Why Use NAT?
Each computer and device within an IP network is assigned a
unique IP address that identifies the host. Because of a shortage of public IPv4
addresses, most of these IP addresses are private, not routable anywhere outside
of the private company network. RFC 1918 defines the private IP addresses you
can use internally that should not be advertised:
•
10.0.0.0 through
10.255.255.255
•
172.16.0.0
through 172.31.255.255
•
192.168.0.0
through 192.168.255.255
One of the main functions of NAT is to enable private IP
networks to connect to the Internet. NAT replaces a private IP address with a
public IP address, translating the private addresses in the internal private
network into legal, routable addresses that can be used on the public Internet.
In this way, NAT conserves public addresses because it can be configured to
advertise only one public address for the entire network to the outside world.
Other functions of NAT include:
•
Security—Keeping
internal IP addresses hidden discourages direct attacks.
•
IP routing
solutions—Overlapping IP addresses are not a problem when you use NAT.
•
Flexibility—You
can change internal IP addressing schemes without affecting the public addresses
available externally; for example, for a server accessible to the Internet, you
can maintain a fixed IP address for Internet use, but internally, you can change
the server address.
Note NAT is not
required. If you do not configure NAT for a given set of traffic, that traffic
will not be translated, but will have all of the security policies applied as
normal.
NAT Terminology
This document uses the following terminology:
•
Real
address/host/network/interface—The real address is the address that is defined
on the host, before it is translated. In a typical NAT scenario where you want
to translate the inside network when it accesses the outside, then the inside
network would be the "real" network. Note that you can translate any network
connected to the adaptive security appliance, not just an inside network,
Therefore if you configure NAT to translate outside addresses, "real" can refer
to the outside network when it accesses the inside network.
•
Mapped
address/host/network/interface—The mapped address is the address that the real
address is translated to. In a typical NAT scenario where you want to translate
the inside network when it accesses the outside, then the outside network would
be the "mapped" network.
•
Bidirectional
initiation—Static NAT allows connections to be initiated
bidirectionally, meaning both to the host and from the
host.
•
Source and
destination NAT—For any given packet, both the source and destination IP
addresses are compared to the NAT rules, and one or both can be
translated/untranslated.
NAT Types
You can implement NAT using the following methods:
•
Static NAT—A
consistent mapping between a real and mapped IP address. Allows bidirectional
traffic initiation.
•
Dynamic NAT—A
group of real IP addresses are mapped to a (usually smaller) group of mapped IP
addresses, on a first come, first served basis. Only the real host can initiate
traffic.
•
Dynamic Port
Address Translation (PAT)—A group of real IP addresses are mapped to a single IP
address using a unique source port of that IP address.
•
Identity
NAT—Static NAT lets you translate a real address to itself, essentially
bypassing NAT. You might want to configure NAT this way when you want to
translate a large group of addresses, but then want to exempt a smaller subset
of addresses.
This section includes the following topics:
Static NAT
This section describes static NAT and includes the following
topics:
Information About Static NAT
Static NAT creates a fixed translation of a real address to a
mapped address. Because the mapped address is the same for each consecutive
connection, static NAT allows bidirectional connection initiation, both to and
from the host (if an access rule exists that allows it). With dynamic NAT and
PAT, on the other hand, each host uses a different address or port for each
subsequent translation, so bidirectional initiation is not supported.
Figure 26-1 shows a
typical static NAT scenario. The translation is always active so both real and
remote hosts can initiate connections.
Figure 26-1 Static NAT
Information About Static NAT with Port Translation
Static NAT with port translation lets you specify a real and
mapped protocol (TCP or UDP) and port.
This section includes the following topics:
Information About Static NAT with Port Address Translation
When you specify the port with static NAT, you can choose to
map the port to the same value or to a different value. Using the same value
lets you translate ipA/port1 to ipX/port1 while translating ipA/port2 to
ipY/port2.
Figure 26-2 shows a
typical static NAT with port translation scenario showing both a port that is
mapped to itself and a port that is mapped to a different value. The translation
is always active so both translated and remote hosts can initiate connections.
Figure 26-2 Typical Static NAT with Port Translation
Scenario
Note For applications
that require application inspection for secondary channels (for example, FTP and
VoIP), the adaptive security appliance automatically translates the secondary
ports.
