Home » Cisco Manuals » Bridges & Routers » Cisco 7604 » Manual Viewer

Cisco 7604 Configuration Guide - Page 314

Bypassing NAT when NAT Control is Enabled, Policy NAT

Add to My Manuals
Save this manual to your list of manuals

Page 314 highlights

NAT Overview Chapter 16 Configuring NAT Bypassing NAT when NAT Control is Enabled If you enable NAT control, then inside hosts must match a NAT rule when accessing outside hosts. If you do not want to perform NAT for some hosts, then you can bypass NAT for those hosts (alternatively, you can disable NAT control). You might want to bypass NAT, for example, if you are using an application that does not support NAT. (See the "Inspection Engine Overview" section on page 22-2 for information about inspection engines that do not support NAT.) You can configure traffic to bypass NAT using one of three methods. All methods achieve compatibility with inspection engines. However, each method offers slightly different capabilities, as follows: • Identity NAT (nat 0 command)-When you configure identity NAT (which is similar to dynamic NAT), you do not limit translation for a host on specific interfaces; you must use identity NAT for connections through all interfaces. Therefore, you cannot choose to perform normal translation on real addresses when you access interface A, but use identity NAT when accessing interface B. Regular dynamic NAT, on the other hand, lets you specify a particular interface on which to translate the addresses. Make sure that the real addresses for which you use identity NAT are routable on all networks that are available according to your access lists. For identity NAT, even though the mapped address is the same as the real address, you cannot initiate a connection from the outside to the inside (even if the interface access list allows it). Use static identity NAT or NAT exemption for this functionality. • Static identity NAT (static command)-Static identity NAT lets you specify the interface on which you want to allow the real addresses to appear, so you can use identity NAT when you access interface A, and use regular translation when you access interface B. Static identity NAT also lets you use policy NAT, which identifies the real and destination addresses when determining the real addresses to translate. (See the "Policy NAT" section on page 16-10 for more information about policy NAT.) For example, you can use static identity NAT for an inside address when it accesses the outside interface and the destination is server A, but use a normal translation when accessing the outside server B. • NAT exemption (nat 0 access-list command)-NAT exemption allows both translated and remote hosts to initiate connections. Like identity NAT, you do not limit translation for a host on specific interfaces; you must use NAT exemption for connections through all interfaces. However, NAT exemption does let you specify the real and destination addresses when determining the real addresses to translate (similar to policy NAT), so you have greater control using NAT exemption. However unlike policy NAT, NAT exemption does not consider the ports in the access list. Policy NAT Policy NAT lets you identify real addresses for address translation by specifying the source and destination addresses in an extended access list. You can also optionally specify the source and destination ports. Regular NAT can only consider the source addresses, and not the destination. For example, with policy NAT, you can translate the real address to mapped address A when it accesses server A, but translate the real address to mapped address B when it accesses server B. For applications that require application inspection for secondary channels (FTP, VoIP, and so on), the policy specified in the policy NAT statement should include the secondary ports. Or, when the ports cannot be predicted, the policy should specify only the IP addresses for the secondary channel. This way, the FWSM translates the secondary ports. 16-10 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM OL-20748-01

