6-14
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter6 Configuring NAT (ASA 8.2 and Earlier)
NAT Overview
Order of NAT Rules Used to Match Real Addresses
The ASA matches real addresses to NAT rules in the following order:
1. NAT exemption—In order, until the first match.
2. Static NAT and Static PAT (regular and policy)—In order, until the first match. Static identity NAT
is included in this category.
3. Policy dynamic NAT—In order, until the first match. Overlapping addresses are allowed.
4. Regular dynamic NAT—Best match. Regular identity NAT is included in this category. The order of
the NAT rules does not matter; the NAT rule that best matches the real address is used. For example,
you can create a general rule to translate all addresses (0.0.0.0) on an interface. If you want to
translate a subset of your network (10.1.1.1) to a different address, then you can create a rule to
translate only 10.1.1.1. When 10.1.1.1 makes a connection, the specific rule for 10.1.1.1 is used
because it matches the real address best. We do not recommend using overlapping rules; they use
more memory and can slow the performance of the ASA.
Mapped Address Guidelines
When you translate the real address to a mapped address, you can use the following mapped addresses:
Addresses on the same network as the mapped interface.
If you use addresses on the same network as the mapped interface (through which traffic exits the
ASA), the ASA uses proxy ARP to answer any requests for mapped addresses, and thus intercepts
traffic destined for a real address. This solution simplifies routing, because the ASA does not have
to be the gateway for any additional networks. However, this approach does put a limit on the
number of available addresses used for translations.
For PAT, you can even use the IP address of the mapped interface.
Addresses on a unique network.
If you need more addresses than are available on the mapped interface network, you can identify
addresses on a different subnet. The ASA uses proxy ARP to answer any requests for mapped
addresses, and thus intercepts traffic destined for a real address. If you use OSPF, and you advertise
routes on the mapped interface, then the ASA advertises the mapped addresses. If the mapped
interface is passive (not advertising routes) or you are using static routing, then you need to add a
static route on the upstream router that sends traffic destined for the mapped addresses to the ASA.
DNS and NAT
You might need to configure the ASA to modify DNS replies by replacing the address in the reply with
an address that matches the NAT configuration. You can configure DNS modification when you
configure each translation.
For example, a DNS server is accessible from the outside interface. A server, ftp.cisco.com, is on the
inside interface. You configure the ASA to statically translate the ftp.cisco.com real address (10.1.3.14)
to a mapped address (209.165.201.10) that is visible on the outside network (see Figure6-12). In this
case, you want to enable DNS reply modification on this static statement so that inside users who have
access to ftp.cisco.com using the real address receive the real address from the DNS server, and not the
mapped address.