list tcp permit tcp any any
hostname(config)# access-list host_foo permit ip any 10.1.1.1 255.255.255.255
hostname(config)# class-map all_udp
hostname(config-cmap)# description "This class-map matches all UDP traffic"
hostname(config-cmap)# match access-list udp
hostname(config-cmap)# class-map all_tcp
hostname(config-cmap)# description "This class-map matches all TCP traffic"
hostname(config-cmap)# match access-list tcp
hostname(config-cmap)# class-map all_http
hostname(config-cmap)# description "This class-map matches all HTTP traffic"
hostname(config-cmap)# match port tcp eq http
hostname(config-cmap)# class-map to_server
hostname(config-cmap)# description "This class-map matches all traffic to server 10.1.1.1"
hostname(config-cmap)# match access-list host_foo
Create a Layer 3/4 Class Map for Management Traffic
For management traffic to the ASA, you might want to perform actions specific to this kind of traffic. You can specify a management class map that can match an ACL or TCP or UDP ports. The types of actions available for a management class map in the policy map are specialized for management traffic. See Features Configured with Service Policies, page 1-4.
Procedure
Step 1 Create a management class map, where class_map_name is a string up to 40 characters in length.
class-map type management class_map_name
The name “class-default” is reserved. All types of class maps use the same name space, so you cannot reuse a name already used by another type of class map. The CLI enters class-map configuration mode.
Example:
hostname(config)# class-map type management all_udp
Step 2 (Optional) Add a description to the class map.
description string
Example:
hostname(config-cmap)# description All UDP traffic
Step 3 Match traffic using one of the following commands.
match access-list access_list_name—Matches traffic specified by an extended ACL. If the ASA is operating in transparent firewall mode, you can use an EtherType ACL.
hostname(config-cmap)# match access-list udp
match port {tcp | udp} {eq port_num | range port_num port_num}—Matches TCP or UDP destination ports, either a single port or a contiguous range of ports. For applications that use multiple, non-contiguous ports, use the match access-list command and define an ACE to match each port.
hostname(config-cmap)# match port tcp eq 80
Define Actions (Layer 3/4 Policy Map)
After you configure Layer 3/4 class maps to identify traffic, use a Layer 3/4 policy map to associate actions to those classes.
Tip The maximum number of policy maps is 64, but you can only apply one policy map per interface.
Procedure
Step 1 Add the policy map.
policy-map policy_map_name
The policy_map_name argument is the name of the policy map, up to 40 characters in length. All types of policy maps use the same name space, so you cannot reuse a name already used by another type of policy map. The CLI enters policy-map configuration mode.
Example:
hostname(config)# policy-map global_policy
Step 2 Specify a previously configured Layer 3/4 class map, where the class_map_name is the name of the class map.
class class_map_name
See Identify Traffic (Layer 3/4 Class Maps), page 1-13 to add a class map.
Note If there is no match default-inspection-traffic command in a class map, then at most one inspect command is allowed to be configured under the class.
Example:
hostname(config-pmap)# description global policy map
Step 3 Specify one or more actions for this class map.
See Features Configured with Service Policies, page 1-4.
Step 4 Repeat the process for each class map you want to include in this policy map.
Examples
The following is an example of a policy-map command for a connection policy. It limits the number of connections allowed to the web server 10.1.1.1:
hostname(config)# access-list http-server permit tcp any host 10.1.1.1
hostname(config)# class-map http-server
hostname(config-cmap)# match access-list http-server
hostname(config)# policy-map global-policy
hostname(config-pmap)# description This policy map defines a policy concerning connection to http server.
hostname(config-pmap)# class http-server
hostname(config-pmap-c)# set connection conn-max 256
The following example shows how multi-match works in a policy map:
hostname(config)# class-map inspection_default
hostname(config-cmap)# match default-inspection-traffic
hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80
hostname(config)# policy-map outside_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect http http_map
hostname(config-pmap-c)# inspect sip
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# set connection timeout idle 0:10:0
The following example shows how traffic matches the first available class map, and will not match any subsequent class maps that specify actions in the same feature domain:
hostname(config)# class-map telnet_traffic
hostname(config-cmap)# match port tcp eq 23
hostname(config)# class-map ftp_traffic
hostname(config-cmap)# match port tcp eq 21
hostname(config)# class-map tcp_traffic
hostname(config-cmap)# match port tcp range 1 65535
hostname(config)# class-map udp_traffic
hostname(config-cmap)# match port udp range 0 65535
hostname(config)# policy-map global_policy
hostname(config-pmap)# class telnet_traffic
hostname(config-pmap-c)# set connection timeout idle 0:0:0
hostname(config-pmap-c)# set connection conn-max 100
hostname(config-pmap)# class ftp_traffic
hostname(config-pmap-c)# set connection timeout idle 0:5:0
hostname(config-pmap-c)# set connection conn-max 50
hostname(config-pmap)# class tcp_traffic
hostname(config-pmap-c)# set connection timeout idle 2:0:0
hostname(config-pmap-c)# set connection conn-max 2000
When a Telnet connection is initiated, it matches class telnet_traffic. Similarly, if an FTP connection is initiated, it matches class ftp_traffic. For any TCP connection other than Telnet and FTP, it will match class tcp_traffic. Even though a Telnet or FTP connection can match class tcp_traffic, the ASA does not make this match because they previously matched other classes.
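The two behaviours shown in the last two examples (a flow picking up actions from several classes when they belong to different feature domains, and only the first matching class counting within one domain) can be walked through with a small model. The following Python is an added illustration written for this guide; it is not ASA code and not taken from the Cisco guide. It treats connection limits and timeouts as a single "connection" feature domain, uses a constructed partial table of default-inspection ports, and encodes the outside_policy and global_policy examples above so that a flow can be evaluated against them.

```python
from dataclasses import dataclass, field

# Constructed, partial port table standing in for the ASA's default
# inspection ports (the full list is in "Default Inspections and NAT
# Limitations"); enough to model match default-inspection-traffic offline.
DEFAULT_INSPECTION_PORTS = {
    ("tcp", 21): "ftp", ("tcp", 80): "http", ("tcp", 5060): "sip",
    ("udp", 69): "tftp", ("udp", 5060): "sip",
}


@dataclass(frozen=True)
class Flow:
    proto: str       # "tcp" or "udp"
    dst_port: int


@dataclass
class ClassMap:
    """A Layer 3/4 class map with a single match command (the usual case)."""
    name: str
    match: str                   # "any", "port" or "default-inspection-traffic"
    proto: str = ""              # for match port
    port_range: tuple = (0, 0)   # inclusive (low, high) for match port

    def matches(self, flow: Flow) -> bool:
        if self.match == "any":
            return True
        if self.match == "port":
            low, high = self.port_range
            return flow.proto == self.proto and low <= flow.dst_port <= high
        if self.match == "default-inspection-traffic":
            return (flow.proto, flow.dst_port) in DEFAULT_INSPECTION_PORTS
        raise ValueError(f"unsupported match type: {self.match!r}")


@dataclass
class PolicyMap:
    name: str
    # (class map, [(feature_domain, action_text), ...]) in configuration order
    classes: list = field(default_factory=list)

    def evaluate(self, flow: Flow) -> list:
        """Return [(class_name, action), ...] applied to the flow."""
        applied = []
        consumed = set()   # feature domains already claimed by an earlier class
        for cmap, actions in self.classes:
            if not cmap.matches(flow):
                continue
            for domain, action in actions:
                if domain in consumed:
                    continue   # first match wins within a feature domain
                if domain == "inspection" and cmap.match == "default-inspection-traffic":
                    # The CLI shortcut picks the inspection engine by port, so
                    # only the inspect command for that engine applies.
                    engine = DEFAULT_INSPECTION_PORTS[(flow.proto, flow.dst_port)]
                    if action.split()[1] != engine:
                        continue
                applied.append((cmap.name, action))
            consumed.update(domain for domain, _ in actions)
        return applied


def build_outside_policy() -> PolicyMap:
    """The multi-match example from the text (outside_policy)."""
    return PolicyMap("outside_policy", [
        (ClassMap("inspection_default", "default-inspection-traffic"),
         [("inspection", "inspect http http_map"), ("inspection", "inspect sip")]),
        (ClassMap("http_traffic", "port", "tcp", (80, 80)),
         [("connection", "set connection timeout idle 0:10:0")]),
    ])


def build_global_policy() -> PolicyMap:
    """The first-match example from the text (global_policy)."""
    return PolicyMap("global_policy", [
        (ClassMap("telnet_traffic", "port", "tcp", (23, 23)),
         [("connection", "set connection timeout idle 0:0:0"),
          ("connection", "set connection conn-max 100")]),
        (ClassMap("ftp_traffic", "port", "tcp", (21, 21)),
         [("connection", "set connection timeout idle 0:5:0"),
          ("connection", "set connection conn-max 50")]),
        (ClassMap("tcp_traffic", "port", "tcp", (1, 65535)),
         [("connection", "set connection timeout idle 2:0:0"),
          ("connection", "set connection conn-max 2000")]),
    ])


if __name__ == "__main__":
    for flow in (Flow("tcp", 23), Flow("tcp", 21), Flow("tcp", 443), Flow("udp", 53)):
        print(flow, "->", build_global_policy().evaluate(flow))
    for flow in (Flow("tcp", 80), Flow("tcp", 5060)):
        print(flow, "->", build_outside_policy().evaluate(flow))
```

Running it shows a Telnet flow receiving only the telnet_traffic actions even though tcp_traffic also matches it, and an HTTP flow on the outside policy receiving both inspect http (from inspection_default) and the idle timeout (from http_traffic) because those are different feature domains.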
Apply Actions to an Interface (Service Policy)
To activate the Layer 3/4 policy map, create a service policy that applies it to one or more interfaces or that applies it globally to all interfaces. Use the following command:
service-policy policy_map_name {global | interface interface_name} [fail-close]
Where:
policy_map_name is the name of the policy map.
global creates a service policy that applies to all interfaces that do not have a specific policy.
You can only apply one global policy, so if you want to alter the global policy, you need to either edit the default policy or disable it and apply a new one. By default, the configuration includes a global policy that matches all default application inspection traffic and applies inspection to the traffic globally. The default service policy includes the following command: service-policy global_policy global.
interface interface_name creates a service policy by associating a policy map with an interface.
fail-close generates a syslog (767001) for IPv6 traffic that is dropped by application inspections that do not support IPv6 traffic. By default, syslogs are not generated. For a list of inspections that support IPv6, see IPv6 Guidelines, page 1-8.
Examples
For example, the following command enables the inbound_policy policy map on the outside interface:
hostname(config)# service-policy inbound_policy interface outside
The following commands disable the default global policy and enable a new one called new_global_policy on all other ASA interfaces:
hostname(config)# no service-policy global_policy global
hostname(config)# service-policy new_global_policy global
Monitoring Service Policies
To monitor service policies, enter the following command:
show service-policy
Displays the service policy statistics.

Examples for Service Policies (Modular Policy Framework)

This section includes several Modular Policy Framework examples.
Applying Inspection and QoS Policing to HTTP Traffic, page 1-19
Applying Inspection to HTTP Traffic Globally, page 1-20
Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers, page 1-20
Applying Inspection to HTTP Traffic with NAT, page 1-21
Applying Inspection and QoS Policing to HTTP Traffic
In this example, any HTTP connection (TCP traffic on port 80) that enters or exits the ASA through the outside interface is classified for HTTP inspection. Any HTTP traffic that exits the outside interface is classified for policing.
Figure 1-1 HTTP Inspection and QoS Policing
See the following commands for this example:
hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80
hostname(config)# policy-map http_traffic_policy
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# inspect http
hostname(config-pmap-c)# police output 250000
hostname(config)# service-policy http_traffic_policy interface outside
Applying Inspection to HTTP Traffic Globally
In this example, any HTTP connection (TCP traffic on port 80) that enters the ASA through any interface is classified for HTTP inspection. Because the policy is a global policy, inspection occurs only as the traffic enters each interface.
Figure 1-2 Global HTTP Inspection
See the following commands for this example:
hostname(config)# class-map http_traffic
hostname(config-cmap)# match port tcp eq 80
hostname(config)# policy-map http_traffic_policy
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)# inspect http
hostname(config)# service-policy http_traffic_policy global
Applying Inspection and Connection Limits to HTTP Traffic to Specific Servers
In this example, any HTTP connection destined for Server A (TCP traffic on port 80) that enters the ASA through the outside interface is classified for HTTP inspection and maximum connection limits. Connections initiated from Server A to Host A do not match the ACL in the class map, so they are not affected.
Any HTTP connection destined for Server B that enters the ASA through the inside interface is classified for HTTP inspection. Connections initiated from Server B to Host B do not match the ACL in the class map, so they are not affected.
[Figure 1-3 diagram: inside network with Server A (real address 192.168.1.2, mapped address 209.165.201.1) and Host B (real address 192.168.1.1, mapped address 209.165.201.2:port); outside network with Host A (209.165.200.226) and Server B (209.165.200.227); the security appliance applies HTTP inspection (insp.) on port 80 and connection limits (set conns)]
Figure 1-3 HTTP Inspection and Connection Limits to Specific Servers
See the following commands for this example:
hostname(config)# object network obj-192.168.1.2
hostname(config-network-object)# host 192.168.1.2
hostname(config-network-object)# nat (inside,outside) static 209.165.201.1
hostname(config)# object network obj-192.168.1.0
hostname(config-network-object)# subnet 192.168.1.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic 209.165.201.2
hostname(config)# access-list serverA extended permit tcp any host 209.165.201.1 eq 80
hostname(config)# access-list serverB extended permit tcp any host 209.165.200.227 eq 80
hostname(config)# class-map http_serverA
hostname(config-cmap)# match access-list serverA
hostname(config)# class-map http_serverB
hostname(config-cmap)# match access-list serverB
hostname(config)# policy-map policy_serverA
hostname(config-pmap)# class http_serverA
hostname(config-pmap-c)# inspect http
hostname(config-pmap-c)# set connection conn-max 100
hostname(config)# policy-map policy_serverB
hostname(config-pmap)# class http_serverB
hostname(config-pmap-c)# inspect http
hostname(config)# service-policy policy_serverB interface inside
hostname(config)# service-policy policy_serverA interface outside
Applying Inspection to HTTP Traffic with NAT
In this example, the Host on the inside network has two addresses: one is the real IP address 192.168.1.1, and the other is a mapped IP address used on the outside network, 209.165.200.225. You must use the real IP address in the ACL in the class map. If you applied it to the outside interface, you would also use the real address.
[Figure 1-4 diagram: inside Host (real IP 192.168.1.1, mapped IP 209.165.200.225), outside Server (209.165.201.1); the security appliance applies HTTP inspection (insp.) on port 80]
Figure 1-4 HTTP Inspection with NAT
See the following commands for this example:
hostname(config)# object network obj-192.168.1.1
hostname(config-network-object)# host 192.168.1.1
hostname(config-network-object)# nat (inside,outside) static 209.165.200.225
hostname(config)# access-list http_client extended permit tcp host 192.168.1.1 any eq 80
hostname(config)# class-map http_client
hostname(config-cmap)# match access-list http_client
hostname(config)# policy-map http_client
hostname(config-pmap)# class http_client
hostname(config-pmap-c)# inspect http
hostname(config)# service-policy http_client interface inside
History for Service Policies
Feature Name | Releases | Description
Modular Policy Framework | 7.0(1) | Modular Policy Framework was introduced.
Management class map for use with RADIUS accounting traffic | 7.2(1) | The management class map was introduced for use with RADIUS accounting traffic. The following commands were introduced: class-map type management, and inspect radius-accounting.
Inspection policy maps | 7.2(1) | The inspection policy map was introduced. The following command was introduced: class-map type inspect.
Regular expressions and policy maps | 7.2(1) | Regular expressions and policy maps were introduced to be used under inspection policy maps. The following commands were introduced: class-map type regex, regex, match regex.
Match any for inspection policy maps | 8.0(2) | The match any keyword was introduced for use with inspection policy maps: traffic can match one or more criteria to match the class map. Formerly, only match all was available.
Chapter 2

Special Actions for Application Inspections (Inspection Policy Map)

Modular Policy Framework lets you configure special actions for many application inspections. When you enable an inspection engine in the Layer 3/4 policy map, you can also optionally enable actions as defined in an inspection policy map. When the inspection policy map matches traffic within the Layer 3/4 class map for which you have defined an inspection action, then that subset of traffic will be acted upon as specified (for example, dropped or rate-limited).
Information About Inspection Policy Maps, page 2-1
Guidelines and Limitations, page 2-2
Default Inspection Policy Maps, page 2-3
Defining Actions in an Inspection Policy Map, page 2-4
Identifying Traffic in an Inspection Class Map, page 2-5
Where to Go Next, page 2-7
Feature History for Inspection Policy Maps, page 2-7

Information About Inspection Policy Maps

See Configure Application Layer Protocol Inspection, page 6-9 for a list of applications that support inspection policy maps.
An inspection policy map consists of one or more of the following elements. The exact options available for an inspection policy map depend on the application.
Traffic matching command—You can define a traffic matching command directly in the inspection policy map to match application traffic to criteria specific to the application, such as a URL string, for which you then enable actions.
Some traffic matching commands can specify regular expressions to match text inside a packet. Be sure to create and test the regular expressions before you configure the policy map, either singly or grouped together in a regular expression class map.
Inspection class map—An inspection class map includes multiple traffic matching commands. You then identify the class map in the policy map and enable actions for the class map as a whole. The difference between creating a class map and defining the traffic match directly in the inspection policy map is that you can create more complex match criteria and you can reuse class maps. However, you cannot set different actions for different matches. Note: Not all inspections support inspection class maps.
Parameters—Parameters affect the behavior of the inspection engine.
Guidelines and Limitations
HTTP inspection policy maps—If you modify an in-use HTTP inspection policy map (policy-map type inspect http), you must remove and reapply the inspect http map action for the changes to take effect. For example, if you modify the “http-map” inspection policy map, you must remove and readd the inspect http http-map command from the layer 3/4 policy:
hostname(config)# policy-map test
hostname(config-pmap)# class http
hostname(config-pmap-c)# no inspect http http-map
hostname(config-pmap-c)# inspect http http-map
All inspection policy maps—If you want to exchange an in-use inspection policy map for a different map name, you must remove the inspect protocol map command, and readd it with the new map. For example:
hostname(config)# policy-map test
hostname(config-pmap)# class sip
hostname(config-pmap-c)# no inspect sip sip-map1
hostname(config-pmap-c)# inspect sip sip-map2
You can specify multiple class or match commands in the inspection policy map.
If a packet matches multiple different match or class commands, then the order in which the ASA applies the actions is determined by internal ASA rules, and not by the order they are added to the inspection policy map. The internal rules are determined by the application type and the logical progression of parsing a packet, and are not user-configurable. For example, for HTTP traffic, parsing a Request Method field precedes parsing the Header Host Length field; an action for the Request Method field occurs before the action for the Header Host Length field. For example, the following match commands can be entered in any order, but the match request method get command is matched first.
match request header host length gt 100
reset
match request method get
log
If an action drops a packet, then no further actions are performed in the inspection policy map. For example, if the first action is to reset the connection, then it will never match any further match or class commands. If the first action is to log the packet, then a second action, such as resetting the connection, can occur.
If a packet matches multiple match or class commands that are the same, then they are matched in the order they appear in the policy map. For example, for a packet with the header length of 1001, it will match the first command below, and be logged, and then will match the second command and be reset. If you reverse the order of the two match commands, then the packet will be dropped and the connection reset before it can match the second match command; it will never be logged.
match request header length gt 100
log
match request header length gt 1000
reset
A class map is determined to be the same type as another class map or match command based on the lowest priority match command in the class map (the priority is based on the internal rules). If a class map has the same type of lowest priority match command as another class map, then the class maps are matched according to the order they are added to the policy map. If the lowest priority match for each class map is different, then the class map with the higher priority match command is matched first. For example, the following three class maps contain two types of match commands: match request-cmd (higher priority) and match filename (lower priority). The ftp3 class map includes both commands, but it is ranked according to the lowest priority command, match filename. The ftp1 class map includes the highest priority command, so it is matched first, regardless of the order in the policy map. The ftp3 class map is ranked as being of the same priority as the ftp2 class map, which also contains the match filename command. They are matched according to the order in the policy map: ftp3 and then ftp2.
class-map type inspect ftp match-all ftp1
match request-cmd get
class-map type inspect ftp match-all ftp2
match filename regex abc
class-map type inspect ftp match-all ftp3
match request-cmd get match filename regex abc
policy-map type inspect ftp ftp
class ftp3
log
class ftp2
log
class ftp1
log
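The ordering rules in this section (a fixed internal priority per match type, class maps ranked by their lowest-priority match, configuration order for ties, and a drop or reset ending processing while a log does not) are easy to misjudge when reading a policy map. The following Python model is added here as an illustration; it is not taken from the guide and is not ASA software. It reproduces the three examples above: the priority numbers in MATCH_PRIORITY are constructed so that the relative order is the one the text states, because the ASA's real internal table is not exposed.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed priority numbers: a smaller number means the field is parsed
# (and its action applied) earlier.  Only the relative order matters and it
# is chosen to reproduce the HTTP and FTP examples in the text.
MATCH_PRIORITY = {
    "request method": 10,
    "request header host length": 20,
    "request header length": 30,
    "request-cmd": 10,     # FTP
    "filename": 20,        # FTP
}


@dataclass
class Match:
    kind: str                       # key into MATCH_PRIORITY
    test: Callable[[dict], bool]    # evaluated against a parsed-packet dict


@dataclass
class Entry:
    """One match command, or one match-all inspection class map, with its action."""
    name: str
    matches: list
    action: str     # "log", "reset", "drop" or "drop-connection"

    @property
    def rank(self) -> int:
        # A class map is ranked by its LOWEST-priority match (largest number).
        return max(MATCH_PRIORITY[m.kind] for m in self.matches)


def order_entries(entries: list) -> list:
    # sorted() is stable, so entries of equal rank keep configuration order.
    return sorted(entries, key=lambda e: e.rank)


def apply_policy(entries: list, packet: dict) -> list:
    """Return [(entry_name, action), ...] in the order the ASA would apply them."""
    trace = []
    for entry in order_entries(entries):
        if all(m.test(packet) for m in entry.matches):
            trace.append((entry.name, entry.action))
            if entry.action != "log":
                break   # a drop or reset ends processing of this policy map
    return trace


def http_method_before_host_length() -> list:
    """First example: the request-method action runs first whatever the config order."""
    entries = [
        Entry("match request header host length gt 100",
              [Match("request header host length", lambda p: p["host_len"] > 100)], "reset"),
        Entry("match request method get",
              [Match("request method", lambda p: p["method"] == "GET")], "log"),
    ]
    return apply_policy(entries, {"method": "GET", "host_len": 150})


def http_same_type_order(reverse: bool = False) -> list:
    """Second example: same match type, header length 1001; configuration order decides."""
    entries = [
        Entry("match request header length gt 100",
              [Match("request header length", lambda p: p["hdr_len"] > 100)], "log"),
        Entry("match request header length gt 1000",
              [Match("request header length", lambda p: p["hdr_len"] > 1000)], "reset"),
    ]
    if reverse:
        entries.reverse()
    return apply_policy(entries, {"hdr_len": 1001})


def ftp_class_map_order() -> list:
    """Third example: ftp3, ftp2, ftp1 configured in that order; evaluated ftp1, ftp3, ftp2."""
    get = Match("request-cmd", lambda p: p["cmd"] == "get")
    abc = Match("filename", lambda p: "abc" in p["filename"])
    entries = [Entry("ftp3", [get, abc], "log"),
               Entry("ftp2", [abc], "log"),
               Entry("ftp1", [get], "log")]
    return [e.name for e in order_entries(entries)]


if __name__ == "__main__":
    print(http_method_before_host_length())
    print(http_same_type_order(), http_same_type_order(reverse=True))
    print(ftp_class_map_order())
```

The second example is the one worth keeping in mind when writing a map: with the reset entry listed first, the packet is never logged, which matters if the log line is what your monitoring relies on.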

Default Inspection Policy Maps
DNS inspection is enabled by default, using the preset_dns_map inspection policy map:
The maximum DNS message length is 512 bytes.
The maximum client DNS message length is automatically set to match the Resource Record.
DNS Guard is enabled, so the ASA tears down the DNS session associated with a DNS query as soon as the DNS reply is forwarded by the ASA. The ASA also monitors the message exchange to ensure that the ID of the DNS reply matches the ID of the DNS query.
Translation of the DNS record based on the NAT configuration is enabled.
Protocol enforcement is enabled, which enables DNS message format check, including domain name length of no more than 255 characters, label length of 63 characters, compression, and looped pointer check.
See the following default commands:
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  dns-guard
  protocol-enforcement
  nat-rewrite
Note There are other default inspection policy maps such as _default_esmtp_map. For example, inspect esmtp implicitly uses the policy map “_default_esmtp_map.” All the default policy maps can be shown by using the show running-config all policy-map command.
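As an added illustration of what the preset_dns_map settings check on the wire (Python written for this guide, not ASA code), the following decoder enforces the 512-byte message limit, the 63-octet label and 255-octet name limits, refuses looped compression pointers, and applies the DNS Guard rule that a reply is forwarded only when it is a response whose ID matches the outstanding query. The sample query and replies are constructed inline by build_query and build_reply, which are helpers written for this example; counting the name limit in wire-format octets is an assumption about how the check is applied.

```python
import struct

MAX_MESSAGE_LEN = 512   # message-length maximum 512
MAX_NAME_LEN = 255      # protocol-enforcement: domain name length limit
MAX_LABEL_LEN = 63      # protocol-enforcement: label length limit


class DnsViolation(Exception):
    """Raised where the model would drop the message."""


def read_name(msg: bytes, offset: int) -> tuple:
    """Decode a possibly compressed name starting at offset, enforcing the
    label and name length limits and detecting looped compression pointers.
    Returns (dotted_name, offset just after the name in the outer stream)."""
    labels, wire_len, visited, pos, resume = [], 0, set(), offset, None
    while True:
        if pos >= len(msg):
            raise DnsViolation("name runs past end of message")
        if pos in visited:
            raise DnsViolation("looped compression pointer")
        visited.add(pos)
        length = msg[pos]
        if (length & 0xC0) == 0xC0:               # 11xxxxxx: compression pointer
            if pos + 1 >= len(msg):
                raise DnsViolation("truncated compression pointer")
            if resume is None:
                resume = pos + 2                   # outer parsing continues here
            pos = ((length & 0x3F) << 8) | msg[pos + 1]
            continue
        if length > MAX_LABEL_LEN:                 # also rejects reserved 01/10 label types
            raise DnsViolation(f"label length {length} exceeds {MAX_LABEL_LEN}")
        pos += 1
        wire_len += 1 + length                     # length octet plus label (assumed counting)
        if wire_len > MAX_NAME_LEN:
            raise DnsViolation(f"name length exceeds {MAX_NAME_LEN}")
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), (resume if resume is not None else pos)


def check_message(msg: bytes) -> dict:
    """Apply the default-map checks to one message; return id, QR bit and names."""
    if len(msg) > MAX_MESSAGE_LEN:
        raise DnsViolation(f"message length {len(msg)} exceeds {MAX_MESSAGE_LEN}")
    if len(msg) < 12:
        raise DnsViolation("message shorter than the DNS header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    pos, names = 12, []
    for _ in range(qd):                            # question section
        name, pos = read_name(msg, pos)
        pos += 4                                   # QTYPE, QCLASS
        names.append(name)
    for _ in range(an + ns + ar):                  # answer, authority, additional
        name, pos = read_name(msg, pos)
        if pos + 10 > len(msg):
            raise DnsViolation("truncated resource record")
        rdlength = struct.unpack("!H", msg[pos + 8:pos + 10])[0]
        pos += 10 + rdlength
        names.append(name)
    if pos > len(msg):
        raise DnsViolation("record data runs past end of message")
    return {"id": msg_id, "is_response": bool(flags & 0x8000), "names": names}


def dns_guard_accepts(query: bytes, reply: bytes) -> bool:
    """DNS Guard: forward a reply only if it is a response whose ID matches
    the outstanding query (the session is torn down once it is forwarded)."""
    q, r = check_message(query), check_message(reply)
    return (not q["is_response"]) and r["is_response"] and q["id"] == r["id"]


def violation(msg: bytes):
    """Return the reason a message would be dropped, or None if it passes."""
    try:
        check_message(msg)
    except DnsViolation as exc:
        return str(exc)
    return None


# Constructed sample messages (built here, not captured traffic).
def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_query(msg_id: int, name: str) -> bytes:
    return struct.pack("!6H", msg_id, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_reply(msg_id: int, name: str, addr: bytes) -> bytes:
    # The answer's owner name is a compression pointer back to the question at offset 12.
    hdr = struct.pack("!6H", msg_id, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    return hdr + question + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + addr


QUERY = build_query(0x1234, "www.example.com")
REPLY = build_reply(0x1234, "www.example.com", bytes([203, 0, 113, 10]))
MISMATCHED_REPLY = build_reply(0x4321, "www.example.com", bytes([203, 0, 113, 99]))
LOOPED = struct.pack("!6H", 7, 0x8180, 1, 0, 0, 0) + b"\xc0\x0c" + struct.pack("!HH", 1, 1)
LONG_LABEL = struct.pack("!6H", 8, 0x0100, 1, 0, 0, 0) + bytes([64]) + b"a" * 64 + b"\x00" + struct.pack("!HH", 1, 1)
LONG_NAME = build_query(9, ".".join(["a" * 63] * 5))
```

violation(LOOPED) reports the looped pointer and violation(LONG_LABEL) the over-long label, while dns_guard_accepts rejects MISMATCHED_REPLY on the ID check alone; the message-length maximum client auto setting has no fixed value to model here, so the block applies only the 512-byte server-side limit.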
Defining Actions in an Inspection Policy Map
When you enable an inspection engine in the Layer 3/4 policy map, you can also optionally enable actions as defined in an inspection policy map.
Detailed Steps
Step 1 (Optional) Create an inspection class map. See Identifying Traffic in an Inspection Class Map, page 2-5. Alternatively, you can identify the traffic directly within the policy map.
Step 2 (Optional) Create a regular expression. For policy map types that support regular expressions, see the general operations configuration guide.
Step 3 Create the inspection policy map:
policy-map type inspect application policy_map_name
See Configure Application Layer Protocol Inspection, page 6-9 for a list of applications that support inspection policy maps. The policy_map_name argument is the name of the policy map up to 40 characters in length. All types of policy maps use the same name space, so you cannot reuse a name already used by another type of policy map. The CLI enters policy-map configuration mode.
Example:
hostname(config)# policy-map type inspect http http_policy
Step 4 Specify the traffic on which you want to perform actions using one of the following methods:
class class_map_name—Specifies the inspection class map that you created in Identifying Traffic in an Inspection Class Map, page 2-5. Not all applications support inspection class maps.
Example:
hostname(config-pmap)# class http_traffic
hostname(config-pmap-c)#
match command—Specify traffic directly in the policy map using one of the match commands described for each application in the inspection chapter. If you use a match not command, then any traffic that matches the criterion in the match not command does not have the action applied.
Example:
hostname(config-pmap)# match req-resp content-type mismatch
hostname(config-pmap-c)#
Step 5 Specify the action you want to perform on the matching traffic:
action
Actions vary depending on the inspection and match type. Common actions include: drop, log, and drop-connection. For the actions available for each match, see the appropriate inspection chapter.
Example:
hostname(config-pmap-c)# drop-connection log
Step 6 Configure parameters that affect the inspection engine:
parameters
The CLI enters parameters configuration mode. For the parameters available for each application, see the appropriate inspection chapter.
Example:
hostname(config-pmap)# parameters
hostname(config-pmap-p)#
Examples
The following is an example of an HTTP inspection policy map and the related class maps. This policy map is activated by the Layer 3/4 policy map, which is enabled by the service policy.
hostname(config)# regex url_example example\.com
hostname(config)# regex url_example2 example2\.com
hostname(config)# class-map type regex match-any URLs
hostname(config-cmap)# match regex url_example
hostname(config-cmap)# match regex url_example2
hostname(config-cmap)# class-map type inspect http match-all http-traffic
hostname(config-cmap)# match req-resp content-type mismatch
hostname(config-cmap)# match request body length gt 1000
hostname(config-cmap)# match not request uri regex class URLs
hostname(config-cmap)# policy-map type inspect http http-map1
hostname(config-pmap)# class http-traffic
hostname(config-pmap-c)# drop-connection log
hostname(config-pmap-c)# match req-resp content-type mismatch
hostname(config-pmap-c)# reset log
hostname(config-pmap-c)# parameters
hostname(config-pmap-p)# protocol-violation action log
hostname(config-pmap-p)# policy-map test
hostname(config-pmap)# class test
hostname(config-pmap-c)# inspect http http-map1
hostname(config-pmap-c)# service-policy test interface outside
(a Layer 3/4 class map not shown)
Identifying Traffic in an Inspection Class Map
This type of class map allows you to match criteria that are specific to an application. For example, for DNS traffic, you can match the domain name in a DNS query.
A class map groups multiple traffic matches (in a match-all class map), or lets you match any of a list of matches (in a match-any class map). The difference between creating a class map and defining the traffic match directly in the inspection policy map is that the class map lets you group multiple match commands, and you can reuse class maps. For the traffic that you identify in this class map, you can specify actions such as dropping, resetting, and/or logging the connection in the inspection policy map. If you want to perform different actions on different types of traffic, you should identify the traffic directly in the policy map.
Restrictions
Not all applications support inspection class maps. See the CLI help for class-map type inspect for a list of supported applications.
Detailed Steps
Step 1
(Optional)
Create a regular expression.
See the general operations configuration guide.
Step 2
class-map type inspect application [match-all | match-any] class_map_name
Example:
hostname(config)# class-map type inspect http http_traffic
hostname(config-cmap)#
Creates an inspection class map, where the application is the application you want to inspect. For supported applications, see the CLI help for a list of supported applications or see Chapter 6, “Getting Started with Application Layer Protocol Inspection.”
The class_map_name argument is the name of the class map up to 40 characters in length.
The match-all keyword is the default, and specifies that traffic must match all criteria to match the class map.
The match-any keyword specifies that the traffic matches the class map if it matches at least one of the criteria.
The CLI enters class-map configuration mode, where you can enter one or more match commands.
Step 3
(Optional)
description string
Example:
hostname(config-cmap)# description All UDP traffic
Adds a description to the class map.
Step 4
Define the traffic to include in the class by entering one or more match commands available for your application.
To specify traffic that should not match the class map, use the match not command. For example, if the match not command specifies the string “example.com,” then any traffic that includes “example.com” does not match the class map.
To see the match commands available for each application, see the appropriate inspection chapter.
Examples
The following example creates an HTTP class map that must match all criteria:
hostname(config-cmap)# class-map type inspect http match-all http-traffic
hostname(config-cmap)# match req-resp content-type mismatch
hostname(config-cmap)# match request body length gt 1000
hostname(config-cmap)# match not request uri regex class URLs
The following example creates an HTTP class map that can match any of the criteria:
hostname(config-cmap)# class-map type inspect http match-any monitor-http
hostname(config-cmap)# match request method get
hostname(config-cmap)# match request method put
hostname(config-cmap)# match request method post
Where to Go Next
To use an inspection policy, see Chapter 1, “Service Policy Using the Modular Policy Framework.”

Feature History for Inspection Policy Maps

Table 2-1 lists the release history for this feature.
Table 2-1 Feature History for Service Policies
Feature Name | Releases | Feature Information
Inspection policy maps | 7.2(1) | The inspection policy map was introduced. The following command was introduced: class-map type inspect.
Regular expressions and policy maps | 7.2(1) | Regular expressions and policy maps were introduced to be used under inspection policy maps. The following commands were introduced: class-map type regex, regex, match regex.
Match any for inspection policy maps | 8.0(2) | The match any keyword was introduced for use with inspection policy maps: traffic can match one or more criteria to match the class map. Formerly, only match all was available.
Chapter 3
Access Rules

This chapter describes how to control network access through or to the ASA using access rules. You use access rules to control network access in both routed and transparent firewall modes. In transparent mode, you can use both access rules (for Layer 3 traffic) and EtherType rules (for Layer 2 traffic).
Note To access the ASA interface for management access, you do not also need an access rule allowing the host IP address. You only need to configure management access according to the general operations configuration guide.
Controlling Network Access, page 3-1
Guidelines for Access Control, page 3-7
Configure Access Control, page 3-7
Monitoring Access Rules, page 3-10
Configuration Examples for Permitting or Denying Network Access, page 3-11
History for Access Rules, page 3-12

Controlling Network Access

Access rules determine which traffic is allowed through the ASA. There are several different layers of rules that work together to implement your access control policy:
Extended access rules (Layer 3+ traffic) assigned to interfaces—You can apply separate rule sets (ACLs) in the inbound and outbound directions. An extended access rule permits or denies traffic based on the source and destination traffic criteria.
Extended access rules assigned globally—You can create a single global rule set, which serves as your default access control. The global rules are applied after interface rules.
Management access rules (Layer 3+ traffic)—You can apply a single rule set to cover traffic directed at an interface, which would typically be management traffic. In the CLI, these are “control plane” access groups. For ICMP traffic directed at the device, you can alternatively configure ICMP rules.
EtherType rules (Layer 2 traffic) assigned to interfaces (transparent firewall mode only)—You can apply separate rule sets in the inbound and outbound directions. EtherType rules control network access for non-IP traffic. An EtherType rule permits or denies traffic based on the EtherType.
In transparent firewall mode, you can combine extended access rules, management access rules, and EtherType rules on the same interface.
General Information About Rules, page 3-2
Extended Access Rules, page 3-4
EtherType Rules, page 3-6
General Information About Rules
This section describes information for both access rules and EtherType rules, and it includes the following topics:
Interface Access Rules and Global Access Rules, page 3-2
Inbound and Outbound Rules, page 3-2
Rule Order, page 3-3
Implicit Permits, page 3-3
Implicit Deny, page 3-4
NAT and Access Rules, page 3-4
Interface Access Rules and Global Access Rules
You can apply an access rule to a specific interface, or you can apply an access rule globally to all interfaces. You can configure global access rules in conjunction with interface access rules, in which case, the specific inbound interface access rules are always processed before the general global access rules. Global access rules apply only to inbound traffic.
Inbound and Outbound Rules
You can configure access rules based on the direction of traffic:
Inbound—Inbound access rules apply to traffic as it enters an interface. Global and management access rules are always inbound.
Outbound—Outbound rules apply to traffic as it exits an interface.
Note “Inbound” and “outbound” refer to the application of an ACL on an interface, either to traffic entering the ASA on an interface or traffic exiting the ASA on an interface. These terms do not refer to the movement of traffic from a lower security interface to a higher security interface, commonly known as inbound, or from a higher to lower interface, commonly known as outbound.
An outbound ACL is useful, for example, if you want to allow only certain hosts on the inside networks to access a web server on the outside network. Rather than creating multiple inbound ACLs to restrict access, you can create a single outbound ACL that allows only the specified hosts. (See the following figure.) The outbound ACL prevents any other hosts from reaching the outside network.
Figure 3-1 Outbound ACL
[Figure: a web server at 209.165.200.225 sits on the outside network. The Inside, HR, and Eng interfaces each carry an inbound ACL that permits from any to any, and static NAT maps 10.1.1.14 to 209.165.201.4, 10.1.2.67 to 209.165.201.6, and 10.1.3.34 to 209.165.201.8. The outbound ACL on the outside interface permits HTTP from 10.1.1.14, 10.1.2.67, and 10.1.3.34 to 209.165.200.225 and denies all others.]
See the following commands for this example:
hostname(config)# access-list OUTSIDE extended permit tcp host 10.1.1.14 host 209.165.200.225 eq www
hostname(config)# access-list OUTSIDE extended permit tcp host 10.1.2.67 host 209.165.200.225 eq www
hostname(config)# access-list OUTSIDE extended permit tcp host 10.1.3.34 host 209.165.200.225 eq www
hostname(config)# access-group OUTSIDE out interface outside
Rule Order
The order of rules is important. When the ASA decides whether to forward or drop a packet, the ASA tests the packet against each rule in the order in which the rules are listed in the applied ACL. After a match is found, no more rules are checked. For example, if you create an access rule at the beginning that explicitly permits all traffic for an interface, no further rules are ever checked.
Implicit Permits
For routed mode, the following types of traffic are allowed through by default:
Unicast IPv4 and IPv6 traffic from a higher security interface to a lower security interface.
For transparent mode, the following types of traffic are allowed through by default:
Unicast IPv4 and IPv6 traffic from a higher security interface to a lower security interface.
ARPs in both directions. (You can control ARP traffic using ARP inspection, but you cannot control it by access rule.)
BPDUs in both directions.
For other traffic, you need to use either an extended access rule (IPv4 and IPv6) or an EtherType rule (non-IP).
Implicit Deny
ACLs have an implicit deny at the end of the list, so unless you explicitly permit it, traffic cannot pass. For example, if you want to allow all users to access a network through the ASA except for particular addresses, then you need to deny the particular addresses and then permit all others.
For EtherType ACLs, the implicit deny at the end of the ACL does not affect IP traffic or ARPs; for example, if you allow EtherType 8037, the implicit deny at the end of the ACL does not now block any IP traffic that you previously allowed with an extended ACL (or implicitly allowed from a high security interface to a low security interface). However, if you explicitly deny all traffic with an EtherType rule, then IP and ARP traffic is denied; only physical protocol traffic, such as auto-negotiation, is still allowed.
If you configure a global access rule, then the implicit deny comes after the global rule is processed. See the following order of operations:
1. Interface access rule.
2. Global access rule.
3. Implicit deny.
NAT and Access Rules
Access rules always use the real IP addresses when determining an access rule match, even if you configure NAT. For example, if you configure NAT for an inside server, 10.1.1.5, so that it has a publicly routable IP address on the outside, 209.165.201.5, then the access rule to allow the outside traffic to access the inside server needs to reference the server’s real IP address (10.1.1.5), and not the mapped address (209.165.201.5).
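Added example, not from the Cisco guide: a small Python simulation of the order of operations just described (first match within the interface ACL, then the global ACL, then the implicit deny) and of why an ACE must name the real, pre-NAT address. The ACLs, packets and addresses are constructed here; only the fields the text discusses are modeled.

```python
# Added example, not from the Cisco guide: simulate how the ASA decides whether
# to forward a packet, following the order of operations the text gives
# (interface access rule, global access rule, implicit deny) with first-match
# semantics inside each ACL, and matching on the REAL (pre-NAT) address so an
# ACE written against the mapped address never hits.
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip" (any IP protocol)
    src: str                     # "any", a host address, or a CIDR network
    dst: str
    dport: Optional[int] = None  # None matches any destination port

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str                     # real (untranslated) addresses
    dst: str
    dport: Optional[int] = None

def _addr_match(spec: str, addr: str) -> bool:
    # "any" matches IPv4 and IPv6; a bare host address is a /32 or /128.
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not (_addr_match(ace.src, pkt.src) and _addr_match(ace.dst, pkt.dst)):
        return False
    return ace.dport is None or ace.dport == pkt.dport

def first_match(acl: list[Ace], pkt: Packet) -> Optional[tuple[int, Ace]]:
    """First matching ACE with its 1-based line number (as in 'show access-list');
    later lines are never examined once a match is found."""
    for line, ace in enumerate(acl, start=1):
        if ace_matches(ace, pkt):
            return line, ace
    return None

def evaluate(pkt: Packet, interface_acl: list[Ace], global_acl: list[Ace]) -> tuple[str, str]:
    """Return (action, reason) for an inbound packet on an interface."""
    hit = first_match(interface_acl, pkt)
    if hit is not None:
        return hit[1].action, f"interface ACL line {hit[0]}"
    hit = first_match(global_acl, pkt)
    if hit is not None:
        return hit[1].action, f"global ACL line {hit[0]}"
    return "deny", "implicit deny"

# Constructed sample ACLs using the addresses from the text.
# Inside server 10.1.1.5 is statically translated to 209.165.201.5 on the outside.
OUTSIDE_REAL = [Ace("permit", "tcp", "any", "10.1.1.5", 80)]        # correct: real IP
OUTSIDE_MAPPED = [Ace("permit", "tcp", "any", "209.165.201.5", 80)]  # wrong: mapped IP
# "Deny the particular addresses, then permit all others": order matters.
INSIDE_OK = [Ace("deny", "ip", "10.1.1.15", "any"), Ace("permit", "ip", "any", "any")]
INSIDE_REVERSED = [Ace("permit", "ip", "any", "any"), Ace("deny", "ip", "10.1.1.15", "any")]
GLOBAL_ACL = [Ace("permit", "udp", "10.0.0.0/8", "any", 53)]

def demo() -> dict[str, tuple[str, str]]:
    web = Packet("tcp", "203.0.113.7", "10.1.1.5", 80)   # outside client to the server's real IP
    blocked = Packet("tcp", "10.1.1.15", "209.165.200.225", 80)
    dns = Packet("udp", "10.1.2.9", "198.51.100.53", 53)
    return {
        "nat_real": evaluate(web, OUTSIDE_REAL, []),
        "nat_mapped": evaluate(web, OUTSIDE_MAPPED, []),
        "deny_then_permit": evaluate(blocked, INSIDE_OK, []),
        "permit_then_deny": evaluate(blocked, INSIDE_REVERSED, []),
        "global_after_interface": evaluate(dns, INSIDE_OK[:1], GLOBAL_ACL),
        "nothing_matches": evaluate(dns, [], []),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} -> {result}")
```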
Extended Access Rules
This section describes information about extended access rules.
Extended Access Rules for Returning Traffic, page 3-5
Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules, page 3-5
Management Access Rules, page 3-5
Extended Access Rules for Returning Traffic
For TCP and UDP connections for both routed and transparent mode, you do not need an access rule to allow returning traffic because the ASA allows all returning traffic for established, bidirectional connections.
For connectionless protocols such as ICMP, however, the ASA establishes unidirectional sessions, so you either need access rules to allow ICMP in both directions (by applying ACLs to the source and destination interfaces), or you need to enable the ICMP inspection engine. The ICMP inspection engine treats ICMP sessions as bidirectional connections. To control ping, specify echo-reply (0) (ASA to host) or echo (8) (host to ASA).
Allowing Broadcast and Multicast Traffic through the Transparent Firewall Using Access Rules
In routed firewall mode, broadcast and multicast traffic is blocked even if you allow it in an access rule, including unsupported dynamic routing protocols and DHCP (unless you configure DHCP relay). Transparent firewall mode can allow any IP traffic through.
Note Because these special types of traffic are connectionless, you need to apply an access rule to both interfaces, so returning traffic is allowed through.
The following table lists common traffic types that you can allow through the transparent firewall.
Table 3-1 Transparent Firewall Special Traffic
Traffic Type | Protocol or Port | Notes
DHCP | UDP ports 67 and 68 | If you enable the DHCP server, then the ASA does not pass DHCP packets.
EIGRP | Protocol 88 |
OSPF | Protocol 89 |
Multicast streams | The UDP ports vary depending on the application. | Multicast streams are always destined to a Class D address (224.0.0.0 to 239.x.x.x).
RIP (v1 or v2) | UDP port 520 |
Management Access Rules
You can configure access rules that control management traffic destined to the ASA. Access control rules for to-the-box management traffic (defined by such commands as http, ssh, or telnet) have higher precedence than a management access rule applied with the control-plane option. Therefore, such permitted management traffic will be allowed to come in even if explicitly denied by the to-the-box ACL.
Alternatively, you can use ICMP rules to control ICMP traffic to the device. Use regular extended access rules to control ICMP traffic through the device.
EtherType Rules
This section describes EtherType rules.
Supported EtherTypes and Other Traffic, page 3-6
EtherType Rules for Returning Traffic, page 3-6
Allowing MPLS, page 3-6
Supported EtherTypes and Other Traffic
An EtherType rule controls the following:
EtherType identified by a 16-bit hexadecimal number, including common types IPX and MPLS unicast or multicast.
Ethernet V2 frames.
BPDUs, which are permitted by default. BPDUs are SNAP-encapsulated, and the ASA is designed to specifically handle BPDUs.
Trunk port (Cisco proprietary) BPDUs. Trunk BPDUs have VLAN information inside the payload, so the ASA modifies the payload with the outgoing VLAN if you allow BPDUs.
Intermediate System to Intermediate System (IS-IS).
The following types of traffic are not supported:
802.3-formatted frames—These frames are not handled by the rule because they use a length field as opposed to a type field.
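Added example, not from the Cisco guide: a Python classifier that separates Ethernet V2 frames (type field, 0x0600 and above) from 802.3 frames (length field), recognizes an IEEE BPDU by its LLC SAP, and applies a constructed EtherType ACL with the semantics the Implicit Deny section gives (BPDUs permitted by default, IP and ARP touched only by an explicit deny any). The frames and ACLs are constructed; the BPDU detection and the IP/ARP handling are modeling assumptions, not the ASA's own logic.

```python
# Added example, not from the Cisco guide: classify Ethernet frames the way the
# EtherType rules section describes and apply a simple EtherType ACL to them.
# Assumptions: bytes 12-13 hold a length (<= 0x05DC) for 802.3 frames and a
# type (>= 0x0600) for Ethernet V2 frames; an IEEE BPDU is an 802.3/LLC frame
# with DSAP and SSAP 0x42 (SNAP-encapsulated variants are not recognized here);
# IP and ARP frames are affected only by an explicit "deny any" EtherType rule.
from __future__ import annotations
import struct

ETHERTYPE_NAMES = {0x8137: "ipx", 0x8847: "mpls-unicast", 0x8848: "mpls-multicast",
                   0x0800: "ipv4", 0x0806: "arp", 0x86DD: "ipv6"}
IP_OR_ARP = {0x0800, 0x0806, 0x86DD}

def classify(frame: bytes) -> tuple[str, int]:
    """Return ("ethernet2", ethertype), ("bpdu", length) or ("802.3", length)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    type_or_len = struct.unpack("!H", frame[12:14])[0]
    if type_or_len >= 0x0600:
        return "ethernet2", type_or_len
    # 802.3 frame: an LLC header follows; DSAP/SSAP 0x42 is the spanning-tree SAP
    if len(frame) >= 16 and frame[14] == 0x42 and frame[15] == 0x42:
        return "bpdu", type_or_len
    return "802.3", type_or_len

def _spec_matches(spec: str, name: str, value: int) -> bool:
    if spec == "any":
        return True
    if spec.startswith("0x"):            # 16-bit hexadecimal EtherType
        return int(spec, 16) == value
    return spec == name                  # keyword such as ipx, mpls-unicast, bpdu

def ethertype_action(rules: list[tuple[str, str]], frame: bytes) -> str:
    """Apply an EtherType ACL (list of (action, spec)) to one frame.
    Returns "permit", "deny", "ip-rules" (left to the extended ACL) or
    "unsupported" (802.3 length-field frames, which EtherType rules ignore)."""
    kind, value = classify(frame)
    if kind == "802.3":
        return "unsupported"
    if kind == "ethernet2" and value in IP_OR_ARP:
        # Only a rule for "any" can touch IP/ARP traffic, and only a deny changes anything.
        for action, spec in rules:
            if spec == "any":
                return "deny" if action == "deny" else "ip-rules"
        return "ip-rules"
    name = "bpdu" if kind == "bpdu" else ETHERTYPE_NAMES.get(value, f"0x{value:04x}")
    for action, spec in rules:
        if _spec_matches(spec, name, value):
            return action
    # Implicit deny at the end of the ACL; BPDUs are permitted by default.
    return "permit" if kind == "bpdu" else "deny"

def make_frame(type_or_len: int, payload: bytes = b"") -> bytes:
    """Constructed frame: zeroed MAC addresses, the type/length field, then payload."""
    return bytes(12) + struct.pack("!H", type_or_len) + payload

# Constructed sample frames (not captured traffic)
FRAMES = {
    "ipx": make_frame(0x8137),
    "mpls": make_frame(0x8847),
    "custom": make_frame(0x1234),
    "denied": make_frame(0x1256),
    "ipv4": make_frame(0x0800),
    "arp": make_frame(0x0806),
    "bpdu": make_frame(0x0026, b"\x42\x42\x03" + bytes(35)),   # 802.3/LLC STP BPDU
    "snap": make_frame(0x0040, b"\xaa\xaa\x03" + bytes(61)),   # 802.3/SNAP, not a BPDU
}

# ACLs mirroring the chapter's examples: permit common types; deny one type and
# permit the rest; deny everything.
ACL_COMMON = [("permit", "ipx"), ("permit", "mpls-unicast")]
ACL_DENY_ONE = [("deny", "0x1256"), ("permit", "any")]
ACL_DENY_ALL = [("deny", "any")]

def demo(acl: list[tuple[str, str]]) -> dict[str, str]:
    return {name: ethertype_action(acl, frame) for name, frame in FRAMES.items()}

if __name__ == "__main__":
    for label, acl in (("common", ACL_COMMON), ("deny-one", ACL_DENY_ONE), ("deny-all", ACL_DENY_ALL)):
        print(label, demo(acl))
```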
EtherType Rules for Returning Traffic
Because EtherTypes are connectionless, you need to apply the rule to both interfaces if you want traffic to pass in both directions.
Allowing MPLS
If you allow MPLS, ensure that Label Distribution Protocol and Tag Distribution Protocol TCP connections are established through the ASA by configuring both MPLS routers connected to the ASA to use the IP address on the ASA interface as the router-id for LDP or TDP sessions. (LDP and TDP allow MPLS routers to negotiate the labels (addresses) used to forward packets.)
On Cisco IOS routers, enter the appropriate command for your protocol, LDP or TDP. The interface is the interface connected to the ASA.
hostname(config)# mpls ldp router-id interface force
Or
hostname(config)# tag-switching tdp router-id interface force
Guidelines for Access Control

IPv6 Guidelines
Supports IPv6. The source and destination addresses can include any mix of IPv4 and IPv6 addresses.
Per-User ACL Guidelines
The per-user ACL uses the value in the timeout uauth command, but it can be overridden by the AAA per-user session timeout value.
If traffic is denied because of a per-user ACL, syslog message 109025 is logged. If traffic is permitted, no syslog message is generated. The log option in the per-user ACL has no effect.
Additional Guidelines and Limitations
You can reduce the memory required to search access rules by enabling object group search, but this is at the expense of rule lookup performance. When enabled, object group search does not expand network objects, but instead searches access rules for matches based on those group definitions. You can set this option using the object-group-search access-control command.
You can improve system performance and reliability by using the transactional commit model for access groups. See the basic settings chapter in the general operations configuration guide for more information. Use the asp rule-engine transactional-commit access-group command.
In ASDM, rule descriptions are based on the access list remarks that come before the rule in the ACL; for new rules you create in ASDM, any descriptions are also configured as remarks before the related rule. However, the packet tracer in ASDM matches the remark that is configured after the matching rule in the CLI.
Normally, you cannot reference an object or object group that does not exist in an ACL or object group, or delete one that is currently referenced. You also cannot reference an ACL that does not exist in an access-group command (to apply access rules). However, you can change this default behavior so that you can “forward reference” objects or ACLs before you create them. Until you create the objects or ACLs, any rules or access groups that reference them are ignored. To enable forward referencing, use the forward-reference enable command.

Configure Access Control

The following topics explain how to configure access control.
Configure an Access Group, page 3-7
Configure ICMP Access Rules, page 3-8
Configure an Access Group
Before you can create an access group, create the ACL. See the general operations configuration guide for more information.
To bind an ACL to an interface or to apply it globally, use the following command:
access-group access_list { {in | out} interface interface_name [per-user-override | control-plane] | global}
Example:
hostname(config)# access-group outside_access in interface outside
For an interface-specific access group:
Specify the extended or EtherType ACL name. You can configure one access-group command per ACL type per interface per direction, and one control plane ACL. The control plane ACL must be an extended ACL.
The in keyword applies the ACL to inbound traffic. The out keyword applies the ACL to the outbound traffic.
Specify the interface name.
The per-user-override keyword (for inbound ACLs only) allows dynamic user ACLs that are downloaded for user authorization to override the ACL assigned to the interface. For example, if the interface ACL denies all traffic from 10.0.0.0, but the dynamic ACL permits all traffic from 10.0.0.0, then the dynamic ACL overrides the interface ACL for that user.
By default, VPN remote access traffic is not matched against interface ACLs. However, if you use the no sysopt connection permit-vpn command to turn off this bypass, the behavior depends on whether there is a vpn-filter applied in the group policy and whether you set the per-user-override option:
No per-user-override, no vpn-filter—Traffic is matched against the interface ACL.
No per-user-override, vpn-filter—Traffic is matched first against the interface ACL, then against the VPN filter.
per-user-override, vpn-filter—Traffic is matched against the VPN filter only.
The control-plane keyword specifies if the rule is for to-the-box traffic.
For a global access group, specify the global keyword to apply the extended ACL to the inbound direction of all interfaces.
Examples
The following example shows how to use the access-group command:
hostname(config)# access-list outside_access permit tcp any host 209.165.201.3 eq 80
hostname(config)# access-group outside_access interface outside
The access-list command lets any host access the host address using port 80. The access-group command specifies that the access-list command applies to traffic entering the outside interface.
Configure ICMP Access Rules
By default, you can send ICMP packets to any ASA interface using either IPv4 or IPv6, with these exceptions:
The ASA does not respond to ICMP echo requests directed to a broadcast address.
The ASA only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot send ICMP traffic through an interface to a far interface.
To protect the device from attacks, you can use ICMP rules to limit ICMP access to ASA interfaces to particular hosts, networks, or ICMP types. ICMP rules function like access rules, where the rules are ordered, and the first rule that matches a packet defines the action.
If you configure any ICMP rule for an interface, an implicit deny ICMP rule is added to the end of the ICMP rule list, changing the default behavior. Thus, if you want to simply deny a few message types, you must include a permit any rule at the end of the ICMP rule list to allow the remaining message types.
We recommend that you always grant permission for the ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP path MTU discovery, which can halt IPsec and PPTP traffic. Additionally, ICMP packets in IPv6 are used in the IPv6 neighbor discovery process. See RFC 1195 and RFC 1435 for details about path MTU discovery.
Procedure
Step 1 Create rules for ICMP traffic.
icmp {permit | deny} {host ip_address | ip_address mask | any} [icmp_type] interface_name
If you do not specify an icmp_type, the rule applies to all types. You can enter the number or the name. To control ping, specify echo-reply (0) (ASA-to-host) or echo (8) (host-to-ASA).
For the address, you can apply the rule to any address, to a single host, or to a network (ip_address mask).
Step 2 Create rules for ICMPv6 (IPv6) traffic.
ipv6 icmp {permit | deny} {host ipv6_address | ipv6-network/prefix-length | any} [icmp_type] interface_name
If you do not specify an icmp_type, the rule applies to all types.
For the address, you can apply the rule to any address, to a single host, or to a network (ipv6-network/prefix-length).
Step 3 (Optional.) Set rate limits on ICMP Unreachable messages so that the ASA will appear on trace route output.
icmp unreachable rate-limit rate burst-size size
Example
hostname(config)# icmp unreachable rate-limit 50 burst-size 1
The rate limit can be 1-100, with 1 being the default. The burst size is meaningless, but must be 1-10.
Increasing the rate limit, along with enabling the set connection decrement-ttl command in a service policy, is required to allow a traceroute through the ASA that shows the ASA as one of the hops. For example, the following policy decrements the time-to-live (TTL) value for all traffic through the ASA.
class-map global-class
 match any
policy-map global_policy
 class global-class
  set connection decrement-ttl
Examples
The following example shows how to allow all hosts except the one at 10.1.1.15 to use ICMP to the inside interface:
hostname(config)# icmp deny host 10.1.1.15 inside
hostname(config)# icmp permit any inside
The following example shows how to allow the host at 10.1.1.15 to use only ping to the inside interface:
hostname(config)# icmp permit host 10.1.1.15 inside
The following example shows how to deny all ping requests and permit all packet-too-big messages (to support path MTU discovery) at the outside interface:
hostname(config)# ipv6 icmp deny any echo-reply outside
hostname(config)# ipv6 icmp permit any packet-too-big outside
The following example shows how to permit host 2000:0:0:4::2 or hosts on prefix 2001::/64 to ping the outside interface:
hostname(config)# ipv6 icmp permit host 2000:0:0:4::2 echo-reply outside
hostname(config)# ipv6 icmp permit 2001::/64 echo-reply outside
hostname(config)# ipv6 icmp permit any packet-too-big outside
Monitoring Access Rules
To monitor network access, enter the following commands:
clear access-list id counters
Clear the hit counts for the access list.
show access-list [name]
Displays the access lists, including the line number for each ACE and hit counts. Include an ACL name or you will see all access lists.
show running-config access-group
Displays the current ACL bound to the interfaces.
Evaluating Syslog Messages for Access Rules
Use a syslog event viewer, such as the one in ASDM, to view messages related to access rules.
If you use default logging, you see syslog message 106023 for explicitly denied flows only. Traffic that matches the “implicit deny” entry that ends the rule list is not logged.
If the ASA is attacked, the number of syslog messages for denied packets can be very large. We recommend that you instead enable logging using syslog message 106100, which provides statistics for each rule (including permit rules) and enables you to limit the number of syslog messages produced. Alternatively, you can disable all logging for a given rule.
When you enable logging for message 106100, if a packet matches an ACE, the ASA creates a flow entry to track the number of packets received within a specific interval. The ASA generates a syslog message at the first hit and at the end of each interval, identifying the total number of hits during the interval and the time stamp for the last hit. At the end of each interval, the ASA resets the hit count to 0. If no packets match the ACE during an interval, the ASA deletes the flow entry. When you configure logging for a rule, you can control the interval and even the severity level of the log message, per rule.
A flow is defined by the source and destination IP addresses, protocols, and ports. Because the source port might differ for a new connection between the same two hosts, you might not see the same flow increment because a new flow was created for the connection.
Permitted packets that belong to established connections do not need to be checked against ACLs; only the initial packet is logged and included in the hit count. For connectionless protocols, such as ICMP, all packets are logged, even if they are permitted, and all denied packets are logged.
See the syslog messages guide for detailed information about these messages.
Tip When you enable logging for message 106100, if a packet matches an ACE, the ASA creates a flow entry to track the number of packets received within a specific interval. The ASA has a maximum of 32 K logging flows for ACEs. A large number of flows can exist concurrently at any point of time. To prevent unlimited consumption of memory and CPU resources, the ASA places a limit on the number of concurrent deny flows; the limit is placed on deny flows only (not on permit flows) because they can indicate an attack. When the limit is reached, the ASA does not create a new deny flow for logging until the existing flows expire, and issues message 106101. You can control the frequency of this message using the access-list alert-interval secs command, and the maximum number of deny flows cached using the access-list deny-flow-max number command.
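Added example, not from the Cisco guide: a Python parser that turns the 106100 and 106023 messages discussed above into per-ACE counters, keyed without the source port because each new connection between the same two hosts starts its own logging flow. The message layouts follow Cisco's published syslog formats; the log lines are constructed for this example, not captured from a device.

```python
# Added example, not from the Cisco guide: aggregate per-ACE hit statistics
# from 106100 messages and explicit denies from 106023 messages. The sample
# log lines below are constructed; the layouts follow Cisco's published formats.
from __future__ import annotations
import re
from collections import defaultdict
from typing import Optional

RE_106100 = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<sif>[^\s/]+)/(?P<src>[^\s(]+)\((?P<sport>\d+)\)(?:\([^)]*\))? -> "
    r"(?P<dif>[^\s/]+)/(?P<dst>[^\s(]+)\((?P<dport>\d+)\)(?:\([^)]*\))? "
    r"hit-cnt (?P<hits>\d+) (?P<when>first hit|\d+-second interval)")

RE_106023 = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\S+) src (?P<sif>[^\s:]+):(?P<src>[^\s/]+)(?:/(?P<sport>\d+))? '
    r'dst (?P<dif>[^\s:]+):(?P<dst>[^\s/]+)(?:/(?P<dport>\d+))?(?: \(type \d+, code \d+\))? '
    r'by access-group "(?P<acl>[^"]+)"')

def parse_line(line: str) -> Optional[dict]:
    """Return a dict for a 106100 or 106023 message, None for anything else."""
    m = RE_106100.search(line)
    if m:
        rec = m.groupdict()
        rec["msg"] = "106100"
        rec["hits"] = int(rec["hits"])
        rec["first_hit"] = rec["when"] == "first hit"
        return rec
    m = RE_106023.search(line)
    if m:
        rec = m.groupdict()
        rec.update(msg="106023", action="denied", hits=1, first_hit=False)
        return rec
    return None

def summarize(lines) -> dict[tuple, dict[str, int]]:
    """Counters per (acl, action, proto, src, dst, dport). The source port is
    left out of the key on purpose: a new connection between the same two
    hosts creates a new logging flow, so one ACE shows up under many source
    ports. First-hit, interval and 106023 counts are kept separate rather
    than summed so the different report types are not mixed."""
    totals: dict[tuple, dict[str, int]] = defaultdict(
        lambda: {"first_hits": 0, "interval_hits": 0, "explicit_denies": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["acl"], rec["action"], rec["proto"], rec["src"], rec["dst"], rec["dport"])
        if rec["msg"] == "106023":
            totals[key]["explicit_denies"] += 1
        elif rec["first_hit"]:
            totals[key]["first_hits"] += 1
        else:
            totals[key]["interval_hits"] += rec["hits"]
    return dict(totals)

# Constructed sample log (not captured from a real device); the last line is an
# unrelated connection message that the parser must ignore.
SAMPLE_LOG = """\
%ASA-6-106100: access-list outside_access permitted tcp outside/203.0.113.10(51234) -> inside/10.1.1.1(80) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
%ASA-6-106100: access-list outside_access permitted tcp outside/203.0.113.10(51240) -> inside/10.1.1.1(80) hit-cnt 1 first hit [0x1a2b3c4e, 0x0]
%ASA-6-106100: access-list outside_access denied tcp outside/198.51.100.7(40000) -> inside/10.1.1.1(23) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]
%ASA-6-106100: access-list outside_access denied tcp outside/198.51.100.7(40000) -> inside/10.1.1.1(23) hit-cnt 57 300-second interval [0x5e6f7a8b, 0x0]
%ASA-4-106023: Deny udp src outside:198.51.100.9/5353 dst inside:10.1.1.1/161 by access-group "outside_access" [0x0, 0x0]
%ASA-4-106023: Deny icmp src outside:198.51.100.9 dst inside:10.1.1.1 (type 8, code 0) by access-group "outside_access" [0x0, 0x0]
%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.10/51234 (203.0.113.10/51234) to inside:10.1.1.1/80 (209.165.201.12/80)
"""

def summarize_sample() -> dict[tuple, dict[str, int]]:
    return summarize(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for key, counters in summarize_sample().items():
        print(key, counters)
```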
Configuration Examples for Permitting or Denying Network Access
This section includes typical configuration examples for permitting or denying network access.
The following example adds a network object for inside server 1, performs static NAT for the server, and enables access from the outside for inside server 1.
hostname(config)# object network inside-server1
hostname(config)# host 10.1.1.1
hostname(config)# nat (inside,outside) static 209.165.201.12
hostname(config)# access-list outside_access extended permit tcp any object inside-server1 eq www
hostname(config)# access-group outside_access in interface outside
The following example allows all hosts to communicate between the inside and hr networks but only specific hosts to access the outside network:
hostname(config)# access-list ANY extended permit ip any any
hostname(config)# access-list OUT extended permit ip host 209.168.200.3 any
hostname(config)# access-list OUT extended permit ip host 209.168.200.4 any
hostname(config)# access-group ANY in interface inside
hostname(config)# access-group ANY in interface hr
hostname(config)# access-group OUT out interface outside
For example, the following sample ACL allows common EtherTypes originating on the inside interface:
hostname(config)# access-list ETHER ethertype permit ipx
hostname(config)# access-list ETHER ethertype permit mpls-unicast
hostname(config)# access-group ETHER in interface inside
The following example allows some EtherTypes through the ASA, but it denies all others:
hostname(config)# access-list ETHER ethertype permit 0x1234
hostname(config)# access-list ETHER ethertype permit mpls-unicast
hostname(config)# access-group ETHER in interface inside
hostname(config)# access-group ETHER in interface outside
The following example denies traffic with EtherType 0x1256 but allows all others on both interfaces:
hostname(config)# access-list nonIP ethertype deny 1256
hostname(config)# access-list nonIP ethertype permit any
hostname(config)# access-group ETHER in interface inside
hostname(config)# access-group ETHER in interface outside
The following example uses object groups to permit specific traffic on the inside interface:
! hostname (config)# object-group service myaclog
hostname (config-service)# service-object tcp source range 2000 3000
hostname (config-service)# service-object tcp source range 3000 3010 destinatio$
hostname (config-service)# service-object ipsec
hostname (config-service)# service-object udp destination range 1002 1006
hostname (config-service)# service-object icmp echo
hostname(config)# access-list outsideacl extended permit object-group myaclog interface inside any
History for Access Rules
Feature name (platform releases): description
Interface access rules (7.0(1)): Controlling network access through the ASA using ACLs. We introduced the following command: access-group.
Global access rules (8.3(1)): Global access rules were introduced. We modified the following command: access-group.
Support for Identity Firewall (8.4(2)): You can now use identity firewall users and groups for the source and destination. You can use an identity firewall ACL with access rules, AAA rules, and for VPN authentication. We modified the following commands: access-list extended.
EtherType ACL support for IS-IS traffic (8.4(5), 9.1(2)): In transparent firewall mode, the ASA can now pass IS-IS traffic using an EtherType ACL. We modified the following command: access-list ethertype {permit | deny} isis.
Support for TrustSec (9.0(1)): You can now use TrustSec security groups for the source and destination. You can use an identity firewall ACL with access rules. We modified the following commands: access-list extended.
Unified ACL for IPv4 and IPv6 (9.0(1)): ACLs now support IPv4 and IPv6 addresses. You can even specify a mix of IPv4 and IPv6 addresses for the source and destination. The any keyword was changed to represent IPv4 and IPv6 traffic. The any4 and any6 keywords were added to represent IPv4-only and IPv6-only traffic, respectively. The IPv6-specific ACLs are deprecated. Existing IPv6 ACLs are migrated to extended ACLs. See the release notes for more information about migration. We modified the following commands: access-list extended, access-list webtype. We removed the following commands: ipv6 access-list, ipv6 access-list webtype, ipv6-vpn-filter.
Extended ACL and object enhancement to filter ICMP traffic by ICMP code (9.0(1)): ICMP traffic can now be permitted/denied based on ICMP code. We introduced or modified the following commands: access-list extended, service-object, service.
Transactional Commit Model on Access Group Rule Engine (9.1(5)): When enabled, a rule update is applied after the rule compilation is completed, without affecting the rule matching performance. We introduced the following commands: asp rule-engine transactional-commit, show running-config asp rule-engine transactional-commit, clear configure asp rule-engine transactional-commit.
Configuration session for editing ACLs and objects; forward referencing of objects and ACLs in access rules (9.3(2)): You can now edit ACLs and objects in an isolated configuration session. You can also forward reference objects and ACLs, that is, configure rules and access groups for objects or ACLs that do not yet exist. We introduced the clear config-session, clear session, configure session, forward-reference, and show config-session commands.
Part 2 Network Address Translation

Chapter 4 Network Address Translation (NAT)
The following topics explain Network Address Translation (NAT) and how to configure it.
Why Use NAT?, page 4-1
NAT Basics, page 4-2
Guidelines for NAT, page 4-6
Dynamic NAT, page 4-12
Dynamic PAT, page 4-18
Static NAT, page 4-27
Identity NAT, page 4-37
Monitoring NAT, page 4-40
History for NAT, page 4-41

Why Use NAT?

Each computer and device within an IP network is assigned a unique IP address that identifies the host. Because of a shortage of public IPv4 addresses, most of these IP addresses are private, not routable anywhere outside of the private company network. RFC 1918 defines the private IP addresses you can use internally that should not be advertised:
10.0.0.0 through 10.255.255.255
172.16.0.0 through 172.31.255.255
192.168.0.0 through 192.168.255.255
One of the main functions of NAT is to enable private IP networks to connect to the Internet. NAT replaces a private IP address with a public IP address, translating the private addresses in the internal private network into legal, routable addresses that can be used on the public Internet. In this way, NAT conserves public addresses because it can be configured to advertise at a minimum only one public address for the entire network to the outside world.
Other functions of NAT include:
Security—Keeping internal IP addresses hidden discourages direct attacks.
IP routing solutions—Overlapping IP addresses are not a problem when you use NAT.
Flexibility—You can change internal IP addressing schemes without affecting the public addresses available externally; for example, for a server accessible to the Internet, you can maintain a fixed IP address for Internet use, but internally, you can change the server address.
Translating between IPv4 and IPv6 (Routed mode only)—If you want to connect an IPv6 network to an IPv4 network, NAT lets you translate between the two types of addresses.
Note NAT is not required. If you do not configure NAT for a given set of traffic, that traffic will not be translated, but will have all of the security policies applied as normal.
NAT Basics
The following topics explain some of the basics of NAT.
NAT Terminology, page 4-2
NAT Types, page 4-3
Network Object NAT and Twice NAT, page 4-3
NAT Rule Order, page 4-5
NAT Interfaces, page 4-6
NAT Terminology
This document uses the following terminology:
Real address/host/network/interface—The real address is the address that is defined on the host, before it is translated. In a typical NAT scenario where you want to translate the inside network when it accesses the outside, the inside network would be the “real” network. Note that you can translate any network connected to the ASA, not just an inside network. Therefore, if you configure NAT to translate outside addresses, “real” can refer to the outside network when it accesses the inside network.
Mapped address/host/network/interface—The mapped address is the address that the real address is translated to. In a typical NAT scenario where you want to translate the inside network when it accesses the outside, the outside network would be the “mapped” network.
Note During address translation, IP addresses residing on the ASA’s interfaces are not translated.
Bidirectional initiation—Static NAT allows connections to be initiated bidirectionally, meaning both to the host and from the host.
Source and destination NAT—For any given packet, both the source and destination IP addresses are compared to the NAT rules, and one or both can be translated/untranslated. For static NAT, the rule is bidirectional, so be aware that “source” and “destination” are used in commands and descriptions throughout this guide even though a given connection might originate at the “destination” address.
NAT Types
You can implement NAT using the following methods:
Dynamic NAT—A group of real IP addresses is mapped to a (usually smaller) group of mapped IP addresses, on a first come, first served basis. Only the real host can initiate traffic. See Dynamic NAT, page 4-12.
Dynamic Port Address Translation (PAT)—A group of real IP addresses is mapped to a single IP address using a unique source port of that IP address. See Dynamic PAT, page 4-18.
Static NAT—A consistent mapping between a real and mapped IP address. Allows bidirectional traffic initiation. See Static NAT, page 4-27.
Identity NAT—A real address is statically translated to itself, essentially bypassing NAT. You might want to configure NAT this way when you want to translate a large group of addresses, but then want to exempt a smaller subset of addresses. See Identity NAT, page 4-37.
Network Object NAT and Twice NAT
The ASA can implement address translation in two ways: network object NAT and twice NAT.
We recommend using network object NAT unless you need the extra features that twice NAT provides. Network object NAT is easier to configure, and might be more reliable for applications such as Voice over IP (VoIP). (For VoIP, because twice NAT is applicable only between two objects, you might see a failure in the translation of indirect addresses that do not belong to either of the objects.)
Network Object NAT, page 4-3
Twice NAT, page 4-3
Comparing Network Object NAT and Twice NAT, page 4-4
Network Object NAT
All NAT rules that are configured as a parameter of a network object are considered to be network object NAT rules. Network object NAT is a quick and easy way to configure NAT for a network object, which
can be a single IP address, a range of addresses, or a subnet.
After you configure the network object, you can then identify the mapped address for that object, either as an inline address or as another network object or network object group.
When a packet enters the ASA, both the source and destination IP addresses are checked against the network object NAT rules. The source and destination address in the packet can be translated by separate rules if separate matches are made. These rules are not tied to each other; different combinations of rules can be used depending on the traffic.
Because the rules are never paired, you cannot specify that sourceA/destinationA should have a different translation than sourceA/destinationB. Use twice NAT for that kind of functionality (twice NAT lets you identify the source and destination address in a single rule).
Twice NAT
Twice NAT lets you identify both the source and destination address in a single rule. Specifying both the source and destination addresses lets you specify that sourceA/destinationA can have a different translation than sourceA/destinationB.
Note For static NAT, the rule is bidirectional, so be aware that “source” and “destination” are used in commands and descriptions throughout this guide even though a given connection might originate at the “destination” address. For example, if you configure static NAT with port address translation, and specify the source address as a Telnet server, and you want all traffic going to that Telnet server to have the port translated from 2323 to 23, then in the command, you must specify the source ports to be translated (real: 23, mapped: 2323). You specify the source ports because you specified the Telnet server address as the source address.
The destination address is optional. If you specify the destination address, you can either map it to itself (identity NAT), or you can map it to a different address. The destination mapping is always a static mapping.
Twice NAT also lets you use service objects for static NAT with port translation; network object NAT only accepts inline definition.
Comparing Network Object NAT and Twice NAT
The main differences between these two NAT types are:
How you define the real address.
Network object NAT—You define NAT as a parameter for a network object. A network object names an IP host, range, or subnet so you can then use the object in the NAT configuration instead of the actual IP addresses. The network object IP address serves as the real address. This method lets you easily add NAT to network objects that might already be used in other parts of your configuration.
Twice NAT—You identify a network object or network object group for both the real and mapped addresses. In this case, NAT is not a parameter of the network object; the network object or group is a parameter of the NAT configuration. The ability to use a network object group for the real address means that twice NAT is more scalable.
How source and destination NAT is implemented.
Network object NAT—Each rule can apply to either the source or destination of a packet. So two rules might be used, one for the source IP address, and one for the destination IP address. These two rules cannot be tied together to enforce a specific translation for a source/destination combination.
Twice NAT—A single rule translates both the source and destination. A matching packet only matches the one rule, and further rules are not checked. Even if you do not configure the optional destination address for twice NAT, a matching packet still only matches one twice NAT rule. The source and destination are tied together, so you can enforce different translations depending on the source/destination combination. For example, sourceA/destinationA can have a different translation than sourceA/destinationB.
Order of NAT Rules.
Network object NAT—Automatically ordered in the NAT table.
Twice NAT—Manually ordered in the NAT table (before or after network object NAT rules).
NAT Rule Order
Network object NAT rules and twice NAT rules are stored in a single table that is divided into three sections. Section 1 rules are applied first, then section 2, and finally section 3, until a match is found. For example, if a match is found in section 1, sections 2 and 3 are not evaluated. The following table shows the order of rules within each section.
Table 4-1 NAT Rule Table
Section 1 (Twice NAT): Applied on a first match basis, in the order they appear in the configuration. Because the first match is applied, you must ensure that specific rules come before more general rules, or the specific rules might not be applied as desired. By default, twice NAT rules are added to section 1.
Note If you configure EasyVPN remote, the ASA dynamically adds invisible NAT rules to the end of this section. Be sure that you do not configure a twice NAT rule in this section that might match your VPN traffic, instead of matching the invisible rule. If VPN does not work due to NAT failure, consider adding twice NAT rules to section 3 instead.
Section 2 (Network object NAT): If a match in section 1 is not found, section 2 rules are applied in the following order, as automatically determined by the ASA:
1. Static rules.
2. Dynamic rules.
Within each rule type, the following ordering guidelines are used:
1. Quantity of real IP addresses—From smallest to largest. For example, an object with one address will be assessed before an object with 10 addresses.
2. For quantities that are the same, then the IP address number is used, from lowest to highest. For example, 10.1.1.0 is assessed before 11.1.1.0.
3. If the same IP address is used, then the name of the network object is used, in alphabetical order. For example, abracadabra is assessed before catwoman.
Section 3 (Twice NAT): If a match is still not found, section 3 rules are applied on a first match basis, in the order they appear in the configuration. This section should contain your most general rules. You must also ensure that any specific rules in this section come before general rules that would otherwise apply. You can specify whether to add a twice NAT rule to section 3 when you add the rule.
For section 2 rules, for example, you have the following IP addresses defined within network objects:
192.168.1.0/24 (static)
192.168.1.0/24 (dynamic)
10.1.1.0/24 (static)
192.168.1.1/32 (static)
172.16.1.0/24 (dynamic) (object def)
172.16.1.0/24 (dynamic) (object abc)
The resultant ordering would be:
192.168.1.1/32 (static)
10.1.1.0/24 (static)
192.168.1.0/24 (static)
172.16.1.0/24 (dynamic) (object abc)
172.16.1.0/24 (dynamic) (object def)
192.168.1.0/24 (dynamic)
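The section 2 ordering above, as an added Python model written for this edit (it is not Cisco code or ASA output): it sorts network object NAT rules by the same keys the table lists (static before dynamic, fewest real addresses first, lowest address first, then object name) and reproduces the resultant ordering shown in the guide. The object names other than abc and def are constructed for the example, the model covers only host and subnet objects (not ranges), and the lookup matches on the source address alone; a real ASA also checks the destination address against the rules and consults sections 1 and 3.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NetObjNatRule:
    """One network object NAT rule: the object's real addresses and its type."""
    object_name: str   # name of the network object (mostly constructed below)
    real: str          # real addresses as a host or CIDR, e.g. "10.1.1.0/24"
    kind: str          # "static" or "dynamic"

    @property
    def network(self):
        return ipaddress.ip_network(self.real, strict=False)


def section2_sort_key(rule: NetObjNatRule):
    """Section 2 ordering from Table 4-1: static before dynamic, then the
    quantity of real addresses (smallest first), then the lowest address,
    then the object name in alphabetical order."""
    net = rule.network
    return (
        0 if rule.kind == "static" else 1,
        net.num_addresses,
        int(net.network_address),
        rule.object_name,
    )


def order_section2(rules):
    """Return the rules in the order the ASA would evaluate them."""
    return sorted(rules, key=section2_sort_key)


def first_match(rules, real_addr: str):
    """Return the first section 2 rule whose real addresses contain
    real_addr, or None.  Only the source-address side of the lookup is
    modelled here."""
    addr = ipaddress.ip_address(real_addr)
    for rule in order_section2(rules):
        if addr in rule.network:
            return rule
    return None


def ordered_summary(rules):
    """The ordering in the guide's own notation, e.g. '10.1.1.0/24 (static)'."""
    return [f"{r.real} ({r.kind})" for r in order_section2(rules)]


# Constructed sample reproducing the guide's list.  Only "abc" and "def" are
# names from the text; the other object names are invented for this example.
SAMPLE_RULES = [
    NetObjNatRule("net-192-static", "192.168.1.0/24", "static"),
    NetObjNatRule("net-192-dynamic", "192.168.1.0/24", "dynamic"),
    NetObjNatRule("net-10-static", "10.1.1.0/24", "static"),
    NetObjNatRule("host-192-1-1", "192.168.1.1/32", "static"),
    NetObjNatRule("def", "172.16.1.0/24", "dynamic"),
    NetObjNatRule("abc", "172.16.1.0/24", "dynamic"),
]


if __name__ == "__main__":
    for line in ordered_summary(SAMPLE_RULES):
        print(line)
    hit = first_match(SAMPLE_RULES, "192.168.1.1")
    print("192.168.1.1 is translated by object", hit.object_name)
```

The lookup shows why the automatic ordering matters: the host 192.168.1.1 is translated by the /32 static rule even though the /24 static rule for 192.168.1.0 also contains it, because the object with one address is assessed first.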
NAT Interfaces
In routed mode, you can configure a NAT rule to apply to any interface (in other words, all interfaces), or you can identify specific real and mapped interfaces. You can also specify any interface for the real address, and a specific interface for the mapped address, or vice versa.
For example, you might want to specify any interface for the real address and specify the outside interface for the mapped address if you use the same private addresses on multiple interfaces, and you want to translate them all to the same global pool when accessing the outside.
Figure 4-1 Specifying Any Interface
In transparent mode, you must choose specific source and destination interfaces.
Guidelines for NAT
The following topics provide detailed guidelines for implementing NAT.
Firewall Mode Guidelines for NAT, page 4-7
IPv6 NAT Guidelines, page 4-7
IPv6 NAT Recommendations, page 4-7
Additional Guidelines for NAT, page 4-8
Network Object NAT Guidelines for Mapped Address Objects, page 4-9
Twice NAT Guidelines for Real and Mapped Address Objects, page 4-10
Twice NAT Guidelines for Service Objects for Real and Mapped Ports, page 4-11
Firewall Mode Guidelines for NAT
NAT is supported in routed and transparent firewall mode. However, transparent mode has the following restrictions:
In transparent mode, you must specify the real and mapped interfaces; you cannot specify “any” as the interface.
In transparent mode, you cannot configure interface PAT, because the transparent mode interfaces do not have IP addresses. You also cannot use the management IP address as a mapped address.
In transparent mode, translating between IPv4 and IPv6 networks is not supported. Translating between two IPv6 networks, or between two IPv4 networks is supported.
IPv6 NAT Guidelines
NAT supports IPv6 with the following guidelines and restrictions.
For routed mode, you can also translate between IPv4 and IPv6.
For transparent mode, translating between IPv4 and IPv6 networks is not supported. Translating between two IPv6 networks, or between two IPv4 networks is supported.
For transparent mode, a PAT pool is not supported for IPv6.
For static NAT, you can specify an IPv6 subnet up to /64. Larger subnets are not supported.
When using FTP with NAT46, when an IPv4 FTP client connects to an IPv6 FTP server, the client must use either the extended passive mode (EPSV) or extended port mode (EPRT); PASV and PORT commands are not supported with IPv6.
IPv6 NAT Recommendations
You can use NAT to translate between IPv6 networks, and also to translate between IPv4 and IPv6 networks (routed mode only). We recommend the following best practices:
NAT66 (IPv6-to-IPv6)—We recommend using static NAT. Although you can use dynamic NAT or PAT, IPv6 addresses are in such large supply that you do not have to use dynamic NAT. If you do not want to allow returning traffic, you can make the static NAT rule unidirectional (twice NAT only).
NAT46 (IPv4-to-IPv6)—We recommend using static NAT. Because the IPv6 address space is so much larger than the IPv4 address space, you can easily accommodate a static translation. If you do not want to allow returning traffic, you can make the static NAT rule unidirectional (twice NAT only). When translating to an IPv6 subnet (/96 or lower), the resulting mapped address is by default an IPv4-embedded IPv6 address, where the 32 bits of the IPv4 address are embedded after the IPv6 prefix. For example, if the IPv6 prefix is a /96 prefix, then the IPv4 address is appended in the last 32 bits of the address. For example, if you map 192.168.1.0/24 to 201b::0/96, then 192.168.1.4 will be mapped to 201b::0.192.168.1.4 (shown with mixed notation). If the prefix is smaller, such as /64, then the IPv4 address is appended after the prefix, and a suffix of 0s is appended after the IPv4 address. You can also optionally translate the addresses net-to-net, where the first IPv4 address maps to the first IPv6 address, the second to the second, and so on.
NAT64 (IPv6-to-IPv4)—You may not have enough IPv4 addresses to accommodate the number of IPv6 addresses. We recommend using a dynamic PAT pool to provide a large number of IPv4 translations.
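The two NAT46 address mappings described above (the default IPv4-embedded form and the optional net-to-net form), as an added Python illustration written for this edit rather than taken from the guide or the ASA. The prefix 201b::0/96 and the host 192.168.1.4 come from the text; the /64 prefix 2001:db8::/64 and the host 10.1.2.3 are constructed. The functions return the mapped address in standard compressed notation, so the guide's 201b::0.192.168.1.4 (mixed notation) appears as 201b::c0a8:104. The prefix-length check combines the two guidelines on the page (a static NAT IPv6 subnet no larger than /64, and a prefix of /96 or shorter to hold the embedded IPv4 address); treating both as a single range of 64 to 96 bits is this example's reading, not something the guide states in those words.

```python
import ipaddress


def is_valid_nat46_prefix(ipv6_prefix: str) -> bool:
    """Prefix check assembled from the guidelines above (this example's
    reading): the subnet may be no larger than /64, and the prefix must be
    /96 or shorter so that 32 bits remain for the IPv4 address."""
    net = ipaddress.IPv6Network(ipv6_prefix, strict=False)
    return 64 <= net.prefixlen <= 96


def nat46_embedded(ipv4: str, ipv6_prefix: str) -> str:
    """Default NAT46 mapping: the IPv4 address is placed directly after the
    IPv6 prefix and any remaining low-order bits are zero."""
    if not is_valid_nat46_prefix(ipv6_prefix):
        raise ValueError(f"unsupported prefix {ipv6_prefix}")
    net = ipaddress.IPv6Network(ipv6_prefix, strict=False)
    v4 = int(ipaddress.IPv4Address(ipv4))
    zero_suffix = 128 - net.prefixlen - 32     # zero bits after the IPv4 address
    mapped = int(net.network_address) | (v4 << zero_suffix)
    return str(ipaddress.IPv6Address(mapped))


def nat46_extract(mapped_ipv6: str, ipv6_prefix: str) -> str:
    """Reverse of nat46_embedded: recover the real IPv4 address from a mapped
    address, as must happen for return traffic."""
    net = ipaddress.IPv6Network(ipv6_prefix, strict=False)
    zero_suffix = 128 - net.prefixlen - 32
    v4 = (int(ipaddress.IPv6Address(mapped_ipv6)) >> zero_suffix) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(v4))


def nat46_net_to_net(ipv4: str, ipv4_subnet: str, ipv6_subnet: str) -> str:
    """Optional net-to-net mapping: the n-th address of the real IPv4 subnet
    maps to the n-th address of the mapped IPv6 subnet."""
    if not is_valid_nat46_prefix(ipv6_subnet):
        raise ValueError(f"unsupported prefix {ipv6_subnet}")
    v4net = ipaddress.IPv4Network(ipv4_subnet, strict=False)
    v6net = ipaddress.IPv6Network(ipv6_subnet, strict=False)
    addr = ipaddress.IPv4Address(ipv4)
    if addr not in v4net:
        raise ValueError(f"{ipv4} is not in {ipv4_subnet}")
    offset = int(addr) - int(v4net.network_address)
    return str(ipaddress.IPv6Address(int(v6net.network_address) + offset))


if __name__ == "__main__":
    print(nat46_embedded("192.168.1.4", "201b::0/96"))     # guide's example
    print(nat46_embedded("10.1.2.3", "2001:db8::/64"))     # constructed /64 case
    print(nat46_net_to_net("192.168.1.4", "192.168.1.0/24", "201b::/96"))
```

With the /64 prefix the IPv4 bits sit in the middle of the address and the last 32 bits are zero, which is the "suffix of 0s" the text describes; with a /96 prefix the suffix length is zero and the IPv4 address occupies the final 32 bits.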
Additional Guidelines for NAT
(Network object NAT only.) You can only define a single NAT rule for a given object; if you want to configure multiple NAT rules for an object, you need to create multiple objects with different names that specify the same IP address, for example, object network obj-10.10.10.1-01, object network obj-10.10.10.1-02, and so on.
(Twice NAT only.) You cannot configure FTP destination port translation when the source IP address is a subnet (or any other application that uses a secondary connection); the FTP data channel establishment does not succeed. For example, the following configuration does not work:
object network MyInsNet
 subnet 10.1.2.0 255.255.255.0
object network MapInsNet
 subnet 209.165.202.128 255.255.255.224
object network Server1
 host 209.165.200.225
object network Server1_mapped
 host 10.1.2.67
object service REAL_ftp
 service tcp destination eq ftp
object service MAPPED_ftp
 service tcp destination eq 2021
object network MyOutNet
 subnet 209.165.201.0 255.255.255.224
nat (inside,outside) source static MyInsNet MapInsNet destination static Server1_mapped Server1 service MAPPED_ftp REAL_ftp
If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT configuration is used, you can clear the translation table using the clear xlate command. However, clearing the translation table disconnects all current connections that use translations.
Note If you remove a dynamic NAT or PAT rule, and then add a new rule with mapped addresses that overlap the addresses in the removed rule, then the new rule will not be used until all connections associated with the removed rule time out or are cleared using the clear xlate command. This safeguard ensures that the same address is not assigned to multiple hosts.
Objects and object groups used in NAT cannot be undefined; they must include IP addresses.
You cannot use an object group with both IPv4 and IPv6 addresses; the object group must include only one type of address.
(Twice NAT only.) When using the any keyword in a NAT rule, the definition of “any” traffic (IPv4 vs. IPv6) depends on the rule. Before the ASA performs NAT on a packet, the packet must be IPv6-to-IPv6 or IPv4-to-IPv4; with this prerequisite, the ASA can determine the value of any in a NAT rule. For example, if you configure a rule from “any” to an IPv6 server, and that server was mapped from an IPv4 address, then any means “any IPv6 traffic.” If you configure a rule from “any” to “any,” and you map the source to the interface IPv4 address, then any means “any IPv4 traffic” because the mapped interface address implies that the destination is also IPv4.
You can use the same mapped object or group in multiple NAT rules.
The mapped IP address pool cannot include:
The mapped interface IP address. If you specify “any” interface for the rule, then all interface IP addresses are disallowed. For interface PAT (routed mode only), use the interface keyword instead of the IP address.
(Transparent mode) The management IP address.
(Dynamic NAT) The standby interface IP address when VPN is enabled.
Existing VPN pool addresses.
Avoid using overlapping addresses in static and dynamic NAT policies. For example, with overlapping addresses, a PPTP connection can fail to get established if the secondary connection for PPTP hits the static instead of dynamic xlate.
For application inspection limitations with NAT or PAT, see Default Inspections and NAT Limitations, page 6-6.
The default behavior for identity NAT has proxy ARP enabled, matching other static NAT rules. You can disable proxy ARP if desired. See Routing NAT Packets, page 5-11 for more information.
If you specify an optional interface, then the ASA uses the NAT configuration to determine the egress interface, but you have the option to always use a route lookup instead. See Routing NAT Packets, page 5-11 for more information.
You can improve system performance and reliability by using the transactional commit model for NAT. See the basic settings chapter in the general operations configuration guide for more information. Use the asp rule-engine transactional-commit nat command.
Network Object NAT Guidelines for Mapped Address Objects
For dynamic NAT, you must use an object or group for the mapped addresses. For the other NAT types, you can use an object or group, or you have the option of using inline addresses. Network object groups are particularly useful for creating a mapped address pool with discontinuous IP address ranges or multiple hosts or subnets. Use the object network and object-group network commands to create the objects.
Consider the following guidelines when creating objects for mapped addresses.
A network object group can contain objects or inline addresses of either IPv4 or IPv6 addresses. The
group cannot contain both IPv4 and IPv6 addresses; it must contain one type only.
See Additional Guidelines for NAT, page 4-8 for information about disallowed mapped IP
addresses.
Dynamic NAT:
You cannot use an inline address; you must configure a network object or group.
The object or group cannot contain a subnet; the object must define a range; the group can include hosts and ranges.
If a mapped network object contains both ranges and host IP addresses, then the ranges are used for dynamic NAT, and then the host IP addresses are used as a PAT fallback.
Dynamic PAT (Hide):
Instead of using an object, you can optionally configure an inline host address or specify the interface address.
If you use an object, the object or group cannot contain a subnet. The object must define a host, or for a PAT pool, a range. The group (for a PAT pool) can include hosts and ranges.
Static NAT or Static NAT with port translation:
Instead of using an object, you can configure an inline address or specify the interface address (for static NAT-with-port-translation).
If you use an object, the object or group can contain a host, range, or subnet.
Identity NAT
Instead of using an object, you can configure an inline address.
If you use an object, the object must match the real addresses you want to translate.
Twice NAT Guidelines for Real and Mapped Address Objects
For each NAT rule, configure up to four network objects or groups for:
Source real address
Source mapped address
Destination real address
Destination mapped address
Objects are required unless you specify the any keyword inline to represent all traffic, or for some types of NAT, the interface keyword to represent the interface address. Network object groups are particularly useful for creating a mapped address pool with discontinuous IP address ranges or multiple hosts or subnets. Use the object network and object-group network commands to create the objects.
Consider the following guidelines when creating objects for twice NAT.
A network object group can contain objects or inline addresses of either IPv4 or IPv6 addresses. The
group cannot contain both IPv4 and IPv6 addresses; it must contain one type only.
See Additional Guidelines for NAT, page 4-8 for information about disallowed mapped IP
addresses.
Source Dynamic NAT:
You typically configure a larger group of real addresses to be mapped to a smaller group.
The mapped object or group cannot contain a subnet; the object must define a range; the group can include hosts and ranges.
If a mapped network object contains both ranges and host IP addresses, then the ranges are used for dynamic NAT, and the host IP addresses are used as a PAT fallback.
Source Dynamic PAT (Hide):
If you use an object, the object or group cannot contain a subnet. The object must define a host, or for a PAT pool, a range. The group (for a PAT pool) can include hosts and ranges.
Source Static NAT or Static NAT with port translation:
The mapped object or group can contain a host, range, or subnet.
The static mapping is typically one-to-one, so the real addresses have the same quantity as the mapped addresses. You can, however, have different quantities if desired.
Source Identity NAT
The real and mapped objects must match. You can use the same object for both, or you can create separate objects that contain the same IP addresses.
Destination Static NAT or Static NAT with port translation (the destination translation is always static):
Although the main feature of twice NAT is the inclusion of the destination IP address, the destination address is optional. If you do specify the destination address, you can configure static translation for that address or just use identity NAT for it. You might want to configure twice NAT without a destination address to take advantage of some of the other qualities of twice NAT, including the use of network object groups for real addresses, or manually ordering of rules. For more information, see Comparing Network Object NAT and Twice NAT, page 4-4.
For identity NAT, the real and mapped objects must match. You can use the same object for both, or you can create separate objects that contain the same IP addresses.
The static mapping is typically one-to-one, so the real addresses have the same quantity as the mapped addresses. You can, however, have different quantities if desired.
For static interface NAT with port translation (routed mode only), you can specify the interface keyword instead of a network object/group for the mapped address.
Twice NAT Guidelines for Service Objects for Real and Mapped Ports
You can optionally configure service objects for:
Source real port (Static only) or Destination real port
Source mapped port (Static only) or Destination mapped port
Use the object service command to create the objects.
Consider the following guidelines when creating objects for twice NAT.
NAT only supports TCP or UDP. When translating a port, be sure the protocols in the real and mapped service objects are identical (both TCP or both UDP).
The “not equal” (neq) operator is not supported.
For identity port translation, you can use the same service object for both the real and mapped ports.
Source Dynamic NAT—Source Dynamic NAT does not support port translation.
Source Dynamic PAT (Hide)—Source Dynamic PAT does not support port translation.
Source Static NAT, Static NAT with port translation, or Identity NAT—A service object can contain both a source and destination port; however, you should specify either the source or the destination port for both service objects. You should only specify both the source and destination ports if your application uses a fixed source port (such as some DNS servers); but fixed source ports are rare. For example, if you want to translate the port for the source host, then configure the source service.
Destination Static NAT or Static NAT with port translation (the destination translation is always static)—For non-static source NAT, you can only perform port translation on the destination. A service object can contain both a source and destination port, but only the destination port is used in this case. If you specify the source port, it will be ignored.
Dynamic NAT
The following topics explain dynamic NAT and how to configure it.
About Dynamic NAT, page 4-12
Configure Dynamic Network Object NAT, page 4-14
Configure Dynamic Twice NAT, page 4-16
About Dynamic NAT
Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network. The mapped pool typically includes fewer addresses than the real group. When a host you want to translate accesses the destination network, the ASA assigns the host an IP address from the mapped pool. The translation is created only when the real host initiates the connection. The translation is in place only for the duration of the connection, and a given user does not keep the same IP address after the translation times out. Users on the destination network, therefore, cannot initiate a reliable connection to a host that uses dynamic NAT, even if the connection is allowed by an access rule.
Chapter 4 Network Address Translation (NAT)
Note For the duration of the translation, a remote host can initiate a connection to the translated host if an access rule allows it. Because the address is unpredictable, a connection to the host is unlikely. Nevertheless, in this case you can rely on the security of the access rule.
The following figure shows a typical dynamic NAT scenario. Only real hosts can create a NAT session, and responding traffic is allowed back.
Figure 4-2 Dynamic NAT
[Figure 4-3 illustration: outside web server www.example.com, with outside addresses 209.165.201.2 and 209.165.201.10 and inside addresses 10.1.2.1 and 10.1.2.27 shown on either side of the security appliance]
The following figure shows a remote host attempting to initiate a connection to a mapped address. This address is not currently in the translation table; therefore, the ASA drops the packet.
Figure 4-3 Remote Host Attempts to Initiate a Connection to a Mapped Address
Dynamic NAT Disadvantages and Advantages
Dynamic NAT has these disadvantages:
If the mapped pool has fewer addresses than the real group, you could run out of addresses if the amount of traffic is more than expected. Use PAT or a PAT fall-back method if this event occurs often, because PAT provides over 64,000 translations using ports of a single address.
You have to use a large number of routable addresses in the mapped pool, and routable addresses may not be available in large quantities.
The advantage of dynamic NAT is that some protocols cannot use PAT. PAT does not work with the following:
IP protocols that do not have a port to overload, such as GRE version 0.
Some multimedia applications that have a data stream on one port, the control path on another port, and are not open standard.
See Default Inspections and NAT Limitations, page 6-6 for more information about NAT and PAT support.
Configure Dynamic Network Object NAT
This section describes how to configure network object NAT for dynamic NAT.
Procedure
Step 1 Create a host or range network object (object network command), or a network object group (object-group network command), for the mapped addresses.
The object or group cannot contain a subnet; the object must define a range; the group can include hosts and ranges.
If a mapped network object contains both ranges and host IP addresses, then the ranges are used for dynamic NAT, and then the host IP addresses are used as a PAT fallback.
Step 2 Create or edit the network object for which you want to configure NAT.
object network obj_name
Example
hostname(config)# object network my-host-obj1
Step 3 (Skip when editing an object that has the right address.) Define the real IPv4 or IPv6 addresses that you want to translate.
host {IPv4_address | IPv6_address}—The IPv4 or IPv6 address of a single host. For example, 10.1.1.1 or 2001:DB8::0DB8:800:200C:417A.
subnet {IPv4_address IPv4_mask | IPv6_address/IPv6_prefix}—The address of a network. For IPv4 subnets, include the mask after a space, for example, 10.0.0.0 255.0.0.0. For IPv6, include the address and prefix as a single unit (no spaces), such as 2001:DB8:0:CD30::/60.
range start_address end_address—A range of addresses. You can specify IPv4 or IPv6 ranges. Do not include masks or prefixes.
Example
hostname(config-network-object)# host 10.2.2.2
Step 4 Configure dynamic NAT for the object IP addresses. You can only define a single NAT rule for a given
object.
nat [(real_ifc,mapped_ifc)] dynamic mapped_obj [interface [ipv6]] [dns]
Example
hostname(config-network-object)# nat (inside,outside) dynamic MAPPED_IPS interface
Where:
Interfaces—(Required for transparent mode) Specify the real (real_ifc) and mapped (mapped_ifc) interfaces. Be sure to include the parentheses. In routed mode, if you do not specify the real and mapped interfaces, all interfaces are used. You can also specify the keyword any for one or both of the interfaces, for example (any,outside).
Mapped IP address—Specify the network object or network object group that includes the mapped IP addresses.
Interface PAT fallback—(Optional) The interface keyword enables interface PAT fallback. After the mapped IP addresses are used up, then the IP address of the mapped interface is used. If you specify ipv6, then the IPv6 address of the interface is used. For this option, you must configure a specific interface for the mapped_ifc. (You cannot specify interface in transparent mode.)
DNS—(Optional) The dns keyword translates DNS replies. Be sure DNS inspection is enabled (it is enabled by default). See DNS and NAT, page 5-21 for more information.
Examples
The following example configures dynamic NAT that hides the 192.168.2.0 network behind a range of outside addresses 10.2.2.1 through 10.2.2.10:
hostname(config)# object network my-range-obj
hostname(config-network-object)# range 10.2.2.1 10.2.2.10
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic my-range-obj
The following example configures dynamic NAT with dynamic PAT backup. Hosts on inside network 10.76.11.0 are mapped first to the nat-range1 pool (10.10.10.10-10.10.10.20). After all addresses in the nat-range1 pool are allocated, dynamic PAT is performed using the pat-ip1 address (10.10.10.21). In the unlikely event that the PAT translations are also used up, dynamic PAT is performed using the outside interface address.
hostname(config)# object network nat-range1
hostname(config-network-object)# range 10.10.10.10 10.10.10.20
hostname(config)# object network pat-ip1
hostname(config-network-object)# host 10.10.10.21
hostname(config)# object-group network nat-pat-grp
hostname(config-network-object-group)# network-object object nat-range1
hostname(config-network-object-group)# network-object object pat-ip1
hostname(config)# object network my_net_obj5
hostname(config-network-object)# subnet 10.76.11.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic nat-pat-grp interface
The following example configures dynamic NAT with dynamic PAT backup to translate IPv6 hosts to IPv4. Hosts on inside network 2001:DB8::/96 are mapped first to the IPv4_NAT_RANGE pool (209.165.201.1 to 209.165.201.30). After all addresses in the IPv4_NAT_RANGE pool are allocated, dynamic PAT is performed using the IPv4_PAT address (209.165.201.31). In the event that the PAT translations are also used up, dynamic PAT is performed using the outside interface address.
hostname(config)# object network IPv4_NAT_RANGE
hostname(config-network-object)# range 209.165.201.1 209.165.201.30
hostname(config)# object network IPv4_PAT
hostname(config-network-object)# host 209.165.201.31
hostname(config)# object-group network IPv4_GROUP
hostname(config-network-object-group)# network-object object IPv4_NAT_RANGE
hostname(config-network-object-group)# network-object object IPv4_PAT
hostname(config)# object network my_net_obj5
hostname(config-network-object)# subnet 2001:DB8::/96
hostname(config-network-object)# nat (inside,outside) dynamic IPv4_GROUP interface
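The following Python model is an added illustration for this procedure; it is not Cisco code, is not part of this guide, and never talks to an ASA. It replays the allocation order of the nat-range1 / pat-ip1 / interface example above: range entries in the mapped group are handed out one-to-one for dynamic NAT, host entries become PAT addresses once the ranges are exhausted, and the mapped interface address is the last PAT fallback. It also shows why a remote host cannot reach a mapped address that has no entry in the translation table (Figure 4-3). The outside interface address 203.0.113.1, the constructed inside hosts 10.76.11.1 through 10.76.11.15, and the deliberately small PAT capacity used to reach the interface fallback quickly are assumptions of the example.

```python
"""Model of ASA dynamic NAT with dynamic PAT fallback.
Added example, not Cisco code; it never talks to an ASA. It models the
allocation order for a rule such as
  nat (inside,outside) dynamic nat-pat-grp interface
range entries of the mapped group are handed out one-to-one (dynamic NAT),
host entries are used for PAT once the ranges are exhausted, and the mapped
interface address is the final PAT fallback. Inbound packets to a mapped
address with no xlate entry are dropped, as in Figure 4-3."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Assumption of the model: one PAT address yields the 1024-65535 port range.
PAT_SESSIONS_PER_ADDRESS = 65535 - 1024 + 1


class DynamicNat:
    def __init__(self, mapped_group: List[Tuple[str, ...]],
                 interface_ip: Optional[str] = None,
                 pat_capacity: int = PAT_SESSIONS_PER_ADDRESS) -> None:
        self.free_nat: List[str] = []    # one-to-one addresses not yet in use
        self.pat_addrs: List[str] = []   # PAT fallback addresses, tried in order
        for entry in mapped_group:
            if entry[0] == "range":
                first, last = (int(ipaddress.ip_address(a)) for a in entry[1:3])
                self.free_nat += [str(ipaddress.ip_address(i))
                                  for i in range(first, last + 1)]
            elif entry[0] == "host":
                self.pat_addrs.append(entry[1])
            else:   # guideline: a mapped object for dynamic NAT cannot contain a subnet
                raise ValueError(f"mapped object cannot contain a {entry[0]!r} entry")
        if interface_ip:   # the interface keyword: interface PAT as final fallback
            self.pat_addrs.append(interface_ip)
        self.pat_capacity = pat_capacity
        self.pat_sessions: Dict[str, int] = dict.fromkeys(self.pat_addrs, 0)
        self.xlates: Dict[str, Tuple[str, str]] = {}   # real -> (mapped, "nat"|"pat")

    def outbound(self, real_ip: str) -> str:
        """A real host initiates a connection; returns the mapped address it gets."""
        if real_ip in self.xlates:
            mapped, kind = self.xlates[real_ip]
            if kind == "pat":                     # each PAT connection costs a port
                self.pat_sessions[mapped] += 1
            return mapped
        if self.free_nat:                         # 1. dynamic NAT from the ranges
            mapped, kind = self.free_nat.pop(0), "nat"
        else:                                     # 2. host PAT, then 3. interface PAT
            for mapped in self.pat_addrs:
                if self.pat_sessions[mapped] < self.pat_capacity:
                    self.pat_sessions[mapped] += 1
                    kind = "pat"
                    break
            else:
                raise RuntimeError("mapped pool and all PAT fallbacks are exhausted")
        self.xlates[real_ip] = (mapped, kind)
        return mapped

    def inbound(self, mapped_ip: str) -> Optional[str]:
        """A remote host sends to a mapped address. Only an existing dynamic NAT
        xlate lets the packet through (an access rule must still allow it); PAT
        entries are not matched here because the mapped port is unpredictable."""
        for real, (mapped, kind) in self.xlates.items():
            if mapped == mapped_ip and kind == "nat":
                return real
        return None   # not in the translation table: the ASA drops the packet

    def timeout(self, real_ip: str) -> None:
        """The translation expires; a dynamic NAT address returns to the pool."""
        mapped, kind = self.xlates.pop(real_ip)
        if kind == "nat":
            self.free_nat.append(mapped)


def example_scenario(pat_capacity: int = 2) -> List[Tuple[str, str]]:
    """Replays the nat-range1 / pat-ip1 / interface example of this section with
    constructed inside hosts; pat_capacity is shrunk so the interface fallback
    is reached after two PAT sessions instead of tens of thousands."""
    rule = DynamicNat([("range", "10.10.10.10", "10.10.10.20"), ("host", "10.10.10.21")],
                      interface_ip="203.0.113.1",     # assumed outside interface address
                      pat_capacity=pat_capacity)
    result = [(h, rule.outbound(h)) for h in (f"10.76.11.{i}" for i in range(1, 15))]
    assert rule.inbound("10.10.10.10") == "10.76.11.1"   # xlate exists: forwarded
    assert rule.inbound("10.10.10.99") is None           # no xlate: dropped
    rule.timeout("10.76.11.1")                           # .10 goes back to the pool
    result.append(("10.76.11.15", rule.outbound("10.76.11.15")))
    return result


if __name__ == "__main__":
    for real, mapped in example_scenario():
        print(f"{real:14} -> {mapped}")
```

Running the script prints the mapping each inside host receives: the first eleven hosts take 10.10.10.10 through 10.10.10.20 one-to-one, the next two share 10.10.10.21 through PAT, the fourteenth falls back to the interface address, and the fifteenth gets 10.10.10.10 back only because the first host's translation timed out.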
Configure Dynamic Twice NAT
This section describes how to configure twice NAT for dynamic NAT.
Procedure
Step 1 Create host or range network objects (object network command), or network object groups (object-group network command), for the source real addresses, the source mapped addresses, the destination real addresses, and the destination mapped addresses.
If you want to translate all source traffic, you can skip adding an object for the source real addresses, and instead specify the any keyword in the nat command.
If you want to configure destination static interface NAT with port translation only, you can skip adding an object for the destination mapped addresses, and instead specify the interface keyword in the nat command.
If you do create objects, consider the following guidelines:
You typically configure a larger group of real addresses to be mapped to a smaller group.
The object or group cannot contain a subnet; the object must define a range; the group can include hosts and ranges.
If a mapped network object contains both ranges and host IP addresses, then the ranges are used for dynamic NAT, and then the host IP addresses are used as a PAT fallback.
Step 2 (Optional.) Create service objects for the destination real ports and the destination mapped ports.
For dynamic NAT, you can only perform port translation on the destination. A service object can contain both a source and destination port, but only the destination port is used in this case. If you specify the source port, it will be ignored.
Step 3 Configure dynamic NAT.
nat [(real_ifc,mapped_ifc)] [line | {after-auto [line]}] source dynamic {real_obj | any} {mapped_obj [interface [ipv6]]} [destination static {mapped_obj | interface [ipv6]} real_obj] [service mapped_dest_svc_obj real_dest_svc_obj] [dns] [unidirectional] [inactive] [description desc]
Example
hostname(config)# nat (inside,outside) source dynamic MyInsNet NAT_POOL destination static Server1_mapped Server1 service MAPPED_SVC REAL_SVC
Where:
Interfaces—(Required for transparent mode) Specify the real (real_ifc) and mapped (mapped_ifc) interfaces. Be sure to include the parentheses. In routed mode, if you do not specify the real and mapped interfaces, all interfaces are used. You can also specify the keyword any for one or both of the interfaces, for example (any,outside).
Section and Line—(Optional.) By default, the NAT rule is added to the end of section 1 of the NAT table (see NAT Rule Order, page 4-5). If you want to add the rule into section 3 instead (after the network object NAT rules), then use the after-auto keyword. You can insert a rule anywhere in the applicable section using the line argument.
Source addresses:
Real—Specify a network object, group, or the any keyword.
Mapped—Specify a different network object or group. You can optionally configure the following fallback method:
Interface PAT fallback—(Routed mode only) The interface keyword enables interface PAT fallback. If you specify ipv6, then the IPv6 address of the interface is used. After the mapped IP addresses are used up, then the IP address of the mapped interface is used. For this option, you must configure a specific interface for the mapped_ifc.
Destination addresses (Optional):
Mapped—Specify a network object or group, or for static interface NAT with port translation only, specify the interface keyword. If you specify ipv6, then the IPv6 address of the interface is used. If you specify interface, be sure to also configure the service keyword. For this option, you must configure a specific interface for the real_ifc. See Static Interface NAT with Port Translation, page 4-29 for more information.
Real—Specify a network object or group. For identity NAT, simply use the same object or group for both the real and mapped addresses.
Destination port—(Optional.) Specify the service keyword along with the mapped and real service objects. For identity port translation, simply use the same service object for both the real and mapped ports.
DNS—(Optional; for a source-only rule.) The dns keyword translates DNS replies. Be sure DNS inspection is enabled (it is enabled by default). You cannot configure the dns keyword if you configure a destination address. See DNS and NAT, page 5-21 for more information.
Unidirectional—(Optional.) Specify unidirectional so the destination addresses cannot initiate traffic to the source addresses.
Inactive—(Optional.) To make this rule inactive without having to remove the command, use the inactive keyword. To reactivate it, reenter the whole command without the inactive keyword.
Description—(Optional.) Provide a description up to 200 characters using the description keyword.
Examples
The following example configures dynamic NAT for inside network 10.1.1.0/24 when accessing servers on the 209.165.201.0/27 network as well as servers on the 203.0.113.0/24 network. Each destination network gets its own mapped pool; the end of a range must not be lower than its start, so the second pool ends at 209.165.202.158:
hostname(config)# object network INSIDE_NW
hostname(config-network-object)# subnet 10.1.1.0 255.255.255.0
hostname(config)# object network MAPPED_1
hostname(config-network-object)# range 209.165.200.225 209.165.200.254
hostname(config)# object network MAPPED_2
hostname(config-network-object)# range 209.165.202.129 209.165.202.158
hostname(config)# object network SERVERS_1
hostname(config-network-object)# subnet 209.165.201.0 255.255.255.224
hostname(config)# object network SERVERS_2
hostname(config-network-object)# subnet 203.0.113.0 255.255.255.0
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW MAPPED_1 destination static SERVERS_1 SERVERS_1
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW MAPPED_2 destination static SERVERS_2 SERVERS_2
The following example configures dynamic NAT for an IPv6 inside network 2001:DB8:AAAA::/96 when accessing servers on the IPv4 209.165.201.0/27 network as well as servers on the 203.0.113.0/24 network:
hostname(config)# object network INSIDE_NW
hostname(config-network-object)# subnet 2001:DB8:AAAA::/96
hostname(config)# object network MAPPED_1
hostname(config-network-object)# range 209.165.200.225 209.165.200.254
hostname(config)# object network MAPPED_2
hostname(config-network-object)# range 209.165.202.129 209.165.202.158
hostname(config)# object network SERVERS_1
hostname(config-network-object)# subnet 209.165.201.0 255.255.255.224
hostname(config)# object network SERVERS_2
hostname(config-network-object)# subnet 203.0.113.0 255.255.255.0
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW MAPPED_1 destination static SERVERS_1 SERVERS_1
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW MAPPED_2 destination static SERVERS_2 SERVERS_2
Dynamic PAT
The following topics describe dynamic PAT.
About Dynamic PAT, page 4-18
Configure Dynamic Network Object PAT, page 4-20
Configure Dynamic Twice PAT, page 4-22
Configure Per-Session PAT or Multi-Session PAT, page 4-25
About Dynamic PAT
Dynamic PAT translates multiple real addresses to a single mapped IP address by translating the real address and source port to the mapped address and a unique port. If available, the real source port number is used for the mapped port. However, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 1 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only a small PAT pool that can be used. If you have a lot of traffic that uses the lower port ranges, you can specify a flat range of ports to be used instead of the three unequal-sized tiers.
Each connection requires a separate translation session because the source port differs for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.
[Figure 4-4 illustration: inside 10.1.1.1:1025, 10.1.1.1:1026 and 10.1.1.2:1025 are translated by the security appliance to outside 209.165.201.1:2020, 209.165.201.1:2021 and 209.165.201.1:2022]
The following figure shows a typical dynamic PAT scenario. Only real hosts can create a NAT session, and responding traffic is allowed back. The mapped address is the same for each translation, but the port is dynamically assigned.
Figure 4-4 Dynamic PAT
After the connection expires, the port translation also expires. For multi-session PAT, the PAT timeout is used, 30 seconds by default. For per-session PAT, the xlate is immediately removed. Users on the destination network cannot reliably initiate a connection to a host that uses PAT (even if the connection is allowed by an access rule).
Note For the duration of the translation, a remote host can initiate a connection to the translated host if an access rule allows it. Because the port address (both real and mapped) is unpredictable, a connection to the host is unlikely. Nevertheless, in this case you can rely on the security of the access rule.
Dynamic PAT Disadvantages and Advantages
Dynamic PAT lets you use a single mapped address, thus conserving routable addresses. You can even use the ASA interface IP address as the PAT address.
Dynamic PAT does not work with some multimedia applications that have a data stream that is different from the control path. See Default Inspections and NAT Limitations, page 6-6 for more information about NAT and PAT support.
Dynamic PAT might also create a large number of connections appearing to come from a single IP address, and servers might interpret the traffic as a DoS attack. You can configure a PAT pool of addresses and use a round-robin assignment of PAT addresses to mitigate this situation.
PAT Pool Object Guidelines
When creating network objects for a PAT pool, follow these guidelines.
For a PAT pool:
If available, the real source port number is used for the mapped port. However, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 1 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only a small PAT pool that can be used. (8.4(3) and later, not including 8.5(1) or 8.6(1)) If you have a lot of traffic that uses the lower port ranges, you can specify a flat range of ports to be used instead of the three unequal-sized tiers: either 1024 to 65535, or 1 to 65535.
If you use the same PAT pool object in two separate rules, then be sure to specify the same options for each rule. For example, if one rule specifies extended PAT and a flat range, then the other rule must also specify extended PAT and a flat range.
For extended PAT for a PAT pool:
Many application inspections do not support extended PAT. See Default Inspections and NAT Limitations, page 6-6 for a complete list of unsupported inspections.
If you enable extended PAT for a dynamic PAT rule, then you cannot also use an address in the PAT pool as the PAT address in a separate static NAT with port translation rule. For example, if the PAT pool includes 10.1.1.1, then you cannot create a static NAT-with-port-translation rule using 10.1.1.1 as the PAT address.
If you use a PAT pool and specify an interface for fallback, you cannot specify extended PAT.
For VoIP deployments that use ICE or TURN, do not use extended PAT. ICE and TURN rely on the PAT binding to be the same for all destinations.
For round robin for a PAT pool:
If a host has an existing connection, then subsequent connections from that host will use the same PAT IP address if ports are available. Note: This “stickiness” does not survive a failover. If the ASA fails over, then subsequent connections from a host may not use the initial IP address.
Round robin, especially when combined with extended PAT, can consume a large amount of memory. Because NAT pools are created for every mapped protocol/IP address/port range, round robin results in a large number of concurrent NAT pools, which use memory. Extended PAT results in an even larger number of concurrent NAT pools.
Configure Dynamic Network Object PAT
This section describes how to configure network object NAT for dynamic PAT.
Procedure
Step 1 (Optional.) Create a host or range network object (object network command), or a network object group (object-group network command), for the mapped addresses.
Instead of using an object, you can optionally configure an inline host address or specify the interface address.
If you use an object, the object or group cannot contain a subnet; the object must define a host, or for a PAT pool, a range; the group (for a PAT pool) can include hosts and ranges.
Step 2 Create or edit the network object for which you want to configure NAT.
object network obj_name
Example
hostname(config)# object network my-host-obj1
Step 3 (Skip when editing an object that has the right address.) Define the real IPv4 or IPv6 addresses that you want to translate.
host {IPv4_address | IPv6_address}—The IPv4 or IPv6 address of a single host. For example, 10.1.1.1 or 2001:DB8::0DB8:800:200C:417A.
subnet {IPv4_address IPv4_mask | IPv6_address/IPv6_prefix}—The address of a network. For IPv4 subnets, include the mask after a space, for example, 10.0.0.0 255.0.0.0. For IPv6, include the address and prefix as a single unit (no spaces), such as 2001:DB8:0:CD30::/60.
range start_address end_address—A range of addresses. You can specify IPv4 or IPv6 ranges. Do not include masks or prefixes.
Example
hostname(config-network-object)# range 10.1.1.1 10.1.1.90
Step 4 Configure dynamic PAT for the object IP addresses. You can only define a single NAT rule for a given object.
nat [(real_ifc,mapped_ifc)] dynamic {mapped_inline_host_ip | mapped_obj | pat-pool mapped_obj [round-robin] [extended] [flat [include-reserve]] | interface [ipv6]} [interface [ipv6]] [dns]
Example
hostname(config-network-object)# nat (any,outside) dynamic interface
Where:
Interfaces—(Required for transparent mode) Specify the real (real_ifc) and mapped (mapped_ifc) interfaces. Be sure to include the parentheses. In routed mode, if you do not specify the real and mapped interfaces, all interfaces are used. You can also specify the keyword any for one or both of the interfaces, for example (any,outside).
Mapped IP address—You can specify the mapped IP address as:
mapped_inline_host_ip—An inline host address.
mapped_obj—An existing network object that is defined as a host address.
pat-pool—An existing network object or group that contains multiple addresses.
interface—(Routed mode only.) The IP address of the mapped interface is used as the mapped address. If you specify ipv6, then the IPv6 address of the interface is used. For this option, you must configure a specific interface for the mapped_ifc. You must use this keyword when you want to use the interface IP address; you cannot enter it inline or as an object.
For a PAT pool, you can specify one or more of the following options:
Round robin—The round-robin keyword enables round-robin address allocation for a PAT pool. Without round robin, by default all ports for a PAT address will be allocated before the next PAT address is used. The round-robin method assigns an address/port from each PAT address in the pool before returning to use the first address again, and then the second address, and so on.
Extended PAT—The extended keyword enables extended PAT. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information. Normally, the destination port and address are not considered when creating PAT translations, so you are limited to 65535 ports per PAT address. For example, with extended PAT, you can create a translation of 10.1.1.1:1027 when going to 192.168.1.7:23 as well as a translation of 10.1.1.1:1027 when going to 192.168.1.7:80.
Flat range—The flat keyword enables use of the entire 1024 to 65535 port range when allocating ports. When choosing the mapped port number for a translation, the ASA uses the real source port number if it is available. However, without this option, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 1 to 511, 512 to 1023, and 1024 to 65535. To avoid running out of ports at the low ranges, configure this setting. To use the entire range of 1 to 65535, also specify the include-reserve keyword.
Interface PAT fallback—(Optional.) The interface keyword enables interface PAT fallback when entered after a primary PAT address. After the primary PAT addresses are used up, then the IP address of the mapped interface is used. If you specify ipv6, then the IPv6 address of the interface is used. For this option, you must configure a specific interface for the mapped_ifc. (You cannot specify interface in transparent mode.)
DNS—(Optional.) The dns keyword translates DNS replies. Be sure DNS inspection is enabled (it is enabled by default). See DNS and NAT, page 5-21 for more information.
Examples
The following example configures dynamic PAT that hides the 192.168.2.0 network behind address 10.2.2.2:
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic 10.2.2.2
The following example configures dynamic PAT that hides the 192.168.2.0 network behind the outside interface address:
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic interface
The following example configures dynamic PAT with a PAT pool to translate the inside IPv6 network to an outside IPv4 network:
hostname(config)# object network IPv4_POOL
hostname(config-network-object)# range 203.0.113.1 203.0.113.254
hostname(config)# object network IPv6_INSIDE
hostname(config-network-object)# subnet 2001:DB8::/96
hostname(config-network-object)# nat (inside,outside) dynamic pat-pool IPv4_POOL
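The following Python model is an added illustration, not Cisco code and not part of this guide, of the mapped-port selection rules described in About Dynamic PAT and PAT Pool Object Guidelines and of the round-robin, extended, and flat options of the nat command above. It keeps the real source port when it is free, otherwise draws a port from the real port's tier or from the flat range, keys translations on the destination address and port when extended PAT is enabled, and spreads new hosts across the pool with per-host stickiness under round robin. The PAT addresses 209.165.200.225 and 209.165.200.226, the constructed inside hosts, and the choice of the lowest free port within a range (the guide does not say which port the ASA picks inside a range) are assumptions of the model.

```python
"""Model of ASA dynamic PAT mapped-port selection.
Added example, not Cisco code. Rules modelled: the real source port is kept
when free; otherwise a port comes from the real port's tier (1-511, 512-1023,
1024-65535) unless flat (1024-65535) or flat include-reserve (1-65535) is
set; extended keys the translation on the destination as well; round-robin
spreads hosts across the pool, and a host with a session sticks to its PAT
address. Within a range the model takes the lowest free port (assumption)."""
from typing import Dict, List, Optional, Set, Tuple

TIERS = [(1, 511), (512, 1023), (1024, 65535)]


class PatPool:
    def __init__(self, addresses: List[str], round_robin: bool = False,
                 extended: bool = False, flat: bool = False,
                 include_reserve: bool = False) -> None:
        self.addresses = addresses
        self.round_robin, self.extended = round_robin, extended
        self.flat, self.include_reserve = flat, include_reserve
        self.next_addr = 0                      # round-robin cursor
        self.sticky: Dict[str, int] = {}        # real host -> index of its PAT address
        # xlate table: (real_ip, real_port, dest) -> (mapped_ip, mapped_port)
        self.xlates: Dict[tuple, Tuple[str, int]] = {}
        # mapped ports in use per PAT address (and per destination when extended)
        self.used: Dict[tuple, Set[int]] = {}

    def _port_range(self, real_port: int) -> Tuple[int, int]:
        if self.flat:
            return (1 if self.include_reserve else 1024), 65535
        for lo, hi in TIERS:
            if lo <= real_port <= hi:
                return lo, hi
        raise ValueError(f"real port {real_port} out of range")

    def _pick_port(self, mapped_ip: str, real_port: int, dest) -> Optional[int]:
        used = self.used.setdefault((mapped_ip, dest), set())
        if real_port not in used:               # keep the real source port if free
            used.add(real_port)
            return real_port
        lo, hi = self._port_range(real_port)
        for port in range(lo, hi + 1):          # lowest free port in the allowed range
            if port not in used:
                used.add(port)
                return port
        return None                             # this address has no port left here

    def translate(self, real_ip: str, real_port: int,
                  dest_ip: str, dest_port: int) -> Tuple[str, int]:
        """Returns (mapped_ip, mapped_port) for a new or existing connection."""
        dest = (dest_ip, dest_port) if self.extended else None
        key = (real_ip, real_port, dest)
        if key in self.xlates:                  # existing translation is reused
            return self.xlates[key]
        order = list(range(len(self.addresses)))
        if self.round_robin:
            if real_ip in self.sticky:          # same PAT address for a host with a session
                order.remove(self.sticky[real_ip])
                order.insert(0, self.sticky[real_ip])
            else:                               # otherwise advance around the pool
                order = order[self.next_addr:] + order[:self.next_addr]
                self.next_addr = (self.next_addr + 1) % len(self.addresses)
        for idx in order:                       # without round robin: exhaust one address first
            port = self._pick_port(self.addresses[idx], real_port, dest)
            if port is not None:
                self.sticky[real_ip] = idx
                self.xlates[key] = (self.addresses[idx], port)
                return self.xlates[key]
        raise RuntimeError("PAT pool exhausted for this port range")


def capacity(pool: PatPool, real_port: int, limit: int = 70000) -> int:
    """Counts distinct real hosts, all using the same real source port, that can
    be translated before the pool has no mapped port left for that port's range."""
    count = 0
    while count < limit:
        host = f"10.0.{count // 256}.{count % 256}"     # constructed inside hosts
        try:
            pool.translate(host, real_port, "198.51.100.10", 443)
        except RuntimeError:
            break
        count += 1
    return count


if __name__ == "__main__":
    print("tiered, real port 80:", capacity(PatPool(["209.165.200.225"]), 80))
    ext = PatPool(["209.165.200.225"], extended=True)
    print(ext.translate("10.1.1.1", 1027, "192.168.1.7", 23),
          ext.translate("10.1.1.2", 1027, "192.168.1.7", 80))
```

capacity() makes the tier problem concrete: with one PAT address, only 511 hosts can all use real port 80 before the 1 to 511 tier is exhausted, while the flat range gives the same traffic the 1024 to 65535 range. The extended run shows two hosts keeping real port 1027 on the same PAT address because the destinations differ, which is exactly the per-destination binding that ICE and TURN cannot tolerate.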
Configure Dynamic Twice PAT
This section describes how to configure twice NAT for dynamic PAT.
Procedure
Step 1 Create host or range network objects (object network command), or network object groups (object-group network command), for the source real addresses, the source mapped addresses, the destination real addresses, and the destination mapped addresses.
If you want to translate all source traffic, you can skip adding an object for the source real addresses, and instead specify the any keyword in the nat command.
If you want to use the interface address as the mapped address, you can skip adding an object for the source mapped addresses, and instead specify the interface keyword in the nat command.
If you want to configure destination static interface NAT with port translation only, you can skip adding an object for the destination mapped addresses, and instead specify the interface keyword in the nat command.
If you use an object, the object or group cannot contain a subnet. The object must define a host, or for a PAT pool, a range. The group (for a PAT pool) can include hosts and ranges.
Step 2 (Optional.) Create service objects for the destination real ports and the destination mapped ports.
For dynamic NAT, you can only perform port translation on the destination. A service object can contain both a source and destination port, but only the destination port is used in this case. If you specify the source port, it will be ignored.
Step 3 Configure dynamic PAT.
nat [(real_ifc,mapped_ifc)] [line | {after-auto [line]}] source dynamic {real_obj | any} {mapped_obj [interface [ipv6]] | pat-pool mapped_obj [round-robin] [extended] [flat [include-reserve]] [interface [ipv6]] | interface [ipv6]} [destination static {mapped_obj | interface [ipv6]} real_obj] [service mapped_dest_svc_obj real_dest_svc_obj] [dns] [unidirectional] [inactive] [description desc]
Example
hostname(config)# nat (inside,outside) source dynamic MyInsNet interface destination static Server1 Server1 description Interface PAT for inside addresses when going to server 1
Where:
Interfaces—(Required for transparent mode) Specify the real (real_ifc) and mapped (mapped_ifc) interfaces. Be sure to include the parentheses. In routed mode, if you do not specify the real and mapped interfaces, all interfaces are used. You can also specify the keyword any for one or both of the interfaces, for example (any,outside).
Section and Line—(Optional.) By default, the NAT rule is added to the end of section 1 of the NAT table (see NAT Rule Order, page 4-5). If you want to add the rule into section 3 instead (after the network object NAT rules), then use the after-auto keyword. You can insert a rule anywhere in the applicable section using the line argument.
Source addresses:
Real—Specify a network object, group, or the any keyword. Use the any keyword if you want to translate all traffic from the real interface to the mapped interface.
Mapped—Configure one of the following:
- Network object—Specify a network object that contains a host address.
- pat-pool—Specify the pat-pool keyword and a network object or group that contains multiple addresses.
- interface—(Routed mode only.) Specify the interface keyword alone to only use interface PAT. If you specify ipv6, then the IPv6 address of the interface is used. When specified with a PAT pool or network object, the interface keyword enables interface PAT fallback. After the PAT IP addresses are used up, then the IP address of the mapped interface is used. For this option, you must configure a specific interface for the mapped_ifc.
For a PAT pool, you can specify one or more of the following options:
-- Round robin—The round-robin keyword enables round-robin address allocation for a PAT pool. Without round robin, by default all ports for a PAT address will be allocated before the next PAT address is used. The round-robin method assigns an address/port from each PAT address in the pool before returning to use the first address again, and then the second address, and so on.
-- Extended PAT—The extended keyword enables extended PAT. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information. Normally, the destination port and address are not considered when creating PAT translations, so you are limited to 65535 ports per PAT address. For example, with extended PAT, you can create a translation of 10.1.1.1:1027 when going to 192.168.1.7:23 as well as a translation of 10.1.1.1:1027 when going to 192.168.1.7:80.
-- Flat range—The flat keyword enables use of the entire 1024 to 65535 port range when allocating ports. When choosing the mapped port number for a translation, the ASA uses the real source port number if it is available. However, without this option, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 1 to 511, 512 to 1023, and 1024 to 65535. To avoid running out of ports at the low ranges, configure this setting. To use the entire range of 1 to 65535, also specify the include-reserve keyword.
Destination addresses (Optional):
Mapped—Specify a network object or group, or for static interface NAT with port translation only (routed mode), specify the interface keyword. If you specify ipv6, then the IPv6 address of the interface is used. If you specify interface, be sure to also configure the service keyword. For this option, you must configure a specific interface for the real_ifc. See Static Interface NAT with Port Translation, page 4-29 for more information.
Real—Specify a network object or group. For identity NAT, simply use the same object or group for both the real and mapped addresses.
Destination port—(Optional.) Specify the service keyword along with the mapped and real service objects. For identity port translation, simply use the same service object for both the real and mapped ports.
DNS—(Optional; for a source-only rule.) The dns keyword translates DNS replies. Be sure DNS inspection is enabled (it is enabled by default). You cannot configure the dns keyword if you configure a destination address. See DNS and NAT, page 5-21 for more information.
Unidirectional—(Optional.) Specify unidirectional so the destination addresses cannot initiate traffic to the source addresses.
Inactive—(Optional.) To make this rule inactive without having to remove the command, use the inactive keyword. To reactivate it, reenter the whole command without the inactive keyword.
Description—(Optional.) Provide a description up to 200 characters using the description keyword.
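The interaction of the PAT pool options (round-robin, extended, flat, include-reserve) is easier to see in a small model than in prose. The following Python block is an added example, not part of this guide or of the ASA software. It models only the allocation behavior described above: the real source port is kept when it is free, otherwise a port is drawn from the same range as the real port (1 to 511, 512 to 1023, 1024 to 65535) unless flat is set, one PAT address is filled before the next unless round-robin is set, and with extended the destination address and port become part of the uniqueness key. The pool addresses, destinations and the demo() helper are this example's own constructions.

```python
"""Model of ASA PAT-pool port selection: round-robin, extended and flat-range options."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Default behavior: the mapped port is drawn from the same range as the real port.
DEFAULT_RANGES = ((1, 511), (512, 1023), (1024, 65535))


def port_range(real_port: int, flat: bool, include_reserve: bool) -> Tuple[int, int]:
    """Range the mapped port may be drawn from when the real port itself is taken."""
    if flat:
        return (1, 65535) if include_reserve else (1024, 65535)
    for lo, hi in DEFAULT_RANGES:
        if lo <= real_port <= hi:
            return (lo, hi)
    raise ValueError(f"invalid port {real_port}")


@dataclass
class PatPool:
    addresses: List[str]
    round_robin: bool = False
    extended: bool = False
    flat: bool = False
    include_reserve: bool = False
    # Ports in use, keyed per PAT address (or per PAT address + destination with 'extended').
    used: Dict[tuple, Set[int]] = field(default_factory=dict)
    next_index: int = 0

    def _key(self, mapped_ip: str, dest: Tuple[str, int]) -> tuple:
        return (mapped_ip, dest) if self.extended else (mapped_ip,)

    def _pick_port(self, mapped_ip: str, real_port: int, dest: Tuple[str, int]) -> Optional[int]:
        taken = self.used.setdefault(self._key(mapped_ip, dest), set())
        if real_port not in taken:            # the real source port is used when it is free
            taken.add(real_port)
            return real_port
        lo, hi = port_range(real_port, self.flat, self.include_reserve)
        for port in range(lo, hi + 1):
            if port not in taken:
                taken.add(port)
                return port
        return None                           # this PAT address is exhausted for that range

    def allocate(self, real_port: int, dest: Tuple[str, int]) -> Optional[Tuple[str, int]]:
        """Return (mapped_ip, mapped_port) for a new connection, or None if the pool is exhausted."""
        n = len(self.addresses)
        if self.round_robin:
            order = [(self.next_index + i) % n for i in range(n)]
        else:
            order = list(range(n))            # fill one address completely before moving on
        for idx in order:
            port = self._pick_port(self.addresses[idx], real_port, dest)
            if port is not None:
                if self.round_robin:
                    self.next_index = (idx + 1) % n
                return (self.addresses[idx], port)
        return None


def demo() -> dict:
    """Constructed flows illustrating each option; returns the allocations for inspection."""
    telnet, http = ("192.168.1.7", 23), ("192.168.1.7", 80)
    plain = PatPool(["209.165.200.225", "209.165.200.226"])
    ext = PatPool(["209.165.200.225"], extended=True)
    rr = PatPool(["209.165.200.225", "209.165.200.226"], round_robin=True)
    flat = PatPool(["209.165.200.225"], flat=True)
    low = PatPool(["209.165.200.225", "209.165.200.226"])
    fills = [low.allocate(5, http) for _ in range(512)]   # 511 ports in 1-511, then spill over
    return {
        "plain": [plain.allocate(1027, telnet), plain.allocate(1027, http)],
        "extended": [ext.allocate(1027, telnet), ext.allocate(1027, http)],
        "round_robin": [rr.allocate(40000 + i, http) for i in range(3)],
        "flat": [flat.allocate(100, http), flat.allocate(100, http)],
        "spill_over": (fills[510], fills[511]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

In the "plain" case the second connection with real port 1027 gets a different mapped port; with extended it keeps 1027 because the destination differs. The "spill_over" case shows why the flat keyword matters: without it, a source port in the 1 to 511 range can only be remapped to 511 ports per PAT address before the next address is used.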
Examples
The following example configures interface PAT for inside network 192.168.1.0/24 when accessing outside Telnet server 209.165.201.23, and Dynamic PAT using a PAT pool when accessing any server on the 203.0.113.0/24 network.
hostname(config)# object network INSIDE_NW
hostname(config-network-object)# subnet 192.168.1.0 255.255.255.0
hostname(config)# object network PAT_POOL
hostname(config-network-object)# range 209.165.200.225 209.165.200.254
hostname(config)# object network TELNET_SVR
hostname(config-network-object)# host 209.165.201.23
hostname(config)# object service TELNET
hostname(config-service-object)# service tcp destination eq 23
hostname(config)# object network SERVERS
hostname(config-network-object)# subnet 203.0.113.0 255.255.255.0
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW interface destination static TELNET_SVR TELNET_SVR service TELNET TELNET
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW pat-pool PAT_POOL destination static SERVERS SERVERS
The following example configures interface PAT for inside network 192.168.1.0/24 when accessing outside IPv6 Telnet server 2001:DB8::23, and Dynamic PAT using a PAT pool when accessing any server on the 2001:DB8:AAAA::/96 network.
hostname(config)# object network INSIDE_NW
hostname(config-network-object)# subnet 192.168.1.0 255.255.255.0
hostname(config)# object network PAT_POOL
hostname(config-network-object)# range 2001:DB8:AAAA::1 2001:DB8:AAAA::200
hostname(config)# object network TELNET_SVR
hostname(config-network-object)# host 2001:DB8::23
hostname(config)# object service TELNET
hostname(config-service-object)# service tcp destination eq 23
hostname(config)# object network SERVERS
hostname(config-network-object)# subnet 2001:DB8:AAAA::/96
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW interface ipv6 destination static TELNET_SVR TELNET_SVR service TELNET TELNET
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW pat-pool PAT_POOL destination static SERVERS SERVERS
Configure Per-Session PAT or Multi-Session PAT
By default, all TCP PAT traffic and all UDP DNS traffic uses per-session PAT. To use multi-session PAT for traffic, you can configure per-session PAT rules: a permit rule uses per-session PAT, and a deny rule uses multi-session PAT.
Per-session PAT improves the scalability of PAT and, for clustering, allows each member unit to own PAT connections; multi-session PAT connections have to be forwarded to and owned by the master unit. At the end of a per-session PAT session, the ASA sends a reset and immediately removes the xlate. This reset causes the end node to immediately release the connection, avoiding the TIME_WAIT state. Multi-session PAT, on the other hand, uses the PAT timeout, by default 30 seconds.
For “hit-and-run” traffic, such as HTTP or HTTPS, per-session PAT can dramatically increase the connection rate supported by one address. Without per-session PAT, the maximum connection rate for one address for an IP protocol is approximately 2000 per second. With per-session PAT, the connection rate for one address for an IP protocol is 65535/average-lifetime.
For traffic that can benefit from multi-session PAT, such as H.323, SIP, or Skinny, you can disable per-session PAT by creating a per-session deny rule. These rules are available starting with version 9.0(1).
Before You Begin
By default, the following rules are installed:
xlate per-session permit tcp any4 any4
xlate per-session permit tcp any4 any6
xlate per-session permit tcp any6 any4
xlate per-session permit tcp any6 any6
xlate per-session permit udp any4 any4 eq domain
xlate per-session permit udp any4 any6 eq domain
xlate per-session permit udp any6 any4 eq domain
xlate per-session permit udp any6 any6 eq domain
You cannot remove these rules, and they always exist after any manually-created rules. Because rules are evaluated in order, you can override the default rules. For example, to completely negate these rules, you could add the following:
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
Procedure
Step 1 Create a permit or deny per-session PAT rule. This rule is placed above the default rules, but below any other manually-created rules. Be sure to create your rules in the order you want them applied.
xlate per-session {permit | deny} {tcp | udp} source_ip [operator src_port] destination_ip [operator dest_port]
Example
hostname(config)# xlate per-session deny tcp any4 209.165.201.3 eq 1720
For the source and destination IP addresses, you can configure the following:
host ip_address—Specifies an IPv4 or IPv6 host address.
ip_address mask—Specifies an IPv4 network address and subnet mask.
ipv6-address/prefix-length—Specifies an IPv6 network address and prefix.
any4 and any6—any4 specifies only IPv4 traffic, and any6 specifies only IPv6 traffic.
The operator matches the port numbers used by the source or destination. The default is all ports. The permitted operators are:
lt—less than
gt—greater than
eq—equal to
neq—not equal to
range—an inclusive range of values. When you use this operator, specify two port numbers, for example, range 100 200.
Examples
The following example creates a deny rule for H.323 traffic, so that it uses multi-session PAT:
hostname(config)# xlate per-session deny tcp any4 209.165.201.7 eq 1720
hostname(config)# xlate per-session deny udp any4 209.165.201.7 range 1718 1719
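The following Python block is an added example, not part of this guide or of the ASA software. It models how the per-session rules described in this procedure are evaluated: manually created rules first, then the eight default rules, with the first match deciding per-session (permit) or multi-session (deny) PAT. It parses the xlate per-session syntax shown above, including the host, ip mask, ipv6/prefix, any4/any6 and port operator forms, and the H.323 deny rules from the example. The PORT_NAMES table and the sample client and server addresses are this example's own constructions.

```python
"""Model of ASA per-session PAT rule evaluation (xlate per-session permit | deny)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

OPERATORS = {"lt", "gt", "eq", "neq", "range"}
PORT_NAMES = {"domain": 53, "ftp": 21, "http": 80, "telnet": 23}  # small constructed name table


@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" = per-session PAT, "deny" = multi-session PAT
    proto: str                  # "tcp" or "udp"
    src: str                    # "any4", "any6" or a network in CIDR text
    src_port: Optional[tuple]   # None = all ports, ("eq", 53), ("range", 1718, 1719), ...
    dst: str
    dst_port: Optional[tuple]


def _is_netmask(tok: str) -> bool:
    """True for a dotted-quad mask with contiguous ones (255.255.0.0); False for anything else."""
    try:
        inv = ~int(ipaddress.IPv4Address(tok)) & 0xFFFFFFFF
    except ValueError:
        return False
    return inv & (inv + 1) == 0


def _take_addr(toks: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec at toks[i]: any4 | any6 | host ip | ip mask | ipv6/prefix | ip."""
    t = toks[i]
    if t in ("any4", "any6"):
        return t, i + 1
    if t == "host":
        return str(ipaddress.ip_network(toks[i + 1])), i + 2
    if "/" in t or ":" in t:
        return str(ipaddress.ip_network(t, strict=False)), i + 1
    if i + 1 < len(toks) and _is_netmask(toks[i + 1]):
        return str(ipaddress.ip_network(f"{t}/{toks[i + 1]}", strict=False)), i + 2
    return str(ipaddress.ip_network(t)), i + 1   # bare IPv4 address, as in the page's example


def _port(tok: str) -> int:
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _take_port(toks: List[str], i: int) -> Tuple[Optional[tuple], int]:
    """Consume an optional 'operator port' (or 'range lo hi') at toks[i]."""
    if i < len(toks) and toks[i] in OPERATORS:
        if toks[i] == "range":
            return ("range", _port(toks[i + 1]), _port(toks[i + 2])), i + 3
        return (toks[i], _port(toks[i + 1])), i + 2
    return None, i


def parse_rule(line: str) -> Rule:
    toks = line.split()
    if toks[:2] != ["xlate", "per-session"]:
        raise ValueError(f"not a per-session rule: {line}")
    src, i = _take_addr(toks, 4)
    src_port, i = _take_port(toks, i)
    dst, i = _take_addr(toks, i)
    dst_port, i = _take_port(toks, i)
    return Rule(toks[2], toks[3], src, src_port, dst, dst_port)


# The eight rules the ASA installs by default; they are evaluated after any manually created rules.
DEFAULT_RULES = [parse_rule(f"xlate per-session permit {p} {s} {d}{port}")
                 for p, port in (("tcp", ""), ("udp", " eq domain"))
                 for s in ("any4", "any6") for d in ("any4", "any6")]


def _addr_match(spec: str, ip: str) -> bool:
    a = ipaddress.ip_address(ip)
    if spec in ("any4", "any6"):
        return a.version == int(spec[-1])
    return a in ipaddress.ip_network(spec)   # False when the address families differ


def _port_match(cond: Optional[tuple], port: int) -> bool:
    if cond is None:
        return True
    if cond[0] == "range":
        return cond[1] <= port <= cond[2]
    n = cond[1]
    return {"lt": port < n, "gt": port > n, "eq": port == n, "neq": port != n}[cond[0]]


def pat_mode(user_rules: List[Rule], proto: str, src_ip: str, src_port: int,
             dst_ip: str, dst_port: int) -> str:
    """First match wins, manually created rules before the defaults. Traffic no rule covers
    (for example non-DNS UDP) is not per-session, so it is reported as multi-session."""
    for r in list(user_rules) + DEFAULT_RULES:
        if (r.proto == proto and _addr_match(r.src, src_ip) and _port_match(r.src_port, src_port)
                and _addr_match(r.dst, dst_ip) and _port_match(r.dst_port, dst_port)):
            return "per-session" if r.action == "permit" else "multi-session"
    return "multi-session"


# The page's H.323 example: signalling to 209.165.201.7 is forced onto multi-session PAT.
H323_RULES = [parse_rule("xlate per-session deny tcp any4 209.165.201.7 eq 1720"),
              parse_rule("xlate per-session deny udp any4 209.165.201.7 range 1718 1719")]

if __name__ == "__main__":
    print(pat_mode(H323_RULES, "tcp", "10.1.1.5", 40000, "209.165.201.7", 1720))  # multi-session
    print(pat_mode(H323_RULES, "tcp", "10.1.1.5", 40000, "209.165.201.7", 443))   # per-session
```

Because the model keeps the ASA's evaluation order, it also shows the override described under Before You Begin: a manually created deny tcp any4 any4 rule placed ahead of the defaults switches all IPv4 TCP traffic to multi-session PAT.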

Static NAT

The following topics explain static NAT and how to implement it.
About Static NAT, page 4-27
Configure Static Network Object NAT or Static NAT-with-Port-Translation, page 4-32
Configure Static Twice NAT or Static NAT-with-Port-Translation, page 4-34
About Static NAT
Static NAT creates a fixed translation of a real address to a mapped address. Because the mapped address is the same for each consecutive connection, static NAT allows bidirectional connection initiation, both to and from the host (if an access rule exists that allows it). With dynamic NAT and PAT, on the other hand, each host uses a different address or port for each subsequent translation, so bidirectional initiation is not supported.
The following figure shows a typical static NAT scenario. The translation is always active so both real and remote hosts can initiate connections.
Figure 4-5 Static NAT (inside 10.1.1.1 translated to outside 209.165.201.1, and inside 10.1.1.2 to outside 209.165.201.2, through the security appliance)
Note You can disable bidirectionality if desired.
Static NAT with Port Translation
Static NAT with port translation lets you specify a real and mapped protocol (TCP or UDP) and port.
About Static NAT with Port Address Translation, page 4-27
Static NAT with Identity Port Translation, page 4-28
Static NAT with Port Translation for Non-Standard Ports, page 4-29
Static Interface NAT with Port Translation, page 4-29
About Static NAT with Port Address Translation
When you specify the port with static NAT, you can choose to map the port and/or the IP address to the same value or to a different value.
The following figure shows a typical static NAT with port translation scenario showing both a port that is mapped to itself and a port that is mapped to a different value; the IP address is mapped to a different value in both cases. The translation is always active so both translated and remote hosts can initiate connections.
Figure 4-6 Typical Static NAT with Port Translation Scenario (inside 10.1.1.1:23 translated to outside 209.165.201.1:23; inside 10.1.1.2:8080 translated to outside 209.165.201.2:80)
Note For applications that require application inspection for secondary channels (for example, FTP and VoIP),
the ASA automatically translates the secondary ports.
Static NAT with Identity Port Translation
The following static NAT with port translation example provides a single address for remote users to access FTP, HTTP, and SMTP. These servers are actually different devices on the real network, but for each server, you can specify static NAT with port translation rules that use the same mapped IP address, but different ports. For details on how to configure this example, see Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation), page 5-5.
Figure 4-7 Static NAT with Port Translation (an outside host connecting to 209.165.201.3:21, 209.165.201.3:80, or 209.165.201.3:25 is untranslated to the FTP server 10.1.2.27, the HTTP server 10.1.2.28, or the SMTP server 10.1.2.29, respectively)
Static NAT with Port Translation for Non-Standard Ports
You can also use static NAT with port translation to translate a well-known port to a non-standard port or vice versa. For example, if inside web servers use port 8080, you can allow outside users to connect to port 80, and then undo translation to the original port 8080. Similarly, to provide extra security, you can tell web users to connect to non-standard port 6785, and then undo translation to port 80.
Static Interface NAT with Port Translation
You can configure static NAT to map a real address to an interface address/port combination. For example, if you want to redirect Telnet access for the ASA outside interface to an inside host, then you can map the inside host IP address/port 23 to the ASA interface address/port 23. (Note that although Telnet to the ASA is not allowed to the lowest security interface, static NAT with interface port translation redirects the Telnet session instead of denying it).
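As an added illustration, not part of this guide or of the ASA software, the following Python block models static NAT-with-port-translation as a table of fixed, bidirectional mappings: outbound traffic from a real host has its source ip:port translated, and inbound traffic sent to a mapped ip:port is untranslated, as in Figure 4-6 and Figure 4-7. The rule entries are taken from those figures. Two details are this example's own design and are labelled as such in the code: a port-specific rule is consulted before an address-only rule for the same host, and has_conflict() flags two different servers claiming the same mapped ip:port.

```python
"""Model of ASA static NAT-with-port-translation: fixed, bidirectional ip:port mappings."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class StaticRule:
    real_ip: str
    mapped_ip: str
    proto: Optional[str] = None        # None: plain static NAT, every protocol and port
    real_port: Optional[int] = None
    mapped_port: Optional[int] = None


def has_conflict(rules: List[StaticRule]) -> bool:
    """Two rules for different real hosts must not claim the same mapped ip / proto / port
    (a consistency check added for this model)."""
    claimed: Dict[tuple, str] = {}
    for r in rules:
        key = (r.mapped_ip, r.proto, r.mapped_port)
        if claimed.setdefault(key, r.real_ip) != r.real_ip:
            return True
    return False


def translate_outbound(rules: List[StaticRule], proto: str, real_ip: str,
                       real_port: int) -> Optional[Endpoint]:
    """Real host initiates: rewrite its source ip:port. A port rule is consulted before an
    address-only rule for the same host (ordering chosen for this model)."""
    for r in rules:
        if (r.real_ip, r.proto, r.real_port) == (real_ip, proto, real_port):
            return (r.mapped_ip, r.mapped_port)
    for r in rules:
        if r.real_ip == real_ip and r.proto is None:
            return (r.mapped_ip, real_port)       # address translated, port kept
    return None                                   # no static rule: other NAT rules would apply


def untranslate_inbound(rules: List[StaticRule], proto: str, mapped_ip: str,
                        mapped_port: int) -> Optional[Endpoint]:
    """Remote host initiates toward the mapped address: undo translation of destination ip:port."""
    for r in rules:
        if (r.mapped_ip, r.proto, r.mapped_port) == (mapped_ip, proto, mapped_port):
            return (r.real_ip, r.real_port)
    for r in rules:
        if r.mapped_ip == mapped_ip and r.proto is None:
            return (r.real_ip, mapped_port)
    return None


# Rules taken from Figure 4-6 and Figure 4-7 of the guide.
RULES = [
    StaticRule("10.1.2.27", "209.165.201.3", "tcp", 21, 21),    # FTP, identity port translation
    StaticRule("10.1.2.28", "209.165.201.3", "tcp", 80, 80),    # HTTP, same mapped IP
    StaticRule("10.1.2.29", "209.165.201.3", "tcp", 25, 25),    # SMTP, same mapped IP
    StaticRule("10.1.1.2", "209.165.201.2", "tcp", 8080, 80),   # non-standard real port 8080
    StaticRule("10.1.1.1", "209.165.201.1"),                    # plain static NAT, all ports
]

if __name__ == "__main__":
    print(untranslate_inbound(RULES, "tcp", "209.165.201.3", 80))   # ('10.1.2.28', 80)
    print(translate_outbound(RULES, "tcp", "10.1.1.2", 8080))       # ('209.165.201.2', 80)
```

Three FTP/HTTP/SMTP servers share one mapped address without conflict because their mapped ports differ; adding a fourth server on 209.165.201.3:80 is what has_conflict() catches. A UDP connection to 209.165.201.3:80 is not matched, since the rules are TCP-specific.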
One-to-Many Static NAT
Typically, you configure static NAT with a one-to-one mapping. However, in some cases, you might want to configure a single real address to several mapped addresses (one-to-many). When you configure one-to-many static NAT, when the real host initiates traffic, it always uses the first mapped address. However, for traffic initiated to the host, you can initiate traffic to any of the mapped addresses, and they will be untranslated to the single real address.
The following figure shows a typical one-to-many static NAT scenario. Because initiation by the real host always uses the first mapped address, the translation of real host IP/1st mapped IP is technically the only bidirectional translation.
Figure 4-8 One-to-Many Static NAT (inside 10.1.2.27 mapped to outside 209.165.201.3, 209.165.201.4, and 209.165.201.5 through the security appliance)
For example, you have a load balancer at 10.1.2.27. Depending on the URL requested, it redirects traffic to the correct web server. For details on how to configure this example, see Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many), page 5-4.
Figure 4-9 One-to-Many Static NAT Example (outside hosts connecting to 209.165.201.3, 209.165.201.4, or 209.165.201.5 are untranslated to the load balancer at 10.1.2.27, which fronts the web servers)
Other Mapping Scenarios (Not Recommended)
The ASA has the flexibility to allow any kind of static mapping scenario: one-to-one, one-to-many, but also few-to-many, many-to-few, and many-to-one mappings. We recommend using only one-to-one or one-to-many mappings. These other mapping options might result in unintended consequences.
Functionally, few-to-many is the same as one-to-many; but because the configuration is more complicated and the actual mappings may not be obvious at a glance, we recommend creating a one-to-many configuration for each real address that requires it. For example, for a few-to-many scenario, the few real addresses are mapped to the many mapped addresses in order (A to 1, B to 2, C to 3). When all real addresses are mapped, the next mapped address is mapped to the first real address, and so on until all mapped addresses are mapped (A to 4, B to 5, C to 6). This results in multiple mapped addresses for each real address. Just like a one-to-many configuration, only the first mappings are bidirectional; subsequent mappings allow traffic to be initiated to the real host, but all traffic from the real host uses only the first mapped address for the source.
The following figure shows a typical few-to-many static NAT scenario.
Figure 4-10 Few-to-Many Static NAT (inside 10.1.2.27 and 10.1.2.28 mapped in order to outside 209.165.201.3 through 209.165.201.7: 10.1.2.27 to 209.165.201.3, 10.1.2.28 to 209.165.201.4, 10.1.2.27 to 209.165.201.5, 10.1.2.28 to 209.165.201.6, and 10.1.2.27 to 209.165.201.7)
For a many-to-few or many-to-one configuration, where you have more real addresses than mapped addresses, you run out of mapped addresses before you run out of real addresses. Only the mappings between the lowest real IP addresses and the mapped pool result in bidirectional initiation. The remaining higher real addresses can initiate traffic, but traffic cannot be initiated to them (returning traffic for a connection is directed to the correct real address because of the unique 5-tuple (source IP, destination IP, source port, destination port, protocol) for the connection).
Note Many-to-few or many-to-one NAT is not PAT. If two real hosts use the same source port number and go to the same outside server and the same TCP destination port, and both hosts are translated to the same IP address, then both connections will be reset because of an address conflict (the 5-tuple is not unique).
The following figure shows a typical many-to-few static NAT scenario.
Figure 4-11 Many-to-Few Static NAT (inside 10.1.2.27 through 10.1.2.31 mapped to outside 209.165.201.3 and 209.165.201.4: 10.1.2.27 to 209.165.201.3, 10.1.2.28 to 209.165.201.4, 10.1.2.29 to 209.165.201.3, 10.1.2.30 to 209.165.201.4, and 10.1.2.31 to 209.165.201.3)
Instead of using a static rule this way, we suggest that you create a one-to-one rule for the traffic that needs bidirectional initiation, and then create a dynamic rule for the rest of your addresses.
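The mapping order for one-to-many, few-to-many and many-to-few static NAT, which pairs are bidirectional, and the 5-tuple conflict described in the Note above can be checked with the following added Python model (not part of this guide or of the ASA software). static_mappings() pairs the sorted real and mapped addresses in the order the text describes and marks which pairs allow initiation from outside; five_tuple_collisions() applies the outbound translation to a set of flows and reports pairs that end up with the same 5-tuple. The inside and mapped addresses come from Figures 4-8, 4-10 and 4-11; the flows and the outside server address 198.51.100.10 are constructed for this example.

```python
"""Model of ASA static NAT mapping order: one-to-many, few-to-many and many-to-few."""
import ipaddress
from typing import List, Tuple

Mapping = Tuple[str, str, bool]          # (real_ip, mapped_ip, bidirectional)
Flow = Tuple[str, int, str, int, str]    # (real_src_ip, src_port, dst_ip, dst_port, proto)


def static_mappings(real: List[str], mapped: List[str]) -> List[Mapping]:
    """Pair real and mapped addresses in order (A to 1, B to 2, C to 3), wrapping around
    whichever side is shorter (A to 4, ...). A pair is bidirectional only when it is the first
    mapping for its real address and the first mapping using its mapped address."""
    real = sorted(real, key=ipaddress.ip_address)      # the lowest real addresses are paired first
    mapped = sorted(mapped, key=ipaddress.ip_address)
    rows, seen_real, seen_mapped = [], set(), set()
    for i in range(max(len(real), len(mapped))):
        r, m = real[i % len(real)], mapped[i % len(mapped)]
        rows.append((r, m, r not in seen_real and m not in seen_mapped))
        seen_real.add(r)
        seen_mapped.add(m)
    return rows


def outbound_mapped(rows: List[Mapping], real_ip: str) -> str:
    """Traffic the real host initiates always carries its first mapped address as the source."""
    return next(m for r, m, _ in rows if r == real_ip)


def inbound_real(rows: List[Mapping], mapped_ip: str) -> str:
    """Traffic sent to a mapped address is untranslated to the real host first paired with it."""
    return next(r for r, m, _ in rows if m == mapped_ip)


def reachable_from_outside(rows: List[Mapping], real_ip: str) -> bool:
    """A real host can be the target of outside-initiated traffic only via a bidirectional pair."""
    return any(b for r, _, b in rows if r == real_ip)


def five_tuple_collisions(rows: List[Mapping], flows: List[Flow]):
    """Translate each flow's source and report pairs of real hosts whose translated flows share
    an identical 5-tuple. Many-to-few static NAT is not PAT: the source port is not rewritten,
    so two real hosts sharing a mapped address collide (the guide says both are reset)."""
    owner, collisions = {}, []
    for real_ip, sport, dst_ip, dport, proto in flows:
        key = (outbound_mapped(rows, real_ip), sport, dst_ip, dport, proto)
        if key in owner and owner[key] != real_ip:
            collisions.append((owner[key], real_ip, key))
        owner.setdefault(key, real_ip)
    return collisions


def demo():
    """The three scenarios from Figures 4-8, 4-10 and 4-11."""
    one_to_many = static_mappings(["10.1.2.27"], ["209.165.201.3", "209.165.201.4", "209.165.201.5"])
    few_to_many = static_mappings(["10.1.2.27", "10.1.2.28"], [f"209.165.201.{n}" for n in range(3, 8)])
    many_to_few = static_mappings([f"10.1.2.{n}" for n in range(27, 32)], ["209.165.201.3", "209.165.201.4"])
    return one_to_many, few_to_many, many_to_few


if __name__ == "__main__":
    for rows in demo():
        for real_ip, mapped_ip, bidir in rows:
            print(f"{real_ip} -> {mapped_ip} {'bidirectional' if bidir else 'inbound/outbound only'}")
        print()
```

Running the many-to-few scenario shows the Note's failure mode concretely: 10.1.2.27 and 10.1.2.29 both translate to 209.165.201.3, so two connections from them with the same source port to the same server and port collide, whereas 10.1.2.28 (translated to 209.165.201.4) does not.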
Configure Static Network Object NAT or Static NAT-with-Port-Translation
This section describes how to configure a static NAT rule using network object NAT.
Procedure
Step 1 (Optional.) Create a network object (object network command), or a network object group (object-group network command), for the mapped addresses.
Instead of using an object, you can configure an inline address or specify the interface address (for static NAT-with-port-translation).
If you use an object, the object or group can contain a host, range, or subnet.
Step 2 Create or edit the network object for which you want to configure NAT.
object network obj_name
Example
hostname(config)# object network my-host-obj1
Step 3 (Skip when editing an object that has the right address.) Define the real IPv4 or IPv6 addresses that you want to translate.
host {IPv4_address | IPv6_address}—The IPv4 or IPv6 address of a single host. For example, 10.1.1.1 or 2001:DB8::0DB8:800:200C:417A.
subnet {IPv4_address IPv4_mask | IPv6_address/IPv6_prefix}—The address of a network. For IPv4 subnets, include the mask after a space, for example, 10.0.0.0 255.0.0.0. For IPv6, include the address and prefix as a single unit (no spaces), such as 2001:DB8:0:CD30::/60.
range start_address end_address—A range of addresses. You can specify IPv4 or IPv6 ranges. Do not include masks or prefixes.
Example
hostname(config-network-object)# subnet 10.2.1.0 255.255.255.0
Step 4 Configure static NAT for the object IP addresses. You can only define a single NAT rule for a given object.
nat [(real_ifc,mapped_ifc)] static {mapped_inline_ip | mapped_obj | interface [ipv6]} [net-to-net] [dns | service {tcp | udp} real_port mapped_port] [no-proxy-arp]
Example
hostname(config-network-object)# nat (inside,outside) static MAPPED_IPS service tcp 80 8080
Where:
Interfaces—(Required for transparent mode) Specify the real (real_ifc) and mapped (mapped_ifc) interfaces. Be sure to include the parentheses. In routed mode, if you do not specify the real and mapped interfaces, all interfaces are used. You can also specify the keyword any for one or both of the interfaces, for example (any,outside).
Mapped IP address—You can specify the mapped IP address as one of the following. Typically, you configure the same number of mapped addresses as real addresses for a one-to-one mapping. You can, however, have a mismatched number of addresses. See Static NAT, page 4-27.
mapped_inline_host_ip—An inline IP address. The netmask, prefix, or range for the mapped network is the same as that of the real network. For example, if the real network is a host, then this address will be a host address. In the case of a range, then the mapped addresses include the same number of addresses as the real range. For example, if the real address is defined as a range from 10.1.1.1 through 10.1.1.6, and you specify 172.20.1.1 as the mapped address, then the mapped range will include 172.20.1.1 through 172.20.1.6.
mapped_obj—An existing network object or group.
interface—(Static NAT-with-port-translation only; routed mode only.) The IP address of the mapped interface is used as the mapped address. If you specify ipv6, then the IPv6 address of the interface is used. For this option, you must configure a specific interface for the mapped_ifc. You must use this keyword when you want to use the interface IP address; you cannot enter it inline or as an object. Be sure to also configure the service keyword.
Net-to-net—(Optional.) For NAT 46, specify net-to-net to translate the first IPv4 address to the first IPv6 address, the second to the second, and so on. Without this option, the IPv4-embedded method is used. For a one-to-one translation, you must use this keyword.
DNS—(Optional.) The dns keyword translates DNS replies. Be sure DNS inspection is enabled (it is enabled by default). See DNS and NAT, page 5-21 for more information.
Port translation—(Static NAT-with-port-translation only.) Specify service with either tcp or udp and the real and mapped ports. You can enter either a port number or a well-known port name (such as ftp).
No Proxy ARP—(Optional.) Specify no-proxy-arp to disable proxy ARP for incoming packets to the mapped IP addresses. For information on the conditions which might require the disabling of proxy ARP, see Mapped Addresses and Routing, page 5-12.
Examples
The following example configures static NAT for the real host 10.1.1.1 on the inside to 10.2.2.2 on the outside with DNS rewrite enabled.
hostname(config)# object network my-host-obj1
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static 10.2.2.2 dns
The following example configures static NAT for the real host 10.1.1.1 on the inside to 10.2.2.2 on the outside using a mapped object.
hostname(config)# object network my-mapped-obj
hostname(config-network-object)# host 10.2.2.2
hostname(config-network-object)# object network my-host-obj1
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static my-mapped-obj
The following example configures static NAT-with-port-translation for 10.1.1.1 at TCP port 21 to the outside interface at port 2121.
hostname(config)# object network my-ftp-server
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static interface service tcp 21 2121
The following example maps an inside IPv4 network to an outside IPv6 network.
hostname(config)# object network inside_v4_v6
hostname(config-network-object)# subnet 10.1.1.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) static 2001:DB8::/96
The following example maps an inside IPv6 network to an outside IPv6 network.
hostname(config)# object network inside_v6
hostname(config-network-object)# subnet 2001:DB8:AAAA::/96
hostname(config-network-object)# nat (inside,outside) static 2001:DB8:BBBB::/96
Configure Static Twice NAT or Static NAT-with-Port-Translation
This section describes how to configure a static NAT rule using twice NAT.
Procedure
Step 1 Create host or range network objects (object network command), or network object groups (object-group network command), for the source real addresses, the source mapped addresses, the destination real addresses, and the destination mapped addresses.
If you want to configure source static interface NAT with port translation only, you can skip adding an object for the source mapped addresses, and instead specify the interface keyword in the nat command.
If you want to configure destination static interface NAT with port translation only, you can skip adding an object for the destination mapped addresses, and instead specify the interface keyword in the nat command.
If you do create objects, consider the following guidelines:
The mapped object or group can contain a host, range, or subnet.
The static mapping is typically one-to-one, so the real addresses have the same quantity as the mapped addresses. You can, however, have different quantities if desired. For more information, see Static NAT, page 4-27.
Step 2 (Optional.) Create service objects for the:
Source or Destination real ports
Source or Destination mapped ports
A service object can contain both a source and destination port; however, you should specify either the source or the destination port for both service objects. You should only specify both the source and destination ports if your application uses a fixed source port (such as some DNS servers); but fixed source ports are rare. For example, if you want to translate the port for the source host, then configure the source service.
Step 3 Configure static NAT.
nat [(real_ifc,mapped_ifc)] [line | {after-object [line]}] source static real_obj [mapped_obj | interface [ipv6]] [destination static {mapped_obj | interface [ipv6]} real_obj] [service real_src_mapped_dest_svc_obj mapped_src_real_dest_svc_obj] [net-to-net] [dns] [unidirectional | no-proxy-arp] [inactive] [description desc]
Example
hostname(config)# nat (inside,dmz) source static MyInsNet MyInsNet_mapped destination static Server1 Server1 service REAL_SRC_SVC MAPPED_SRC_SVC
Where:
Interfaces—(Required for transparent mode) Specify the real (real_ifc) and mapped (mapped_ifc) interfaces. Be sure to include the parentheses. In routed mode, if you do not specify the real and mapped interfaces, all interfaces are used. You can also specify the keyword any for one or both of the interfaces, for example (any,outside).
Section and Line—(Optional.) By default, the NAT rule is added to the end of section 1 of the NAT table (see NAT Rule Order, page 4-5). If you want to add the rule into section 3 instead (after the network object NAT rules), then use the after-auto keyword. You can insert a rule anywhere in the applicable section using the line argument.
Source addresses:
Real—Specify a network object or group. Do not use the any keyword, which would be used for identity NAT.
Mapped—Specify a different network object or group. For static interface NAT with port translation only, you can specify the interface keyword (routed mode only). If you specify ipv6, then the IPv6 address of the interface is used. If you specify interface, be sure to also configure the service keyword (in this case, the service objects should include only the source port). For this option, you must configure a specific interface for the mapped_ifc. See Static Interface NAT with Port Translation, page 4-29 for more information.
Destination addresses (Optional):
Mapped—Specify a network object or group, or for static interface NAT with port translation only, specify the interface keyword. If you specify ipv6, then the IPv6 address of the interface is used. If you specify interface, be sure to also configure the service keyword (in this case, the service objects should include only the destination port). For this option, you must configure a specific interface for the real_ifc.
Real—Specify a network object or group. For identity NAT, simply use the same object or group for both the real and mapped addresses.
Ports—(Optional.) Specify the service keyword along with the real and mapped service objects. For source port translation, the objects must specify the source service. The order of the service objects in the command for source port translation is service real_obj mapped_obj. For destination port translation, the objects must specify the destination service. The order of the service objects for destination port translation is service mapped_obj real_obj. In the rare case where you specify both the source and destination ports in the object, the first service object contains the real source port/mapped destination port; the second service object contains the mapped source port/real destination port. For identity port translation, simply use the same service object for both the real and mapped ports (source and/or destination ports, depending on your configuration).
Net-to-net—(Optional.) For NAT 46, specify net-to-net to translate the first IPv4 address to the first IPv6 address, the second to the second, and so on. Without this option, the IPv4-embedded method is used. For a one-to-one translation, you must use this keyword.
DNS—(Optional; for a source-only rule.) The dns keyword translates DNS replies. Be sure DNS inspection is enabled (it is enabled by default). You cannot configure the dns keyword if you configure a destination address. See DNS and NAT, page 5-21 for more information.
Unidirectional—(Optional.) Specify unidirectional so the destination addresses cannot initiate traffic to the source addresses.
No Proxy ARP—(Optional.) Specify no-proxy-arp to disable proxy ARP for incoming packets to the mapped IP addresses. See Mapped Addresses and Routing, page 5-12 for more information.
Inactive—(Optional.) To make this rule inactive without having to remove the command, use the inactive keyword. To reactivate it, reenter the whole command without the inactive keyword.
Description—(Optional.) Provide a description up to 200 characters using the description keyword.
Examples
The following example shows the use of static interface NAT with port translation. Hosts on the outside access an FTP server on the inside by connecting to the outside interface IP address with destination port 65000 through 65004. The traffic is untranslated to the internal FTP server at 192.168.10.100:65000 through 65004. Note that you specify the source port range in the service object (and not the destination port) because you want to translate the source address and port as identified in the command; the destination port is “any.” Because static NAT is bidirectional, “source” and “destination” refer primarily to the command keywords; the actual source and destination address and port in a packet depend on which host sent the packet. In this example, connections are originated from outside to inside, so the “source” address and port of the FTP server is actually the destination address and port in the originating packet.
hostname(config)# object service FTP_PASV_PORT_RANGE
hostname(config-service-object)# service tcp source range 65000 65004
hostname(config)# object network HOST_FTP_SERVER
hostname(config-network-object)# host 192.168.10.100
hostname(config)# nat (inside,outside) source static HOST_FTP_SERVER interface service FTP_PASV_PORT_RANGE FTP_PASV_PORT_RANGE
The following example shows a static translation of one IPv6 network to another IPv6 network when accessing an IPv6 network, and the dynamic PAT translation to an IPv4 PAT pool when accessing the IPv4 network:
hostname(config)# object network INSIDE_NW
hostname(config-network-object)# subnet 2001:DB8:AAAA::/96
hostname(config)# object network MAPPED_IPv6_NW
hostname(config-network-object)# subnet 2001:DB8:BBBB::/96
hostname(config)# object network OUTSIDE_IPv6_NW
hostname(config-network-object)# subnet 2001:DB8:CCCC::/96
hostname(config)# object network OUTSIDE_IPv4_NW
hostname(config-network-object)# subnet 10.1.1.0 255.255.255.0
hostname(config)# object network MAPPED_IPv4_POOL
hostname(config-network-object)# range 10.1.2.1 10.1.2.254
hostname(config)# nat (inside,outside) source static INSIDE_NW MAPPED_IPv6_NW destination static OUTSIDE_IPv6_NW OUTSIDE_IPv6_NW
hostname(config)# nat (inside,outside) source dynamic INSIDE_NW pat-pool MAPPED_IPv4_POOL destination static OUTSIDE_IPv4_NW OUTSIDE_IPv4_NW

Identity NAT

You might have a NAT configuration in which you need to translate an IP address to itself. For example, if you create a broad rule that applies NAT to every network, but want to exclude one network from NAT, you can create a static NAT rule to translate an address to itself. Identity NAT is necessary for remote access VPN, where you need to exempt the client traffic from NAT.
The following figure shows a typical identity NAT scenario.
Figure 4-12 Identity NAT (inside 209.165.201.1 and 209.165.201.2 are translated to the same addresses, 209.165.201.1 and 209.165.201.2, on the outside)
The following topics explain how to configure identity NAT.
Configure Identity Network Object NAT, page 4-37
Configure Identity Twice NAT, page 4-39
Configure Identity Network Object NAT
This section describes how to configure an identity NAT rule using network object NAT.
Procedure
Step 1 (Optional.) Create a network object (object network command), or a network object group (object-group network command), for the mapped addresses.
Instead of using an object, you can configure an inline address.
If you use an object, the object must match the real addresses you want to translate.
Step 2 Create or edit the network object for which you want to configure NAT. The object must be a different one than what you use for the mapped addresses, even though the contents must be the same in each object.
object network obj_name
Example
hostname(config)# object network my-host-obj1
Step 3 (Skip when editing an object that has the right address.) Define the real IPv4 or IPv6 addresses that you want to translate.
host {IPv4_address | IPv6_address}—The IPv4 or IPv6 address of a single host. For example, 10.1.1.1 or 2001:DB8::0DB8:800:200C:417A.
subnet {IPv4_address IPv4_mask | IPv6_address/IPv6_prefix}—The address of a network. For IPv4 subnets, include the mask after a space, for example, 10.0.0.0 255.0.0.0. For IPv6, include the address and prefix as a single unit (no spaces), such as 2001:DB8:0:CD30::/60.
range start_address end_address—A range of addresses. You can specify IPv4 or IPv6 ranges. Do not include masks or prefixes.
Example
hostname(config-network-object)# subnet 10.2.1.0 255.255.255.0
Step 4 Configure identity NAT for the object IP addresses. You can only define a single NAT rule for a given object.
nat [(real_ifc,mapped_ifc)] static {mapped_inline_ip | mapped_obj} [no-proxy-arp] [route-lookup]
Example
hostname(config-network-object)# nat (inside,outside) static MAPPED_IPS
Where:
Interfaces—(Required for transparent mode.) Specify the real (real_ifc) and mapped (mapped_ifc) interfaces. Be sure to include the parentheses. In routed mode, if you do not specify the real and mapped interfaces, all interfaces are used. You can also specify the keyword any for one or both of the interfaces, for example (any,outside).
Mapped IP addresses—Be sure to configure the same IP address for both the mapped and real address. Use one of the following:
mapped_inline_ip—An inline IP address. The netmask, prefix, or range for the mapped network is the same as that of the real network. For example, if the real network is a host, then this address will be a host address. In the case of a range, the mapped addresses include the same number of addresses as the real range. For example, if the real address is defined as a range from 10.1.1.1 through 10.1.1.6, and you specify 10.1.1.1 as the mapped address, then the mapped range will include 10.1.1.1 through 10.1.1.6.
mapped_obj—A network object or group that includes the same addresses as the real object.
No Proxy ARP—(Optional.) Specify no-proxy-arp to disable proxy ARP for incoming packets to the mapped IP addresses. For information on the conditions which might require the disabling of proxy ARP, see Mapped Addresses and Routing, page 5-12.
Route lookup—(Routed mode only; interfaces specified.) Specify route-lookup to determine the egress interface using a route lookup instead of using the interface specified in the NAT command. See Determining the Egress Interface, page 5-14 for more information.
Example
The following example maps a host address to itself using an inline mapped address:
hostname(config)# object network my-host-obj1
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static 10.1.1.1
The following example maps a host address to itself using a network object:
hostname(config)# object network my-host-obj1-identity
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# object network my-host-obj1
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static my-host-obj1-identity
Configure Identity Twice NAT
This section describes how to configure an identity NAT rule using twice NAT.
Procedure
Step 1 Create host or range network objects (object network command), or network object groups (object-group network command), for the source real addresses (you will typically use the same object for the source mapped addresses), the destination real addresses, and the destination mapped addresses.
If you want to perform identity NAT for all addresses, you can skip creating an object for the source real addresses and instead use the keywords any any in the nat command.
If you want to configure destination static interface NAT with port translation only, you can skip adding an object for the destination mapped addresses, and instead specify the interface keyword in the nat command.
If you do create objects, consider the following guidelines:
The mapped object or group can contain a host, range, or subnet.
The real and mapped source objects must match. You can use the same object for both, or you can create separate objects that contain the same IP addresses.
Step 2 (Optional.) Create service objects for the:
Source or Destination real ports
Source or Destination mapped ports
A service object can contain both a source and destination port; however, you should specify either the source or the destination port for both service objects. You should only specify both the source and destination ports if your application uses a fixed source port (such as some DNS servers); but fixed source ports are rare. For example, if you want to translate the port for the source host, then configure the source service.
Step 3 Configure identity NAT.
nat [(real_ifc,mapped_ifc)] [line | {after-auto [line]}] source static {nw_obj nw_obj | any any} [destination static {mapped_obj | interface [ipv6]} real_obj] [service real_src_mapped_dest_svc_obj mapped_src_real_dest_svc_obj] [no-proxy-arp] [route-lookup] [inactive] [description desc]
Example
hostname(config)# nat (inside,outside) source static MyInsNet MyInsNet destination static Server1 Server1
Where:
Interfaces—(Required for transparent mode.) Specify the real (real_ifc) and mapped (mapped_ifc) interfaces. Be sure to include the parentheses. In routed mode, if you do not specify the real and mapped interfaces, all interfaces are used. You can also specify the keyword any for one or both of the interfaces, for example (any,outside).
Section and Line—(Optional.) By default, the NAT rule is added to the end of section 1 of the NAT table (see NAT Rule Order, page 4-5). If you want to add the rule into section 3 instead (after the network object NAT rules), then use the after-auto keyword. You can insert a rule anywhere in the applicable section using the line argument.
Source addresses—Specify a network object, group, or the any keyword for both the real and mapped addresses.
Destination addresses (Optional):
Mapped—Specify a network object or group, or for static interface NAT with port translation only, specify the interface keyword (routed mode only). If you specify ipv6, then the IPv6 address of the interface is used. If you specify interface, be sure to also configure the service keyword (in this case, the service objects should include only the destination port). For this option, you must configure a specific interface for the real_ifc.
Real—Specify a network object or group. For identity NAT, simply use the same object or group for both the real and mapped addresses.
Ports—(Optional.) Specify the service keyword along with the real and mapped service objects. For source port translation, the objects must specify the source service. The order of the service objects in the command for source port translation is service real_obj mapped_obj. For destination port translation, the objects must specify the destination service. The order of the service objects for destination port translation is service mapped_obj real_obj. In the rare case where you specify both the source and destination ports in the object, the first service object contains the real source port/mapped destination port; the second service object contains the mapped source port/real destination port. For identity port translation, simply use the same service object for both the real and mapped ports (source and/or destination ports, depending on your configuration).
No Proxy ARP—(Optional.) Specify no-proxy-arp to disable proxy ARP for incoming packets to the mapped IP addresses. See Mapped Addresses and Routing, page 5-12 for more information.
Route lookup—(Optional; routed mode only; interfaces specified.) Specify route-lookup to determine the egress interface using a route lookup instead of using the interface specified in the NAT command. See Determining the Egress Interface, page 5-14 for more information.
Inactive—(Optional.) To make this rule inactive without having to remove the command, use the inactive keyword. To reactivate it, reenter the whole command without the inactive keyword.
Description—(Optional.) Provide a description up to 200 characters using the description keyword.
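The two identity NAT forms described above, combined in one configuration that matches the scenario from the introduction to this section: a broad dynamic PAT rule for the whole inside network, one subnet excluded from it with identity network object NAT, and remote-access VPN client traffic exempted with identity twice NAT. This is an added example and is not taken from this guide; the object names INSIDE_NET, NO_NAT_NET and VPN_POOL, the addresses 10.1.0.0/16, 10.1.50.0/24 and 10.99.0.0/24, and the interface names inside and outside are assumptions.

```cisco
! Added example (not from the guide). Assumed addressing:
!   INSIDE_NET  10.1.0.0/16   all inside hosts, PATed to the outside address
!   NO_NAT_NET  10.1.50.0/24  must keep its real address on the outside
!   VPN_POOL    10.99.0.0/24  addresses assigned to remote-access VPN clients
object network INSIDE_NET
 subnet 10.1.0.0 255.255.0.0
 ! Broad rule (section 2, network object NAT): PAT everything from
 ! INSIDE_NET to the outside interface address.
 nat (inside,outside) dynamic interface
!
object network NO_NAT_NET
 subnet 10.1.50.0 255.255.255.0
 ! Identity object NAT with an inline mapped address: the mapped network
 ! takes the mask of the real network, so 10.1.50.0/24 maps to itself.
 ! Within section 2, static rules are evaluated before dynamic rules, so
 ! this /24 is matched ahead of the /16 PAT rule above.
 nat (inside,outside) static 10.1.50.0
!
object network VPN_POOL
 subnet 10.99.0.0 255.255.255.0
!
! Identity twice NAT. It lands in section 1 by default, so it is evaluated
! before either object NAT rule. Source and destination are both mapped to
! themselves: inside hosts and VPN clients see each other's real addresses,
! and the reply direction matches the same rule.
!   no-proxy-arp  identity NAT enables proxy ARP by default; there is no
!                 reason for the ASA to answer ARP on outside for 10.1.0.0/16
!   route-lookup  pick the egress interface from the routing table instead
!                 of trusting the (inside,outside) pair in the rule
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
```

The two keywords on the twice NAT rule are the same ones the ASA adds when it migrates a pre-8.3 nat 0 access-list exemption (see History for NAT, 8.4(2)); without them, the rule in its 8.4(2)-and-later default behaves like any other static NAT rule, with proxy ARP enabled and the egress interface taken from the rule. In show nat output the twice NAT rule is listed under Manual NAT Policies (Section 1) and the two object rules under Auto NAT Policies (Section 2).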
Monitoring NAT
To monitor NAT, use the following commands:
show nat
Shows NAT statistics, including hits for each NAT rule.
show nat pool
Shows NAT pool statistics, including the addresses and ports allocated, and how many times they were allocated.
show running-config nat
Shows the NAT configuration. You cannot see object NAT rules using show running-config object. When you use show running-config without modifiers, objects that include NAT rules are shown twice, first with the basic address configuration, then later in the configuration, the object with the NAT rule. The complete object, with the address and NAT rule, is not shown as a unit.
show xlate
Shows current NAT session information.
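A verification sequence built from the commands listed above plus packet-tracer, added here as an example rather than taken from this guide. It assumes an identity twice NAT exemption between an inside network INSIDE_NET (10.1.0.0/16) and a VPN client pool VPN_POOL (10.99.0.0/24) configured ahead of a dynamic PAT rule for INSIDE_NET to the outside interface; the test addresses 10.1.20.5, 10.99.0.7 and 203.0.113.10 and the port numbers are also assumptions. The point it shows is how to prove which rule a given flow hits rather than inferring it from the configuration order.

```cisco
! Added example (not from the guide). Assumes INSIDE_NET 10.1.0.0/16,
! VPN_POOL 10.99.0.0/24, an identity twice NAT rule between them in
! section 1, and a dynamic PAT rule for INSIDE_NET in section 2.
!
! 1. Per-rule hit counters. A rule whose translate_hits never increases is
!    either shadowed by an earlier rule or never matched by real traffic.
!    Clear the counters first so the numbers read after the test are fresh.
clear nat counters
show nat
show nat detail
!
! 2. Trace one synthetic flow per case through the rule table. The NAT
!    phase of the packet-tracer output names the rule that matched and the
!    translation applied, before any packet is sent.
!    Expected: the inside-to-VPN flow keeps 10.1.20.5 as its source
!    (identity rule, section 1); the Internet-bound flow is PATed to the
!    outside interface address (dynamic rule, section 2).
packet-tracer input inside tcp 10.1.20.5 40000 10.99.0.7 445 detailed
packet-tracer input inside tcp 10.1.20.5 40000 203.0.113.10 443 detailed
!
! 3. Hits should now be visible on exactly the rules the traces reported.
show nat
!
! 4. Live translations for the test host. An identity rule produces an xlate
!    whose real and mapped addresses are equal; the PAT rule produces one
!    whose mapped address is the outside interface address.
show xlate | include 10.1.20.5
```

Run the traces in both directions when a rule is bidirectional: a second packet-tracer with input outside and the addresses swapped confirms that the untranslate_hits counter, not only translate_hits, moves for the identity rule.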
History for NAT

Feature Name: Network Object NAT
Platform Releases: 8.3(1)
Description: Configures NAT for a network object IP address(es). We introduced or modified the following commands: nat (object network configuration mode), show nat, show xlate, show nat pool.

Feature Name: Twice NAT
Platform Releases: 8.3(1)
Description: Twice NAT lets you identify both the source and destination address in a single rule. We modified or introduced the following commands: nat, show nat, show xlate, show nat pool.

Feature Name: Identity NAT configurable proxy ARP and route lookup
Platform Releases: 8.4(2)/8.5(1)
Description: In earlier releases for identity NAT, proxy ARP was disabled, and a route lookup was always used to determine the egress interface. You could not configure these settings. In 8.4(2) and later, the default behavior for identity NAT was changed to match the behavior of other static NAT configurations: proxy ARP is enabled, and the NAT configuration determines the egress interface (if specified) by default. You can leave these settings as is, or you can enable or disable them discretely. Note that you can now also disable proxy ARP for regular static NAT.
For pre-8.3 configurations, the migration of NAT exempt rules (the nat 0 access-list command) to 8.4(2) and later now includes the following keywords to disable proxy ARP and to use a route lookup: no-proxy-arp and route-lookup. The unidirectional keyword that was used for migrating to 8.3(2) and 8.4(1) is no longer used for migration. When upgrading to 8.4(2) from 8.3(1), 8.3(2), and 8.4(1), all identity NAT configurations will now include the no-proxy-arp and route-lookup keywords, to maintain existing functionality. The unidirectional keyword is removed.
We modified the following command: nat static [no-proxy-arp] [route-lookup].

Feature Name: PAT pool and round robin address assignment
Platform Releases: 8.4(2)/8.5(1)
Description: You can now specify a pool of PAT addresses instead of a single address. You can also optionally enable round-robin assignment of PAT addresses instead of first using all ports on a PAT address before using the next address in the pool. These features help prevent a large number of connections from a single PAT address from appearing to be part of a DoS attack and make configuration of large numbers of PAT addresses easy.
We modified the following commands: nat dynamic [pat-pool mapped_object [round-robin]] and nat source dynamic [pat-pool mapped_object [round-robin]].

Feature Name: Round robin PAT pool allocation uses the same IP address for existing hosts
Platform Releases: 8.4(3)
Description: When using a PAT pool with round robin allocation, if a host has an existing connection, then subsequent connections from that host will use the same PAT IP address if ports are available.
We did not modify any commands.
This feature is not available in 8.5(1) or 8.6(1).

Feature Name: Flat range of PAT ports for a PAT pool
Platform Releases: 8.4(3)
Description: If available, the real source port number is used for the mapped port. However, if the real port is not available, by default the mapped ports are chosen from the same range of ports as the real port number: 0 to 511, 512 to 1023, and 1024 to 65535. Therefore, ports below 1024 have only a small PAT pool.
If you have a lot of traffic that uses the lower port ranges, when using a PAT pool, you can now specify a flat range of ports to be used instead of the three unequal-sized tiers: either 1024 to 65535, or 1 to 65535.
We modified the following commands: nat dynamic [pat-pool mapped_object [flat [include-reserve]]] and nat source dynamic [pat-pool mapped_object [flat [include-reserve]]].
This feature is not available in 8.5(1) or 8.6(1).

Feature Name: Extended PAT for a PAT pool
Platform Releases: 8.4(3)
Description: Each PAT IP address allows up to 65535 ports. If 65535 ports do not provide enough translations, you can now enable extended PAT for a PAT pool. Extended PAT uses 65535 ports per service, as opposed to per IP address, by including the destination address and port in the translation information.
We modified the following commands: nat dynamic [pat-pool mapped_object [extended]] and nat source dynamic [pat-pool mapped_object [extended]].
This feature is not available in 8.5(1) or 8.6(1).

Feature Name: Automatic NAT rules to translate a VPN peer's local IP address back to the peer's real IP address
Platform Releases: 8.4(3)
Description: In rare situations, you might want to use a VPN peer's real IP address on the inside network instead of an assigned local IP address. Normally with VPN, the peer is given an assigned local IP address to access the inside network. However, you might want to translate the local IP address back to the peer's real public IP address if, for example, your inside servers and network security are based on the peer's real IP address.
You can enable this feature on one interface per tunnel group. Object NAT rules are dynamically added and deleted when the VPN session is established or disconnected. You can view the rules using the show nat command.
Because of routing issues, we do not recommend using this feature unless you know you need it; contact Cisco TAC to confirm feature compatibility with your network. See the following limitations:
Only supports Cisco IPsec and AnyConnect Client.
Return traffic to the public IP addresses must be routed back to the ASA so the NAT policy and VPN policy can be applied.
Does not support load-balancing (because of routing issues).
Does not support roaming (public IP changing).
We introduced the following command: nat-assigned-to-public-ip interface (tunnel-group general-attributes configuration mode).

Feature Name: NAT support for IPv6
Platform Releases: 9.0(1)
Description: NAT now supports IPv6 traffic, as well as translating between IPv4 and IPv6. Translating between IPv4 and IPv6 is not supported in transparent mode.
We modified the following commands: nat (global and object network configuration modes), show nat, show nat pool, show xlate.

Feature Name: NAT support for reverse DNS lookups
Platform Releases: 9.0(1)
Description: NAT now supports translation of the DNS PTR record for reverse DNS lookups when using IPv4 NAT, IPv6 NAT, and NAT64 with DNS inspection enabled for the NAT rule.

Feature Name: Per-session PAT
Platform Releases: 9.0(1)
Description: The per-session PAT feature improves the scalability of PAT and, for clustering, allows each member unit to own PAT connections; multi-session PAT connections have to be forwarded to and owned by the master unit. At the end of a per-session PAT session, the ASA sends a reset and immediately removes the xlate. This reset causes the end node to immediately release the connection, avoiding the TIME_WAIT state. Multi-session PAT, on the other hand, uses the PAT timeout, by default 30 seconds. For "hit-and-run" traffic, such as HTTP or HTTPS, the per-session feature can dramatically increase the connection rate supported by one address. Without the per-session feature, the maximum connection rate for one address for an IP protocol is approximately 2000 per second. With the per-session feature, the connection rate for one address for an IP protocol is 65535/average-lifetime.
By default, all TCP traffic and UDP DNS traffic use a per-session PAT xlate. For traffic that requires multi-session PAT, such as H.323, SIP, or Skinny, you can disable per-session PAT by creating a per-session deny rule.
We introduced the following commands: xlate per-session, show nat pool.

Feature Name: Transactional Commit Model on NAT Rule Engine
Platform Releases: 9.3(1)
Description: When enabled, a NAT rule update is applied after the rule compilation is completed, without affecting the rule matching performance.
We added the nat keyword to the following commands: asp rule-engine transactional-commit, show running-config asp rule-engine transactional-commit, clear configure asp rule-engine transactional-commit.
Chapter 5 NAT Examples and Reference

The following topics provide examples for configuring NAT, plus information on advanced configuration and troubleshooting.
Examples for Network Object NAT, page 5-1
Examples for Twice NAT, page 5-6
NAT in Routed and Transparent Mode, page 5-9
Routing NAT Packets, page 5-11
NAT for VPN, page 5-15
DNS and NAT, page 5-21

Examples for Network Object NAT
Following are some configuration examples for network object NAT.
Providing Access to an Inside Web Server (Static NAT), page 5-1
NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT), page 5-2
Inside Load Balancer with Multiple Mapped Addresses (Static NAT, One-to-Many), page 5-4
Single Address for FTP, HTTP, and SMTP (Static NAT-with-Port-Translation), page 5-5
Providing Access to an Inside Web Server (Static NAT)
The following example performs static NAT for an inside web server. The real address is on a private network, so a public address is required. Static NAT is necessary so hosts can initiate traffic to the web server at a fixed address.
Figure 5-1 Static NAT for an Inside Web Server
[Figure: the inside web server myWebServ (10.1.2.27) sits behind the security appliance (inside interface 10.1.2.1, outside interface 209.165.201.1). Static NAT presents it on the outside as 209.165.201.10; for traffic from an outside host such as 209.165.201.12, the appliance undoes the translation back to 10.1.2.27.]
Procedure
Step 1 Create a network object for the internal web server.
hostname(config)# object network myWebServ
hostname(config-network-object)# host 10.1.2.27
Step 2 Configure static NAT for the object:
hostname(config-network-object)# nat (inside,outside) static 209.165.201.10

NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT)
The following example configures dynamic NAT for inside users on a private network when they access the outside. Also, when inside users connect to an outside web server, that web server address is translated to an address that appears to be on the inside network.