29-22
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter29 Informatio n About NAT
Routing NAT Packets
Mapped Addresses and Routing
When you translate the real address to a mapped address, the mapped address you choose determines
how to configure routing, if necessary, for the mapped address.
See additional guidelines about mapped IP addresses in Chapter30, “Configuring Network Object
NAT,” and Chapter31, “Configuring Twice NAT.
See the following mapped address types:
Addresses on the same network as the mapped interface.
If you use addresses on the same network as the mapped interface, the ASA uses proxy ARP to
answer any ARP requests for the mapped addresses, thus intercepting traffic destined for a mapped
address. This solution simplifies routing because the ASA does not have to be the gateway for any
additional networks. This solution is ideal if the outside network contains an adequate number of
free addresses, a consideration if you are using a 1:1 translation like dynamic NAT or static NAT.
Dynamic PAT greatly extends the number of translations you can use with a small number of
addresses, so even if the available addresses on the outside network is small, this method can be
used. For PAT, you can even use the IP address of the mapped interface.
Note If you configure the mapped interface to be any interface, and you specify a mapped address
on the same network as one of the mapped interfaces, then if an ARP request for that mapped
address comes in on a different interface, then you need to manually configure an ARP entry
for that network on the ingress interface, specifying its MAC address (see the arp
command). Typically, if you specify any interface for the mapped interface, then you use a
unique network for the mapped addresses, so this situation would not occur.
Addresses on a unique network.
If you need more addresses than are available on the mapped interface network, you can identify
addresses on a different subnet. The upstream router needs a static route for the mapped addresses
that points to the ASA. Alternatively for routed mode, you can configure a static route on the ASA
for the mapped addresses, and then redistribute the route using your routing protocol. For
transparent mode, if the real host is directly-connected, configure the static route on the upstream
router to point to the ASA: in 8.3, specify the global management IP address; in 8.4(1) and later,
specify the bridge group IP address. For remote hosts in transparent mode, in the static route on the
upstream router, you can alternatively specify the downstream router IP address.
The same address as the real address (identity NAT).
(8.3(1), 8.3(2), and 8.4(1)) The default behavior for identity NAT has proxy ARP disabled. You
cannot configure this setting.
(8.4(2) and later) The default behavior for identity NAT has proxy ARP enabled, matching other
static NAT rules. You can disable proxy ARP if desired. Note: You can also disable proxy ARP for
regular static NAT if desired, in which case you need to be sure to have proper routes on the upstream
router.
Normally for identity NAT, proxy ARP is not required, and in some cases can cause connectivity
issues. For example, if you configure a broad identity NAT rule for “any” IP address, then leaving
proxy ARP enabled can cause problems for hosts on the network directly-connected to the mapped
interface. In this case, when a host on the mapped network wants to communicate with another host
on the same network, then the address in the ARP request matches the NAT rule (which matches
“any” address). The ASA will then proxy ARP for the address, even though the packet is not actually
destined for the ASA. (Note that this problem occurs even if you have a twice NAT rule; although