
Sunday, December 20, 2015

NAT on ASA


In 8.2 and older, NAT is optional unless nat-control is enabled: with nat-control off, a packet that matches no NAT rule is forwarded untranslated. That is rarely what we want toward the internet, because a packet sourced from a private (RFC 1918) address is dropped by the ISP, or its reply never finds a route back. The second reason to use NAT is to make efficient use of the IPv4 addresses we already have.
So to force every inside-to-outside packet through a NAT rule, enable nat-control and configure the NAT rules; with nat-control on, a packet that matches no rule is dropped instead of forwarded.

In version 8.2 and older, NAT works like an if-then statement: a nat statement with a NAT ID selects the traffic, and the global statement with the same ID says what that traffic is translated into.

Dynamic NAT :
nat (inside) 1 10.0.0.0 255.255.255.0
#If traffic arrives on the inside interface sourced from 10.0.0.0/24, it belongs to NAT ID 1.
global (outside) 1 192.168.1.51-192.168.1.100 : the pool the source is translated into when leaving outside (dynamic NAT, one mapped address per host)
global (outside) 1 192.168.1.101 : a single address, so PAT (port overload); the ASA uses the pool first and falls back to PAT once the pool is exhausted
global (dmz) 1 interface : when leaving dmz, PAT to the dmz interface address

NAT 0 (NAT exemption):
If we do not want a particular flow translated (for example inside to a VPN peer network), use NAT 0 with an ACL:
access-list NONAT permit ip (source net to dest net)
nat (inside) 0 access-list NONAT

NAT 0 means do not translate: traffic matching the ACL keeps its real address.


Static NAT :
static (dmz,outside) 192.168.1.175 172.16.0.5 : the syntax is static (real_ifc,mapped_ifc) mapped_ip real_ip, so the DMZ host 172.16.0.5 appears on outside as 192.168.1.175
static (dmz,inside) 172.16.0.5 172.16.0.5 : identity NAT, where the address maps to itself; it is still a one-to-one translation entry

In version 8.3 and above :
NAT was rewritten. Translation is now defined either on network objects (object NAT, also called auto NAT) or as manual NAT (twice NAT) rules.


Network "objects" are like an alias: we define a host, subnet or range once, and when we refer to the object the ASA knows which addresses we mean.

Traffic is not stopped when no rule matches (there is no nat-control in 8.3 and above); the packet simply leaves untranslated. For internet access that is as good as a drop, because a packet sourced from a private address is discarded upstream, so we still need a NAT rule for it to work.

ASDM :
Config -> firewall -> NAT Rules -> Add

Object NAT (auto NAT) without an interface pair :

object network inside_10
      subnet 10.0.0.0 255.255.255.0
object network outside-pool
      range 192.168.1.51 192.168.1.100
object network inside_10
      nat dynamic outside-pool

For object network inside_10, do dynamic NAT, translating its addresses to the outside-pool addresses.

Without an interface pair the rule applies to every interface pair (shown as (any,any) in show nat), so it holds good for inside to outside and for inside to dmz. We can also tie the object NAT rule to interfaces if we want it to apply only from inside to outside or only from inside to dmz.

show nat
show xlate

The three sections of NAT
1. Manual NAT (very granular; rules are matched in the order configured)
2. Auto NAT/object NAT (ordered by the ASA: static rules before dynamic, then the most specific object first)
3. Manual NAT after auto NAT (the after-auto keyword; again in configured order)

The ASA checks section 1 first; if no rule matches it checks section 2, then section 3, and the first match wins. If no rule matches in any section, no NAT is applied.

Auto NAT tied to an interface pair: here we specify the interfaces, so the rule applies only from inside to outside or only from inside to dmz.
We can configure multiple auto NAT rules in section 2.

object network inside_10
  nat (inside,any) dynamic outside-pool
In the earlier object NAT rule we did not configure an interface pair, which means (any,any).

show xlate

We can also clear the translation table:
clear xlate

Manual NAT (twice NAT):
Say we want a rule so that when the same PC goes to host 192.168.1.253 (R2), it is translated to .101 instead of the .51-.100 pool used above. We create a manual rule; it lands in section 1, so it is hit before the object rule.

show nat
Currently only section 2 (the auto NAT portion) exists.

object network Raj-global-101_address
    host 192.168.1.101
object network R2_real_address
    host 192.168.1.253
object network Raj_local_ip
    host 10.0.0.51
nat (inside,outside) 1 source static Raj_local_ip Raj-global-101_address destination static R2_real_address R2_real_address

The destination part uses the same object twice (identity), so the destination is matched but not changed; only the source is rewritten.

show nat
Now in the above config the manual NAT policy is shown in section 1
and the auto NAT policy in section 2

telnet 192.168.1.253
R2#who

translated ip is shown: 192.168.1.101

We can also put Manual NAT after auto NAT

no nat 1
nat (inside,outside) after-auto 1 source static Raj_local_ip Raj-global-101_address destination static R2_real_address R2_real_address

show nat
Now we have sections 2 and 3, since we purposely placed the manual NAT after auto NAT:
auto NAT policies (section 2)
Manual NAT Policies (section 3)

Now the auto NAT policy is hit first, because section 2 is consulted before section 3.

clear xlate

telnet 192.168.1.253
R2#who
ip address shown is 192.168.1.80 : the auto NAT rule is used, so the source comes from the pool

show xlate
10.0.0.51 is mapped to 192.168.1.80

To remove the manual rule placed after auto NAT:
no nat after-auto 1

So we can mix and match as we want it.
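To make the lookup order concrete, here is a small Python model of the three sections. It is an added example for these notes, not Cisco code, and it does not talk to an ASA. It reuses the object names and addresses from the rules above (plus the DMZ server static rule from the final piece of these notes) and assumes the documented ASA ordering: sections 1 and 3 in configuration order, section 2 sorted with static rules before dynamic ones and the more specific object first. Moving the Raj-to-R2 rule from section 1 to section 3 changes which rule the 10.0.0.51 to 192.168.1.253 packet hits, which is exactly the difference between the two telnet tests.

```python
"""Lookup-order model for ASA 8.3+ NAT (sections 1, 2 and 3).

Added example for these notes; not Cisco code. The section order (manual NAT,
then auto NAT, then after-auto manual NAT) and the sort order inside section 2
(static before dynamic, then fewer real addresses first, then lowest real IP,
then object name) follow the documented ASA behaviour. Rule names and
addresses come from the notes.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network


@dataclass
class NatRule:
    name: str
    section: int                     # 1 = manual, 2 = auto/object, 3 = manual after-auto
    kind: str                        # "static" or "dynamic"
    real: IPv4Net                    # real (untranslated) source addresses
    mapped: str                      # mapped address or pool, for display only
    real_ifc: str = "any"            # the (real_ifc,mapped_ifc) pair of the nat command
    mapped_ifc: str = "any"
    dst: Optional[IPv4Net] = None    # destination match; manual NAT only
    line: int = 0                    # configuration order inside sections 1 and 3

    def matches(self, src: str, dst: str, in_ifc: str, out_ifc: str) -> bool:
        """True when a packet src -> dst entering in_ifc and leaving out_ifc hits this rule."""
        if ipaddress.ip_address(src) not in self.real:
            return False
        if self.real_ifc not in ("any", in_ifc) or self.mapped_ifc not in ("any", out_ifc):
            return False
        if self.dst is not None and ipaddress.ip_address(dst) not in self.dst:
            return False
        return True


def section2_key(rule: NatRule):
    """Auto NAT is not evaluated in configuration order: static rules first, then the
    rule covering fewer real addresses, then the lower real address, then the object name."""
    return (0 if rule.kind == "static" else 1,
            rule.real.num_addresses,
            int(rule.real.network_address),
            rule.name)


def ordered(rules: List[NatRule]) -> List[NatRule]:
    """Rules in the order the ASA consults them."""
    s1 = sorted((r for r in rules if r.section == 1), key=lambda r: r.line)
    s2 = sorted((r for r in rules if r.section == 2), key=section2_key)
    s3 = sorted((r for r in rules if r.section == 3), key=lambda r: r.line)
    return s1 + s2 + s3


def lookup(rules: List[NatRule], src: str, dst: str, in_ifc: str, out_ifc: str) -> Optional[str]:
    """Name of the first matching rule, or None when no NAT applies (packet leaves untranslated)."""
    for rule in ordered(rules):
        if rule.matches(src, dst, in_ifc, out_ifc):
            return rule.name
    return None


def page_rules(manual_after_auto: bool = False) -> List[NatRule]:
    """The rules from the notes. The Raj-to-R2 rule sits in section 1, or in
    section 3 when manual_after_auto is True (the 'nat ... after-auto 1' form)."""
    return [
        # object network inside_10 / nat (inside,any) dynamic outside-pool
        NatRule("inside_10", 2, "dynamic", IPv4Net("10.0.0.0/24"),
                "192.168.1.51-192.168.1.100", "inside", "any"),
        # object network dmz-server-real / nat (dmz,any) static dmz_global
        # configured after inside_10, but section 2 sorts it first (static, /32)
        NatRule("dmz-server-real", 2, "static", IPv4Net("172.16.0.5/32"),
                "192.168.1.176", "dmz", "any"),
        # nat (inside,outside) [after-auto] 1 source static Raj_local_ip Raj-global-101_address
        #     destination static R2_real_address R2_real_address
        NatRule("Raj_to_R2", 3 if manual_after_auto else 1, "static",
                IPv4Net("10.0.0.51/32"), "192.168.1.101", "inside", "outside",
                dst=IPv4Net("192.168.1.253/32"), line=1),
    ]


if __name__ == "__main__":
    for after_auto in (False, True):
        rules = page_rules(after_auto)
        print("after-auto" if after_auto else "section 1", "->",
              [r.name for r in ordered(rules)],
              "| 10.0.0.51 -> 192.168.1.253 hits",
              lookup(rules, "10.0.0.51", "192.168.1.253", "inside", "outside"))
```

Note the sort in section 2: the DMZ static /32 rule is consulted before the dynamic /24 rule even though it is configured later, which is why a more general dynamic object never shadows a static host object in auto NAT. Only in sections 1 and 3 does configuration order (the line number) decide.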

Case Study:
What happens when two companies merge? Say our existing client belongs to company A, and the new company B also uses 10.0.0.0/24 internally. Both companies use the same 10.0.0.0/24 network. What do we do with the overlapping addresses?

Solution: bi-directional NAT / twice NAT, which is manual NAT.
We need to lie on both sides: company A thinks B lives in the 10.2 range, and company B thinks A lives in the 10.1 range.
To achieve this we translate both the source and the destination in one rule.

Example :
object network bogus
    host 192.168.1.205
object network Raj-new-global
    host 192.168.1.102
nat (inside,outside) 2 source static Raj_local_ip Raj-new-global destination static bogus R2_real_address

The destination part reads mapped then real: when we go to the bogus address 192.168.1.205, the destination is rewritten to the real R2 address 192.168.1.253, and at the same time the source is rewritten to the new global address 192.168.1.102.

show nat
section 1 Manual
section 2 Auto

A packet from 10.0.0.51 going to 192.168.1.205 results in:

source NAT changing the source address to 192.168.1.102
destination NAT changing the destination address to 192.168.1.253

telnet 192.168.1.205
R2# show users
ip address seen 192.168.1.102
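The same twice NAT idea carried through to the merger case, as an added Python example (not Cisco code): one rule rewrites both source and destination, with net-to-net static mapping that keeps the host part of the address, and it works in both directions like an ASA static manual NAT rule. The mapped networks 10.1.0.0/24 and 10.2.0.0/24 are my assumption for the "10.1" and "10.2" ranges in the case study; the second rule in the block is the Raj / bogus / R2 host rule from the config above.

```python
"""Twice NAT for overlapping address space (the merger case study).

Added example for these notes, not Cisco code. It models a manual NAT rule of
the form
  nat (inside,outside) source static SRC_REAL SRC_MAPPED destination static DST_MAPPED DST_REAL
as a pair of net-to-net static translations that preserve the host bits, and
shows the packet in both directions. The /24 mapped ranges are assumed.
"""
import ipaddress
from typing import Tuple

Net = ipaddress.IPv4Network


def remap(addr: str, from_net: Net, to_net: Net) -> str:
    """Move addr from from_net to the same position in to_net (host bits kept).
    Static net-to-net NAT needs equal-size networks, so mismatches are errors."""
    ip = ipaddress.ip_address(addr)
    if ip not in from_net:
        raise ValueError(f"{addr} is not inside {from_net}")
    if from_net.prefixlen != to_net.prefixlen:
        raise ValueError(f"{from_net} and {to_net} differ in size")
    offset = int(ip) - int(from_net.network_address)
    return str(to_net.network_address + offset)


class TwiceNat:
    """One twice NAT rule: source and destination are translated in a single
    lookup, and the rule is bidirectional like ASA static manual NAT."""

    def __init__(self, src_real: str, src_mapped: str, dst_mapped: str, dst_real: str):
        self.src_real, self.src_mapped = Net(src_real), Net(src_mapped)
        self.dst_mapped, self.dst_real = Net(dst_mapped), Net(dst_real)

    def matches(self, src: str, dst: str) -> bool:
        """A packet from the real side hits the rule when src is in the real
        source network and dst is in the mapped (bogus) destination network."""
        return (ipaddress.ip_address(src) in self.src_real
                and ipaddress.ip_address(dst) in self.dst_mapped)

    def forward(self, src: str, dst: str) -> Tuple[str, str]:
        """Real side -> mapped side: src becomes the mapped source, the bogus
        destination becomes the real destination."""
        if not self.matches(src, dst):
            raise ValueError(f"{src} -> {dst} does not match this rule")
        return (remap(src, self.src_real, self.src_mapped),
                remap(dst, self.dst_mapped, self.dst_real))

    def reverse(self, src: str, dst: str) -> Tuple[str, str]:
        """Mapped side -> real side (replies, or connections started from the far end):
        the far end's real source becomes the bogus address, the mapped destination
        becomes the real inside host."""
        return (remap(src, self.dst_real, self.dst_mapped),
                remap(dst, self.src_mapped, self.src_real))


# Merger case (assumed /24s): both companies use 10.0.0.0/24; A reaches B via
# 10.2.0.0/24 and B reaches A via 10.1.0.0/24.
MERGER = TwiceNat("10.0.0.0/24", "10.1.0.0/24", "10.2.0.0/24", "10.0.0.0/24")

# Host rule from the config above: Raj_local_ip -> Raj-new-global, bogus -> R2_real_address.
RAJ_TO_R2 = TwiceNat("10.0.0.51/32", "192.168.1.102/32", "192.168.1.205/32", "192.168.1.253/32")

if __name__ == "__main__":
    print("A host 10.0.0.51 -> B via 10.2.0.7, on the wire toward B:",
          MERGER.forward("10.0.0.51", "10.2.0.7"))
    print("B host 10.0.0.7 replies to 10.1.0.51, on the wire toward A:",
          MERGER.reverse("10.0.0.7", "10.1.0.51"))
    print("Raj to the bogus R2 address:", RAJ_TO_R2.forward("10.0.0.51", "192.168.1.205"))
```

Each side keeps its own 10.0.0.0/24 untouched and only ever sees the other side through the mapped range, which is the whole point: neither company renumbers, and the ASA undoes both rewrites on the return path so the reply lands on the real host.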

Final piece :
Let's do NAT for the DMZ server
object network dmz-server-real
    host 172.16.0.5
object network dmz_global
    host 192.168.1.176
object network dmz-server-real
    nat (dmz,any) static dmz_global

Static object NAT is bidirectional, so from the outside we can open a browser to the mapped address:
http://192.168.1.176

show xlate
show nat