ASA CHAPTER 5 (NAT/PAT)
7. Configure Dynamic NAT and PAT.
• Configure NAT such that hosts on the inside going to outside have
their addresses translated into address pool 136.X.122.100-110. Use
interface IP address as PAT backup.
• Configure NAT such that hosts on the DMZ going to outside have
their addresses translated into address pool 136.X.122.200-210. Use the
last IP address in the range as PAT backup.
• Configure NAT such that hosts on the inside going into DMZ have their
addresses translated into interface IP address via PAT.
-->
Since version 7.x, the default behavior does NOT require a NAT translation
entry prior to permitting a session through the firewall. However, you can
revert to the old behavior by issuing the command nat-control. You can also
leave NAT control off but still enable NAT translation rules, to masquerade
some source IP addresses.
In its most basic form, the ASA firewall supports two types of dynamic address
translation (applied to the source IP addresses, of course).
1) NAT (network address translation) – where every inside host is dynamically
allocated a new outside IP from the configured pool.
2) PAT (port address translation) – where hosts matching the PAT rule have their
addresses translated to a single IP address, with the TCP/UDP ports being
overloaded and rewritten as needed.
In order to configure a translation rule, you need to perform two steps.
1) Define a global address pool to be used for dynamic translations. Use the
command global (interface) <N> { <Addr1>[-<Addr2>] [netmask <mask>] |
interface }. Here <N> is the pool ID (non-zero!) that will be used when
binding the pool to a NAT rule. All global statements sharing the same ID form
the same address pool. The interface name specifies the egress interface used
with the pool (traffic must leave using this interface). Examples of correct
global commands follow:
!
global (outside) 1 interface
global (outside) 2 192.168.0.1-192.168.0.254 netmask 255.255.255.224
When you specify just the interface keyword at the end of the statement, the
respective interface’s IP address (in this case, outside’s) is used as a
single-IP address pool (a PAT pool). Next, the <Addr1>-<Addr2> range specifies
the IP address pool (NAT pool) used for source translations. If the second
address is omitted, the pool is treated as a PAT pool (e.g. global (outside) 3
172.16.1.1). The netmask keyword is optional (set by default based on the IP
address class), but if you do specify it, the firewall will correctly avoid
using subnet numbers and broadcast IP addresses from the range of IP addresses
you have supplied. Now look at the following construct:
global (outside) 1 192.168.1.1-192.168.1.100
global (outside) 1 interface
Both statements share the same ID number, and thus define the same address
pool. When this pool is used, the firewall first attempts to exhaust the NAT
pool address range specified by the first rule. Once the NAT pool is exhausted,
the firewall will use the interface IP address for PAT overloading. This is
called “using PAT for backup”.
2) The second step, after defining an address pool, is configuring NAT rules.
The syntax is nat (interface) <N> <subnet> <mask>. Here <N> binds the rule to
the respective pool, and interface specifies the ingress traffic interface,
e.g. “inside”. NAT rules are relatively simple and are used to match the
source IP addresses of packets before translation.
The whole translation rule is triggered when a packet enters on the interface
specified by the nat rule, matches the source IP address criteria and leaves
the firewall on the interface specified by the global rule. The same NAT/PAT
pool can be re-used by multiple NAT rules and even by multiple inside
interfaces.
For example:
nat (inside) 1 0 0
nat (dmz) 1 0 0
global (outside) 1 interface
would translate all traffic entering on “DMZ” and “Inside” interfaces and leaving
via the “Outside” interface using the Outside interface’s IP address.
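As an added illustration (not from the original notes), the Python model below replays the global/nat semantics just described against the lab's own statements from the diag section: pools keyed by egress interface and ID, rules keyed by ingress interface, the NAT range used first and interface PAT only once it is exhausted. It takes the dmz interface address 10.0.0.12 from the sh nat output and assumes a constructed outside address 136.1.122.12; it also generalises the netmask rule to every subnet that a range spans.

```python
import ipaddress
from collections import defaultdict

# 10.0.0.12 is the dmz address shown in the notes' "sh nat" output; the outside
# address 136.1.122.12 is a constructed placeholder.
IFACE_IP = {"outside": "136.1.122.12", "dmz": "10.0.0.12"}

LAB_CONFIG = """
global (outside) 1 136.1.122.100-136.1.122.110
global (outside) 1 interface
global (dmz) 1 interface
global (outside) 2 136.1.122.200-136.1.122.209
global (outside) 2 136.1.122.210
nat (inside) 1 136.1.121.0 255.255.255.0
nat (dmz) 2 10.0.0.0 255.255.255.0
"""  # the lab's own global/nat statements, comments dropped

def parse_global(words, iface_ip):
    """global (egress) <N> { A1[-A2] [netmask M] | interface } -> ("nat", [ips]) or ("pat", ip)."""
    if words[3] == "interface":
        return "pat", ipaddress.ip_address(iface_ip)
    lo, _, hi = words[3].partition("-")
    if not hi:                                   # a single address is a PAT pool
        return "pat", ipaddress.ip_address(lo)
    lo, hi = (int(ipaddress.ip_address(x)) for x in (lo, hi))
    addrs = [ipaddress.ip_address(i) for i in range(lo, hi + 1)]
    if "netmask" in words:                       # drop subnet numbers and broadcast addresses
        mask = words[words.index("netmask") + 1]
        def is_host(a):
            net = ipaddress.ip_network(f"{a}/{mask}", strict=False)
            return a not in (net.network_address, net.broadcast_address)
        addrs = [a for a in addrs if is_host(a)]
    return "nat", addrs

class Asa:
    def __init__(self, config):
        self.pools = defaultdict(list)           # (egress, pool id) -> entries in config order
        self.rules = defaultdict(list)           # ingress -> [(pool id, source network)]
        self.xlate = {}                          # (local ip, egress) -> global ip (NAT entries)
        self.next_port = defaultdict(lambda: 1024)   # next source port per PAT address
        for line in config.strip().splitlines():
            w = line.split()
            iface, pid = w[1].strip("()"), int(w[2])
            if w[0] == "global":
                self.pools[(iface, pid)].append(parse_global(w, IFACE_IP.get(iface)))
            else:                                # nat (ingress) <N> <net> <mask>; "0 0" means any
                net = "/".join("0.0.0.0" if x == "0" else x for x in w[3:5])
                self.rules[iface].append((pid, ipaddress.ip_network(net, strict=False)))

    def translate(self, ingress, src, egress, sport):
        # New connection -> (global ip, source port), or None when the ASA drops it.
        src = ipaddress.ip_address(src)
        pid = next((p for p, net in self.rules[ingress] if src in net), None)
        if pid is None:
            return None                          # no nat rule: dropped under nat-control
        entries = self.pools.get((egress, pid))
        if not entries:
            return None                          # "No matching global" for this egress
        if (src, egress) in self.xlate:          # an existing one-to-one entry is reused
            return str(self.xlate[(src, egress)]), sport
        for kind, val in sorted(entries, key=lambda e: e[0] != "nat"):  # NAT range before PAT
            if kind == "nat":
                free = [a for a in val if a not in self.xlate.values()]
                if free:
                    self.xlate[(src, egress)] = free[0]
                    return str(free[0]), sport
            else:                                # range exhausted: PAT backup rewrites the port
                self.next_port[val] += 1
                return str(val), self.next_port[val] - 1
```

Feeding it the lab config reproduces the two xlate entries from the diag output, the interface PAT for inside-to-DMZ traffic, and the "No matching global" drops for traffic hairpinning on the same interface.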
Note that in our example the internal network is advertised via RIP to the outside
hosts. You may want to make RIP passive on the outside interface and make
sure that everything continues to work fine, thanks to the NAT translations.
!
--> diag:
ASA1:
nat-control
!
! Disable inside network advertisements
!
router rip
passive-interface outside
!
! Configure global address pools
!
!
! First, the outside pool to translate the inside sources
!
global (outside) 1 136.1.122.100-136.1.122.110
global (outside) 1 interface
!
! DMZ pool for inside hosts
!
global (dmz) 1 interface
!
! Outside pool for DMZ hosts
!
global (outside) 2 136.1.122.200-136.1.122.209
global (outside) 2 136.1.122.210
!
! NAT rules
!
nat (inside) 1 136.1.121.0 255.255.255.0
nat (dmz) 2 10.0.0.0 255.255.255.0
---> output:
A(config)# sh xlate
2 in use, 2 most used
Global 136.1.122.200 Local 10.0.0.100
Global 136.1.122.100 Local 136.1.121.1
A(config)# sh run nat
nat (inside) 1 136.1.121.0 255.255.255.0
nat (dmz) 2 10.0.0.100 255.255.255.255
A(config)# sh run glog
A(config)# sh run glob
A(config)# sh run global
global (outside) 1 136.1.122.100-136.1.122.110 netmask 255.255.255.0
global (outside) 2 136.1.122.200-136.1.122.210 netmask 255.255.255.0
global (outside) 1 interface
global (outside) 2 136.1.122.211
global (dmz) 1 interface
A(config)# sh nat
NAT policies on Interface inside:
match ip inside 136.1.121.0 255.255.255.0 outside any
dynamic translation to pool 1 (136.1.122.100 - 136.1.122.110)
translate_hits = 8, untranslate_hits = 1
match ip inside 136.1.121.0 255.255.255.0 inside any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip inside 136.1.121.0 255.255.255.0 dmz any
dynamic translation to pool 1 (10.0.0.12 [Interface PAT])
translate_hits = 6, untranslate_hits = 0
match ip inside any outside any
no translation group, implicit deny
policy_hits = 0
match ip inside any dmz any
no translation group, implicit deny
policy_hits = 0
NAT policies on Interface dmz:
match ip dmz host 10.0.0.100 outside any
dynamic translation to pool 2 (136.1.122.200 - 136.1.122.210)
translate_hits = 2, untranslate_hits = 0
match ip dmz host 10.0.0.100 dmz any
dynamic translation to pool 2 (No matching global)
translate_hits = 0, untranslate_hits = 0
match ip dmz any outside any
no translation group, implicit deny
policy_hits = 0
---->
R1#telnet 136.1.122.3
Trying 136.1.122.3 ... Open
Password required, but none set
R2#telnet 136.1.122.3
Trying 136.1.122.3 ... Open
Password required, but none set
--->
=============== In the new code ===================== 9.X
NAT Types
You can implement NAT using the following methods:
Dynamic NAT—A group of real IP addresses are mapped to a (usually smaller) group of mapped IP addresses, on a first come, first served basis.
Only the real host can initiate traffic. See Dynamic NAT.
Dynamic Port Address Translation (PAT)—A group of real IP addresses are mapped to a single IP address using a unique source port of that IP address.
See Dynamic PAT.
Static NAT—A consistent mapping between a real and mapped IP address. Allows bidirectional traffic initiation. See Static NAT.
Identity NAT—A real address is statically translated to itself, essentially bypassing NAT. You might want to configure NAT this way when you want
to translate a large group of addresses, but then want to exempt a smaller subset of addresses. See Identity NAT.
Dynamic NAT
hostname(config)# object network my-range-obj
hostname(config-network-object)# range 10.2.2.1 10.2.2.10
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic my-range-obj
The following example configures dynamic NAT with dynamic PAT backup. Hosts on inside network 10.76.11.0 are mapped first to the nat-range1
pool (10.10.10.10-10.10.10.20). After all addresses in the nat-range1 pool are allocated, dynamic PAT is performed using the pat-ip1 address
(10.10.10.21). In the unlikely event that the PAT translations are also used up, dynamic PAT is performed using the outside interface address.
hostname(config)# object network nat-range1
hostname(config-network-object)# range 10.10.10.10 10.10.10.20
hostname(config-network-object)# object network pat-ip1
hostname(config-network-object)# host 10.10.10.21
hostname(config-network-object)# object-group network nat-pat-grp
hostname(config-network-object)# network-object object nat-range1
hostname(config-network-object)# network-object object pat-ip1
hostname(config-network-object)# object network my_net_obj5
hostname(config-network-object)# subnet 10.76.11.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic nat-pat-grp interface
Dynamic PAT
Examples
The following example configures dynamic PAT that hides the 192.168.2.0 network behind address 10.2.2.2:
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic 10.2.2.2
The following example configures dynamic PAT that hides the 192.168.2.0 network behind the outside interface address:
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic interface
The following example configures dynamic PAT with a PAT pool to translate the inside IPv6 network to an outside IPv4 network:
hostname(config)# object network IPv4_POOL
hostname(config-network-object)# range 203.0.113.1 203.0.113.254
Static NAT
Examples
The following example configures static NAT for the real host 10.1.1.1 on the inside to 10.2.2.2 on the outside with DNS rewrite enabled.
hostname(config)# object network my-host-obj1
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static 10.2.2.2 dns
The following example configures static NAT for the real host 10.1.1.1 on the inside to 10.2.2.2 on the outside using a mapped object.
hostname(config)# object network my-mapped-obj
hostname(config-network-object)# host 10.2.2.2
hostname(config-network-object)# object network my-host-obj1
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static my-mapped-obj
The following example configures static NAT-with-port-translation for 10.1.1.1 at TCP port 21 to the outside interface at port 2121.
hostname(config)# object network my-ftp-server
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static interface service tcp 21 2121
Identity NAT
Example
The following example maps a host address to itself using an inline mapped address:
hostname(config)# object network my-host-obj1
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static 10.1.1.1
The following example maps a host address to itself using a network object:
hostname(config)# object network my-host-obj1-identity
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# object network my-host-obj1
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static my-host-obj1-identity
===================================================================