
Friday, January 20, 2023

NAT Concepts in Cisco Firewalls (ASA & FTD)

There are many misconceptions about NAT. This post collects what I learned and worked out about NAT concepts in Cisco firewalls (ASA and FTD).

Source NAT means Your NAT

In the Cisco world the term "Source NAT" is misleading. "Source" here really means "yours".
You configure the firewall to translate your own IP addresses (the ones on the LAN or DMZ side), and the translation applies for the whole session, to both the forward and the return traffic. This source NAT (translation of your own IPs) is what you will use in almost every real-world deployment.

Source NAT really means Your IP is getting NATted

"Destination NAT", on the other hand, translates the remote address and is needed only rarely, typically when a remote network overlaps with your own addressing or a remote address must be presented differently to your hosts. Before using it, think of a concrete case where you need to translate the remote IP for your purposes; if you cannot name one, source NAT is what you want.

Auto NAT vs Manual NAT

In Cisco firewalls you can configure NAT in two ways. Auto NAT, also called Object NAT, is configured inside a network object and matches only on that object's own address as the real source. Manual NAT, also called Policy NAT or Twice NAT, is a standalone nat statement and matches on a combination of traffic criteria (source IP, destination IP and optionally service).

Types of NAT

Following are the different types of NAT which are used for different requirements.

Static NAT
Static PAT (Port Forwarding)
Dynamic NAT
Dynamic PAT

We will look at how the above NAT types are configured with the Auto NAT method, as it is the simplest method on the ASA.

Static NAT

Works bidirectionally by default, so it is generally used to translate public-facing servers: clients on the Internet reach your server through the mapped address, and the server's own outbound connections leave with that same address. In the real world the flow is mostly initiated from OUTSIDE towards the DMZ. Note that the NAT rule by itself does not permit anything: on ASA 8.3 and later the access rule on the outside interface must still allow the traffic, and it must reference the real address (192.168.50.10 below), not the mapped one.

Ex:- 
Map DMZ Web server IP 192.168.50.10 to Outside public IP 203.115.50.5
Map DMZ Email server IP 192.168.50.20 to Outside public IP 203.115.50.6

object network WEB
   host 192.168.50.10
   nat (dmz,outside) static 203.115.50.5

object network EMAIL
   host 192.168.50.20
   nat (dmz,outside) static 203.115.50.6


Static PAT (Port Forwarding)

Same use case as Static NAT, but used when you have only one public IP to share among several private servers: the mapped address is the same for all of them and the service port selects the server.

Ex:- 
Map DMZ Web server 192.168.50.10 TCP/80 to Outside public IP 203.115.50.5 TCP/80
Map DMZ Email server 192.168.50.20 TCP/25 to Outside public IP 203.115.50.5 TCP/25
Map DMZ DNS server 192.168.50.30 UDP/53 to Outside public IP 203.115.50.5 UDP/53

object network WEB
   host 192.168.50.10
   nat (dmz,outside) static 203.115.50.5 service tcp 80 80

object network EMAIL
   host 192.168.50.20
   nat (dmz,outside) static 203.115.50.5 service tcp 25 25

object network DNS
   host 192.168.50.30
   nat (dmz,outside) static 203.115.50.5 service udp 53 53

You can change the port numbers if you want to expose a service on a different public port: the first port number is the real service port and the second one is the mapped port. Because all three rules share 203.115.50.5, each (protocol, mapped port) pair can belong to only one rule; the same address remains free for other services on other ports.

Dynamic NAT

This maps a range of private IPs to a pool of public IPs one-to-one. A host takes a mapped address from the pool when it first opens a connection and gives it back when its translations time out; the order in which pool addresses are handed out is not something to rely on. Two caveats: dynamic NAT is one-way (only the real side can initiate connections), and once the pool is exhausted further hosts cannot connect unless interface PAT is configured as a fallback by appending the interface keyword to the dynamic line.

Define the range of public IPs

object network PUBLIC-POOL
   range 203.115.50.50 203.115.50.100

Define the internal IP range

object network INTERNAL
   subnet 192.168.10.0 255.255.255.0
   nat (inside,outside) dynamic PUBLIC-POOL

Dynamic PAT

Generally configured for Internet access from internal hosts. Many real addresses are overloaded onto a mapped address, which can be the interface address, a single IP, or a PAT pool (pat-pool keyword). A mapped (address, protocol, port) tuple is used by only one translation at a time, so a single mapped address gives roughly 64,000 simultaneous translations per protocol. If that is not enough, configure a PAT pool and the number of simultaneous translations is multiplied by the number of addresses in the pool.

object network PUBLIC-IP
   host 203.115.50.10

object network INTERNAL-IPS
   subnet 192.168.10.0 255.255.255.0
   nat (inside,outside) dynamic PUBLIC-IP

or 

object network INTERNAL-IPS
   subnet 192.168.10.0 255.255.255.0
   nat (inside,outside) dynamic interface 
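To make the capacity arithmetic above concrete, here is an added Python model, not Cisco code, of how dynamic PAT hands out one mapped (address, protocol, port) tuple per translation, and what happens when a single mapped address runs out of ports versus when a PAT pool is used. The per-address port count, the starting port, the mapped addresses and the inside host range are assumptions made for the illustration; the ASA's actual allocation strategies (round-robin, flat ranges, block allocation) are not modeled.

```python
from collections import deque

# Assumption for this model: usable mapped ports per address and per protocol.
# The exact figure depends on the firewall's mapped port ranges; ~64,000 is the
# commonly quoted number and is the one used in the text above.
PORTS_PER_ADDRESS = 64_000
FIRST_PORT = 1024


class PortExhausted(Exception):
    """No free (mapped IP, protocol, port) tuple: the firewall would drop the new connection."""


class PatTable:
    """Dynamic PAT state for one mapped address (len(mapped_ips) == 1) or a PAT pool."""

    def __init__(self, mapped_ips):
        self.mapped_ips = list(mapped_ips)
        # Free mapped ports, tracked separately per address and per protocol:
        # a tuple (mapped IP, protocol, port) is used by one translation at a time.
        self.free = {
            (ip, proto): deque(range(FIRST_PORT, FIRST_PORT + PORTS_PER_ADDRESS))
            for ip in self.mapped_ips
            for proto in ("tcp", "udp")
        }
        # Active translations: (real IP, real port, protocol) -> (mapped IP, mapped port)
        self.xlates = {}

    def capacity(self):
        """Simultaneous translations per protocol: multiplied by the pool size."""
        return PORTS_PER_ADDRESS * len(self.mapped_ips)

    def translate(self, real_ip, real_port, proto="tcp"):
        """Return the mapped (IP, port) for a real (IP, port, protocol), allocating if new."""
        key = (real_ip, real_port, proto)
        if key in self.xlates:          # the same real socket keeps its existing translation
            return self.xlates[key]
        for ip in self.mapped_ips:      # walk the pool until an address has a free port
            pool = self.free[(ip, proto)]
            if pool:
                mapped = (ip, pool.popleft())
                self.xlates[key] = mapped
                return mapped
        raise PortExhausted(f"no free {proto} port on {self.mapped_ips} for {real_ip}:{real_port}")

    def release(self, real_ip, real_port, proto="tcp"):
        """Tear down a translation (xlate timeout), returning its mapped port to the pool."""
        ip, port = self.xlates.pop((real_ip, real_port, proto))
        self.free[(ip, proto)].append(port)


def fill_until_exhausted(table, proto="tcp"):
    """Open distinct connections from constructed inside hosts 192.168.10.x until the
    table refuses one; returns how many translations succeeded."""
    count = 0
    for host in range(1, 255):
        for port in range(1024, 65536):
            try:
                table.translate(f"192.168.10.{host}", port, proto)
            except PortExhausted:
                return count
            count += 1
    return count


if __name__ == "__main__":
    single = PatTable(["203.115.50.10"])
    print("single address:", fill_until_exhausted(single), "of", single.capacity())
    pool = PatTable(["203.115.50.10", "203.115.50.11"])
    print("two-address pool:", fill_until_exhausted(pool), "of", pool.capacity())
```

The model also shows two details that matter when reading show xlate output: TCP and UDP each have their own port space on a mapped address, and a port freed by an expired translation is handed to the next new connection, which is why a busy PAT address recycles low ports quickly.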

Configure using Manual NAT Method

As an example, you need to translate 192.168.10.10 to 203.115.50.5 when 192.168.10.10 accesses 203.115.50.10, and at the same time translate 192.168.10.10 to 203.115.50.6 when it accesses 203.115.50.20.

Here both the source IP and the destination IP of the packet must match before the translation is applied. Auto NAT cannot express this, since it matches on the source only; Manual NAT can, via the following configuration.

The policies are defined after the objects are created.

object network S
   host 192.168.10.10

object network X1
   host 203.115.50.5

object network X2
   host 203.115.50.6

object network D1
   host 203.115.50.10

object network D2
   host 203.115.50.20

nat (inside,outside) source static S X1 destination static D1 D1
nat (inside,outside) source static S X2 destination static D2 D2

The destination service can be translated in the same statement as well, and a manual static rule can be made one-way with the unidirectional keyword. Anything you can do with Auto NAT can be done with Manual NAT, including Static NAT, Static PAT, Dynamic NAT, Dynamic PAT and Destination NAT, and because manual rules are evaluated in the order they are configured, you can make a dynamic policy take effect before a static one simply by inserting it earlier (the nat command takes an optional line number for that, and the after-auto keyword moves a rule behind the Auto NAT rules).

NAT Order of Operation

The ASA NAT table has three sections, evaluated in order; the first rule that matches a packet is applied.

Section 1 is evaluated first and Section 3 last. Section 1 holds Manual NAT rules, Section 2 holds Auto NAT rules, and Section 3 holds Manual NAT rules again, for the cases where you want a manual rule checked only after the Auto NAT rules (configured with the after-auto keyword on the nat command).

Within Section 2, Static NAT rules are evaluated before Dynamic NAT rules. Within each of those, the most specific rule comes first (fewest real addresses); ties are broken by the lowest real IP address and then alphabetically by object name.

Manual NAT rules are evaluated in the order they were configured, which you can change with the line number on the nat command, while Auto NAT rules are ordered automatically on the longest-match-first principle.
The show nat command displays the NAT table in evaluation order, and packet-tracer (for example packet-tracer input outside tcp 198.51.100.1 40000 203.115.50.5 80) shows which rule a specific packet hits.
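The evaluation order is easy to get wrong when one host is covered by several rules. The following Python model is an added illustration, not Cisco code: it sorts a constructed rule set the way the firewall does (Section 1 manual rules in configured order, Section 2 auto rules static-before-dynamic and most specific first, Section 3 after-auto manual rules) and returns the first rule that matches a packet. The rule names and addresses are made up, and interfaces, services and the real/mapped direction are not modeled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    name: str
    section: int                  # 1 = manual NAT, 2 = auto (object) NAT, 3 = manual NAT after-auto
    kind: str                     # "static" or "dynamic"
    real_src: str                 # real source addresses the rule matches, in CIDR form
    mapped_src: str               # what the source is translated to (informational here)
    real_dst: str = "0.0.0.0/0"   # manual NAT may additionally match the destination
    order: int = 0                # configured line order for sections 1 and 3


def _section2_key(rule):
    """Auto NAT ordering: static before dynamic, fewest real addresses first,
    then lowest real address, then object name alphabetically."""
    net = ipaddress.ip_network(rule.real_src)
    return (0 if rule.kind == "static" else 1, net.num_addresses, int(net.network_address), rule.name)


def nat_order(rules):
    """Return the rules in the order the firewall evaluates them (as 'show nat' would list them)."""
    section1 = sorted((r for r in rules if r.section == 1), key=lambda r: r.order)
    section2 = sorted((r for r in rules if r.section == 2), key=_section2_key)
    section3 = sorted((r for r in rules if r.section == 3), key=lambda r: r.order)
    return section1 + section2 + section3


def lookup(rules, src_ip, dst_ip):
    """First-match lookup: the name of the rule applied to a packet from src_ip to dst_ip, or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in nat_order(rules):
        if src in ipaddress.ip_network(rule.real_src) and dst in ipaddress.ip_network(rule.real_dst):
            return rule.name
    return None


# Constructed rule set. The configuration order is deliberately unhelpful (the broad
# dynamic auto rule is listed first) to show that Section 2 is re-ordered automatically.
RULES = [
    NatRule("INTERNAL-IPS", 2, "dynamic", "192.168.10.0/24", "203.115.50.10/32"),
    NatRule("WEB", 2, "static", "192.168.50.10/32", "203.115.50.5/32"),
    NatRule("HOST-10", 2, "static", "192.168.10.10/32", "203.115.50.6/32"),
    NatRule("POLICY-D1", 1, "static", "192.168.10.10/32", "203.115.50.5/32",
            real_dst="203.115.50.10/32", order=1),
    NatRule("CATCH-ALL", 3, "dynamic", "0.0.0.0/0", "203.115.50.11/32", order=1),
]


if __name__ == "__main__":
    for rule in nat_order(RULES):
        print(f"section {rule.section} {rule.kind:7} {rule.name}")
    print(lookup(RULES, "192.168.10.10", "203.115.50.10"))   # manual rule in Section 1 wins
    print(lookup(RULES, "192.168.10.10", "198.51.100.7"))    # host static beats the /24 dynamic rule
    print(lookup(RULES, "10.0.0.1", "198.51.100.7"))         # only the after-auto rule matches
```

Running it shows the two effects that cause most NAT surprises: a manual rule with a destination match silently takes precedence over every auto rule for that flow, and an auto static rule for a single host is evaluated before the broader dynamic rule for its subnet regardless of the order in which the objects were configured.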
