In 8.2 and older, if we forgot to configure NAT, ASA will send traffic if there is no nat-control configured. Without NAT if we are trying to connect to internet from private address the ISP will kill the packet. The second reason to use NAT is we utilize the existing ipv4 address efficiently.
So to use NAT we have to use command nat-control along with NAT rule.
In version 8.2 and older, the NAT used to work like if-then statement
Dynamic NAT :
nat(inside) 1 10.0.0.0 0 255.255.255.0
#If traffic coming on inside interface and if it is sourced from network 10.0.0.0 then it is part of NAT 1.
global (outside) 1 192.168.1.51-192.168.1.100 : what the address should be translated into
global (outside) 1 192.168.1.101 : global PAT
global (dmz) 1 interface
NAT 0:
In case If we don’t want to use NAT then we should use NAT 0 command
access-list NONAT permit ip (source net to dest net)
nat (inside) 0 access-list NONAT
NAT 0 means do not translate
Static NAT :
static (dmz,outside) 192.168.1.175 172.16.0.5
static (dmz,inside) 172.16.0.5 172.16.0.5 : Identity NAT where it maps its ip address to own ip address. It’s one to one translation
In version 8.3 and above :
Newer NAT is called object NAT or Auto NAT
Network “objects” are like an alias. When we refer to the object, the ASA knows what we are referring to.
No stoppage of traffic if there is no rule but to function, we need NAT rule. Traffic initiated from private network to internet without NAT rule will be dropped.
ASDM :
Config -> firewall -> NAT Rules -> Add
Manual NAT :
object network inside_10
subnet 10.0.0.0 255.255.255.0
object network outside-pool
subnet 192.168.1.51 192.168.1.100
object network inside_10
nat dynamic outside-pool
For object network inside_10, i want to do dynamic nat to translate address to outside pool address
This nat rule holds good if we want to go from inside to outside and dmz network. we can also create Auto NAT tied to the interface if we want to go either from inside to outside or from inside to dmz.
show nat
show xlate
The three sections of NAT
1. Manual NAT (very granular)
2. Auto NAT/object NAT
3. Manual NAT (again, after “auto NAT”)
Check for Manual NAT if not there in config check for auto if not there check for 3rd rule and if no rule is configured no NAT is applied.
Auto NAT: more specific to the interface, here we specify the interface and whether we want NAT from inside to outside or from inside to dmz.
we can configure multiple Auto NAT in section 2
object network inside_10
nat (inside, any) dynamic outside-pool
In manual NAT we didn’t have (any or inside) interface configured which means any any.
show xlate
We can remove the xlate
clear xlate
Manual NAT after Auto:To configure any NAT we need.
Say we want to create a rule when same PC is going to network host 192.168.1.253 (R2) , let's do NAT to .101 . In previous case, we were using pool from .51-100. To do this we will create a manual rule and we want to hit it before object rule.
show nat
currently (section 2) is auto NAT portion
object network Raj-global-101_address
host 192.168.1.101
object network R2_real_addres
host 192.168.1.253
object network Raj_local_ip
host 10.0.0.51
nat (inside, outside) 1 source static Raj_local_ip Raj-global-101_address destination static R2_real_adress R2_real_adress
show nat
Now in above config Manual NAT policies is part of (section 1)
and auto NAT policies (section 2)
telnet 192.168.1.253
R2#who
translated ip is shown: 192.169.1.101
We can also put Manual NAT after auto NAT
no nat 1
nat (inside, outside) after-auto 1 source static Raj_local_ip Raj-global-101_address destination static R2_real_adress R2_real_adress
show nat
Now we have section 2 and 3 since we purposefully placed Manual NAT after auto NAT
auto NAT policies (section 2)
Manual NAT Policies (section 3)
Now Auto NAT policy should be hit first.
clear xlate
telnet 192.168.1.253
R2#who
ip address shown is 192.168.1.80 : auto NAt is used
show xlate
10.0.0.51 is mapped to 192.168.1.80
To remove Manaul rule after auto NAt
no nat after-auto 1
So we can mix and match as we want it.
Case Study:
what happens when two company merge together. Say our existing client belongs to company A and new company B has internal network 10.0.0.0/24 too. Both companies have 10 networks. What to do with over-lapping ip address?
Solution: Bi-directional NAT/ Twice NAT. This is basically Manual NAT
we need to lie on both sides. Company A thinks B is in 10.2 and Company B thinks A is in 10.1
To achieve this we use source NAT and destination NAT
Example :
object-network bogus
host 192.168.1.205
object network Raj-new-global
host 192.168.1.102
nat (inside, outside) 2 source static Raj_local_ip Raj-new-global destination static bogus R2_real_address
If i go to that bogus address, it should translate me to new global address
show nat
section 1 Manual
section 2 Auto
A packet from 10.0.0.51 going to 192.168.1.205 should result in :
source nat changing source address to 192.168.1.102
destination nat changing destination address in the packets to 192.168.1.253
telnet 192.168.1.205
R2# show users
ip address seen 192.168.1.102
Final piece :
Let's do nat for dmz server
object network dmz-server-real
host 172.16.0.5
object network dmz_global
host 192.168.1.176
object network dmz-server-real
nate(dmz, any) static dmz_global
Open browser to 192.168.1.176
http://192.168.1.176
show xlate
show nat
No comments:
Post a Comment