Static NAT with Identity Port Translation
The following static NAT with port translation example
provides a single address for remote users to access FTP, HTTP, and SMTP. These
servers are actually different devices on the real network, but for each server,
you can specify static NAT with port translation rules that use the same mapped
IP address, but different ports. (See
Figure 26-3. See the
"Single Address for FTP, HTTP, and SMTP (Static NAT with Port
Translation)" section for details on how to configure this example.)
Figure 26-3 Static NAT with Port Translation
Static NAT with Port Translation for Non-Standard Ports
You can also use static NAT with port translation to
translate a well-known port to a non-standard port or vice versa. For example,
if inside web servers use port 8080, you can allow outside users to connect to
port 80, and then undo translation to the original port 8080. Similarly, to
provide extra security, you can tell web users to connect to non-standard port
6785, and then undo translation to port 80.
Static Interface NAT with Port Translation
You can configure static NAT to map a real address to an
interface address/port combination. For example, if you want to redirect Telnet
access to the adaptive security appliance outside port to an inside IP address
(for example, a router interface), then you can map the inside IP address on
port 23 to the interface address on port 23. (Note that Telnet is not allowed to
the lowest security interface normally; static NAT with interface port
translation redirects the disallowed Telnet session instead of denying it).
Information About One-to-Many Static NAT
Typically, you configure static NAT with a one-to-one
mapping. However, in some cases, you might want to configure a single real
address to several mapped addresses (one-to-many). When you configure
one-to-many static NAT, when the real host initiates traffic, it always uses the
first mapped address. However, for traffic initiated to the host, you can
initiate traffic to any of the mapped addresses, and they will be untranslated
to the single real address.
Figure 26-4 shows a
typical one-to-many static NAT scenario. The first translation is always active
so both translated and remote hosts can initiate connections, but the subsequent
mappings are unidirectional to the real host.
Figure 26-4 One-to-Many Static NAT
For example, you have a load balancer at 10.1.2.27; depending
on the URL requested, it redirects traffic to the correct web server. (See
Figure 26-5. See the
"Inside Load Balancer with
Multiple Mapped Addresses (Static NAT, One-to-Many)" section for details on
how to configure this example.)
Figure 26-5 One-to-Many Static NAT
Information About Other Mapping Scenarios (Not Recommended)
The adaptive security appliance has the flexibility to allow
any kind of static mapping scenario: one-to-one, one-to-many, but also
few-to-many, many-to-few, and many-to-one mappings. These other mapping options,
however, might result in unintended consequences. We recommend using only
one-to-one or one-to-many mappings.
Functionally, few-to-many is the same as one-to-many; but
because the configuration is more complicated, we recommend creating a
one-to-many configuration for each real address that requires it. For example,
for a few-to-many scenario, the few real addresses are mapped to the many mapped
addresses in order (A to 1, B to 2, C to 3). When all real addresses are mapped,
the next mapped address is mapped to the first real address, and so on until all
mapped addresses are mapped (A to 4, B to 5, C to 6). This results in multiple
mapped addresses for each real address. Just like a one-to-many configuration,
only the first mappings are bidirectional; subsequent mappings allow traffic to
be initiated to the real host, but all traffic from the real host uses only the first mapped address for
the source.
Figure 26-6 shows a
typical few-to-many static NAT scenario. The first translation for each real
address is always active so both translated and remote hosts can initiate
connections, but the subsequent mappings are unidirectional to the real hosts.
Figure 26-6 Few-to-Many Static NAT
For a many-to-few or many-to-one configuration, where you
have more real addresses than mapped addresses, you run out of mapped addresses
before you run out of real addresses. Only the mappings between the lowest real
IP addresses and the mapped pool result in bidirectional initiation. The
remaining higher real addresses can initiate traffic, but traffic cannot be
initiated to them (returning traffic for a connection is directed to the correct
real address because of the unique 5-tuple (source IP, destination IP, source
port, destination port, protocol) for the connection).
Note Many-to-few or
many-to-one NAT is not PAT. If two real hosts use the same source port number
and go to the same outside server and the same TCP destination port, and both
hosts are translated to the same IP address, then both connections will be reset
because of an address conflict (the 5-tuple is not unique).
Figure 26-7 shows a
typical many-to-few static NAT scenario. The translations between the lowest
real addresses and the mapped addresses are always active so both translated and
remote hosts can initiate connections, but the mappings for higher IP addresses
are unidirectional from the real hosts.
Figure 26-7 Many-to-Few Static NAT
Instead of using a static rule this way, we suggest that you
create a one-to-one rule for the traffic that needs bidirectional initiation,
and then create a dynamic rule for the rest of your addresses.
