02-Configuring Translations and Connaection Limits

Translations and
Connections
2011 Pham Dinh Thong. All rights reserved.
Firewall v1.02-1
Transport Protocols
Firewall v1.02-2
Sessions in an IP World
In an IP world, a network session is a transaction
between two end systems. It is carried out primarily over
two transport layer protocols:
TCP
UDP
Firewall v1.02-3
TCP
TCP is a connection-oriented, reliable-delivery, robust, and highperformance transport layer protocol.
TCP features:
Sequencing and acknowledgment of data

A defined state machine (open connection, data flow,
retransmit, close connection)
Congestion detection and avoidance mechanisms
Firewall v1.02-4
TCP Initialization: Inside to Outside

Private Network
Source Address
Destination Address
Source Port
Destination Port
Initial Sequence No.
10.0.0.11
172.30.0.50
1026
23
The security appliance first

checks access control lists
(ACLs). It then checks for a
translation slot. If one is not
found, it creates one after
verifying NAT, global, and
AAA, if any. If OK, a
connection is created.
49091
Public Network
192.168.0.20
172.30.0.50
1026
23
49769
ACK
10.0.0.11
No. 1
Flag
SYN
172.30.0.50
10.0.0.11
23
1026
IP Header
92513
TCP Header
49092
SYN-ACK
SYN
No. 2
172.30.0.50
Start the embryonic

connection counter.
No Data
No. 4
Security Appliance
172.30.0.50
The security appliance utilizes

the stateful packet inspection
algorithm:
Source IP, source port,
destination IP, destination
port check
Sequence number check
Translation check
No. 3
192.168.0.20
23
1026
92513
49770
SYN-ACK
Firewall v1.02-5
TCP Initialization: Inside to Outside

(Cont.)
Private Network
10.0.0.11
Source Address
Destination Address
172.30.0.50
1026
Source Port
Destination Port
23
49092
Initial Sequence No.

ACK
92514
Flag
ACK
Public Network
The security appliance
resets the embryonic
counter for this client.
It then increases the
connection counter for
this host.
Security Appliance
192.168.0.20
172.30.0.50
1026
23
49770
92514
ACK
10.0.0.11
No. 6
No. 5
Data Flows
172.30.0.50
The security appliance

strictly enforces the
stateful packet
inspection algorithm.
IP Header
TCP Header
Firewall v1.02-6
UDP
Connectionless protocol
Efficient protocol for some services
Resourceful, but difficult to secure
Firewall v1.02-7
UDP (Cont.)
Private Network
Source Address
Destination Address
10.0.0.11
10.0.0.11
172.30.0.50
Source Port
1028
Destination Port
45000
The security appliance first

checks access control lists
(ACLs). It then checks for a
translation slot. If one is not
found, it creates one after
verifying NAT, global, and
AAA, if any. If OK, a
connection is created.
Public Network
192.168.0.20
172.30.0.50
1028
45000
Security Appliance
No. 1
No. 2
All UDP responses arrive from

outside and within UDP userconfigurable timeout (default is
2 minutes).
No. 4
172.30.0.50
10.0.0.11
45000
1028
The security appliance follows

the stateful packet inspection
algorithm:
Source IP, source port,
destination IP, destination
port check
Translation check
172.30.0.50
No. 3
172.30.0.50
192.168.0.20
45000
1028
IP Header
UDP Header
Firewall v1.02-8
Network Address
Translation
Firewall v1.02-9
Addressing Scenarios
NAT
192.168.6.9
Internet
10.0.0.11
10.0.0.11
10.0.0.4
NAT was created to overcome several addressing problems that

occurred with the expansion of the Internet:
To mitigate global address depletion

To use RFC 1918 addresses internally
To conserve the internal address plan
NAT also increases security by hiding the internal topology.
Firewall v1.02-10
Access Through the Security Appliance