Section	Page
About This Guide	27
Audience	27
Objectives	27
Document Conventions	27
Related Documentation	28
Obtaining Documentation and Submitting a Service Request	29
Quick Start Steps	31
Routed Firewall Minimum Configuration Steps	31
Transparent Firewall Minimum Configuration Steps	32
Getting Started and General Information	35
Introduction to the Firewall Services Module	37
New Features	38
Security Policy Overview	39
Permitting or Denying Traffic with Access Lists	40
Applying NAT	40
Protecting from IP Fragments	40
Using AAA for Through Traffic	40
Applying Internet Filtering	40
Applying Application Inspection	41
Applying Connection Limits	41
How the Firewall Services Module Works with the Switch	41
Using the MSFC	42
Firewall Mode Overview	43
Stateful Inspection Overview	44
Security Context Overview	45
Configuring the Switch for the Firewall Services Module	47
Switch Overview	47
Verifying the Module Installation	48
Assigning VLANs to the Firewall Services Module	48
VLAN Guidelines	49
Assigning VLANs to the FWSM	49
Adding Switched Virtual Interfaces to the MSFC	50
SVI Overview	51
Configuring SVIs	53
Customizing the FWSM Internal Interface	54
Configuring the Switch for Failover	55
Assigning VLANs to the Secondary Firewall Services Module	55
Adding a Trunk Between a Primary Switch and Secondary Switch	55
Ensuring Compatibility with Transparent Firewall Mode	55
Enabling Autostate Messaging for Rapid Link Failure Detection	55
Managing the Firewall Services Module Boot Partitions	56
Flash Memory Overview	56
Setting the Default Boot Partition	56
Resetting the FWSM or Booting from a Specific Partition	57
Connecting to the Firewall Services Module and Managing the Configuration	59
Connecting to the Firewall Services Module	59
Logging in to the FWSM	59
Logging out of the FWSM	60
Managing the Configuration	61
Saving Configuration Changes	61
Saving Configuration Changes in Single Context Mode	61
Saving Configuration Changes in Multiple Context Mode	61
Copying the Startup Configuration to the Running Configuration	63
Viewing the Configuration	63
Clearing and Removing Configuration Settings	63
Creating Text Configuration Files Offline	64
Configuring Security Contexts	65
Security Context Overview	65
Common Uses for Security Contexts	66
Unsupported Features	66
Context Configuration Files	66
Context Configurations	66
System Configuration	66
Admin Context Configuration	67
How the FWSM Classifies Packets	67
Valid Classifier Criteria	67
Invalid Classifier Criteria	68
Classification Examples	69
Sharing Interfaces Between Contexts	71
NAT and Origination of Traffic	72
Sharing an Outside Interface	72
Sharing an Inside Interface	72
Management Access to Security Contexts	73
System Administrator Access	73
Context Administrator Access	74
Enabling or Disabling Multiple Context Mode	74
Backing Up the Single Mode Configuration	74
Enabling Multiple Context Mode	74
Restoring Single Context Mode	75
Managing Memory for Rules	75
About Memory Partitions	76
Default Rule Allocation	76
Setting the Number of Memory Partitions	77
Changing the Memory Partition Size	78
Reallocating Rules Between Features for a Specific Memory Partition	83
Configuring Resource Management	85
Classes and Class Members Overview	86
Resource Limits	86
Default Class	87
Class Members	88
Configuring a Class	88
Configuring a Security Context	91
Changing Between Contexts and the System Execution Space	95
Managing Security Contexts	96
Removing a Security Context	96
Changing the Admin Context	97
Changing the Security Context URL	97
Reloading a Security Context	98
Reloading by Clearing the Configuration	98
Reloading by Removing and Readding the Context	99
Monitoring Security Contexts	99
Viewing Context Information	99
Viewing Resource Allocation	100
Viewing Resource Usage	103
Monitoring SYN Attacks in Contexts	104
Configuring the Firewall Mode	107
Routed Mode Overview	107
IP Routing Support	107
How Data Moves Through the FWSM in Routed Firewall Mode	108
An Inside User Visits a Web Server	108
An Outside User Visits a Web Server on the DMZ	109
An Inside User Visits a Web Server on the DMZ	110
An Outside User Attempts to Access an Inside Host	111
A DMZ User Attempts to Access an Inside Host	112
Transparent Mode Overview	113
Transparent Firewall Network	113
Bridge Groups	113
Management Interface	114
Allowing Layer 3 Traffic	114
Allowed MAC Addresses	114
Passing Traffic Not Allowed in Routed Mode	114
MAC Address vs. Route Lookups	115
Using the Transparent Firewall in Your Network	115