Dynamic NAT
This section describes dynamic NAT and includes the following
topics:
Information About Dynamic NAT
Dynamic NAT translates a group of real addresses to a pool of
mapped addresses that are routable on the destination network. The mapped pool
typically includes fewer addresses than the real group. When a host you want to
translate accesses the destination network, the adaptive security appliance
assigns the host an IP address from the mapped pool. The translation is created
only when the real host initiates the connection. The translation is in place
only for the duration of the connection, and a given user does not keep the same
IP address after the translation times out. Users on the destination network,
therefore, cannot initiate a reliable connection to a host that uses dynamic
NAT, even if the connection is allowed by an access rule.
Figure 26-8 shows a
typical dynamic NAT scenario. Only real hosts can create a NAT session, and
responding traffic is allowed back.
Figure 26-8 Dynamic NAT
Figure 26-9 shows a
remote host attempting to initiate a connection to a mapped address. This
address is not currently in the translation table; therefore, the adaptive
security appliance drops the packet.
Figure 26-9 Remote Host Attempts to Initiate a Connection
to a Mapped Address
Note For the duration
of the translation, a remote host can initiate a connection to the translated
host if an access rule allows it. Because the address is unpredictable, a
connection to the host is unlikely. Nevertheless, in this case you can rely on
the security of the access rule.
Dynamic NAT Disadvantages and Advantages
Dynamic NAT has these disadvantages:
•
If the mapped
pool has fewer addresses than the real group, you could run out of addresses if
the amount of traffic is more than expected.
Use PAT if this event occurs often because PAT provides over
64,000 translations using ports of a single address.
•
You have to use
a large number of routable addresses in the mapped pool; if the destination
network requires registered addresses, such as the Internet, you might encounter
a shortage of usable addresses.
The advantage of dynamic NAT is that some protocols cannot
use PAT. PAT does not work with the following:
•
IP protocols
that do not have a port to overload, such as GRE version 0.
•
Some multimedia
applications that have a data stream on one port, the control path on another
port, and are not open standard.
See the
"When to Use Application Protocol Inspection" section for more
information about NAT and PAT support.
Dynamic PAT
This section describes dynamic PAT and includes the following
topics:
Information About Dynamic PAT
Dynamic PAT translates multiple real addresses to a single
mapped IP address by translating the real address and source port to the mapped
address and a unique port above 1024. Each connection requires a separate
translation session because the source port differs for each connection. For
example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.
Figure 26-10 shows a
typical dynamic PAT scenario. Only real hosts can create a NAT session, and
responding traffic is allowed back. The mapped address is the same for each
translation, but the port is dynamically assigned.
Figure 26-10 Dynamic PAT
After the connection expires, the port translation also
expires after 30 seconds of inactivity. The timeout is not configurable. Users
on the destination network cannot reliably initiate a connection to a host that
uses PAT (even if the connection is allowed by an access rule).
Note For the duration
of the translation, a remote host can initiate a connection to the translated
host if an access rule allows it. Because the port address (both real and
mapped) is unpredictable, a connection to the host is unlikely. Nevertheless, in
this case you can rely on the security of the access rule.
Dynamic PAT Disadvantages and Advantages
Dynamic PAT lets you use a single mapped address, thus
conserving routable addresses. You can even use the adaptive security appliance
interface IP address as the PAT address.
Dynamic PAT does not work with some multimedia applications
that have a data stream that is different from the control path. See the
"When to Use Application
Protocol Inspection" section for more information about NAT and PAT support.
Identity NAT
You might have a NAT configuration in which you need to
translate an IP address to itself. For example, if you create a broad rule that
applies NAT to every network, but want to exclude one network from NAT, you can
create a static NAT rule to translate an address to itself. Identity NAT is
necessary for remote access VPN, where you need to exempt the client traffic
from NAT.
Note Identity NAT does
not perform proxy ARP nor does it allow the specified interface to override the
route lookup for a packet.
Figure 26-11 shows a
typical identity NAT scenario.
Figure 26-11 Identity NAT
NAT in Routed and Transparent Mode
You can configure NAT in both routed and transparent firewall
mode. This section describes typical usage for each firewall mode and includes
the following topics:
NAT in Routed Mode
Figure 26-12 shows a
typical NAT example in routed mode, with a private network on the inside.
Figure 26-12 NAT Example: Routed Mode
1. When the inside
host at 10.1.2.27 sends a packet to a web server, the real source address of the
packet, 10.1.2.27, is changed to a mapped address, 209.165.201.10.