Less Secure
Allowed
More Secure
(unless explicitly denied)
g0/3 Partnernet
Security Level 50
g0/2 DMZ
Security Level 30
g0/4 Intranet
Security Level 70
Internet
g0/0 outside
Security Level 0
Less Secure
g0/1 inside
Security Level 100
Denied
More Secure
(unless explicitly allowed via

static and access list)
Firewall v1.02-11
Inside Address Translation

NAT
192.168.6.20
10.0.0.4
Internet
10.0.0.4
Dynamic
Translation
Outside global
IP address pool
192.168.6.20-254
Outside Global
IP Address
Static
Translation 192.168.6.10
10.0.0.4
Inside
IP Address
10.0.0.11
Web
Server
10.0.0.11
Inside NAT translates the addresses of hosts on a higher security level to a less
secure interface:
Dynamic translation
Static translation
Firewall v1.02-12
Dynamic Inside NAT

NAT
192.168.0.20
10.0.0.11
Internet
10.0.0.11
10.0.0.4
asa1(config)# nat (inside) 1 10.0.0.0 255.255.255.0

asa1(config)# global (outside) 1 192.168.0.20-192.168.0.254
netmask 255.255.255.0
Configures dynamic translations for the 10.0.0.0/24 network
Firewall v1.02-13
Two Interfaces with NAT

10.2.0.0 /24
Global Pool
192.168.0.17-32
Internet
192.168.0.0
Global Pool
192.168.0.3-16
10.0.0.0/24

netmask 255.255.255.0
netmask 255.255.255.0
Enables all hosts on the inside networks to start outbound connections
Uses a separate global pool for each internal network
Firewall v1.02-14
Three Interfaces with NAT

DMZ
Global Pool
172.16.0.20-254
Inside
Global Pool
192.168.0.20-254
Internet
192.168.0.0
10.0.0.0
Outside
asa1(config)# nat (dmz) 1 172.16.0.0 255.255.255.0
netmask 255.255.255.0
asa1(config)# global (dmz) 1 172.16.0.20-172.16.0.254
netmask 255.255.255.0
Inside users can start outbound connections to both the DMZ and the Internet.
The nat (dmz) command enables DMZ services to access the Internet.
The global (dmz) command enables inside users to access the DMZ web server.
Firewall v1.02-15
Port Address
Translation
Firewall v1.02-16
Port Address Translation

PAT
192.168.0.20
10.0.0.11
Port 1024
Internet
192.168.0.20
10.0.0.4
10.0.0.11
Port 1025
10.0.0.4
PAT is a combination of an IP address and a

source port number.
Many different sessions can be multiplexed
over a single global IP address.
Sessions are kept distinct by the use of different port
numbers.
Firewall v1.02-17
PAT Example
asa1(config)# route (outside) 0.0.0.0 0.0.0.0 192.168.0.1
asa1(config)# global (outside) 1 192.168.0.3 netmask
255.255.255.255
Outside IP addresses are typically

registered with InterNIC.
Source addresses of hosts in network

10.0.0.0 are translated to 192.168.0.3
for outgoing access.
.1
Global Address
192.168.0.3
.1
A single IP address (192.168.0.3) is

assigned to the global pool.
The source port is dynamically changed

to a unique number that is greater than
1023.
10.0.0.0
10.0.2.0
10.0.1.0
Engineering
192.168.0.0
.2
Sales
Firewall v1.02-18
PAT Using Outside Interface Address

asa1(config)# interface g0/1
asa1(config-if)# ip address inside 10.0.0.1
255.255.255.0
asa1(config)# interface g0/0
asa1(config-if)# ip address outside dhcp
asa1(config)# global (outside) 1 interface
The outside interface is configured as a

DHCP client.
.1
Global
DHCP Address 192.168.0.0
(192.168.0.2) .2
The interface option of the global command

enables use of a DHCP address as the PAT
address.
The source addresses of hosts in network
10.0.0.0 are translated into a DHCP address
for outgoing access, in this case, 192.168.0.2.
The source port is changed to a unique
number greater than 1023.
.1
10.0.2.0
10.0.1.0
Engineering
10.0.0.0
Sales
Firewall v1.02-19
Mapping Subnets to PAT Addresses

asa1(config)# global (outside) 1 192.168.0.8 netmask 255.255.255.255
Each internal subnet is mapped to a

different PAT address.
The source port is changed to a unique
number greater than 1023.
192 .168.0.9
.1
192 .168.0.8
192.168.0.0
.2
.1
10.0.1.0
Engineering
10.0.0.0
10.0.2.0
Sales
Firewall v1.02-20
Backing Up PAT Addresses by Using