Transparent Firewall Guidelines	116
Unsupported Features in Transparent Mode	117
How Data Moves Through the Transparent Firewall	118
An Inside User Visits a Web Server	119
An Inside User Visits a Web Server Using NAT	120
An Outside User Visits a Web Server on the Inside Network	121
An Outside User Attempts to Access an Inside Host	122
Setting Transparent or Routed Firewall Mode	123
Configuring Interface Parameters	125
Security Level Overview	125
Configuring Interfaces for Routed Firewall Mode	126
Guidelines and Limitations	126
Configuring an Interface	127
Configuring Interfaces for Transparent Firewall Mode	128
Information About Interfaces in Transparent Mode	128
Information About Bridge Groups	128
Information About Device Management	128
Guidelines and Limitations	129
Configuring Transparent Firewall Interfaces for Through Traffic	130
Assigning an IP Address to a Bridge Group	130
Adding a Management Interface	131
Allowing Communication Between Interfaces on the Same Security Level	134
Configuring Inter-Interface Communication	134
Configuring Intra-Interface Communication	135
Turning Off and Turning On Interfaces	136
Configuring Basic Settings	137
Changing the Passwords	137
Changing the Login Password	137
Changing the Enable Password	138
Changing the Maintenance Software Passwords	138
Setting the Hostname	139
Setting the Domain Name	140
Setting the Prompt	140
Configuring a Login Banner	141
Configuring IP Routing and DHCP Services	143
How Routing Behaves Within FWSM	143
Egress Interface Selection Process	143
Next Hop Selection Process	144
Configuring Static and Default Routes	144
Configuring a Static Route	145
Configuring a Default Route	146
Monitoring a Static or Default Route	147
Defining a Route Map	147
Configuring BGP Stub Routing	148
BGP Stub Limitations	149
Configuring BGP Stub Routing	149
Monitoring BGP Stub Routing	150
Restarting the BGP Stub Routing Process	151
Configuring OSPF	151
OSPF Overview	151
Enabling OSPF	152
Redistributing Routes Between OSPF Processes	153
Configuring OSPF Interface Parameters	154
Configuring OSPF Area Parameters	156
Configuring OSPF NSSA	157
Configuring a Point-To-Point, Non-Broadcast OSPF Neighbor	158
Configuring Route Summarization Between OSPF Areas	159
Configuring Route Summarization when Redistributing Routes into OSPF	159
Generating a Default Route	160
Configuring Route Calculation Timers	160
Logging Neighbors Going Up or Down	161
Displaying OSPF Update Packet Pacing	161
Monitoring OSPF	162
Restarting the OSPF Process	163
Configuring RIP	163
RIP Overview	163
Enabling RIP	163
Configuring EIGRP	164
EIGRP Routing Overview	164
Enabling and Configuring EIGRP Routing	165
Enabling and Configuring EIGRP Stub Routing	166
Enabling EIGRP Authentication	167
Defining an EIGRP Neighbor	168
Redistributing Routes Into EIGRP	168
Configuring the EIGRP Hello Interval and Hold Time	169
Disabling Automatic Route Summarization	169
Configuring Summary Aggregate Addresses	170
Disabling EIGRP Split Horizon	170
Changing the Interface Delay Value	171
Monitoring EIGRP	171
Disabling Neighbor Change and Warning Message Logging	172
Configuring Asymmetric Routing Support	172
Adding Interfaces to ASR Groups	173
Asymmetric Routing Support Example	173
Configuring Route Health Injection	174
Route Health Injection Overview	174
RHI Guidelines	175
Enabling RHI	175
Configuring DHCP	177
Configuring a DHCP Server	177
Enabling the DHCP Server	177
Configuring DHCP Options	179
Using Cisco IP Phones with a DHCP Server	180
Configuring DHCP Relay Services	181
DHCP Relay Overview	181
Configuring the DHCP Relay Agent	181
Preserving DHCP Option 82	183
Verifying the DHCP Relay Configuration	183
Configuring Multicast Routing	185
Multicast Routing Overview	185
Enabling Multicast Routing	186
Configuring IGMP Features	186
Disabling IGMP on an Interface	187
Configuring Group Membership	187
Configuring a Statically Joined Group	187
Controlling Access to Multicast Groups	188
Limiting the Number of IGMP States on an Interface	188
Modifying the Query Interval and Query Timeout	188
Changing the Query Response Time	189
Changing the IGMP Version	189
Configuring Stub Multicast Routing	189
Configuring a Static Multicast Route	190
Configuring PIM Features	190
Disabling PIM on an Interface	190
Configuring a Static Rendezvous Point Address	191
Configuring the Designated Router Priority	191
Filtering PIM Register Messages	191
Configuring PIM Message Intervals	192
For More Information About Multicast Routing	192
