ASA 8.2 NAT

NAT Control:

NAT control requires that a NAT rule exist for traffic crossing the firewall: with nat-control enabled, a packet from a higher-security interface to a lower-security one that matches no translation rule is dropped. On ASA 8.2 nat-control is disabled by default (it is turned on with the nat-control command), so without it untranslated traffic is simply forwarded as-is.

Policy NAT:
Policy NAT (static or dynamic) changes the source address to a specific mapped address only when the traffic is going to a specific destination. An extended ACL identifies the interesting traffic: its source is the real address and its destination is the remote address the translation should apply to.

Static Policy NAT:
NAT syntax:
static (SourceInterface_nameif,DestinationInterface_nameif) <Address_after_translation | interface> access-list <ACL_Name>

Example:

access-list static-policy-nat-acl extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
static (inside,outside) 192.168.3.0  access-list static-policy-nat-acl

access-list static-policy-nat-host-acl extended permit ip 192.168.1.2 255.255.255.255 10.1.1.0 255.255.255.0
static (inside,outside) 192.168.5.2  access-list static-policy-nat-host-acl

The first example says: when traffic comes from the 192.168.1.0/24 subnet and goes to the 10.1.1.0/24 subnet, translate the source to the corresponding address in 192.168.3.0/24 (192.168.1.2 becomes 192.168.3.2, and so on). The second example does the same for the single host 192.168.1.2, mapping it to 192.168.5.2 only when it talks to 10.1.1.0/24; to any other destination this rule does not apply.

Static Regular NAT:
Regular static NAT translates the real host address to a fixed mapped address regardless of the destination. The mapping is bidirectional: hosts on the outside can also initiate connections to the mapped address, provided the interface ACL permits them.
Example:

static (inside,outside) 192.168.4.1 192.168.1.2 netmask 255.255.255.255

Static Policy PAT:

access-list static-policy-pat-acl permit tcp host 192.168.1.2 eq telnet 10.1.1.0 255.255.255.0
static (inside,outside) tcp 192.168.8.1 telnet access-list static-policy-pat-acl

Note: For static policy PAT the port in the ACL is mandatory. It is the real port (here the source port, telnet, on 192.168.1.2); the port in the static statement is the mapped port.

Static Regular PAT

static (inside,outside) tcp 192.168.22.2 www 192.168.1.2 www netmask 255.255.255.255

The above rule maps TCP port 80 (www) on the real server 192.168.1.2 to 192.168.22.2:80, so outside clients can reach the web server at the mapped address (an ACL on the outside interface must still permit the connection). Static PAT only covers traffic matching that port, so connections the server itself initiates to the outside, which use other source ports, need a separate rule; otherwise, with nat-control enabled, they are dropped:

nat (inside) 1 192.168.1.2 255.255.255.255
global (outside) 1 192.168.22.2

Dynamic Policy NAT:
Example:

access-list policy-nat-acl extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 1 access-list policy-nat-acl
global (outside) 1 192.168.5.1-192.168.5.5

Note: The ID in the nat and global statements (1 here) ties the two together.

This example says: if traffic comes from the 192.168.1.0/24 subnet and goes to the 10.1.1.0/24 subnet, translate the source to an address from the range 192.168.5.1 to 192.168.5.5. Dynamic NAT gives each real host its own mapped address, so only five hosts can hold translations at the same time; a sixth host's connection fails unless a single PAT address is also configured in a global statement with the same ID as a fallback.

Dynamic Regular NAT:

nat (inside) 2 192.168.1.0 255.255.255.0
global (outside) 2 192.168.6.1-192.168.6.2

Dynamic Policy PAT:

access-list policy-nat-acl extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 1 access-list policy-nat-acl
global (outside) 1 192.168.2.3

The above example says: whenever traffic comes from 192.168.1.0/24 and goes to 10.1.1.0/24, translate the source to 192.168.2.3. A single address in the global statement means PAT: all matching hosts share that one mapped address and are distinguished by their translated source ports.

Dynamic regular PAT:

nat (inside) 2 10.2.2.0 255.255.255.0
global (outside) 2 192.168.7.4

The above example translates any source in 10.2.2.0/24 to 192.168.7.4, again PAT because the global statement holds a single address.

Note: Here 2 is the ID that maps the nat command to its global command.

Bypassing NAT:

Identity NAT:

nat (inside) 0 10.1.1.0 255.255.255.0

The identity NAT above leaves traffic from 10.1.1.0/24 untranslated wherever it goes; nat 0 without an access list cannot be restricted to a particular destination (that is what NAT exemption is for). Identity NAT is also one-way: hosts in 10.1.1.0/24 can initiate connections outward, but outside hosts cannot initiate connections to them through this rule, whereas NAT exemption allows both directions.

Static Policy Identity NAT:

access-list acl-static-identity-nat permit ip host 10.1.1.1 1.1.1.0 255.255.255.0
static (inside,outside) 10.1.1.1 access-list acl-static-identity-nat

For identity NAT the mapped address is the real address itself (10.1.1.1 appears as 10.1.1.1), so the host is left untranslated, here only when it talks to 1.1.1.0/24. Putting a different mapped address in the static statement would make this ordinary static policy NAT, not identity NAT. Unlike nat 0, a static identity rule is bidirectional and lets you choose the interface pair on which the real address appears untranslated.

Static regular Identity NAT:

static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

NAT exempt:

access-list nat-exempt-acl permit ip 10.1.1.0 255.255.255.0 any
nat (inside) 0 access-list nat-exempt-acl

NAT exemption (nat 0 with an access list) leaves the matched traffic untranslated in both directions and, unlike plain identity NAT, can be limited to specific destinations through the ACL. It is evaluated before every other NAT rule, and the ACL is matched on addresses only; any ports in it are ignored.

NAT rule order:

  1. NAT exemption (nat 0 access-list): checked in configuration order, first match wins
  2. Static NAT and static PAT (regular and policy, including static identity NAT): in order, first match wins
  3. Policy dynamic NAT and PAT (nat with an access-list): in order, first match wins
  4. Regular dynamic NAT and PAT (nat with a subnet, including identity NAT nat 0 without an ACL): best match, the rule with the most specific real subnet wins regardless of configuration order
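The rule order above is easiest to see by running a few flows against the page's own commands. The following is an added Python example, not code from the original post or from Cisco: it is a toy model of ASA 8.2 source-NAT selection for inside-to-outside flows (ports, interfaces and the return direction are not modelled, an assumption) loaded with the exemption, static, policy dynamic and regular dynamic rules from this page, plus one assumed catch-all rule, nat (inside) 3 0.0.0.0 0.0.0.0 with global (outside) 3 192.168.9.9, which is not on the page and exists only to show best-match in class 4. The two regular dynamic examples that share ID 2 on the page are modelled as separate pools, another assumption. It also shows the nat-control drop and the dynamic NAT pool exhaustion discussed under dynamic NAT, and makes visible that the 192.168.5.x pool of the policy dynamic example is never reached, because the static policy rule covers the same flows and sits in an earlier class.

```python
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


def net(cidr):
    return ip_network(cidr, strict=False)


def pool(first, last):
    """Expand a 'global (outside) N first-last' range into a list of mapped addresses."""
    lo, hi = int(ip_address(first)), int(ip_address(last))
    return [ip_address(i) for i in range(lo, hi + 1)]


def shift(real, real_net, mapped_net):
    """Static NAT keeps the host offset: real_net + k maps to mapped_net + k."""
    return mapped_net.network_address + (int(real) - int(real_net.network_address))


class Asa82Nat:
    """Toy model of ASA 8.2 NAT rule selection for inside->outside flows.
    Assumption: ports, interfaces and the return direction are not modelled."""

    def __init__(self, nat_control=True):
        self.nat_control = nat_control
        self.exempt = []       # class 1: [(src_net, dst_net)]             in order, first match
        self.static = []       # class 2: [(src_net, dst_net, mapped_net)]  in order, first match
        self.policy_dyn = []   # class 3: [(src_net, dst_net, addrs)]       in order, first match
        self.regular_dyn = []  # class 4: [(src_net, addrs)]                best (longest-prefix) match
        self.leases = {}       # real host -> mapped address held from a dynamic NAT pool

    def _from_pool(self, real, addrs):
        if addrs is None:                       # nat (inside) 0 <subnet>: identity NAT
            return "identity", real
        if len(addrs) == 1:                     # a single global address means dynamic PAT
            return "pat", addrs[0]
        if real in self.leases:                 # dynamic NAT: one mapped address per real host
            return "dynamic", self.leases[real]
        free = [a for a in addrs if a not in self.leases.values()]
        if not free:                            # pool exhausted and no PAT fallback under this ID
            return "drop", None
        self.leases[real] = free[0]
        return "dynamic", free[0]

    def _select(self, src, dst):
        for s, d in self.exempt:
            if src in s and dst in d:
                return "exempt", src
        for s, d, m in self.static:
            if src in s and dst in d:
                return "static", shift(src, s, m)
        for s, d, addrs in self.policy_dyn:
            if src in s and dst in d:
                return self._from_pool(src, addrs)
        candidates = [r for r in self.regular_dyn if src in r[0]]
        if candidates:
            best = max(candidates, key=lambda r: r[0].prefixlen)   # most specific subnet wins
            return self._from_pool(src, best[1])
        return ("drop", None) if self.nat_control else ("untranslated", src)

    def lookup(self, src, dst):
        """Return (rule class that fired, mapped source address as a string or None)."""
        kind, addr = self._select(ip_address(src), ip_address(dst))
        return kind, (None if addr is None else str(addr))


def page_config():
    """The page's commands loaded into the model, plus one assumed catch-all rule."""
    asa = Asa82Nat(nat_control=True)
    # nat (inside) 0 access-list nat-exempt-acl            (10.1.1.0/24 -> any)
    asa.exempt.append((net("10.1.1.0/24"), ANY))
    # static (inside,outside) 192.168.3.0 access-list static-policy-nat-acl
    asa.static.append((net("192.168.1.0/24"), net("10.1.1.0/24"), net("192.168.3.0/24")))
    # static (inside,outside) 192.168.4.1 192.168.1.2 netmask 255.255.255.255
    asa.static.append((net("192.168.1.2/32"), ANY, net("192.168.4.1/32")))
    # nat (inside) 1 access-list policy-nat-acl / global (outside) 1 192.168.5.1-192.168.5.5
    asa.policy_dyn.append((net("192.168.1.0/24"), net("10.1.1.0/24"),
                           pool("192.168.5.1", "192.168.5.5")))
    # nat (inside) 2 192.168.1.0 255.255.255.0 / global (outside) 2 192.168.6.1-192.168.6.2
    asa.regular_dyn.append((net("192.168.1.0/24"), pool("192.168.6.1", "192.168.6.2")))
    # nat (inside) 2 10.2.2.0 255.255.255.0 / global (outside) 2 192.168.7.4 (assumed: its own pool)
    asa.regular_dyn.append((net("10.2.2.0/24"), [ip_address("192.168.7.4")]))
    # Assumed catch-all, not on the page: nat (inside) 3 0.0.0.0 0.0.0.0 / global (outside) 3 192.168.9.9
    asa.regular_dyn.append((ANY, [ip_address("192.168.9.9")]))
    return asa


if __name__ == "__main__":
    asa = page_config()
    flows = [("10.1.1.5", "203.0.113.9"),      # class 1: NAT exemption, source unchanged
             ("192.168.1.2", "10.1.1.7"),      # class 2: static policy NAT shadows nat 1 policy dynamic
             ("192.168.1.2", "203.0.113.9"),   # class 2: static regular NAT
             ("192.168.1.10", "203.0.113.9"),  # class 4: the /24 rule beats the /0 catch-all
             ("192.168.1.11", "203.0.113.9"),
             ("192.168.1.12", "203.0.113.9"),  # third host: two-address pool exhausted, dropped
             ("172.16.0.5", "203.0.113.9")]    # class 4: only the assumed catch-all PAT matches
    for s, d in flows:
        print(f"{s:>13} -> {d:<13} {asa.lookup(s, d)}")
```

Running the script prints which class fired for each constructed flow. The same-offset behaviour of static policy NAT (192.168.1.2 appearing as 192.168.3.2) and the pool exhaustion of the two-address global are both visible, and swapping the order of the two regular dynamic entries changes nothing, since class 4 is chosen by prefix length rather than position.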

 