Multiple PATs
Source addresses of hosts in

network 10.0.1.0 are translated
to 192.168.0.8 for outgoing
access.
Address 192.168.0.9 will be used
only when the port pool from
192.168.0.8 is at maximum
capacity.
192 .168.0.9
.1
192 .168.0.8
192.168.0.0
.2
.1
10.0.2.0
10.0.1.0
Engineering
10.0.0.0
Sales
Firewall v1.02-21
Augmenting a Global Pool with PAT

asa1(config)# global (outside) 1 192.168.0.20-192.168.0.253 netmask
255.255.255.0
When hosts on the 10.0.0.0 network

access the outside network through the
security appliance, they are assigned
public addresses from the 192.168.0.20
192.168.0.253 range.
When the addresses from the global pool
are exhausted, PAT begins with the next
available IP address, in this case,
192.168.0.254.
NAT
192 .168.0.20
.1
PAT
192 .168.0.254
192.168.0.0
.2
.1
10.0.2.0
10.0.1.0
Engineering
10.0.0.0
Sales
Firewall v1.02-22
Identity NAT
DMZ
Internet
Server
192.168.0.9
192.168.0.9
10.0.0.15
Internet
Outside
Inside
With NAT control enabled:
All packets traversing a security appliance require a translation rule.

Identity NAT is used to create a transparent mapping.
IP addresses on the higher security interface translate to themselves
on all lower security interfaces.
Firewall v1.02-23
Identity NAT: nat 0 Command

DMZ
192.168.0.9
192.168.0.9
Internet
Server
Inside
Internet
Outside
NAT 0 ensures that the Internet server is translated to its own address
on the outside.
Security levels remain in effect with nat 0.
asa1(config)# nat (dmz) 0 192.168.0.9 255.255.255.255
Firewall v1.02-24
Static Command
Firewall v1.02-25
Global NAT and Static NAT

Inside
Internet
Sam Jones
10.0.0.12
Outside
Global
Pool
NAT
Bob Smith
10.0.0.11
For dynamic NAT and PAT address assignments

Inside end user receives an address from a pool of available addresses
Used mostly for outbound end-user connections
Web Server
172.16.1.9
FTP Server
172.16.1.10
Fixed
Fixed
Internet
Static
Outside
For NAT permanent address assignments

Used mostly for server connections
Sam Jones
10.0.0.12
Inside
Bob Smith
10.0.0.11
Firewall v1.02-26
static Command: Parameters

DMZ
Web Server
172.16.1.9
Internet
FTP Server
172.16.1.10
192.168.1.3
192.168.1.4
Outside
Sam Jones
10.0.0.12
Inside
Bob Smith
10.0.0.11
Interfaces
Real interfaceDMZ
Mapped interfaceOutside
IP Addresses
Real IP address172.16.1.9
Mapped IP address192.168.1.3
Firewall v1.02-27
static Command
DMZ
Web Server
172.16.1.9
192.168.1.3
Internet
Outside
Inside
ciscoasa(config)#
static (real_interface,mapped_interface) {mapped_ip |

interface} real_ip [netmask mask]
Creates a permanent mapping between a real IP address and a mapped IP address
asa1(config)# static (dmz,outside) 192.168.1.3 172.16.1.9

netmask 255.255.255.255
Packets sent to 192.168.1.3 on the outside are translated to 172.16.1.9 on the DMZ.
The web server IP address is permanently mapped to IP address 192.168.1.3.
Firewall v1.02-28
Net Static
DMZ
Web Server
172.16.1.9
Internet
FTP Server
172.16.1.10
192.168.10.9
192.168.10.10
Outside
10.0.0.12
Inside
10.0.0.11
ciscoasa(config)#

interface} real_ip [netmask mask]
Creates mappings between IP addresses on one subnet and an IP addresses on another
subnet
Recommended when you want to translate multiple addresses with a single command
asa1(config)# static (dmz,outside) 192.168.10.0 172.16.1.0

netmask 255.255.255.0
Translates host IP addresses on the 172.16.1.0 subnet to IP addresses on the
192.168.10.0 subnet
Firewall v1.02-29
Static PAT: Port Redirection

