
Translations and Connections
Lesson 4

© 2007 Cisco Systems, Inc. All rights reserved. SNPA v5.0—4-1


Transport Protocols



Sessions in an IP World

In an IP world, a network session is a transaction between two end systems. It is carried out primarily over two transport layer protocols:
 TCP
 UDP



TCP

 TCP is a connection-oriented, reliable-delivery, robust, and high-performance transport layer protocol.
 TCP features:
– Sequencing and acknowledgment of data
– A defined state machine (open connection, data flow, retransmit, close connection)
– Congestion detection and avoidance mechanisms



TCP Initialization: Inside to Outside

The security appliance first checks access control lists (ACLs). It then checks for a translation slot. If one is not found, it creates one after verifying NAT, global, and AAA, if any. If OK, a connection is created. Start the embryonic connection counter.

The security appliance utilizes the stateful packet inspection algorithm:
 Source IP, source port, destination IP, destination port check
 Sequence number check
 Translation check

Figure: the outbound SYN (packet No. 1 on the private network, No. 2 on the public network) and the returning SYN-ACK (No. 3 on the public network, No. 4 on the private network), as seen on each side of the security appliance.

Packet No. 1 / No. 2 (Flag SYN, No Data)   Private Network   Public Network
Source Address                             10.0.0.11         192.168.0.20
Destination Address                        172.30.0.50       172.30.0.50
Source Port                                1026              1026
Destination Port                           23                23
Initial Sequence No.                       49091             49769

Packet No. 4 / No. 3 (Flag SYN-ACK)        Private Network   Public Network
Source Address                             172.30.0.50       172.30.0.50
Destination Address                        10.0.0.11         192.168.0.20
Source Port                                23                23
Destination Port                           1026              1026
Sequence No.                               92513             92513
ACK                                        49092             49770



TCP Initialization: Inside to Outside (Cont.)

The security appliance resets the embryonic counter for this client. It then increases the connection counter for this host. Data flows. The security appliance strictly enforces the stateful packet inspection algorithm.

Figure: the final ACK of the handshake (packet No. 5 on the private network, No. 6 on the public network).

Packet No. 5 / No. 6 (Flag ACK)            Private Network   Public Network
Source Address                             10.0.0.11         192.168.0.20
Destination Address                        172.30.0.50       172.30.0.50
Source Port                                1026              1026
Destination Port                           23                23
Initial Sequence No.                       49092             49770
ACK                                        92514             92514
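As an added example (not from the Cisco course), a Python model of the connection slot built for the handshake above, using the figure's addresses, ports and sequence numbers: the translation 10.0.0.11 to 192.168.0.20 and the ISN offset of 678 (49769 minus 49091) are read off the figure, and Packet and ConnTable are constructed names.

```python
from dataclasses import dataclass

# Constructed model of the connection slot the slides describe; not ASA code.
XLATE = {"10.0.0.11": "192.168.0.20"}   # inside NAT: real address -> mapped address
ISN_DELTA = 49769 - 49091               # ISN randomization offset read off the figure (678)


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    ack: int
    flags: str


class ConnTable:
    """Connection table keyed by the mapped 5-tuple, plus the embryonic counter."""

    def __init__(self):
        self.conns = {}        # (mapped src, dst, sport, dport) -> slot
        self.embryonic = 0

    def outbound_syn(self, pkt):
        """Packet No. 1: needs a translation slot; source and ISN are rewritten (No. 2)."""
        mapped = XLATE.get(pkt.src)
        if mapped is None or pkt.flags != "SYN":
            return None                                   # no translation slot: dropped
        self.conns[(mapped, pkt.dst, pkt.sport, pkt.dport)] = {
            "real": pkt.src, "isn": pkt.seq, "delta": ISN_DELTA, "state": "embryonic"}
        self.embryonic += 1                               # start the embryonic counter
        return Packet(mapped, pkt.dst, pkt.sport, pkt.dport,
                      (pkt.seq + ISN_DELTA) & 0xFFFFFFFF, pkt.ack, pkt.flags)

    def inbound_syn_ack(self, pkt):
        """Packet No. 3: 5-tuple, translation and sequence number checks, then No. 4."""
        conn = self.conns.get((pkt.dst, pkt.src, pkt.dport, pkt.sport))
        if conn is None or pkt.flags != "SYN-ACK":
            return None                                   # no matching session: dropped
        if pkt.ack != ((conn["isn"] + conn["delta"] + 1) & 0xFFFFFFFF):
            return None                                   # sequence number check fails
        conn["state"] = "syn-ack"
        return Packet(pkt.src, conn["real"], pkt.sport, pkt.dport, pkt.seq,
                      (pkt.ack - conn["delta"]) & 0xFFFFFFFF, pkt.flags)

    def outbound_ack(self, pkt):
        """Packet No. 5: handshake complete, embryonic counter reset, data may flow (No. 6)."""
        conn = self.conns.get((XLATE.get(pkt.src), pkt.dst, pkt.sport, pkt.dport))
        if conn is None or conn["state"] != "syn-ack" or pkt.flags != "ACK":
            return None
        conn["state"] = "up"
        self.embryonic -= 1
        return Packet(XLATE[pkt.src], pkt.dst, pkt.sport, pkt.dport,
                      (pkt.seq + conn["delta"]) & 0xFFFFFFFF, pkt.ack, pkt.flags)
```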



UDP

 Connectionless protocol
 Efficient protocol for some services
 Resourceful, but difficult to secure



UDP (Cont.)

The security appliance first checks access control lists (ACLs). It then checks for a translation slot. If one is not found, it creates one after verifying NAT, global, and AAA, if any. If OK, a connection is created.

All UDP responses arrive from outside and within the UDP user-configurable timeout (default is 2 minutes).

The security appliance follows the stateful packet inspection algorithm:
 Source IP, source port, destination IP, destination port check
 Translation check

Figure: the outbound UDP datagram (No. 1 on the private network, No. 2 on the public network) and its response (No. 3 on the public network, No. 4 on the private network).

Packet No. 1 / No. 2                       Private Network   Public Network
Source Address                             10.0.0.11         192.168.0.20
Destination Address                        172.30.0.50       172.30.0.50
Source Port                                1028              1028
Destination Port                           45000             45000

Packet No. 4 / No. 3                       Private Network   Public Network
Source Address                             172.30.0.50       172.30.0.50
Destination Address                        10.0.0.11         192.168.0.20
Source Port                                45000             45000
Destination Port                           1028              1028



Network Address Translation



Addressing Scenarios

Figure: NAT between the inside hosts 10.0.0.11 and 10.0.0.4 and the Internet, where 10.0.0.11 appears as 192.168.6.9.

 NAT was created to overcome several addressing problems that occurred with the expansion of the Internet:
– To mitigate global address depletion
– To use RFC 1918 addresses internally
– To conserve the internal address plan
 NAT also increases security by hiding the internal topology.



Access Through the Security Appliance

Figure: security appliance interfaces and their security levels:
 g0/0 outside, Security Level 0 (Internet)
 g0/1 inside, Security Level 100
 g0/2 DMZ, Security Level 30
 g0/3 Partnernet, Security Level 50
 g0/4 Intranet, Security Level 70

 More secure to less secure: Allowed (unless explicitly denied)
 Less secure to more secure: Denied (unless explicitly allowed via static and access list)



Inside Address Translation

Figure: dynamic translation assigns addresses from the outside global IP address pool 192.168.6.20-254 (for example, 10.0.0.4 to 192.168.6.20); static translation maps the web server 10.0.0.11 to the outside global IP address 192.168.6.10.

Inside NAT translates the addresses of hosts on a higher security level to a less secure interface:
 Dynamic translation
 Static translation



Dynamic Inside NAT

Figure: inside host 10.0.0.11 (with 10.0.0.4) is translated to 192.168.0.20 toward the Internet.

asa1(config)# nat (inside) 1 10.0.0.0 255.255.255.0
asa1(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
 Configures dynamic translations for the 10.0.0.0/24 network



Two Interfaces with NAT

Figure: 10.0.0.0/24 uses global pool 192.168.0.3-16 and 10.2.0.0/24 uses global pool 192.168.0.17-32 on the outside network 192.168.0.0.

asa1(config)# nat (inside) 1 10.0.0.0 255.255.255.0
asa1(config)# nat (inside) 2 10.2.0.0 255.255.255.0
asa1(config)# global (outside) 1 192.168.0.3-192.168.0.16 netmask 255.255.255.0
asa1(config)# global (outside) 2 192.168.0.17-192.168.0.32 netmask 255.255.255.0
 Enables all hosts on the inside networks to start outbound connections
 Uses a separate global pool for each internal network
Three Interfaces with NAT

Figure: the inside network 10.0.0.0 uses global pool 192.168.0.20-254 toward the outside (192.168.0.0) and global pool 172.16.0.20-254 toward the DMZ.

asa1(config)# nat (inside) 1 10.0.0.0 255.255.255.0
asa1(config)# nat (dmz) 1 172.16.0.0 255.255.255.0
asa1(config)# global (outside) 1 192.168.0.20-192.168.0.254 netmask 255.255.255.0
asa1(config)# global (dmz) 1 172.16.0.20-172.16.0.254 netmask 255.255.255.0
 Inside users can start outbound connections to both the DMZ and the Internet.
 The nat (dmz) command enables DMZ services to access the Internet.
 The global (dmz) command enables inside users to access the DMZ web server.



Port Address Translation



Port Address Translation

Figure: PAT maps 10.0.0.11 to 192.168.0.20 port 1024 and 10.0.0.4 to 192.168.0.20 port 1025 toward the Internet.

 PAT is a combination of an IP address and a source port number.
 Many different sessions can be multiplexed over a single global IP address.
 Sessions are kept distinct by the use of different port numbers.
PAT Example

asa1(config)# route (outside) 0.0.0.0 0.0.0.0 192.168.0.1
asa1(config)# nat (inside) 1 10.0.0.0 255.255.0.0
asa1(config)# global (outside) 1 192.168.0.3 netmask 255.255.255.255

 Outside IP addresses are typically registered with InterNIC.
 Source addresses of hosts in network 10.0.0.0 are translated to 192.168.0.3 for outgoing access.
 A single IP address (192.168.0.3) is assigned to the global pool.
 The source port is dynamically changed to a unique number that is greater than 1023.

Figure: outside network 192.168.0.0 (router .1, security appliance .2, global address 192.168.0.3); inside network 10.0.0.0 (security appliance .1) with subnets 10.0.1.0 (Engineering) and 10.0.2.0 (Sales).



PAT Using Outside Interface Address

asa1(config)# interface g0/1
asa1(config-if)# ip address inside 10.0.0.1 255.255.255.0
asa1(config)# interface g0/0
asa1(config-if)# ip address outside dhcp
asa1(config)# nat (inside) 1 10.0.0.0 255.255.0.0
asa1(config)# global (outside) 1 interface

 The outside interface is configured as a DHCP client.
 The interface option of the global command enables use of a DHCP address as the PAT address.
 The source addresses of hosts in network 10.0.0.0 are translated into a DHCP address for outgoing access, in this case, 192.168.0.2.
 The source port is changed to a unique number greater than 1023.

Figure: outside network 192.168.0.0 (router .1, security appliance .2 with DHCP global address 192.168.0.2); inside network 10.0.0.0 (security appliance .1) with subnets 10.0.1.0 (Engineering) and 10.0.2.0 (Sales).



Mapping Subnets to PAT Addresses

asa1(config)# nat (inside) 1 10.0.1.0 255.255.255.0
asa1(config)# nat (inside) 2 10.0.2.0 255.255.255.0
asa1(config)# global (outside) 1 192.168.0.8 netmask 255.255.255.255
asa1(config)# global (outside) 2 192.168.0.9 netmask 255.255.255.255

 Each internal subnet is mapped to a different PAT address.
 Source addresses of hosts in network 10.0.1.0 are translated to 192.168.0.8 for outgoing access.
 Source addresses of hosts in network 10.0.2.0 are translated to 192.168.0.9 for outgoing access.
 The source port is changed to a unique number greater than 1023.

Figure: outside network 192.168.0.0 (router .1, security appliance .2, PAT addresses 192.168.0.8 and 192.168.0.9); inside network 10.0.0.0 (security appliance .1) with subnets 10.0.1.0 (Engineering) and 10.0.2.0 (Sales).
Backing Up PAT Addresses by Using Multiple PATs

asa1(config)# nat (inside) 1 10.0.0.0 255.255.252.0
asa1(config)# global (outside) 1 192.168.0.8 netmask 255.255.255.255
asa1(config)# global (outside) 1 192.168.0.9 netmask 255.255.255.255

 Source addresses of hosts in network 10.0.1.0 are translated to 192.168.0.8 for outgoing access.
 Address 192.168.0.9 will be used only when the port pool from 192.168.0.8 is at maximum capacity.

Figure: outside network 192.168.0.0 (router .1, security appliance .2, PAT addresses 192.168.0.8 and 192.168.0.9); inside network 10.0.0.0 (security appliance .1) with subnets 10.0.1.0 (Engineering) and 10.0.2.0 (Sales).



Augmenting a Global Pool with PAT

asa1(config)# nat (inside) 1 10.0.0.0 255.255.0.0
asa1(config)# global (outside) 1 192.168.0.20-192.168.0.253 netmask 255.255.255.0
asa1(config)# global (outside) 1 192.168.0.254 netmask 255.255.255.255

 When hosts on the 10.0.0.0 network access the outside network through the security appliance, they are assigned public addresses from the 192.168.0.20–192.168.0.253 range.
 When the addresses from the global pool are exhausted, PAT begins with the next available IP address, in this case, 192.168.0.254.

Figure: outside network 192.168.0.0 (router .1, security appliance .2, NAT range 192.168.0.20-253 and PAT address 192.168.0.254); inside network 10.0.0.0 (security appliance .1) with subnets 10.0.1.0 (Engineering) and 10.0.2.0 (Sales).
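As an added example (not from the Cisco course), a Python model of the pool behaviour described on this slide and on the "Backing Up PAT Addresses" slide: dynamic NAT addresses are handed out first, PAT starts on the first single-address entry once they are exhausted, and the backup PAT address is used only when the previous port pool is full. GlobalPool and addr_range are constructed names, and the small port ranges in the test are there only to force exhaustion.

```python
import ipaddress


def addr_range(first, last):
    """Expand a pool written the way the global command takes it, e.g. 192.168.0.20-192.168.0.253."""
    a, b = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(a, b + 1)]


class GlobalPool:
    """Constructed model of the global entries sharing one nat_id (not ASA code):
    the dynamic NAT range is used first; when it is exhausted, PAT starts on the
    single-address entries in order, moving to the next one only when the previous
    port pool is at maximum capacity."""

    def __init__(self, nat_addrs, pat_addrs, ports=range(1024, 65536)):
        self.free_nat = list(nat_addrs)            # unused one-to-one addresses
        self.nat_xlate = {}                        # real ip -> mapped ip
        self.pat_addrs = list(pat_addrs)
        self.ports = ports                         # PAT ports: unique and > 1023
        self.pat_used = {a: set() for a in self.pat_addrs}

    def translate(self, real_ip, real_port):
        """Return (mapped_ip, mapped_port), or None when no slot can be built."""
        if real_ip in self.nat_xlate:              # existing translation slot
            return self.nat_xlate[real_ip], real_port
        if self.free_nat:                          # dynamic NAT: address only
            mapped = self.free_nat.pop(0)
            self.nat_xlate[real_ip] = mapped
            return mapped, real_port
        for addr in self.pat_addrs:                # PAT on the next available address
            for port in self.ports:
                if port not in self.pat_used[addr]:
                    self.pat_used[addr].add(port)
                    return addr, port
        return None                                # every pool exhausted: dropped

    def release(self, mapped_ip, mapped_port=None):
        """Tear down a slot so its address or port returns to the pool."""
        if mapped_ip in self.pat_used:
            self.pat_used[mapped_ip].discard(mapped_port)
            return
        for real, mapped in list(self.nat_xlate.items()):
            if mapped == mapped_ip:
                del self.nat_xlate[real]
                self.free_nat.append(mapped_ip)
```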



Identity NAT

Figure: the DMZ Internet server 192.168.0.9 appears as 192.168.0.9 on the outside; the inside host is 10.0.0.15.

With NAT control enabled:
 All packets traversing a security appliance require a translation rule.
 Identity NAT is used to create a transparent mapping.
 IP addresses on the higher security interface translate to themselves on all lower security interfaces.



Identity NAT: nat 0 Command

Figure: the DMZ Internet server 192.168.0.9 appears as 192.168.0.9 on the outside.

 NAT 0 ensures that the Internet server is translated to its own address on the outside.
 Security levels remain in effect with nat 0.

asa1(config)# nat (dmz) 0 192.168.0.9 255.255.255.255



Static Command



Global NAT and Static NAT

Figure (top): inside users Sam Jones (10.0.0.12) and Bob Smith (10.0.0.11) reach the Internet through a global pool on the outside.

NAT
 For dynamic NAT and PAT address assignments
 Inside end user receives an address from a pool of available addresses
 Used mostly for outbound end-user connections

Figure (bottom): the web server 172.16.1.9 and FTP server 172.16.1.10 are reached from the Internet through fixed outside addresses, while Sam Jones (10.0.0.12) and Bob Smith (10.0.0.11) remain on the inside.

Static
 For NAT “permanent” address assignments
 Used mostly for server connections



static Command: Parameters

Figure: the DMZ web server 172.16.1.9 and FTP server 172.16.1.10 are mapped to 192.168.1.3 and 192.168.1.4 on the outside; inside hosts are Sam Jones (10.0.0.12) and Bob Smith (10.0.0.11).

Interfaces
 Real interface—DMZ
 Mapped interface—Outside
IP Addresses
 Real IP address—172.16.1.9
 Mapped IP address—192.168.1.3
static Command

Figure: the DMZ web server 172.16.1.9 is reached from the Internet as 192.168.1.3.

ciscoasa(config)#
static (real_interface,mapped_interface) {mapped_ip | interface} real_ip [netmask mask]
 Creates a permanent mapping between a real IP address and a mapped IP address

asa1(config)# static (dmz,outside) 192.168.1.3 172.16.1.9 netmask 255.255.255.255
 Packets sent to 192.168.1.3 on the outside are translated to 172.16.1.9 on the DMZ.
 The web server IP address is permanently mapped to IP address 192.168.1.3.
Net Static

Figure: the DMZ web server 172.16.1.9 and FTP server 172.16.1.10 appear on the outside as 192.168.10.9 and 192.168.10.10; inside hosts are 10.0.0.12 and 10.0.0.11.

ciscoasa(config)#
static (real_interface,mapped_interface) {mapped_ip | interface} real_ip [netmask mask]
 Creates mappings between IP addresses on one subnet and IP addresses on another subnet
 Recommended when you want to translate multiple addresses with a single command

asa1(config)# static (dmz,outside) 192.168.10.0 172.16.1.0 netmask 255.255.255.0
 Translates host IP addresses on the 172.16.1.0 subnet to IP addresses on the 192.168.10.0 subnet
Static PAT: Port Redirection

Figure: 192.168.0.9/www and 192.168.0.9/ftp on the outside are redirected to the DMZ web server 172.16.1.9 and FTP server 172.16.1.10.

ciscoasa(config)#
static (real_interface,mapped_interface) {tcp | udp} {mapped_ip | interface} mapped_port {real_ip real_port [netmask mask]}
 Used to create a permanent translation between a mapped IP address and port number and a specific real IP address and port number
– 192.168.0.9/www redirected to 172.16.1.9/www
– 192.168.0.9/ftp redirected to 172.16.1.10/ftp



static PAT Command: Port Redirection

Figure: 192.168.0.9/FTP and 192.168.0.9/2121 on the outside are redirected to the DMZ servers FTP1 (172.16.1.9) and FTP2 (172.16.1.10).

asa1(config)# static (dmz,outside) tcp 192.168.0.9 ftp 172.16.1.9 ftp netmask 255.255.255.255
asa1(config)# static (dmz,outside) tcp 192.168.0.9 2121 172.16.1.10 ftp netmask 255.255.255.255
 Redirects packets destined for 192.168.0.9/FTP to 172.16.1.9 (first FTP server)
 Redirects packets destined for 192.168.0.9/2121 to 172.16.1.10 (second FTP server)



Translation Behavior



Security Appliance Translation Function

Figure: inside hosts 10.0.0.11 and 10.0.0.4 are translated (NAT) to 192.168.0.20 toward the Internet, where 192.168.10.11 is the destination.

 Security appliance translation rules are configured between pairs of interfaces.
 With NAT control enabled, a packet cannot be switched across the security appliance if it does not match a translation slot in the translation table. The exception is NAT 0, which does not create a translation entry.
 If there is no translation slot, the security appliance tries to create a translation slot from its translation rules.
 If no translation slot match is found, the packet is dropped.



Matching Outbound Packet Addresses
 A packet arrives at an inside interface:
– The security appliance consults the access rules first.
– The security appliance makes a routing decision to determine the outbound interface.
 The source address is checked against the local addresses in the translation table:
– If found, the source address is translated according to the translation slot.
 Otherwise, the security appliance looks for a match to the local address in the following order:
– nat0 access-list (NAT exemption): In order, until first match
– static (static NAT): In order, until first match
– static {tcp | udp} (static PAT): In order, until first match
– nat nat_id access-list (policy NAT): In order, until first match
– nat (regular NAT): Best match
 If no match is found, the packet is dropped.
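As an added example (not from the Cisco course), a Python model of the rule lookup order listed above: the four first-match kinds are tried in configuration order, regular nat is resolved by best (longest-prefix) match, and no match means the packet is dropped. The rule set, the pool names and the helper names rule and match_outbound are constructed for the illustration; static PAT is matched on the real host's source port, since that is the real_port the rule names.

```python
import ipaddress

# Lookup order from the slide: every kind except regular nat is "first match",
# regular nat is "best match" (longest prefix). Constructed model, not ASA code.
FIRST_MATCH = ("nat0", "static", "static_pat", "policy_nat")


def rule(kind, local, mapped, dest=None, proto=None, port=None):
    """One translation rule; dest is only set for nat0 access-list and policy NAT."""
    return {"kind": kind, "local": ipaddress.ip_network(local),
            "dest": ipaddress.ip_network(dest) if dest else None,
            "proto": proto, "port": port, "mapped": mapped}


def _matches(r, src, dst, proto, sport):
    if ipaddress.ip_address(src) not in r["local"]:
        return False
    if r["dest"] is not None and ipaddress.ip_address(dst) not in r["dest"]:
        return False          # nat0 access-list and policy NAT also match the destination
    if r["proto"] is not None and (r["proto"], r["port"]) != (proto, sport):
        return False          # static PAT matches one protocol and real port
    return True


def match_outbound(rules, src, dst, proto=None, sport=None):
    """Return (kind, mapped) for the rule the appliance would use, or None (drop)."""
    for kind in FIRST_MATCH:
        for r in rules:                              # configuration order
            if r["kind"] == kind and _matches(r, src, dst, proto, sport):
                return kind, r["mapped"]
    best = None
    for r in rules:                                  # regular nat: longest prefix wins
        if r["kind"] == "nat" and _matches(r, src, dst, proto, sport):
            if best is None or r["local"].prefixlen > best["local"].prefixlen:
                best = r
    return ("nat", best["mapped"]) if best else None


# Constructed rule set in configuration order; the nat entries overlap on purpose.
RULES = [
    rule("nat", "10.0.0.0/16", "global pool 1"),
    rule("nat", "10.0.0.0/24", "global pool 2"),
    rule("static", "10.0.0.11/32", "192.168.0.11"),
    rule("static_pat", "10.0.0.12/32", "192.168.0.9:80", proto="tcp", port=80),
    rule("policy_nat", "10.0.0.0/24", "global pool 3", dest="192.168.20.0/24"),
    rule("nat0", "10.0.0.0/24", "no translation", dest="172.16.0.0/24"),
]
```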



SYN Cookies and Connection Limits



Connection Limits

Administrator can set the following connection limits:
 Emb_lim: Maximum number of embryonic connections per host. An embryonic connection is a connection request that has not completed a TCP three-way handshake between the source and the destination.
 TCP_max_conns: Maximum number of simultaneous TCP connections that each real IP host is allowed to use. Idle connections are closed after the time specified by the timeout conn command.
 udp_max_conns: Maximum number of simultaneous UDP connections that each real IP host is allowed to use.



TCP Three-Way Handshake

Figure: a normal handshake beside a SYN-flood DoS attack.
 Normal: 172.26.26.45 sends SYN, SRC: 172.26.26.45, DST: 10.0.0.2; the target 10.0.0.2 answers with SYN-ACK; the client completes the handshake with ACK.
 DoS attack: 172.26.26.46 sends repeated SYN, SRC: 172.16.16.20, DST: 10.0.0.3 with a spoofed source; the target 10.0.0.3 answers each SYN with a SYN-ACK to the spoofed host 172.16.16.20, which never sends the ACK, so each request remains an embryonic connection.
SYN Cookies

Figure: a normal handshake (SYN, SYN-ACK, ACK) beside the SYN-cookie exchange through the security appliance (SYN, SYN-ACK (Cookie), ACK (Cookie)).

The security appliance responds to the SYN itself, which includes a cookie in the TCP header of the SYN-ACK. The security appliance keeps no state information.
 The cookie is a hash of parts of the TCP header and a secret key encoded into the initial sequence number (ISN) field the appliance responds with in its SYN/ACK.
 A legitimate client completes the handshake by sending the ACK back with the cookie.
 If the cookie is authentic, the security appliance proxies the TCP session.



Embryonic Connection Limit

ciscoasa(config)#
static (real_interface,mapped_interface) {mapped_ip | interface} {real_ip [netmask mask]} | {access-list access_list_name} [dns] [[tcp] max_conns [emb_lim]] [udp udp_max_conns] [norandomseq [nailed]]

ciscoasa(config)#
nat (if_name) nat_id real_ip [mask [dns] [outside] [[tcp] max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]]

 Setting the embryonic connections (emb_lim) enables TCP proxying via SYN cookies.
– A value of 0 disables protection (default).
– When the embryonic connection limit is exceeded, all connections are proxied.

asa1(config)# nat (inside) 1 0 0 0 25
asa1(config)# static (inside,outside) 192.168.0.11 172.16.0.2 0 25
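As an added example (not from the Cisco course), a Python model of the two slides above taken together: the cookie is a keyed hash of TCP header fields and a secret, carried in the ISN of the SYN-ACK, and the embryonic limit decides when the appliance stops tracking SYNs and starts answering with cookies instead. SECRET, WINDOW, the HMAC-SHA256 construction, the 8-bit time counter in the top byte and the names syn_cookie, ack_is_authentic and EmbryonicGuard are all assumptions of this illustration, not the appliance's actual algorithm.

```python
import hashlib
import hmac
import struct
import time

# Constructed demonstration of the mechanism on the slides; not ASA code.
SECRET = b"constructed-appliance-secret"      # assumed per-appliance secret key
WINDOW = 64                                   # assumed seconds per counter tick


def syn_cookie(src, dst, sport, dport, client_isn, counter, secret=SECRET):
    """ISN for the SYN-ACK: keyed hash of header fields plus a time counter, with
    the counter's low 8 bits in the top byte so the verifier knows which window applies."""
    msg = f"{src}|{dst}|{sport}|{dport}|{client_isn}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return ((counter & 0xFF) << 24) | (struct.unpack(">I", digest[:4])[0] & 0x00FFFFFF)


def ack_is_authentic(src, dst, sport, dport, client_isn, ack_num, now_counter, secret=SECRET):
    """The client's ACK must acknowledge cookie + 1; only the current and previous
    window are accepted, so a forged or stale ACK is rejected without any stored state."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    for counter in (now_counter, now_counter - 1):
        if (counter & 0xFF) != cookie >> 24:
            continue
        expected = syn_cookie(src, dst, sport, dport, client_isn, counter, secret)
        if hmac.compare_digest(struct.pack(">I", expected), struct.pack(">I", cookie)):
            return True
    return False


class EmbryonicGuard:
    """Per-destination embryonic counter driven by emb_lim: 0 disables protection;
    once the limit is reached, new SYNs are answered with a cookie and not tracked
    until the completed handshake proves the client is real."""

    def __init__(self, emb_lim):
        self.emb_lim = emb_lim
        self.embryonic = {}                          # destination ip -> count

    def on_syn(self, src, dst, sport, dport, client_isn, counter=None):
        counter = int(time.time()) // WINDOW if counter is None else counter
        n = self.embryonic.get(dst, 0)
        if self.emb_lim and n >= self.emb_lim:
            return "proxy", syn_cookie(src, dst, sport, dport, client_isn, counter)
        self.embryonic[dst] = n + 1                  # forward the SYN and track it
        return "forward", None

    def on_ack(self, dst):
        """Handshake completed: the embryonic entry becomes an established connection."""
        self.embryonic[dst] = max(0, self.embryonic.get(dst, 0) - 1)
```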



TCP/UDP Maximum Connection Limit

ciscoasa(config)#
static (real_interface,mapped_interface) {mapped_ip | interface} {real_ip [netmask mask]} | {access-list access_list_name} [dns] [[tcp] max_conns [emb_lim]] [udp udp_max_conns] [norandomseq [nailed]]

ciscoasa(config)#
nat (if_name) nat_id real_ip [mask [dns] [outside] [[tcp] max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]]

 Maximum number of simultaneous TCP or UDP connections that the local IP hosts are allowed.
– A value of 0 disables protection (default).
– Idle connections are closed after the time specified in the timeout command.

asa1(config)# nat (inside) 1 0.0.0.0 0.0.0.0 200 25
asa1(config)# static (inside,outside) 192.168.0.11 172.16.0.2 0 0 udp 100
Connections and Translations



Connections vs. Translations

Figure: inside host 10.0.0.11 (with 10.0.0.4) is translated to 192.168.0.20 and holds Telnet and HTTP connections across the Internet; the outside hosts shown are 192.168.10.11 and 192.168.10.5.

                Mapped / Pool       Local
Translation     192.168.0.20        10.0.0.11, 10.0.0.4
Connection      192.168.10.11:23    10.0.0.11:1026
Connection      192.168.10.11:80    10.0.0.11:1027

 Translations: NAT—Mapped address to real address; PAT—Mapped address and port to real address and port
 Connections: Host address and port to host address and port



show conn Command

Figure: connection from inside host 10.0.0.11 (with 10.0.0.4) to 192.168.10.11 across the Internet.

ciscoasa#
show conn
 Enables you to view all active connections

asa1#show conn
2 in use, 2 most used
asa1# show conn
2 in use, 9 most used
TCP out 192.168.10.11:80 in 10.0.0.11:2824 idle 0:00:03 bytes 2320 flags UIO
TCP out 192.168.10.11:80 in 10.0.0.11:2823 idle 0:00:03 bytes 3236 flags UIO



show conn detail Command

Figure: connection from inside host 10.0.0.11 to 192.168.10.11 across the Internet.

asa1# show conn detail
2 in use, 9 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
B - initial SYN from outside, C - CTIQBE media, D - DNS, d - dump,
E - outside back connection, F - outside FIN, f - inside FIN,
G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
i - incomplete, J - GTP, j - GTP data, k - Skinny media,
M - SMTP data, m - SIP media, O - outbound data, P - inside back conn,
q - SQL*Net data, R - outside acknowledged FIN,
R - UDP RPC, r - inside acknowledged FIN, S - awaiting inside SYN,
s - awaiting outside SYN, T - SIP, t - SIP transient, U - up
TCP outside:192.168.10.11/80 inside:10.0.0.11/2824 flags UIO
TCP outside:192.168.10.11/80 inside:10.0.0.11/2823 flags UIO



show local-host Command

Figure: connection from inside host 10.0.0.11 to 192.168.10.11 across the Internet.

asa1# show local-host
Interface dmz: 0 active, 0 maximum active, 0 denied
Interface inside: 1 active, 5 maximum active, 0 denied
local host: < 10.0.0.11 >,
TCP flow count/limit = 2/300
TCP embryonic count to host = 0
TCP intercept watermark = 25
UDP flow count/limit = 0/unlimited

Conn:
TCP out 192.168.10.11 :80 in 10.0.0.11 :2824 idle 0:00:05 bytes 466 flags UIO
TCP out 192.168.10.11 :80 in 10.0.0.11 :2823 idle 0:00:05 bytes 1402 flags UIO

Interface outside: 1 active, 1 maximum active, 0 denied
local host: < 192.168.10.11 >,
TCP flow count/limit = 2/unlimited
TCP embryonic count to host = 0
TCP intercept watermark = unlimited
UDP flow count/limit = 0/unlimited

Conn:
TCP out 192.168.10.11 :80 in insidehost:2824 idle 0:00:05 bytes 466 flags UIO
TCP out 192.168.10.11 :80 in insidehost:2823 idle 0:00:05 bytes 1402 flags UIO
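As an added example (not from the Cisco course), a Python parser for the connection lines printed by show conn, show conn detail and show local-host above, summarizing connections per inside host and singling out entries that have not finished the handshake. The sample output is constructed from the slide's lines plus two embryonic entries (flags saA and aB, built from the legend on the show conn detail slide); treating any TCP entry without the U flag as embryonic is this example's reading of that legend.

```python
import re
from collections import Counter

# Flag legend from the show conn detail output (only the flags used below).
FLAGS = {"A": "awaiting inside ACK to SYN", "a": "awaiting outside ACK to SYN",
         "B": "initial SYN from outside", "I": "inbound data", "O": "outbound data",
         "S": "awaiting inside SYN", "s": "awaiting outside SYN", "U": "up"}

# Two line shapes: show conn / show local-host ("out A:p in B:p idle ... bytes N flags F",
# where local-host prints a space before the colon) and show conn detail ("outside:A/p inside:B/p flags F").
SHORT = re.compile(r"^(TCP|UDP) out (\S+?)\s*:(\d+) in (\S+?)\s*:(\d+) idle (\S+) bytes (\d+) flags (\S+)$")
DETAIL = re.compile(r"^(TCP|UDP) outside:(\S+)/(\d+) inside:(\S+)/(\d+) flags (\S+)$")


def parse_conn(line):
    """Return a dict for one connection line, or None for headers, counters and legend lines."""
    line = line.strip()
    m = SHORT.match(line)
    if m:
        proto, oip, oport, iip, iport, idle, nbytes, flags = m.groups()
        return {"proto": proto, "outside": (oip, int(oport)), "inside": (iip, int(iport)),
                "idle": idle, "bytes": int(nbytes), "flags": flags}
    m = DETAIL.match(line)
    if m:
        proto, oip, oport, iip, iport, flags = m.groups()
        return {"proto": proto, "outside": (oip, int(oport)), "inside": (iip, int(iport)),
                "idle": None, "bytes": None, "flags": flags}
    return None


def is_embryonic(conn):
    """A TCP entry without the U (up) flag has not completed its three-way handshake."""
    return conn["proto"] == "TCP" and "U" not in conn["flags"]


def summarize(output):
    """Connections per inside host, the embryonic ones, and each flag string spelled out."""
    conns = [c for c in map(parse_conn, output.splitlines()) if c]
    return {"total": len(conns),
            "per_inside_host": dict(Counter(c["inside"][0] for c in conns)),
            "embryonic": [c for c in conns if is_embryonic(c)],
            "describe": {c["flags"]: [FLAGS.get(f, "?") for f in c["flags"]] for c in conns}}


# Constructed sample: the slide's lines plus two embryonic entries.
SAMPLE = """\
asa1# show conn
4 in use, 9 most used
TCP out 192.168.10.11:80 in 10.0.0.11:2824 idle 0:00:03 bytes 2320 flags UIO
TCP out 192.168.10.11 :80 in 10.0.0.11 :2823 idle 0:00:05 bytes 1402 flags UIO
TCP out 172.26.26.45:80 in 10.0.0.2:3301 idle 0:00:01 bytes 0 flags saA
TCP outside:172.16.16.20/1500 inside:10.0.0.3/80 flags aB
"""
```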



show xlate Command

Figure: translation of inside host 10.0.0.11 (with 10.0.0.4) to 192.168.0.20 toward 192.168.10.11 across the Internet.

ciscoasa#
show xlate
 Enables you to view translation slot information

asa1#show xlate
1 in use, 2 most used
Global 192.168.0.20 Local 10.0.0.11



show xlate detail Command

Figure: translation of inside host 10.0.0.11 to 192.168.0.20 toward 192.168.10.11 across the Internet.

asa1# show xlate detail
1 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - dynamic, n - no random, r - portmap, s - static
NAT from inside:10.0.0.11 to outside:192.168.0.20 flags i



Summary



Summary

 The security appliance manages the TCP and UDP protocols through the use of a translation table (for NAT sessions) and a connection table (for TCP and UDP sessions).
 The static command creates a permanent translation.
 Mapping between local and global address pools is done dynamically with the nat command.
 The nat and global commands work together to hide internal IP addresses.
 The security appliance supports PAT.
 Configuring multiple interfaces requires a greater attention to detail, but it can be done with standard security appliance commands.
 SYN cookies, which you enable by setting embryonic connection limits in the nat or static command, provide a means of checking the validity of incoming TCP sessions.



Lab Visual Objective

Figure: lab topology for Pods 1–5 (P) and Pods 6–10 (Q).
 Backbone 172.26.26.0: Web/FTP server at .50 and RBB at .150; RBB is .1 on both 192.168.P.0 and 192.168.Q.0.
 Each pod: ASA outside interface .2 on 192.168.P.0, inside interface .1 on 10.0.P.0, DMZ interface .1 on 172.16.P.0 with the Bastion Host (Web/FTP) at .2.
 Inside 10.0.P.0: hosts at .10 and .100 (RTS, Web/FTP) and the Student PC (Web/FTP, Local: 10.0.P.11); the Q pods mirror this with 192.168.Q.0, 172.16.Q.0, 10.0.Q.0 and Local: 10.0.Q.11.



