ASA 8.2 NAT

NAT Control:

NAT control requires that a NAT rule exist for any traffic traversing the firewall; without a matching rule the traffic is dropped. By default NAT control is disabled.

NAT is supported in transparent mode as well; check the configuration guide for the details.

Policy NAT:
Any form of policy NAT changes the source address to a specific translated address only when the traffic is going to a specific destination. An extended ACL is needed to identify the interesting traffic.

Static Policy NAT:

NAT syntax:
static (Source_nameif,Destination_nameif) mapped_ip access-list acl_name

Example:

Extended ACL:
access-list static-policy-nat-acl extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
static (inside,outside) 192.168.3.0 access-list static-policy-nat-acl

access-list static-policy-nat-host-acl extended permit ip 192.168.1.2 255.255.255.255 10.1.1.0 255.255.255.0
static (inside,outside) 192.168.5.2 access-list static-policy-nat-host-acl

The first pair says that when traffic comes from the 192.168.1.0/24 subnet and is going to the 10.1.1.0/24 subnet, change the source to 192.168.3.0/24. The second pair does the same for the single host 192.168.1.2, translating it to 192.168.5.2.

Static Regular NAT:
Regular static NAT changes the real host IP address to a mapped IP address regardless of the destination IP.
Example:

static (inside,outside) 192.168.4.1 192.168.1.2 netmask 255.255.255.255

Static Policy PAT:

Static policy PAT is the same as static policy NAT; the difference is that the protocol (TCP or UDP) and the port number must be specified.

access-list static-policy-pat-acl permit tcp host 192.168.1.2 eq telnet 10.1.1.0 255.255.255.0
static (inside,outside) tcp 192.168.8.1 telnet access-list static-policy-pat-acl

Note: Here the port number in the ACL is mandatory.

The above rule says that when a host on the outside (in 10.1.1.0/24) sends traffic to 192.168.8.1 on port 23, send that traffic to the real host 192.168.1.2 on port 23.

Static Regular PAT:

static (inside,outside) tcp 192.168.22.2 www 192.168.1.2 www netmask 255.255.255.255
static (inside,outside) tcp 192.168.22.2 smtp 192.168.1.3 smtp netmask 255.255.255.255

The above rules allow traffic from any source to reach 192.168.1.2 (and 192.168.1.3) through the mapped address 192.168.22.2.

To allow traffic from 192.168.1.2 to internet use following commands:

nat (inside) 1 192.168.1.2 255.255.255.255
global (outside) 1 192.168.22.2

The above example says:
  1. When traffic comes from anywhere to 192.168.22.2 on port 80, send the traffic to 192.168.1.2 on port 80.
  2. When traffic comes from anywhere to 192.168.22.2 on port 25, send the traffic to 192.168.1.3 on port 25.

Dynamic Policy NAT:
Example:

access-list policy-nat-acl extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 1 access-list policy-nat-acl
global (outside) 1 192.168.5.1-192.168.5.5

Note: The number in the nat and global statements (the NAT ID) is used to match the two statements.

This example says that if traffic is coming from the 192.168.1.0/24 subnet and is going to the 10.1.1.0/24 subnet, change the source address to one from the range 192.168.5.1 to 192.168.5.5. Only 5 hosts can be translated at the same time.

Dynamic Regular NAT:

nat (inside) 2 192.168.1.0 255.255.255.0
global (outside) 2 192.168.6.1-192.168.6.2

Dynamic Policy PAT:

This is similar to dynamic policy NAT; the difference is that the global command uses only one IP, whereas dynamic policy NAT uses a pool of IPs.

access-list policy-nat-acl extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 1 access-list policy-nat-acl
global (outside) 1 192.168.2.3

The above example says that whenever traffic comes from 192.168.1.0/24 and is going to 10.1.1.0/24, translate the source to 192.168.2.3.

Dynamic regular PAT:

This is similar to dynamic regular NAT; the difference is that the global command uses only one IP, whereas dynamic regular NAT uses a pool of IPs.

nat (inside) 2 10.2.2.0 255.255.255.0
global (outside) 2 192.168.7.4

The above example says: change the source 10.2.2.0/24 to 192.168.7.4.

Note: Here 2 is the NAT ID, which maps the nat command to the global command.
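The practical difference between the dynamic NAT pool above (192.168.5.1-192.168.5.5, so only five inside hosts can be translated at once) and dynamic PAT (one mapped IP, many ports) is easiest to see by simulating both allocators. The following is an added example, not code from the original post or from Cisco; the class names NatPool and PatAddress, the function names and the sequential port allocation are my own simplification, not the ASA's actual allocation algorithm. The addresses are the ones from the configs above.

```python
# Added example (not from the original post): a small model of how an ASA 8.2
# dynamic NAT pool and a dynamic PAT address hand out translations.
# Class/function names are my own; the addresses come from the post's configs.
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


class NatPool:
    """Models 'global (outside) 1 192.168.5.1-192.168.5.5': one mapped IP per real host."""

    def __init__(self, first: str, last: str) -> None:
        lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
        self.free = [str(IPv4Address(i)) for i in range(lo, hi + 1)]
        self.xlate: Dict[str, str] = {}  # real IP -> mapped IP

    def translate(self, real_ip: str) -> Optional[str]:
        if real_ip in self.xlate:  # an existing translation is reused
            return self.xlate[real_ip]
        if not self.free:  # pool exhausted: no translation available
            return None
        mapped = self.free.pop(0)
        self.xlate[real_ip] = mapped
        return mapped


class PatAddress:
    """Models 'global (outside) 2 192.168.7.4': one mapped IP, one port per flow."""

    def __init__(self, mapped_ip: str, first_port: int = 1024, last_port: int = 65535) -> None:
        self.mapped_ip = mapped_ip
        self.next_port = first_port  # simplified: ports handed out sequentially
        self.last_port = last_port
        # (real ip, real port) -> (mapped ip, mapped port)
        self.xlate: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def translate(self, real_ip: str, real_port: int) -> Optional[Tuple[str, int]]:
        key = (real_ip, real_port)
        if key in self.xlate:
            return self.xlate[key]
        if self.next_port > self.last_port:  # all ports used up
            return None
        mapped = (self.mapped_ip, self.next_port)
        self.next_port += 1
        self.xlate[key] = mapped
        return mapped


def pool_demo(hosts: List[str]) -> Dict[str, Optional[str]]:
    """Run several inside hosts through the five-address pool from the post."""
    pool = NatPool("192.168.5.1", "192.168.5.5")
    return {h: pool.translate(h) for h in hosts}


def pat_demo(flows: List[Tuple[str, int]]) -> List[Optional[Tuple[str, int]]]:
    """Run several (real ip, real port) flows through the single PAT address from the post."""
    pat = PatAddress("192.168.7.4")
    return [pat.translate(ip, port) for ip, port in flows]


if __name__ == "__main__":
    # Constructed sample hosts: six hosts in 192.168.1.0/24; the sixth gets no address.
    print(pool_demo(["192.168.1.%d" % i for i in range(1, 7)]))
    # Constructed sample flows: two hosts using the same source port share one mapped IP.
    print(pat_demo([("10.2.2.1", 40000), ("10.2.2.2", 40000), ("10.2.2.1", 40000)]))
```

Running it shows the sixth host in the pool demo mapping to None, while the PAT demo keeps handing out new ports on 192.168.7.4 and returns the existing translation for a repeated flow.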

Bypassing NAT:

Identity NAT:

nat (inside) 0 10.1.1.0 255.255.255.0

Since this is identity NAT, NAT ID 0 is used.

Identity NAT translates the real IP to itself. The above rule translates 10.1.1.0/24 to itself regardless of where the traffic is going.

Identity NAT translates an IP to itself, but you cannot initiate traffic from outside to inside, even if the ACL on the outside interface permits traffic from outside to inside.

The drawback of identity NAT is that you cannot restrict it by destination, for example to do identity NAT only when traffic is going to the DMZ but not when it is going to outside.

Static Policy Identity NAT:

This NAT is similar to static policy NAT; the only difference is that it translates the source to itself. Otherwise the syntax is the same.

Extended ACL:
access-list acl-static-identity-nat permit ip host 10.1.1.1 1.1.1.0 255.255.255.0
static (inside,outside) 10.1.1.1 access-list acl-static-identity-nat

Static regular Identity NAT:

This NAT is similar to static regular NAT; the only difference is that it translates the source to itself. Otherwise the syntax is the same.

static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0

NAT exempt:

NAT exemption gives greater control than identity NAT: you can specify both the source and the destination. Don't specify ports in the ACL, because NAT exemption doesn't consider ports.

Extended ACL:
access-list nat-exempt-acl permit ip 10.1.1.0 255.255.255.0 any
nat (inside) 0 access-list nat-exempt-acl

NAT rule order:

  1. NAT exempt
  2. Static NAT (regular and policy) and static PAT (regular and policy) {Identity NAT is also evaluated here}
  3. Policy dynamic NAT and PAT
  4. Regular dynamic NAT and PAT
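To see which rule wins for a given packet, the lookup order above can be modelled directly. The following is an added example, not code from the original post or from Cisco; the Packet and NatRule classes, the lookup() function and the RULES table are my own, built from the configs earlier in the post (the outside address 203.0.113.10 is a constructed sample). One assumption not settled by the post: within a single tier the model uses configuration order (first configured match wins), which is why sorted() is used, as it is stable.

```python
# Added example (not from the original post): a model of the ASA 8.2 NAT rule
# order, to see which rule is applied to a packet. Names are my own; the
# addresses come from the post's configs.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address
from typing import List, Optional

# Evaluation order from the post: exempt, static (incl. identity), policy dynamic, regular dynamic.
ORDER = {"exempt": 1, "static": 2, "policy-dynamic": 3, "regular-dynamic": 4}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"          # "ip", "tcp" or "udp"
    sport: Optional[int] = None  # real source port, only meaningful for tcp/udp


@dataclass
class NatRule:
    kind: str                    # one of the ORDER keys
    name: str                    # the config line it stands for
    src_net: str                 # real source network
    dst_net: str = "0.0.0.0/0"   # policy rules narrow the destination, regular rules match any
    proto: str = "ip"            # "tcp"/"udp" for static policy PAT
    sport: Optional[int] = None  # real port for PAT rules
    mapped: str = ""             # what the source becomes; "" means itself (identity/exempt)

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in IPv4Network(self.src_net):
            return False
        if ip_address(p.dst) not in IPv4Network(self.dst_net):
            return False
        # A PAT rule only matches the configured protocol and port.
        if self.proto != "ip" and (self.proto != p.proto or self.sport != p.sport):
            return False
        return True


def lookup(rules: List[NatRule], p: Packet) -> Optional[NatRule]:
    """Return the first matching rule in ASA 8.2 tier order, or None if nothing matches.

    Assumption: inside one tier, configuration order decides (sorted() is stable).
    With NAT control enabled, a None result means the packet is dropped.
    """
    for rule in sorted(rules, key=lambda r: ORDER[r.kind]):
        if rule.matches(p):
            return rule
    return None


# Rules built from the post's examples (constructed table, not device output).
RULES = [
    NatRule("exempt", "nat (inside) 0 access-list nat-exempt-acl", "10.1.1.0/24"),
    NatRule("static", "static policy PAT 192.168.1.2:23 -> 192.168.8.1:23",
            "192.168.1.2/32", "10.1.1.0/24", proto="tcp", sport=23, mapped="192.168.8.1"),
    NatRule("static", "static policy NAT 192.168.1.0/24 -> 192.168.3.0/24",
            "192.168.1.0/24", "10.1.1.0/24", mapped="192.168.3.0/24"),
    NatRule("policy-dynamic", "nat (inside) 1 access-list policy-nat-acl",
            "192.168.1.0/24", "10.1.1.0/24", mapped="192.168.5.1-192.168.5.5"),
    NatRule("regular-dynamic", "nat (inside) 2 192.168.1.0 255.255.255.0",
            "192.168.1.0/24", mapped="192.168.6.1-192.168.6.2"),
]


if __name__ == "__main__":
    samples = [
        Packet("192.168.1.5", "10.1.1.5"),            # static policy NAT beats policy dynamic NAT
        Packet("192.168.1.5", "203.0.113.10"),        # only the regular dynamic rule is left
        Packet("10.1.1.7", "203.0.113.10"),           # NAT exemption is checked first
        Packet("192.168.1.2", "10.1.1.9", "tcp", 23),  # the PAT rule wins for its port
        Packet("172.16.0.1", "203.0.113.10"),         # no rule at all
    ]
    for pkt in samples:
        hit = lookup(RULES, pkt)
        print(pkt, "->", hit.name if hit else "no NAT rule")
```

Note that the policy dynamic rule uses the same ACL as the static policy rule and therefore never wins; that is exactly the ordering the list above describes, and it is a common source of confusion when a dynamic pool appears to be ignored.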