DMZ
ftp 192.168.0.9
Web Server
172.16.1.9
FTP Server
172.16.1.10
192.168.0.9/www
192.168.0.9/ftp
Internet
Outside
Inside
ciscoasa(config)#
static (real_interface,mapped_interface) {tcp |

udp} {mapped_ip | interface} mapped_port
{real_ip real_port [netmask mask]}
Used to create a permanent translation between a mapped IP address and
port number and a specific real IP address and port number
192.168.0.9/www redirected to 172.16.1.9/www
192.168.0.9/ftp redirected to 172.16.1.10/ftp
Firewall v1.02-30
static PAT Command: Port Redirection

DMZ
ftp 192.168.0.9
Internet
FTP1 Server
172.16.1.9
FTP2 Server
172.16.1.10
192.168.0.9/FTP
192.168.0.9/2121
Outside
Inside
asa1(config)# static (dmz,outside) tcp 192.168.0.9 ftp

172.16.1.9 ftp netmask 255.255.255.255
asa1(config)# static (dmz,outside) tcp 192.168.0.9 2121
172.16.1.10 ftp netmask 255.255.255.255
Redirects packet destined for 192.168.0.9/FTP to 172.16.1.9 (first FTP server)
Redirects packet destined for 192.168.0.9/2121 to 172.16.1.10 (second FTP server)
Firewall v1.02-31
Translation Behavior
Firewall v1.02-32
Security Appliance Translation Function

Outside
Inside
Internet
192.168.10.11
10.0.0.11
192.168.0.20
10.0.0.11
NAT
10.0.0.4
Security appliance translation rules are configured between pairs of interfaces.

With NAT control enabled, a packet cannot be switched across the security
appliance if it does not match a translation slot in the translation table. The
exception is NAT 0, which does not create a translation entry.
If there is no translation slot, the security appliance tries to create a translation
slot from its translation rules.
If no translation slot match is found, the packet is dropped.
Firewall v1.02-33
Matching Outbound Packet Addresses

A packet arrives at an inside interface:
The security appliance consults the access rules first.
The security appliance makes a routing decision to determine the
outbound interface.
The source address is checked against the local addresses in the translation
table:
If found, the source address is translated according to the translation slot.
Otherwise, the security appliance looks for a match to the local address in the
following order:
nat0 access-list (NAT exemption): In order, until first match

static (static NAT): In order, until first match
static {tcp | udp} (static PAT): In order, until first match
nat nat_id access-list (policy NAT): In order, until first match
nat (regular NAT): Best match

If no match is found, the packet is dropped.
Firewall v1.02-34
SYN Cookies and

Connection Limits
Firewall v1.02-35
Connection Limits
Administrator can set the following connection limits:
Emb_lim: Maximum number of embryonic connections per host. An
embryonic connection is a connection request that has not completed a
TCP three-way handshake between the source and the destination.
TCP_max_conns: Maximum number of simultaneous TCP connections
that each real IP host is allowed to use. Idle connections are closed after
the time specified by the timeout conn command.
udp_max_conns: Maximum number of simultaneous UDP connections
that each real IP host is allowed to use.
Firewall v1.02-36
TCP Three-Way Handshake

Normal
SYN, SRC: 172.26.26.45, DST: 10.0.0.2

SYN-ACK
ACK
Target
10.0.0.2
172.26.26.45
Internet
DoS
Attack
SYN, SRC: 172.16.16.20, DST: 10.0.0.3

SYN, SRC: 172.16.16.20, DST: 10.0.0.3
SYN, SRC: 172.16.16.20, DST: 10.0.0.3
172.26.26.46
Target
10.0.0.3
Embryonic
Connection
Spoofed Host
172.16.16.20
Firewall v1.02-37
SYN Cookies
Normal
SYN
SYN-ACK (Cookie)
ACK (Cookie)
SYN
SYN-ACK
ACK
Internet
The security appliance responds to the SYN itself, which includes a cookie in the
TCP header of the SYN-ACK. The security appliance keeps no state information.
The cookie is a hash of parts of the TCP header and a secret key encoded into the initial sequence
number (ISN) field the appliance responds with in its SYN/ACK.
A legitimate client completes the handshake by sending the ACK back with the cookie.
If the cookie is authentic, the security appliance proxies the TCP session.
Firewall v1.02-38
Embryonic Connection Limit

