ASA- Dynamic NAT- PAT

Hi gentlemen,

I need configuration for these 2 scenarios ASA- Dynamic NAT & PAT. Can somebody provide me with links to these scenarios please.

P.S: I have another question about ASA:  why ICMP & Traceroute commands are disabled for inspection by default.

Thanks in advance

1 Accepted Solution

Accepted Solutions

Seb Rupik
VIP Alumni
VIP Alumni

Hi there,

the following document covers the scenarios you mention:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/nat-reference.html

Regarding ICMP and traceroute, both use stateless packets, something that the ASA doesn't track by default. My guess as to why inspection is disabled by default instead of tracking the packets would be to prevent the firewall from being overwhelmed by that packet type.

cheers,

Seb.

Seb Rupik

Do you mean it's because of a security reason?

Yes, it's not a good idea to make your security device susceptible to a denial of service type attack.

Thanks for your great reply. Do you have any link for "GETVPN coops" & multicast scenarios please?

The ASA does not support GETVPN. For multicast guides the ASA CLI configuration books are a good place to start:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/route-multicast.html

@Seb Rupik
Hi again. In the above mentioned link, part "Different Translation Depending on the Destination Address and Port (Dynamic PAT)":
The web address is .129 while the Telnet address is .130. But in the explanation it says: "When the host accesses the server for Telnet services, the real address is translated to 209.165.202.129:port. When the host accesses the same server for web services, the real address is translated to 209.165.202.130:port." Is it a typo?

Yes, it is a typo. The diagram and config describe the same process. The leading paragraph needs the translated outside IP addresses swapped around.

cheers,

Seb.
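The scenario discussed in the last exchange, a different dynamic PAT address depending on the destination port (209.165.202.129 for Telnet, 209.165.202.130 for web, as the diagram has it), written out as an added ASA twice NAT example; this is not the Cisco document's configuration nor anything posted in this thread. The inside subnet, the server address and all object names are assumed placeholders, and the closing policy-map lines show how ICMP inspection, off by default as Seb explains, is switched on in the default global policy.

```cisco
! Real inside hosts (assumed placeholder subnet)
object network INSIDE-NET
 subnet 10.1.2.0 255.255.255.0
! The single server reached for both Telnet and web (assumed placeholder address)
object network TELNET-WEB-SERVER
 host 209.165.201.11
! Mapped (translated) addresses as in the diagram: .129 for Telnet, .130 for web
object network PAT-TELNET
 host 209.165.202.129
object network PAT-WEB
 host 209.165.202.130
! Service objects select the destination port each rule matches on
object service TELNET-SVC
 service tcp destination eq telnet
object service HTTP-SVC
 service tcp destination eq http
! Twice NAT: the source is dynamically PATed to the mapped host, while the
! destination and service parts are static and only decide which rule matches
nat (inside,outside) source dynamic INSIDE-NET PAT-TELNET destination static TELNET-WEB-SERVER TELNET-WEB-SERVER service TELNET-SVC TELNET-SVC
nat (inside,outside) source dynamic INSIDE-NET PAT-WEB destination static TELNET-WEB-SERVER TELNET-WEB-SERVER service HTTP-SVC HTTP-SVC
! ICMP is not inspected by default; adding it to the default global policy lets
! the ASA match echo replies and traceroute error messages to the outbound request
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
! Verify the rule order and per-rule hit counts with: show nat detail
```

Because both rules share the same source and destination objects, the service object is what distinguishes them, so a mismatch between the mapped address and the service object reproduces exactly the confusion the typo caused.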