Configuring IPv6	193
IPv6-Enabled Commands	193
Configuring IPv6 on an Interface	194
Configuring a Dual IP Stack on an Interface	196
Configuring IPv6 Duplicate Address Detection	196
Configuring IPv6 Default and Static Routes	197
Configuring IPv6 Access Lists	197
Configuring IPv6 Neighbor Discovery	198
Configuring Neighbor Solicitation Messages	198
Configuring the Neighbor Solicitation Message Interval	199
Configuring the Neighbor Reachable Time	199
Configuring Router Advertisement Messages	200
Configuring the Router Advertisement Transmission Interval	201
Configuring the Router Lifetime Value	201
Configuring the IPv6 Prefix	201
Suppressing Router Advertisement Messages	202
Configuring a Static IPv6 Neighbor	202
Verifying the IPv6 Configuration	202
Viewing IPv6 Interface Settings	202
Viewing IPv6 Routes	203
Configuring AAA Servers and the Local Database	205
AAA Overview	205
About Authentication	206
About Authorization	206
About Accounting	206
AAA Server and Local Database Support	207
Summary of Support	207
RADIUS Server Support	208
Authentication Methods	208
Attribute Support	208
RADIUS Authorization Functions	208
TACACS+ Server Support	208
SDI Server Support	209
SDI Version Support	209
Two-step Authentication Process	209
SDI Primary and Replica Servers	209
NT Server Support	209
Kerberos Server Support	210
LDAP Server Support	210
Local Database Support	210
User Profiles	210
Fallback Support	210
Configuring the Local Database	211
Identifying AAA Server Groups and Servers	213
Configuring Certificates	217
Public Key Cryptography	217
About Public Key Cryptography	217
Certificate Scalability	218
About Key Pairs	218
About Trustpoints	219
About Revocation Checking	219
Certificate Configuration	219
Preparing for Certificates	220
Generating Key Pairs	220
Removing Key Pairs	221
Establishing AAA Authentication	221
Verifying Configurations for Specified Settings	222
Exporting and Importing Keypairs and Certificates	223
Exporting a Keypair and Certificate	223
Importing a Keypair and Certificate	223
Linking Certificates to a Trustpoint	225
Configuration Example: Cut-Through-Proxy Authentication	225
Identifying Traffic with Access Lists	227
Access List Overview	227
Access List Types	228
Access Control Entry Order	228
Access List Implicit Deny	229
IP Addresses Used for Access Lists When You Use NAT	229
Access List Commitment	231
Maximum Number of ACEs	232
Adding an Extended Access List	232
Extended Access List Overview	232
Allowing Broadcast and Multicast Traffic through the Transparent Firewall	233
Adding an Extended ACE	233
Adding an EtherType Access List	235
Supported EtherTypes	235
Apply Access Lists in Both Directions	235
Implicit Deny at the End of an Access List Does Not Affect IP or ARP Traffic	235
Using Extended and EtherType Access Lists on the Same Interface	236
Allowing MPLS	236
Adding an EtherType ACE	236
Adding a Standard Access List	237
Simplifying Access Lists with Object Grouping	237
How Object Grouping Works	237
Adding Object Groups	238
Adding a Protocol Object Group	238
Adding a Network Object Group	239
Adding a Service Object Group	240
Adding an ICMP Type Object Group	240
Nesting Object Groups	241
Using Object Groups with an Access List	242
Displaying Object Groups	243
Removing Object Groups	243
Adding Remarks to Access Lists	244
Access List Group Optimization	244
How Access List Group Optimization Works	244
Configuring Access List Group Optimization	246
Scheduling Extended Access List Activation	250
Adding a Time Range	250
Applying the Time Range to an ACE	251
Logging Access List Activity	251
Access List Logging Overview	251
Configuring Logging for an ACE	252
Managing Deny Flows	253
Configuring Failover	255
Understanding Failover	255
Failover System Requirements	256
Software Requirements	256
License Requirements	256
Failover and State Links	256
Failover Link	256
State Link	257
Intra- and Inter-Chassis Module Placement	257
Intra-Chassis Failover	257
Inter-Chassis Failover	258
Transparent Firewall Requirements	261
Active/Standby and Active/Active Failover	262
Active/Standby Failover	262
Active/Active Failover	266
Determining Which Type of Failover to Use	271
Regular and Stateful Failover	271
Regular Failover	272
Stateful Failover	272
Failover Health Monitoring	273
Unit Health Monitoring	273
Interface Monitoring	273
Rapid Link Failure Detection	274
Configuring Failover	274
Failover Configuration Limitations	275
Using Active/Standby Failover	275
Prerequisites	275
Configuring Active/Standby Failover	275