ciscoasa (config)#

interface} {real_ip [netmask mask]} | {access-list
access_list_name} [dns] [[tcp] max_conns [emb_lim]] [udp
udp_max_conns] [norandomseq [nailed]]
ciscoasa (config)#
nat (if_name) nat_id real_ip [mask [dns] [outside] [[tcp]

max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]]
Setting the embryonic connections (emb_lim) enables TCP proxying via SYN cookies.
A value of 0 disables protection (default).
When the embryonic connection limit is exceeded, all connections are proxied.
asa1(config)# nat (inside) 1 0 0 0 25

asa1(config)# static (inside,outside) 192.168.0.11
172.16.0.2 0 25
Firewall v1.02-39
TCP/UDP Maximum Connection Limit

ciscoasa(config)#

interface} {real_ip [netmask mask]} | {access-list
access_list_name} [dns] [[tcp] max_conns [emb_lim]] [udp
udp_max_conns] [norandomseq [nailed]]
ciscoasa(config)#
nat (if_name) nat_id real_ip [mask [dns] [outside] [[tcp]

max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]]
Maximum number of simultaneous TCP or UDP connections that the local IP hosts
are allowed.
A value of 0 disables protection (default).
Idle connections are closed after the time specified in the timeout command.
asa1(config)# nat (inside) 1 0.0.0.0 0.0.0.0 200 25

asa1(config)# static (inside,outside) 192.168.0.11
172.16.0.2 0 0 udp 100
Firewall v1.02-40
Connections and
Translations
Firewall v1.02-41
Connections vs. Translations

192.168.10.11
Telnet
Connections
HTTP
Translation
10.0.0.11
192.168.0.20
Internet
10.0.0.11
192.168.10.5
Outside
Mapped Pool
Inside
Local
Translation
192.168.0.20
10.0.0.11
Connection
192.168.10.11:23
10.0.0.11:1026
Connection
192.168.10.11:80
10.0.0.11:1027
10.0.0.4
Translations: NATMapped address to real address

PATMapped address and port to real address and port
Connections: Host address and port to host address and port
Firewall v1.02-42
show conn Command

Connection
10.0.0.11
192.168.10.11
Internet
10.0.0.4
ciscoasa#
show conn
Enables you to view all active connections
asa1#show conn
2 in use, 2 most used
asa1# show conn
TCP out 192.168.10.11:80 in 10.0.0.11:2824 idle 0:00:03
bytes 2320 flags UIO
TCP out 192.168.10.11:80 in 10.0.0.11:2823 idle 0:00:03
bytes 3236 flags UIO
Firewall v1.02-43
show conn detail Command

Connection
Internet
192.168.10.11
10.0.0.11
asa1# show conn detail

Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,
E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, k - Skinny media,
M - SMTP data, m - SIP media, O - outbound data, P - inside back conn,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP RPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up
TCP outside:192.168.10.11/80 inside:10.0.0.11/2824 flags UIO
TCP outside:192.168.10.11/80 inside:10.0.0.11/2823 flags UIO
Firewall v1.02-44
show local-host Command

Connection
192.168.10.11
Internet
10.0.0.11
asa1# show local-host

Interface dmz: 0 active, 0 maximum active, 0 denied
Interface inside: 1 active, 5 maximum active, 0 denied
local host: < 10.0.0.11 >,
TCP flow count/limit = 2/300
TCP embryonic count to host = 0
TCP intercept watermark = 25
UDP flow count/limit = 0/unlimited
Conn:
TCP out 192.168.10.11 :80 in 10.0.0.11 :2824 idle 0:00:05 bytes 466 flags UIO
TCP out 192.168.10.11 :80 in 10.0.0.11 :2823 idle 0:00:05 bytes 1402 flags UIO
Interface outside: 1 active, 1 maximum active, 0 denied
local host: < 192.168.10.11 >,
TCP flow count/limit = 2/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited
Conn:
TCP out 192.168.10.11 :80 in insidehost:2824 idle 0:00:05 bytes 466 flags UIO
TCP out 192.168.10.11 :80 in insidehost:2823 idle 0:00:05 bytes 1402 flags UIO
Firewall v1.02-45
show xlate Command

