NAT for Cisco ASAs, Version 8.3+
June 24th, 2011
There are two major kinds of NAT in 8.3+: Auto NAT and Manual NAT.
Auto NAT is configured inside a network object and cannot take the
destination of the traffic into consideration. Manual NAT is configured in
global configuration and can translate the source address, the destination
address, or both.
Auto NAT
The term Auto NAT is new in 8.3. Auto NAT is when the nat command
appears INSIDE the object network statement on the firewall.
There are two major variants of Auto NAT: dynamic and static. Auto
NAT is also referred to as Network Object NAT because the configuration
is done within the network object.
Regular Dynamic PAT
To create a many-to-one translation where the entire inside network is
PAT'd to a single outside IP, do the following.
Old 8.2 command:
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
New 8.3 equivalent command:
object network inside-net
subnet 10.0.0.0 255.255.255.0
nat (inside,outside) dynamic interface
Note: the interface keyword refers to the second interface in the nat statement, in this case outside, so the inside network is PAT'd to the outside interface's own IP address.
Static Auto-NAT
To create a one-to-one NAT within the object, for example for a web
server in your DMZ, use the following NAT configuration.
object network dmz-webserver
host 192.168.1.23
nat (dmz,outside) static 209.165.201.28
Note that the (dmz,outside) part of these commands is a lot easier to
read in 8.3. The first interface is the one the real (untranslated)
address lives behind, which is where the traffic enters the ASA when the
host initiates a connection, and the second interface is the one the
mapped address is presented on, which is where that traffic leaves the
ASA. So nat (dmz,outside) static 209.165.201.28 should be read as:
translate 192.168.1.23 to 209.165.201.28 for traffic coming in on the dmz
interface and going out the outside interface, and untranslate it in the
reverse direction. This rule will not translate traffic coming from the
inside going to the DMZ, nor should it translate traffic coming from the
DMZ going to the inside.
Using the any interface in the NAT statement
ASA 8.3 allows the keyword any in place of an interface name when
configuring NAT. For instance, if you have a system in the DMZ that you
want translated not only toward the outside interface but toward every
interface, you can use this command:
object network dmz-webserver
host 192.168.1.23
nat (dmz,any) static 200.200.200.200
This lets users on the inside browse to 200.200.200.200, and whatever
interface the traffic for that address arrives on, the firewall
translates it to the real IP in the DMZ.
Port forwarding using Auto NAT
Suppose you have two web servers in your DMZ but only one public IP
address. You can configure port forwarding with Auto NAT in the
following way. The service keyword takes the real port first and the
mapped port second, so www (80) is the port the servers actually listen
on and 8000/8080 are the ports exposed on the outside interface:
object network dmz-webserver1
host 192.168.1.25
nat (dmz,outside) static interface service tcp www 8000
object network dmz-webserver2
host 192.168.1.23
nat (dmz,outside) static interface service tcp www 8080
With this in place, connecting to the IP address of the outside
interface on port 8000 reaches 192.168.1.25 on port 80, and connecting
on port 8080 reaches 192.168.1.23 on port 80. Writing the ports the
other way round (service tcp 8000 www) would expose port 80 on the
outside and forward it to port 8000 on the server, and both objects
would then try to claim port 80 on the interface address.
Confused yet? I hope not, because it's about to get weird.
Manual NAT, aka Twice NAT, Policy NAT or Reverse NAT
The limitation of Auto NAT is that it cannot take the destination into
consideration when deciding whether to translate, which also means it
cannot alter the destination address. To accomplish either of these you
must use Manual NAT. All of these terms refer to the same thing: Manual
NAT, Twice NAT, Policy NAT, Reverse NAT. Don't be confused by the fancy
mumbo jumbo.
Policy NAT Exemption, aka NAT Zero, aka No NAT
In ASA 8.3 code this is known as Policy NAT exemption. It is an identity
translation (source and destination are mapped to themselves) and is
commonly used to keep traffic over a VPN tunnel untranslated. Because
NAT lookup stops at the first match, the exemption has to be found before
the dynamic PAT that would otherwise catch the same traffic; a Manual NAT
without after-auto is placed ahead of every Auto NAT, which is what you want here.
object network inside-net
subnet 10.0.0.0 255.255.255.0
object network vpn-subnets
range 10.1.0.0 10.5.255.255
nat (inside,outside) source static inside-net inside-net destination static vpn-subnets vpn-subnets
Policy NAT exemption for incoming remote access VPNs
Pre-8.3, for a packet to come in through the firewall from a lower-security
interface to a higher-security interface it needed both a translation
and an ACL to permit it. If you are setting up remote access VPN the
ACL is usually bypassed since it's tunneled traffic. There still needs
to be a translation rule, an identity one, so that the VPN traffic is not
picked up by the inside network's dynamic PAT. This is done as follows
(note the order of the interfaces in the NAT statement):
object-group network OBJ-INSIDE-NETWORKS
network-object 172.16.200.0 255.255.255.0
object network obj-172.16.101.0
subnet 172.16.101.0 255.255.255.0
nat (OUTSIDE,INSIDE) source static obj-172.16.101.0 obj-172.16.101.0 destination static OBJ-INSIDE-NETWORKS OBJ-INSIDE-NETWORKS
Dynamic Policy NAT
This is when you want your NAT to match on specific source and
destination addresses (pre-8.3 an ACL) and translate only the traffic
that matches.
Suppose you are building a VPN tunnel to another site. The problem is
that your private IP addresses overlap with their private IP addresses,
so they tell you that you MUST come from 172.27.27.27. If this were a
static one-to-one translation it wouldn't be so hard, but in this case
many users all need to share that single IP address, so the translation
has to be a dynamic PAT to that host.
In the pre-8.3 configuration your code would look something like
this:
access-list ACL-VENDOR-VPN-NAT extended permit ip 192.168.1.0 255.255.255.0 host 172.16.75.5
nat (inside) 3 access-list ACL-VENDOR-VPN-NAT
global (outside) 3 172.27.27.27
In the new ASA 8.3 config the code looks like this:
object network inside-net
subnet 192.168.1.0 255.255.255.0
object network vendor-vpn-nat
host 172.16.75.5
object network translated-ip
host 172.27.27.27
nat (inside,outside) source dynamic inside-net translated-ip destination static vendor-vpn-nat vendor-vpn-nat
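The two migrations shown on this page (regular dynamic PAT and dynamic policy NAT) follow a mechanical pattern, so here is a small converter that applies it, together with the nat 0 access-list exemption form from the no-NAT section above. This is an added example written for this page, not Cisco's migration code. The object names (obj-<address>) follow the convention seen in the page's own examples; the ACL parser only understands permit ip entries with any, host or network/mask endpoints; and the egress interface used for nat 0 entries (the exempt_out_if parameter) is an assumption, because pre-8.3 exemption applied to every interface.

```python
"""Pre-8.3 nat/global pairs rewritten into ASA 8.3 object NAT and manual NAT.
Added example for this page, not Cisco's own migration code.

Handled forms:
  nat (IF) N net mask   + global (IF) N {interface|ip}   -> object NAT, dynamic
  nat (IF) N access-list ACL + global (IF) N {interface|ip} -> manual NAT, source dynamic
  nat (IF) 0 access-list ACL                             -> manual NAT, identity (no NAT)
"""
import re
from collections import OrderedDict
from typing import List

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (.+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (.+)$")


def take_addr(tokens: List[str]):
    """Consume one address spec from an ACL entry: 'any', 'host X' or 'X MASK'."""
    if tokens[0] == "any":
        return ("any", None), tokens[1:]
    if tokens[0] == "host":
        return ("host", tokens[1]), tokens[2:]
    return ("subnet", f"{tokens[0]} {tokens[1]}"), tokens[2:]


def convert(old_cfg: str, exempt_out_if: str = "any") -> str:
    """Return 8.3-style configuration text for the pre-8.3 lines in old_cfg.

    exempt_out_if is the mapped interface written for nat 0 entries; pre-8.3
    exemption applied to every egress interface, so this is an assumption."""
    acls, globals_, nats = {}, [], []
    for line in old_cfg.splitlines():
        line = line.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append(m.group(2).split())
        elif m := GLOBAL_RE.match(line):
            globals_.append((int(m.group(2)), m.group(1), m.group(3)))  # (id, egress if, mapped)
        elif m := NAT_RE.match(line):
            nats.append((m.group(1), int(m.group(2)), m.group(3).split()))

    objs = OrderedDict()   # object name -> its configuration lines, in creation order
    rules: List[str] = []  # manual NAT statements (global configuration)

    def obj(kind, spec):
        """Define (once) and return the object name for an address spec; 'any' stays a keyword."""
        if kind == "any":
            return "any"
        name = "obj-" + spec.split()[0]
        objs.setdefault(name, [f"object network {name}", f" {kind} {spec}"])
        return name

    def acl_pairs(acl_name):
        """(src_object, dst_object) for every entry of a pre-8.3 NAT access-list."""
        for tokens in acls.get(acl_name, []):
            (sk, ss), tokens = take_addr(tokens)
            (dk, ds), _ = take_addr(tokens)
            yield obj(sk, ss), obj(dk, ds)

    for in_if, nat_id, rest in nats:
        if nat_id == 0 and rest[0] == "access-list":        # NAT exemption -> identity manual NAT
            for src, dst in acl_pairs(rest[1]):
                rules.append(f"nat ({in_if},{exempt_out_if}) source static {src} {src} "
                             f"destination static {dst} {dst}")
            continue
        for g_id, out_if, mapped in globals_:                # pair the nat with its global(s)
            if g_id != nat_id:
                continue
            mapped_obj = mapped if mapped == "interface" else obj("host", mapped)
            if rest[0] == "access-list":                     # dynamic policy NAT -> manual NAT
                for src, dst in acl_pairs(rest[1]):
                    rules.append(f"nat ({in_if},{out_if}) source dynamic {src} {mapped_obj} "
                                 f"destination static {dst} {dst}")
            else:                                            # regular dynamic PAT -> object NAT
                name = obj("subnet", f"{rest[0]} {rest[1]}")
                objs[name].append(f" nat ({in_if},{out_if}) dynamic {mapped_obj}")

    return "\n".join([ln for block in objs.values() for ln in block] + rules)


if __name__ == "__main__":
    print(convert("nat (inside) 1 10.0.0.0 255.255.255.0\nglobal (outside) 1 interface"))
```

Review the output before pasting it in. The ASA's own upgrade migration does more than this (it also rewrites access lists to real addresses), and a policy NAT that is meant to sit behind the Auto NATs still needs after-auto added by hand.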
Miscellaneous Notes
Use real IPs in access-lists
In ASA version 8.3 you must specify the real IP in access lists, not the
translated IP. For instance, to permit traffic to the web server through the
outside ACL you must put:
access-list ACL-OUTSIDE-IN extended permit tcp any host 192.168.1.25 eq 80
This is a major change from pre-8.3, which would specify the public
(NAT'd) IP address. The same goes for ports: the ACL names the real port
(80 here, even though the server is published on 8000). An ACL entry
carried over unchanged from an older configuration will never match,
because in 8.3+ the ACL is evaluated against the untranslated addresses.
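One way to catch access lists that still name the mapped address after an upgrade, as an added example (not from the page or from Cisco): the script below reads a saved configuration, builds a map of mapped to real addresses from the static Auto NAT host objects, and flags every access-list entry that references a mapped address. SAMPLE_CONFIG is constructed from this page's objects. Only host objects with an explicit mapped IP are handled, so static interface entries and static subnet translations are not checked.

```python
"""Lint for the ASA 8.3 'real IPs in access-lists' rule.  Added example for
this page, not Cisco code.  Flags access-list entries that still reference
the mapped (public) address of a static Auto NAT host object, which is what
a pre-8.3 ACL would have done."""
import re
from typing import Dict, List, Tuple

# 'nat (real_if,mapped_if) static <mapped_ip> ...' inside an object; 'static interface' has no IP
STATIC_NAT_RE = re.compile(r"^nat \(\S+,\S+\) static (\d+\.\d+\.\d+\.\d+)")
HOST_REF_RE = re.compile(r"\bhost (\d+\.\d+\.\d+\.\d+)")


def static_host_map(config: str) -> Dict[str, Tuple[str, str]]:
    """Return {mapped_ip: (real_ip, object_name)} for host objects carrying a static auto NAT."""
    mapped, current, real = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current, real = line.split()[2], None      # new object block, forget the old host
        elif current and line.startswith("host "):
            real = line.split()[1]
        elif current and real and (m := STATIC_NAT_RE.match(line)):
            mapped[m.group(1)] = (real, current)
    return mapped


def find_mapped_ip_refs(config: str) -> List[Tuple[str, str, str, str]]:
    """(acl_name, mapped_ip_used, real_ip_to_use, object_name) for each offending ACL entry."""
    mapped = static_host_map(config)
    findings = []
    for line in config.splitlines():
        line = line.strip()
        if not line.startswith("access-list "):
            continue
        acl_name = line.split()[1]
        for ip in HOST_REF_RE.findall(line):          # source or destination 'host X'
            if ip in mapped:
                real, obj_name = mapped[ip]
                findings.append((acl_name, ip, real, obj_name))
    return findings


# Constructed sample built from the page's objects: the first ACL entry still
# uses the pre-8.3 style mapped address, the second correctly uses the real one.
SAMPLE_CONFIG = """\
object network dmz-webserver
 host 192.168.1.23
 nat (dmz,outside) static 209.165.201.28
object network dmz-webserver1
 host 192.168.1.25
 nat (dmz,outside) static interface service tcp www 8000
access-list ACL-OUTSIDE-IN extended permit tcp any host 209.165.201.28 eq 80
access-list ACL-OUTSIDE-IN extended permit tcp any host 192.168.1.25 eq 80
"""

if __name__ == "__main__":
    for acl, used, real, obj_name in find_mapped_ip_refs(SAMPLE_CONFIG):
        print(f"{acl}: host {used} is the mapped address of {obj_name}; use real IP {real}")
```

Run it against the output of show run (objects and access lists in one capture). A hit means the entry matches nothing on 8.3+ and the intended traffic is being dropped by the implicit deny, not permitted to the wrong host.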
Show commands
To view this configuration you must check two places to see what is
being NAT'd:
show run object
show run nat
The command show run object in-line prints each object on a single line,
which is handy when filtering with the pipe (|) commands.
You can also see the order in which the NAT rules are evaluated and
their translation hit counts with:
show nat
Optional Destination keyword in manual NAT
The destination keyword and its addresses are optional in the manual NAT
command. This means both of these configurations do the same work, the
first as an Auto NAT inside the object and the second as a Manual NAT
entered in global configuration (not inside the object):
object network inside-net
subnet 10.0.0.0 255.255.255.0
nat (inside,outside) dynamic interface
!
object network inside-net
subnet 10.0.0.0 255.255.255.0
nat (inside,outside) source dynamic inside-net interface
Keep in mind that they are not evaluated in the same place: the Auto NAT
lives in Section 2 of the NAT table, while the Manual NAT version lands in
Section 1 ahead of every Auto NAT unless you add after-auto.
NAT order and after-auto NATing
The order of operation of NAT commands is documented here:
http://www.cisco.com/en/US/partner/docs/security/asa/asa83/configuration/guide/nat_overview.html#wp1118157
NAT is applied only once per flow. Once a NAT rule matches, the ASA stops
looking further down the list to see whether some other rule would also
apply to this traffic. The order of evaluation is:
1. Twice NAT statements
2. Auto NAT statements
3. After-Auto NAT statements
Let's say you have a Manual or Twice NAT that you want considered AFTER
all of the Auto NATs. You can specify this by adding the after-auto
keyword, which looks something like this (the mapped object and any
destination clause follow as usual):
nat (inside,outside) after-auto source dynamic any
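To see why the section order matters, here is a model of the lookup in Python, added for this page rather than taken from it or from Cisco. It keeps the three sections with first match wins, and sorts Section 2 the way the ASA does (static before dynamic, fewer real addresses first, then lowest address, then object name; that is Cisco's documented order, not something this page states). Interface pairs and the mapped side are left out; the model only answers which rule claims a flow. build_rules() combines the page's inside-net PAT, dmz-webserver static and VPN no-NAT rules with a constructed dmz-net PAT, and its exemption_after_auto flag shows what happens when the VPN exemption is mistakenly written with after-auto: the inside PAT in Section 2 claims the VPN traffic first.

```python
"""ASA 8.3+ NAT rule lookup order, modelled in Python.  Added example for this
page, not Cisco code.  Section 1 = manual/twice NAT, Section 2 = auto (network
object) NAT, Section 3 = after-auto manual NAT.  First match wins."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


def contains(spec: str, addr) -> bool:
    """True if addr is inside spec, given as 'a.b.c.d/len' or 'lo-hi' (an object 'range')."""
    if "-" in spec:
        lo, hi = (ip_address(x) for x in spec.split("-"))
        return lo <= addr <= hi
    return addr in ip_network(spec, strict=False)


def size_and_start(spec: str):
    """(number of real addresses, first address as int); the Section 2 sort keys."""
    if "-" in spec:
        lo, hi = (ip_address(x) for x in spec.split("-"))
        return int(hi) - int(lo) + 1, int(lo)
    net = ip_network(spec, strict=False)
    return net.num_addresses, int(net.network_address)


@dataclass
class NatRule:
    name: str                          # object name (auto NAT) or a label (manual NAT)
    section: int                       # 1 = manual, 2 = auto, 3 = after-auto manual
    real_src: str                      # real (untranslated) source the rule applies to
    kind: str = "static"               # "static" or "dynamic"
    mapped_src: Optional[str] = None   # None = identity, i.e. no translation
    dest: str = "0.0.0.0/0"            # destination match; auto NAT cannot match on it
    order: int = 0                     # configuration order within Section 1 / 3


def ordered(rules: List[NatRule]) -> List[NatRule]:
    """Sort rules the way the ASA evaluates them: Sections 1 and 3 in config
    order, Section 2 static before dynamic, fewer real addresses first, then
    lowest address, then object name (Cisco's documented Section 2 order)."""
    s1 = sorted((r for r in rules if r.section == 1), key=lambda r: r.order)
    s2 = sorted((r for r in rules if r.section == 2),
                key=lambda r: (r.kind != "static", *size_and_start(r.real_src), r.name))
    s3 = sorted((r for r in rules if r.section == 3), key=lambda r: r.order)
    return s1 + s2 + s3


def lookup(rules: List[NatRule], src: str, dst: str) -> Optional[NatRule]:
    """Return the first rule that claims a flow from src to dst, or None if no rule applies."""
    s, d = ip_address(src), ip_address(dst)
    for r in ordered(rules):
        if contains(r.real_src, s) and contains(r.dest, d):
            return r
    return None


def build_rules(exemption_after_auto: bool = False) -> List[NatRule]:
    """The page's rules plus a constructed dmz-net PAT.  With
    exemption_after_auto=True the VPN no-NAT rule carries the after-auto
    keyword (Section 3) instead of sitting in Section 1."""
    return [
        NatRule("NONAT-VPN", 3 if exemption_after_auto else 1, "10.0.0.0/24",
                kind="static", mapped_src=None, dest="10.1.0.0-10.5.255.255", order=1),
        NatRule("dmz-net", 2, "192.168.1.0/24", kind="dynamic", mapped_src="interface"),
        NatRule("inside-net", 2, "10.0.0.0/24", kind="dynamic", mapped_src="interface"),
        NatRule("dmz-webserver", 2, "192.168.1.23/32", kind="static", mapped_src="209.165.201.28"),
    ]


if __name__ == "__main__":
    for after_auto in (False, True):
        rule = lookup(build_rules(after_auto), "10.0.0.5", "10.3.1.1")
        print(f"exemption after-auto={after_auto}: 10.0.0.5 -> 10.3.1.1 hits {rule.name}")
```

Note that the dmz-webserver static rule wins over the dmz-net PAT for 192.168.1.23 even though dmz-net appears first in the list; within Section 2 the ASA, not the configuration order, decides, which is why the page's advice to read show nat rather than the running config matters.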
Using Descriptions
The description keyword can be added to the end of a manual NAT
statement to keep things organized, like so:
nat (OUTSIDE,INSIDE) source static obj-172.16.101.0 obj-172.16.101.0 destination static OBJ-INSIDE-NETWORKS OBJ-INSIDE-NETWORKS description ANYCON-NONAT
Inactive NAT statements
You may deactivate a manual NAT statement without deleting it by adding the inactive keyword at the end of the statement, like so:
nat (OUTSIDE,INSIDE) source static obj-172.16.101.0 obj-172.16.101.0 destination static OBJ-INSIDE-NETWORKS OBJ-INSIDE-NETWORKS inactive
Cisco Documentation on NAT for 8.3
CLI NAT configuration guide for ASA 8.3: http://www.cisco.com/en/US/partner/docs/security/asa/asa83/configuration/guide/nat_overview.html
Upgrading to ASA 8.3, what you need to know: https://supportforums.cisco.com/docs/DOC-12690
Video examples and tutorial: https://supportforums.cisco.com/docs/DOC-12324
ASA pre-8.3 to 8.3 NAT configuration examples: https://supportforums.cisco.com/docs/DOC-9129
ASA NAT migration problems when upgrading to 8.3; syslog "%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows": https://supportforums.cisco.com/docs/DOC-12569