2. When the server
responds, it sends the response to the mapped address, 209.165.201.10, and the
adaptive security appliance receives the packet.
3. The adaptive
security appliance then changes the translation of the mapped address,
209.165.201.10, back to the real address, 10.1.2.27, before sending it to the
host.
NAT in Transparent Mode
Using NAT in transparent mode eliminates the need for the
upstream or downstream routers to perform NAT for their networks.
NAT in transparent mode has the following requirements and
limitations:
•
When the mapped
addresses are not on the same network as the transparent firewall, then on the
upstream router you need to add a static route for the mapped addresses that
points to the downstream router (through the adaptive security appliance).
•
When you have
VoIP or DNS traffic with NAT and inspection enabled, to successfully translate
the IP address inside VoIP and DNS packets, the adaptive security appliance
needs to perform a route lookup. Unless the host is on a directly-connected
network, then you need to add a static route on the adaptive security appliance
for the real host address that is embedded in the packet.
•
Because the
transparent firewall does not have any interface IP addresses, you cannot use
interface PAT.
•
ARP inspection
is not supported. Moreover, if for some reason a host on one side of the
adaptive security appliance sends an ARP request to a host on the other side of
the adaptive security appliance, and the initiating host real address is mapped
to a different address on the same subnet, then the real address remains visible
in the ARP request.
Figure 26-13 shows a
typical NAT scenario in transparent mode, with the same network on the inside
and outside interfaces. The transparent firewall in this scenario is performing
the NAT service so that the upstream router does not have to perform NAT.
Figure 26-13 NAT Example: Transparent Mode
1. When the inside
host at 10.1.1.75 sends a packet to a web server, the real source address of the
packet, 10.1.1.75, is changed to a mapped address, 209.165.201.15.
2. When the server
responds, it sends the response to the mapped address, 209.165.201.15, and the
adaptive security appliance receives the packet because the upstream router
includes this mapped network in a static route directed through the adaptive
security appliance.
3. The adaptive
security appliance then undoes the translation of the mapped address,
209.165.201.15, back to the real address, 10.1.1.1.75. Because the real address
is directly-connected, the adaptive security appliance sends it directly to the
host.
4. For host
192.168.1.2, the same process occurs, except that the adaptive security
appliance looks up the route in its route table and sends the packet to the
downstream router at 10.1.1.3 based on the static route.
How NAT is Implemented
The adaptive security appliance can implement address
translation in two ways: network object NAT and twice NAT. This section includes the following topics:
Main Differences Between Network Object NAT and Twice NAT
The main differences between these two NAT types are:
•
How you define
the real address.
–
Network object
NAT—You define NAT as a parameter for a network object; the network object
definition itself provides the real address. This method lets you easily add NAT
to network objects. The objects can also be used in other parts of your
configuration, for example, for access rules or even in twice NAT rules.
–
Twice NAT—You
identify a network object or network object group for both the real and mapped
addresses. In this case, NAT is not a parameter of the network object; the
network object or group is a parameter of the NAT configuration. The ability to
use a network object
group for the real address means
that twice NAT is more scalable.
•
How source and
destination NAT is implemented.
–
Network object
NAT— Each rule can apply to either the source or destination of a packet. So two
rules might be used, one for the source IP address, and one for the destination
IP address. These two rules cannot be tied together to enforce a specific
translation for a source/destination combination.
–
Twice NAT—A
single rule translates both the source and destination. A matching packet only
matches the one rule, and further rules are not checked. Even if you do not
configure the optional destination address for twice NAT, a matching packet
still only matches one twice NAT rule. The source and destination are tied
together, so you can enforce different translations depending on the
source/destination combination. For example, sourceA/destinationA can have a
different translation than sourceA/destinationB.
•
Order of NAT
Rules.
–
Network object
NAT—Automatically ordered in the NAT table.
–
Twice
NAT—Manually ordered in the NAT table (before or after network object NAT
rules).
See the
"NAT Rule Order"
section for more information.
We recommend using network object NAT unless you need the
extra features that twice NAT provides. Network object NAT is easier to
configure, and might be more reliable for applications such as Voice over IP
(VoIP). (For VoIP, because twice NAT is applicable only between two objects, you
might see a failure in the translation of indirect addresses that do not belong
to either of the objects.)
Information About Network Object NAT
All NAT rules that are configured as a parameter of a network
object are considered to be network object NAT rules. Network object NAT is a
quick and easy way to configure NAT for a network object, which can be a single
IP address, a range of addresses, or a subnet.
