Monday 14 May 2012

Cisco ASA 8.3 / 8.4 NAT Guide

Twice NAT lets you identify both the source and destination address in a single rule. Specifying both the source and destination addresses lets you say that a source address should be translated to A when going to destination X, but translated to B when going to destination Y.
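As an added example (not from the original post), the following twice NAT configuration shows exactly that: one inside subnet is translated to mapped address A towards partner network X and to mapped address B towards partner network Y, with everything else falling through to ordinary interface PAT. All object names and addresses below are assumed for illustration.

```cisco
! Added example, not from the original post: destination-dependent source NAT.
! All names and addresses are assumed (RFC 5737 documentation ranges).
object network INSIDE_LAN
 subnet 192.168.1.0 255.255.255.0
!
object network PARTNER_X
 subnet 203.0.113.0 255.255.255.0
object network PARTNER_Y
 subnet 198.51.100.0 255.255.255.0
!
! Single-host mapped objects: a host as the mapped source in a dynamic rule gives PAT.
object network MAPPED_A
 host 192.0.2.10
object network MAPPED_B
 host 192.0.2.20
!
! Twice NAT rules (section 1) are evaluated top-down, first match wins, and they are
! checked before any object (auto) NAT, so order them from most to least specific.
! Destination is an identity translation (PARTNER_X -> PARTNER_X): it only selects the rule.
nat (inside,outside) source dynamic INSIDE_LAN MAPPED_A destination static PARTNER_X PARTNER_X
nat (inside,outside) source dynamic INSIDE_LAN MAPPED_B destination static PARTNER_Y PARTNER_Y
!
! Everything else from the inside subnet is hidden behind the outside interface (section 2, object NAT).
object network INSIDE_LAN
 nat (inside,outside) dynamic interface
!
! Verify which rule a flow actually hits before trusting the ruleset:
! packet-tracer input inside tcp 192.168.1.50 40000 203.0.113.5 443   -> should use MAPPED_A
! packet-tracer input inside tcp 192.168.1.50 40000 198.51.100.5 443  -> should use MAPPED_B
! packet-tracer input inside tcp 192.168.1.50 40000 192.0.2.99 443    -> should use interface PAT
! show nat detail
```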

No more nat and global commands.

Basically there is no more global command, and we are now a lot more reliant on network objects.

If you are port forwarding (Static PAT) then DNS rewrite will no longer work.

NAT 0 (nat exemption, i.e. no NAT) no longer exists.

To configure Auto-NAT (object NAT):

  1. Create a network object.
  2. Within this object define the real IP/network to be translated.
  3. Also within this object use the nat command to specify whether the translation will be dynamic or static.

NAPT / dynamic PAT: hide the inside network's traffic behind the outside interface address.
firewall(config)# object network inside-network
firewall(config-network-object)# subnet 192.168.1.0 255.255.255.0
firewall(config-network-object)# nat (inside,outside) dynamic interface
In the above example you may replace interface with a hide NAT IP such as 1.1.1.1 if needed:
firewall(config)# object network inside-network
firewall(config-network-object)# subnet 192.168.1.0 255.255.255.0
firewall(config-network-object)# nat (inside,outside) dynamic 1.1.1.1

Dynamic NAT: hide the inside network's traffic behind a range of outside addresses 1.1.1.1-1.1.1.5 (with a range object this is dynamic NAT, one mapped address per inside host at a time, so the pool can be exhausted).
firewall(config)# object network outside-nat-range
firewall(config-network-object)# range 1.1.1.1-1.1.1.5

firewall(config)# object network inside-network
firewall(config-network-object)# subnet 192.168.1.0 255.255.255.0
firewall(config-network-object)# nat (inside,outside) dynamic outside-nat-range

Static NAT (one-to-one NAT): translate the host 192.168.1.1 on the inside to 1.1.1.2 on the outside.
firewall(config)# object network inside-host
firewall(config-network-object)# host 192.168.1.1
firewall(config-network-object)# nat (inside,outside) static 1.1.1.2


Static NAT with port translation: host 192.168.1.1 on the inside at TCP port 80 is reached via the outside interface at port 8080.
firewall(config)# object network web-server
firewall(config-network-object)# host 192.168.1.1
firewall(config-network-object)# nat (inside,outside) static interface service tcp 80 8080


OLD - Regular PAT - 1 external IP to many internal IP addresses

nat (inside) 1 0 0
global (outside) 1 interface

NEW - Regular PAT - 1 external IP to many internal IP addresses

object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface


OLD - Static PAT (Port Forwarding)


access-list inbound extended permit tcp any interface outside eq smtp 

access-list inbound extended permit tcp any interface outside eq www 

access-list inbound extended permit tcp any interface outside eq 3389 

static (inside,outside) tcp interface www 10.254.254.5 www netmask 255.255.255.255 
static (inside,outside) tcp interface smtp 10.254.254.5 smtp netmask 255.255.255.255 
static (inside,outside) tcp interface 3389 10.254.254.5 3389 netmask 255.255.255.255 

NEW - Static PAT (Port Forwarding)

access-list inbound extended permit tcp any object obj-10.254.254.5 eq smtp
access-list inbound extended permit tcp any object obj-10.254.254.5 eq www
access-list inbound extended permit tcp any object obj-10.254.254.5 eq 3389
object network obj-10.254.254.5
 host 10.254.254.5
 nat (inside,outside) static interface service tcp www www
object network obj-10.254.254.5-01
 host 10.254.254.5
 nat (inside,outside) static interface service tcp smtp smtp
object network obj-10.254.254.5-02
 host 10.254.254.5
 nat (inside,outside) static interface service tcp 3389 3389

Note that the access list now references the real (untranslated) address, and that a network object can carry only one object NAT statement, which is why the same host is defined three times.

OLD - No NAT (seen mainly - but not always - on VPN traffic)

nat (inside) 0 access-list EXEMPT
access-list EXEMPT extended permit ip 10.254.254.0 255.255.255.0 172.16.254.0 255.255.255.0

NEW - No NAT

object network obj-10.254.254.0
 subnet 10.254.254.0 255.255.255.0
object network obj-172.16.254.0
 subnet 172.16.254.0 255.255.255.0
nat (inside,any) source static obj-10.254.254.0 obj-10.254.254.0 destination static obj-172.16.254.0 obj-172.16.254.0

DIFFERENCE BETWEEN 8.2 & 8.3


8.2 > Dynamic overloaded interface NAT (PAT) before 8.3 (i.e. in version 8.2):
global (outside) 100 interface
nat (inside) 100 10.10.10.0 255.255.255.0
!
!
!
8.3 > Dynamic overload interface NAT (PAT) with 8.3 and up (AKA “Auto-NAT”):
object network INSIDE-HOSTS_10.10.10.0
subnet 10.10.10.0 255.255.255.0
nat (inside,outside) dynamic interface
!
!!!This could be another PAT method (this is from Cisco), written as a twice NAT rule instead of object NAT:
ASA(config)#object network Generic_All_Network
ASA(config-network-object)#subnet 0.0.0.0 0.0.0.0
ASA(config-network-object)#exit
ASA(config)#nat (inside,outside) source dynamic Generic_All_Network interface
!
!
object network WAN_SECONDARY_IP_2.2.2.2
host 2.2.2.2
!
object network OBJ_DMZ-HOSTS_172.16.1.0
subnet 172.16.1.0 255.255.255.0
nat (dmz,outside) dynamic WAN_SECONDARY_IP_2.2.2.2
!
!!Note: as a best practice or generally a necessity, you’d want to NAT DMZ traffic to a different public IP.
!!In the above example it is the secondary WAN IP.
*********
8.2 > Dynamic ANY overloaded interface NAT (PAT) with 8.2:
global (outside) 100 interface
nat (inside) 100 0 0
!
!
!
8.3 > Dynamic ANY overloaded interface NAT (PAT) with 8.3:
object network ANY-0.0.0.0
subnet 0.0.0.0  0.0.0.0
nat (inside,outside) dynamic interface
!
**********
8.2 > NAT exemption used for VPN purposes (i.e. No NAT):
access-list NAT_EXEMPT_OUTBOUND extended permit ip 10.10.10.0 255.255.255.0 192.168.245.0 255.255.255.0
!
nat (inside) 0  access-list NAT_EXEMPT_OUTBOUND
!
!
!
8.3 > NAT exemption used for VPN purposes (i.e. No NAT):
object network INSIDE_HOSTS-10.10.10.0
subnet 10.10.10.0 255.255.255.0
!
object network RAVPN_HOSTS-192.168.245.0
subnet 192.168.245.0 255.255.255.0
!
nat (inside,outside) source static INSIDE_HOSTS-10.10.10.0 INSIDE_HOSTS-10.10.10.0 destination static RAVPN_HOSTS-192.168.245.0 RAVPN_HOSTS-192.168.245.0
!!In simple terms, this says: NO NAT, an identity “twice NAT” rule ;)
**********
8.2 > Inside to DMZ traffic (if NAT-CONTROL is enabled):
static (inside,DMZ) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
!! If NAT-CONTROL is enabled, traffic from a higher security to a lower security
!!zone must be NAT’d. If NAT-CONTROL is not enabled, then as long as
!!routing and ACLs are satisfied, traffic from inside to DMZ flows
!!normally. If you have NAT-CONTROL, you’d need some downtime
!!if you wish to remove it, as you’ll have to redo all NAT configurations, so I’d be
!!careful.
8.3 > Inside to DMZ traffic:
!!There’s really no explicit or “out-of-the-box” need for NAT between inside
!!and DMZ unless deemed necessary by specific requirements.
!!Since NAT-CONTROL is deprecated, there’s no need to have NAT to
!!have inside communicate with DMZ.
!
!
!
8.2 > Port Forwarding for Servers:
static (DMZ,outside) tcp 1.1.1.1 https 10.0.0.1 https netmask 255.255.255.255
!!Yes, it was pretty confusing in 8.2
8.3 > Port Forwarding for Servers:
object service TCP-POP3-110
service tcp source eq pop3
!
object network WAN_IP_3.3.3.3
host 3.3.3.3
!
object network SERVER_OBJECT_10.10.10.50
host 10.10.10.50
!
nat (DMZ,outside) source static SERVER_OBJECT_10.10.10.50 WAN_IP_3.3.3.3 service TCP-POP3-110 TCP-POP3-110
!!In a twice NAT rule the service object’s “source” port is the real server’s port, which is why the object above says source eq pop3.
!!The new NAT scheme is actually much more straightforward and clear.