Configuring Optional Active/Standby Failover Settings	278
Using Active/Active Failover	280
Prerequisites	280
Configuring Active/Active Failover	280
Configuring Optional Active/Active Failover Settings	283
Configuring Failover Communication Authentication/Encryption	285
Verifying the Failover Configuration	285
Viewing Failover Status	285
Viewing Monitored Interfaces	293
Viewing the Failover Configuration	293
Testing the Failover Functionality	293
Controlling and Monitoring Failover	294
Forcing Failover	294
Disabling Failover	295
Disabling Configuration Synchronization	295
Restoring a Failed Unit or Failover Group	295
Monitoring Failover	296
Failover System Log Messages	296
Debug Messages	296
SNMP	296
Configuring the Security Policy	297
Permitting or Denying Network Access	299
Inbound and Outbound Access List Overview	299
Applying an Access List to an Interface	302
Configuring NAT	305
NAT Overview	305
Introduction to NAT	306
NAT in Routed Mode	306
NAT in Transparent Mode	307
NAT Control	309
NAT Types	310
Dynamic NAT	310
PAT	312
Static NAT	312
Static PAT	313
Bypassing NAT when NAT Control is Enabled	314
Policy NAT	314
NAT Session (Xlate) Creation	317
NAT and PAT Global Pool Usage	318
NAT and Same Security Level Interfaces	318
Order of NAT Commands Used to Match Real Addresses	319
Maximum Number of NAT Statements	319
Mapped Address Guidelines	319
DNS and NAT	320
Configuring NAT Control	322
Configuring Xlate Bypass	323
Using Dynamic NAT and PAT	323
Dynamic NAT and PAT Implementation	324
Configuring Dynamic NAT or PAT	330
Using Static NAT	333
Using Static PAT	335
Bypassing NAT	337
Configuring Identity NAT	338
Configuring Static Identity NAT	338
Configuring NAT Exemption	340
NAT Examples	341
Overlapping Networks	342
Redirecting Ports	343
Applying AAA for Network Access	345
AAA Performance	345
Configuring Authentication for Network Access	345
Authentication Overview	346
One-Time Authentication	346
Applications Required to Receive an Authentication Challenge	346
FWSM Authentication Prompts	346
Static PAT and HTTP	347
Authenticating Directly with the FWSM	347
Enabling Network Access Authentication	347
Configuring Custom Login Prompts	349
Enabling Secure Authentication of Web Clients	350
Disabling Authentication Challenge per Protocol	352
Configuring Authorization for Network Access	353
Configuring TACACS+ Authorization	353
Configuring RADIUS Authorization	354
Configuring a RADIUS Server to Download Per-User Access Control Lists	354
Configuring a RADIUS Server to Download Per-User Access Control List Names	356
Configuring Accounting for Network Access	357
Using MAC Addresses to Exempt Traffic from Authentication and Authorization	358
Applying Filtering Services	361
Filtering Overview	361
Filtering ActiveX Objects	361
ActiveX Filtering Overview	362
Enabling ActiveX Filtering	362
Filtering Java Applets	363
Filtering URLs and FTP Requests with an External Server	364
URL Filtering Overview	364
Identifying the Filtering Server	364
Buffering the Content Server Response	366
Caching Server Addresses	366
Filtering HTTP URLs	367
Configuring HTTP Filtering	367
Enabling Filtering of Long HTTP URLs	367
Truncating Long HTTP URLs	368
Exempting Traffic from Filtering	368
Filtering HTTPS URLs	368
Filtering FTP Requests	369
Viewing Filtering Statistics and Configuration	369
Viewing Filtering Server Statistics	370
Viewing Buffer Configuration and Statistics	370
Viewing Caching Statistics	371
Viewing Filtering Performance Statistics	371
Viewing Filtering Configuration	371
Configuring ARP Inspection and Bridging Parameters	373
Configuring ARP Inspection	373
ARP Inspection Overview	373
Adding a Static ARP Entry	374
Enabling ARP Inspection	374
Customizing the MAC Address Table	375
MAC Address Table Overview	375
Adding a Static MAC Address	375
Setting the MAC Address Timeout	375
Disabling MAC Address Learning	376
Viewing the MAC Address Table	376
Using Modular Policy Framework	377
Information About Modular Policy Framework	377
Modular Policy Framework Supported Features	377
Modular Policy Framework Configuration Overview	378
Default Global Policy	379
Identifying Traffic (Layer 3/4 Class Map)	380
Default Class Maps	380
Maximum Class Maps	380
Creating a Layer 3/4 Class Map for Through Traffic	381
Configuring Special Actions for Application Inspections (Inspection Policy Map)	382
Inspection Policy Map Overview	383
Defining Actions in an Inspection Policy Map	383
Identifying Traffic in an Inspection Class Map	386