After you configure the network object, you can then identify
the mapped address for that object, either as an inline address or as another
network object or network object group.
When a packet enters the adaptive security appliance, both
the source and destination IP addresses are checked against the network object
NAT rules. The source and destination address in the packet can be translated by
separate rules if separate matches are made. These rules are not tied to each
other; different combinations of rules can be used depending on the traffic.
Because the rules are never paired, you cannot specify that
sourceA/destinationA should have a different translation than
sourceA/destinationB. Use twice NAT for that kind of functionality (twice NAT
lets you identify the source and destination address in a single rule).
To start configuring network object NAT, see
Chapter 28 "Configuring Network
Object NAT."
Information About Twice NAT
Twice NAT lets you identify both the source and destination
address in a single rule. Specifying both the source and destination addresses
lets you specify that sourceA/destinationA can have a different translation than
sourceA/destinationB.
The destination address is optional. If you specify the
destination address, you can either map it to itself (identity NAT), or you can
map it to a different address. The destination mapping is always a static
mapping.
Twice NAT also lets you use service objects for static NAT
with port translation; network object NAT only accepts inline definition.
To start configuring twice NAT, see
Chapter 29 "Configuring Twice
NAT."
Figure 26-14 shows a host
on the 10.1.2.0/24 network accessing two different servers. When the host
accesses the server at 209.165.201.11, the real address is translated to
209.165.202.129. When the host accesses the server at 209.165.200.225, the real
address is translated to 209.165.202.130. (See the
"Single Address for FTP, HTTP,
and SMTP (Static NAT with Port Translation)" section for details on how to
configure this example.)
Figure 26-14 Twice NAT with Different Destination
Addresses
Figure 26-15 shows the
use of source and destination ports. The host on the 10.1.2.0/24 network
accesses a single host for both web services and Telnet services. When the host
accesses the server for web services, the real address is translated to
209.165.202.129. When the host accesses the same server for Telnet services, the
real address is translated to 209.165.202.130.
Figure 26-15 Twice NAT with Different Destination Ports
Figure 26-16 shows a
remote host connecting to a translated host. The translated host has a twice
static NAT translation that translates the real address only for traffic to and
from the 209.165.201.0/27 network. A translation does not exist for the
209.165.200.224/27 network, so the translated host cannot connect to that
network, nor can a host on that network connect to the translated host.
Figure 26-16 Twice Static NAT with Destination Address
Translation
NAT Rule Order
Network object NAT rules and twice NAT rules are stored in a
single table that is divided into three sections. Section 1 rules are applied
first, then section 2, and finally section 3.
Table 26-1 shows the order of rules within each section.
Table 26-1 NAT Rule Table
Table Section
|
Rule Type
|
Order of Rules within the Section
|
Section 1
|
Twice NAT
|
Applied on a first match basis, in the order they appear in
the configuration. By default, twice NAT rules are added to section 1.
Note If you configure
VPN, the client dynamically adds invisible NAT rules to the end of this section.
Be sure that you do not configure a twice NAT rule in this section that might
match your VPN traffic, instead of matching the invisible rule. If VPN does not
work due to NAT failure, consider adding twice NAT rules to section 3 instead.
|
Section 2
|
Network object NAT
|
Section 2 rules are applied in the following order, as
automatically determined by the adaptive security appliance:
1. Static rules.
2. Dynamic rules.
Within each rule type, the following ordering guidelines are
used:
a. Quantity of real
IP addresses—From smallest to largest. For example, an object with one address
will be assessed before an object with 10 addresses.
b. For quantities
that are the same, then the IP address number is used, from lowest to highest.
For example, 10.1.1.0 is assessed before 11.1.1.0.
c. If the same IP
address is used, then the name of the network object is used, in alphabetical
order. For example, abracadabra is assessed before catwoman.
|
Section 3
|
Twice NAT
|
Section 3 rules are applied on a first match basis, in the
order they appear in the configuration. You can specify whether to add a twice
NAT rule to section 3 when you add the rule.
|
For section 2 rules for example, you have the following IP
addresses defined within network objects:
192.168.1.0/24 (static)
192.168.1.0/24 (dynamic)
10.1.1.0/24 (static)
192.168.1.1/32 (static)
172.16.1.0/24 (dynamic) (object def)
172.16.1.0/24 (dynamic) (object abc)
The resultant ordering would be:
192.168.1.1/32 (static)
10.1.1.0/24 (static)
192.168.1.0/24 (static)
172.16.1.0/24 (dynamic) (object abc)
172.16.1.0/24 (dynamic) (object def)
192.168.1.0/24 (dynamic)
NAT Interfaces
You can configure a NAT rule to apply to any interface, or
you can identify specific real and mapped interfaces. You can also specify any
interface for the real address, and a specific interface for the mapped address,
or vice versa.
