Cisco Systems ASA 5580 User Manual

Cisco ASA Series Firewall CLI Configuration Guide, page 3-20
Chapter 3: Information About NAT
Routing NAT Packets
Mapped Addresses and Routing
When you translate the real address to a mapped address, the mapped address you choose determines 
how to configure routing, if necessary, for the mapped address.
See additional guidelines about mapped IP addresses in 
 
and 
See the following mapped address types:
Addresses on the same network as the mapped interface.
If you use addresses on the same network as the mapped interface, the ASA uses proxy ARP to 
answer any ARP requests for the mapped addresses, thus intercepting traffic destined for a mapped 
address. This solution simplifies routing because the ASA does not have to be the gateway for any 
additional networks. This solution is ideal if the outside network contains an adequate number of 
free addresses, a consideration if you are using a 1:1 translation like dynamic NAT or static NAT. 
Dynamic PAT greatly extends the number of translations you can use with a small number of 
addresses, so this method can be used even if only a few addresses are available on the outside 
network. For PAT, you can even use the IP address of the mapped interface.
Note
If you configure the mapped interface to be any interface, and you specify a mapped address 
on the same network as one of the mapped interfaces, then an ARP request for that mapped 
address may come in on a different interface. In that case you need to manually configure an 
ARP entry for that address on the ingress interface, specifying its MAC address (see the arp 
command). Typically, if you specify any interface for the mapped interface, then you use a 
unique network for the mapped addresses, so this situation would not occur.
Addresses on a unique network.
If you need more addresses than are available on the mapped interface network, you can identify 
addresses on a different subnet. The upstream router needs a static route for the mapped addresses 
that points to the ASA. Alternatively, for routed mode, you can configure a static route on the ASA 
for the mapped addresses, and then redistribute the route using your routing protocol. For 
transparent mode, if the real host is directly connected, configure the static route on the upstream 
router to point to the ASA: specify the bridge group IP address. For remote hosts in transparent 
mode, in the static route on the upstream router, you can alternatively specify the downstream router 
IP address.
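The following ASA configuration is an added example illustrating the first two mapped address types above; it is not taken from the guide. The interface names (inside, outside, dmz), object names, the 10.1.1.0/24, 209.165.201.0/27 and 209.165.202.0/27 prefixes, and the MAC address in the arp entry are assumed placeholders.

```cisco
! Assumed topology (placeholder addresses, not from the guide):
!   inside  10.1.1.0/24      ASA inside IP  10.1.1.1
!   outside 209.165.201.0/27 ASA outside IP 209.165.201.2, upstream router 209.165.201.1

! 1) Mapped address on the same network as the mapped interface.
!    209.165.201.10 lies on the outside subnet, so the ASA answers ARP for it
!    (proxy ARP) and the upstream router needs no extra route.
object network web-server-real
 host 10.1.1.10
 nat (inside,outside) static 209.165.201.10

!    Dynamic PAT that reuses the outside interface address itself.
object network inside-net
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

!    Case from the Note: mapped interface is "any" and the mapped address shares
!    the outside subnet. An ARP request for it arriving on dmz is not covered by
!    proxy ARP, so a manual entry is added on that ingress interface. The MAC is a
!    placeholder for the ASA dmz interface MAC; "alias" makes the ASA answer ARP
!    requests for this IP with that MAC.
object network app-server-real
 host 10.1.1.20
 nat (inside,any) static 209.165.201.20
arp dmz 209.165.201.20 0009.7cbe.2100 alias

! 2) Mapped addresses on a unique network (not on any ASA interface subnet).
!    The ASA does not proxy ARP for 209.165.202.0/27, so the upstream router
!    must have a static route for that prefix pointing at the ASA outside IP.
object network mapped-pool
 range 209.165.202.1 209.165.202.30
object network inside-net-pool
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic mapped-pool

! On the upstream router (Cisco IOS syntax): next hop is the ASA outside interface.
ip route 209.165.202.0 255.255.255.224 209.165.201.2

! Verification on the ASA: mapped addresses on the outside subnet show up as
! proxy entries, while translations can be inspected with show nat.
show arp
show nat detail
```

In case 2 the ASA-side alternative mentioned in the text (a static route on the ASA for the mapped prefix, redistributed into the routing protocol) replaces the ip route line on the upstream router; the upstream route shown here is the simpler option and is the one required in transparent mode.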
The same address as the real address (identity NAT).
The default behavior for identity NAT has proxy ARP enabled, matching other static NAT rules. You 
can disable proxy ARP if desired. Note: You can also disable proxy ARP for regular static NAT if 
desired, in which case you need to be sure to have proper routes on the upstream router.
Normally for identity NAT, proxy ARP is not required, and in some cases can cause connectivity 
issues. For example, if you configure a broad identity NAT rule for “any” IP address, then leaving 
proxy ARP enabled can cause problems for hosts on the network directly connected to the mapped 
interface. In this case, when a host on the mapped network wants to communicate with another host 
on the same network, then the address in the ARP request matches the NAT rule (which matches 
“any” address). The ASA will then proxy ARP for the address, even though the packet is not actually 
destined for the ASA. (Note that this problem occurs even if you have a twice NAT rule; although 
the NAT rule must match both the source and destination addresses, the proxy ARP decision is made 
only on the “source” address). If the ASA ARP response is received before the actual host ARP 
response, then traffic will be mistakenly sent to the ASA (see
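As an added example (not from the guide), the configuration below puts the broad identity NAT rule described above beside the same rule with proxy ARP disabled, so the ASA no longer answers ARP requests that are not destined for it. Object names, the inside and outside interface names, and the 10.1.1.0/24, 10.2.2.0/24 and 192.168.10.5 addresses are assumed placeholders; only one of the two "any" rules would be configured at a time.

```cisco
! Problematic: broad twice NAT identity rule for "any" with proxy ARP at its
! default (enabled). Hosts on the outside subnet ARPing for each other match
! this rule, and if the ASA replies first their traffic is drawn to the ASA.
nat (inside,outside) source static any any

! Corrected: the same identity rule with proxy ARP disabled. route-lookup is
! added so the egress interface comes from the routing table rather than the
! NAT rule, which is the usual pairing for identity NAT.
nat (inside,outside) source static any any no-proxy-arp route-lookup

! Narrower twice NAT identity rule (e.g. for site-to-site VPN traffic). The
! proxy ARP decision is made on the source address only, so no-proxy-arp still
! applies even though the rule also matches the destination.
object network inside-net
 subnet 10.1.1.0 255.255.255.0
object network remote-net
 subnet 10.2.2.0 255.255.255.0
nat (inside,outside) source static inside-net inside-net destination static remote-net remote-net no-proxy-arp route-lookup

! Object NAT identity rule: proxy ARP also defaults to enabled here and is
! disabled the same way.
object network dmz-server
 host 192.168.10.5
 nat (dmz,outside) static dmz-server no-proxy-arp

! Verification: the ARP table should not contain proxy entries for addresses
! that belong to other hosts on the outside subnet.
show arp
show nat detail
```

The same no-proxy-arp keyword disables proxy ARP for regular (non-identity) static NAT, as the note above says; in that case make sure the upstream router has a route for the mapped addresses, since the ASA will no longer attract that traffic by answering ARP.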