Translation
192.168.0.20
10.0.0.11
Internet
10.0.0.11
192.168.10.11
10.0.0.4
ciscoasa#
show xlate
Enables you to view translation slot information
asa1#show xlate
Global 192.168.0.20 Local 10.0.0.11
Firewall v1.02-46
show xlate detail Command

Translation
192.168.0.20
10.0.0.11
Internet
192.168.10.11
10.0.0.11
asa1# show xlate detail

Flags: D - DNS, d - dump, I - identity, i - dynamic, n no random, r - portmap, s - static
NAT from inside:10.0.0.11 to outside:192.168.0.20 flags i
Firewall v1.02-47
Summary
Firewall v1.02-48
Summary
The security appliance manages the TCP and UDP protocols through
the use of a translation table (for NAT sessions) and a connection
table (for TCP and UDP sessions).
The static command creates a permanent translation.
Mapping between local and global address pools is done dynamically
with the nat command.
The nat and global commands work together to hide internal IP
addresses.
The security appliance supports PAT.

Configuring multiple interfaces requires a greater attention to detail,
but it can be done with standard security appliance commands.
SYN cookies, which you enable by setting embryonic connection
limits in the nat or static command, provide a means of checking the
validity of incoming TCP sessions.
Firewall v1.02-49

02-Configuring Translations and Connaection Limits

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

02-Configuring Translations and Connaection Limits

Hochgeladen von

Copyright:

Verfügbare Formate

Translations and

2011 Pham Dinh Thong. All rights reserved.

2011 Pham Dinh Thong. All rights reserved.

2011 Pham Dinh Thong. All rights reserved.

Sequencing and acknowledgment of data

2011 Pham Dinh Thong. All rights reserved.

TCP Initialization: Inside to Outside

The security appliance first

2011 Pham Dinh Thong. All rights reserved.

Start the embryonic

The security appliance utilizes

TCP Initialization: Inside to Outside

Initial Sequence No.

The security appliance

2011 Pham Dinh Thong. All rights reserved.

2011 Pham Dinh Thong. All rights reserved.

The security appliance first

All UDP responses arrive from

The security appliance follows

2011 Pham Dinh Thong. All rights reserved.

NAT was created to overcome several addressing problems that

To mitigate global address depletion

Access Through the Security Appliance

(unless explicitly denied)

(unless explicitly allowed via

Inside Address Translation

Dynamic Inside NAT

asa1(config)# nat (inside) 1 10.0.0.0 255.255.255.0

2011 Pham Dinh Thong. All rights reserved.

Two Interfaces with NAT

asa1(config)# nat (inside) 1 10.0.0.0 255.255.255.0

Three Interfaces with NAT

2011 Pham Dinh Thong. All rights reserved.

Port Address Translation

PAT is a combination of an IP address and a

Outside IP addresses are typically

Source addresses of hosts in network

A single IP address (192.168.0.3) is

The source port is dynamically changed

PAT Using Outside Interface Address

The outside interface is configured as a

The interface option of the global command

Mapping Subnets to PAT Addresses

Each internal subnet is mapped to a

Backing Up PAT Addresses by Using

Source addresses of hosts in

Augmenting a Global Pool with PAT

When hosts on the 10.0.0.0 network

With NAT control enabled:

All packets traversing a security appliance require a translation rule.

Identity NAT: nat 0 Command

asa1(config)# nat (dmz) 0 192.168.0.9 255.255.255.255

2011 Pham Dinh Thong. All rights reserved.

2011 Pham Dinh Thong. All rights reserved.

Global NAT and Static NAT

For dynamic NAT and PAT address assignments

For NAT permanent address assignments

static Command: Parameters

static (real_interface,mapped_interface) {mapped_ip |

asa1(config)# static (dmz,outside) 192.168.1.3 172.16.1.9

static (real_interface,mapped_interface) {mapped_ip |

asa1(config)# static (dmz,outside) 192.168.10.0 172.16.1.0

Static PAT: Port Redirection

static (real_interface,mapped_interface) {tcp |