Match case Limit results 1 per page

16-10

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM

OL-20748-01

Chapter 16

Configuring NAT

NAT Overview

Bypassing NAT when NAT Control is Enabled

If you enable NAT control, then inside hosts must match a NAT rule when accessing outside hosts. If

you do not want to perform NAT for some hosts, then you can bypass NAT for those hosts (alternatively,

you can disable NAT control). You might want to bypass NAT, for example, if you are using an

application that does not support NAT. (See the

“Inspection Engine Overview” section on page 22-2

for

information about inspection engines that do not support NAT.)

You can configure traffic to bypass NAT using one of three methods. All methods achieve compatibility

with inspection engines. However, each method offers slightly different capabilities, as follows:

•

Identity NAT (

nat 0

command)—When you configure identity NAT (which is similar to dynamic

NAT), you do not limit translation for a host on specific interfaces; you must use identity NAT for

connections through all interfaces. Therefore, you cannot choose to perform normal translation on

real addresses when you access interface A, but use identity NAT when accessing interface B.

Regular dynamic NAT, on the other hand, lets you specify a particular interface on which to translate

the addresses. Make sure that the real addresses for which you use identity NAT are routable on all

networks that are available according to your access lists.

For identity NAT, even though the mapped address is the same as the real address, you cannot initiate

a connection from the outside to the inside (even if the interface access list allows it). Use static

identity NAT or NAT exemption for this functionality.

•

Static identity NAT (

static

command)—Static identity NAT lets you specify the interface on which

you want to allow the real addresses to appear, so you can use identity NAT when you access

interface A, and use regular translation when you access interface B. Static identity NAT also lets

you use policy NAT, which identifies the real and destination addresses when determining the real

addresses to translate. (See the

“Policy NAT” section on page 16-10

for more information about

policy NAT.) For example, you can use static identity NAT for an inside address when it accesses

the outside interface and the destination is server A, but use a normal translation when accessing the

outside server B.

•

NAT exemption (

nat 0 access-list

command)—NAT exemption allows both translated and remote

hosts to initiate connections. Like identity NAT, you do not limit translation for a host on specific

interfaces; you must use NAT exemption for connections through all interfaces. However,

NAT exemption does let you specify the real and destination addresses when determining the real

addresses to translate (similar to policy NAT), so you have greater control using NAT exemption.

However unlike policy NAT, NAT exemption does not consider the ports in the access list.

Policy NAT

Policy NAT lets you identify real addresses for address translation by specifying the source and

destination addresses in an extended access list. You can also optionally specify the source and

destination ports. Regular NAT can only consider the source addresses, and not the destination. For

example, with policy NAT, you can translate the real address to mapped address A when it accesses

server A, but translate the real address to mapped address B when it accesses server B.

For applications that require application inspection for secondary channels (FTP, VoIP, and so on), the

policy specified in the policy NAT statement should include the secondary ports. Or, when the ports

cannot be predicted, the policy should specify only the IP addresses for the secondary channel. This way,

the FWSM translates the secondary ports.