For example, you might want to specify any interface for the
real address and specify the outside interface for the mapped address if you use
the same private addresses on multiple interfaces, and you want to translate
them all to the same global pool when accessing the outside (
Figure 26-17).
Figure 26-17 Specifying Any Interface
Mapped Address Guidelines
When you translate the real address to a mapped address, you
can use the following mapped addresses:
•
Addresses on the
same network as the mapped interface.
If you use addresses on the same network as the mapped
interface (through which traffic exits the adaptive security appliance), the
adaptive security appliance uses proxy ARP to answer any requests for mapped
addresses, and thus it intercepts traffic destined for a real address. This
solution simplifies routing because the adaptive security appliance does not
have to be the gateway for any additional networks. However, this approach does
put a limit on the number of available addresses used for translations.
For PAT, you can even use the IP address of the mapped
interface.
Note If you configure
the mapped interface to be any interface, but you specify a mapped address on
the same network as one of the interfaces, then if an ARP request for that
mapped address comes in on a
different interface, then
you need to manually configure an ARP entry for that network on the other
interface where you specify the interface MAC address (see the
arp command). Typically, if you specify any interface for the
mapped interface, then you use a unique network for the mapped addresses.
•
Addresses on a
unique network.
If you need more addresses than are available on the mapped
interface network, you can identify addresses on a different subnet. The
adaptive security appliance uses proxy ARP to answer any requests for mapped
addresses, and thus it intercepts traffic destined for a real address.
Note Identity NAT does
not perform proxy ARP nor does it allow the specified interface to override the
route lookup for a packet.
DNS and NAT
You might need to configure the adaptive security appliance
to modify DNS replies by replacing the address in the reply with an address that
matches the NAT configuration. You can configure DNS modification when you
configure each translation.
This feature rewrites the A record, or address record, in DNS
replies that match a NAT rule. For DNS replies traversing from a mapped
interface to any other interface, the A record is rewritten from the mapped
value to the real value. Inversely, for DNS replies traversing from any
interface to a mapped interface, the A record is rewritten from the real value
to the mapped value.
Note If you configure
a twice NAT rule, you cannot configure DNS modification if you specify the
source address as well as the destination address. These kinds of rules can
potentially have a different translation for a single address when going to A
vs. B. Therefore, the adaptive security appliance cannot accurately match the IP
address inside the DNS reply to the correct twice NAT rule; the DNS reply does
not contain information about which source/destination address combination was
in the packet that prompted the DNS request.
For example, a DNS server is accessible from the outside
interface. A server, ftp.cisco.com, is on the inside interface. You configure
the adaptive security appliance to statically translate the ftp.cisco.com real
address (10.1.3.14) to a mapped address (209.165.201.10) that is visible on the
outside network. (See
Figure 26-18.) In this
case, you want to enable DNS reply modification on this static rule so that
inside users who have access to ftp.cisco.com using the real address receive the
real address from the DNS server, and not the mapped address.
When an inside host sends a DNS request for the address of
ftp.cisco.com, the DNS server replies with the mapped address (209.165.201.10).
The adaptive security appliance refers to the static rule for the inside server
and translates the address inside the DNS reply to 10.1.3.14. If you do not
enable DNS reply modification, then the inside host attempts to send traffic to
209.165.201.10 instead of accessing ftp.cisco.com directly.
Figure 26-18 DNS Reply Modification
Note If a user on a
different network (for example, DMZ) also requests the IP address for
ftp.cisco.com from the outside DNS server, then the IP address in the DNS reply
is also modified for this user, even though the user is not on the Inside
interface referenced by the static rule.
Figure 26-19 shows a web
server and DNS server on the outside. The adaptive security appliance has a
static translation for the outside server. In this case, when an inside user
requests the address for ftp.cisco.com from the DNS server, the DNS server
responds with the real address, 209.165.20.10. Because you want inside users to
use the mapped address for ftp.cisco.com (10.1.2.56) you need to configure DNS
reply modification for the static translation.
Figure 26-19 DNS Reply Modification Using Outside NAT
Back to the top
