
Cisco ASA 5512-X Configuration Guide

Cisco ASA 5512-X
428 pages
1-4
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 1
Network Address Translation
For example, you can limit TCP and UDP connections and embryonic connections (a connection
request that has not finished the necessary handshake between source and destination). Limiting the
number of connections and embryonic connections protects you from a DoS attack. The ASA uses
the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack
perpetrated by flooding an interface with TCP SYN packets.
• Threat detection—Implement threat detection on the ASA to collect statistics to help identify
attacks. Basic threat detection is enabled by default, but you can implement advanced statistics and
scanning threat detection. You can shun hosts that are identified as a scanning threat.
• Next-Generation IPS—Install the ASA FirePOWER module on the ASA and implement Next
Generation IPS intrusion rules in your ASA FirePOWER. These policies would apply to any traffic
that you redirect to ASA FirePOWER.
Related Topics
• Connection Settings, page 16-1
• Threat Detection, page 18-1
• ASA FirePOWER Module, page 7-1
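The following ASA CLI configuration is an added example, not taken from the Cisco guide. It applies the connection limits and threat detection features described above; the ACL, class and policy names, the server address, the interface name and every limit value are assumptions chosen for illustration.

```text
! Added example: names, addresses and limits are assumptions, not values from the guide.
! Match inbound TCP traffic to one published web server (constructed address).
access-list WEB-SERVER-IN extended permit tcp any host 203.0.113.10 eq www
!
class-map WEB-CONN-LIMITS
 match access-list WEB-SERVER-IN
!
policy-map OUTSIDE-POLICY
 class WEB-CONN-LIMITS
  ! Total connection cap, plus the embryonic (half-open) cap.
  ! Crossing the embryonic cap is what triggers TCP Intercept.
  set connection conn-max 2000 embryonic-conn-max 500
  ! Per-client caps so one source cannot use up the whole allowance.
  set connection per-client-max 100 per-client-embryonic-max 25
!
service-policy OUTSIDE-POLICY interface outside
!
! Basic threat detection is on by default; shown here for completeness.
threat-detection basic-threat
! Advanced statistics and scanning threat detection are opt-in.
threat-detection statistics
! Shun hosts that are identified as a scanning threat.
threat-detection scanning-threat shun
```

After applying it, `show service-policy interface outside` displays the configured limits and current connection counts for the class, and `show threat-detection shun` lists the hosts currently shunned.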
Network Address Translation
One of the main functions of Network Address Translation (NAT) is to enable private IP networks to
connect to the Internet. NAT replaces a private IP address with a public IP address, translating the private
addresses in the internal private network into legal, routable addresses that can be used on the public
Internet. In this way, NAT conserves public addresses because you can advertise at a minimum only one
public address for the entire network to the outside world.
Other functions of NAT include:
• Security—Keeping internal IP addresses hidden discourages direct attacks.
• IP routing solutions—Overlapping IP addresses are not a problem when you use NAT.
• Flexibility—You can change internal IP addressing schemes without affecting the public addresses
available externally; for example, for a server accessible to the Internet, you can maintain a fixed IP
address for Internet use, but internally, you can change the server address.
• Translating between IPv4 and IPv6 (Routed mode only)—If you want to connect an IPv6 network
to an IPv4 network, NAT lets you translate between the two types of addresses.
NAT is not required. If you do not configure NAT for a given set of traffic, that traffic will not be
translated, but will have all of the security policies applied as normal.
Related Topics
• Network Address Translation (NAT), page 9-1
• NAT Examples and Reference, page 10-1
