3-22
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter3 Information About NAT (ASA 8.3 and Later)
Routing NAT Packets
Routing NAT Packets
The ASA needs to be the destination for any packets sent to the mapped address. The ASA also needs to
determine the egress interface for any packets it receives destined for mapped addresses. This section
describes how the ASA handles accepting and delivering packets with NAT, and includes the following
topics:
Mapped Addresses and Routing, page3-22
Transparent Mode Routing Requirements for Remote Networks, page3-24
Determining the Egress Interface, page3-24

Mapped Addresses and Routing

When you translate the real address to a mapped address, the mapped address you choose determines
how to configure routing, if necessary, for the mapped address.
See additional guidelines about mapped IP addresses in Chapter4, “Configuring Network O bject NAT
(ASA 8.3 and Later),” and Chapter5, “Configuring Twice NAT (ASA 8.3 and Later).”
See the following mapped address types:
Addresses on the same network as the mapped interface.
If you use addresses on the same network as the mapped interface, the ASA uses proxy ARP to
answer any ARP requests for the mapped addresses, thus intercepting traffic destined for a mapped
address. This solution simplifies routing because the ASA does not have to be the gateway for any
additional networks. This solution is ideal if the outside network contains an adequate number of
free addresses, a consideration if you are using a 1:1 translation like dynamic NAT or static NAT.
Dynamic PAT greatly extends the number of translations you can use with a small number of
addresses, so even if the available addresses on the outside network is small, this method can be
used. For PAT, you can even use the IP address of the mapped interface.
Note If you configure the mapped interface to be any interface, and you specify a mapped address
on the same network as one of the mapped interfaces, then if an ARP request for that mapped
address comes in on a different interface, then you need to manually configure an ARP entry
for that network on the ingress interface, specifying its MAC address (see Configuration >
Device Management > Advanced > ARP > ARP Static Table). Typically, if you specify any
interface for the mapped interface, then you use a unique network for the mapped addresses,
so this situation would not occur.
Addresses on a unique network.
If you need more addresses than are available on the mapped interface network, you can identify
addresses on a different subnet. The upstream router needs a static route for the mapped addresses
that points to the ASA. Alternatively for routed mode, you can configure a static route on the ASA
for the mapped addresses, and then redistribute the route using your routing protocol. For
transparent mode, if the real host is directly-connected, configure the static route on the upstream
router to point to the ASA: in 8.3, specify the global management IP address; in 8.4(1) and later,
specify the bridge group IP address. For remote hosts in transparent mode, in the static route on the
upstream router, you can alternatively specify the downstream router IP address.
The same address as the real address (identity NAT).