Wednesday 27 February 2013

ASA 8.3 NAT config

1. Differences between pre-8.3 and 8.3+ ASA NAT

Starting with version 8.3, the ASA uses a new NAT implementation.
NAT is now configured through network objects: either inside the object itself (Auto NAT) or in manual rules that reference objects.
Interface ACLs now match on the real (untranslated) IP address instead of the mapped one.
There are now two types of NAT:
 -Auto NAT (network object NAT) - translates the source address only
 -Manual NAT (twice NAT) - translates the source, or the source and destination together
NAT control is gone: traffic that matches no NAT rule is forwarded untranslated.

syntax:

dynamic NAT

nat [(real_ifc,mapped_ifc)] dynamic {mapped_inline_host_ip | mapped_obj | interface} [dns]

static NAT

nat [(real_ifc,mapped_ifc)] static {mapped_inline_ip | mapped_obj | interface} [dns | service {tcp | udp} real_port mapped_port]

Interfaces—If you do not specify the real and mapped interfaces, all interfaces are used. You can also specify the keyword any for one or both of the interfaces. Be sure to include the parentheses in your command.      


2. Auto NAT
Auto NAT (network object NAT) translates only the source address and supports static NAT, dynamic NAT, and static or dynamic PAT.
Auto NAT is configured inside a network object. An object can carry only one NAT rule, so where a static and a dynamic variant are shown below for the same object they are alternatives, not a combined configuration.
      
2.1 Static/Dynamic NAT using a mapped IP

Static NAT:
object network obj_10.1.1.2
 host 10.1.1.2
 nat (inside,outside) static 192.168.223.150

Dynamic NAT (alternative rule for the same object):
object network obj_10.1.1.2
 host 10.1.1.2
 nat (inside,outside) dynamic 192.168.223.150

2.2 Static PAT using a mapped IP

Connections arriving on the outside at 192.168.223.150:8080 are delivered to 10.1.1.2:80 (real port first, mapped port second):
object network obj_10.1.1.2
 host 10.1.1.2
 nat (inside,outside) static 192.168.223.150 service tcp www 8080
2.3 Static/Dynamic NAT with DNS reply modification

Static NAT with DNS rewrite:
object network obj_10.1.1.2
 host 10.1.1.2
 nat (inside,outside) static 192.168.223.150 dns

Dynamic NAT with DNS rewrite (alternative rule for the same object):
object network obj_10.1.1.2
 host 10.1.1.2
 nat (inside,outside) dynamic 192.168.223.150 dns

In this example the DNS server is reachable through the outside interface and the HTTP server is on the inside. The ASA statically translates the HTTP server's real address (10.1.1.2) to the mapped address 192.168.223.150 that is visible on the outside network, so the DNS server answers queries for the server's name with the mapped address. Without DNS rewrite an inside user would therefore try to reach an inside host through its outside address. With the dns keyword on the static rule, the ASA rewrites the address in the DNS reply so that inside users receive the real address 10.1.1.2 and connect to it directly.
The dns keyword translates the addresses carried in DNS replies; DNS inspection must be enabled for this to work (it is enabled by default). The dns keyword cannot be combined with the service keyword.

2.4 Static/Dynamic PAT with the interface keyword

The interface keyword uses the address of the mapped interface, so a specific interface (not any) must be given as the mapped interface. With dynamic it gives dynamic PAT behind the interface address. With static it can be used only together with port translation, i.e. with the service keyword; a static rule with interface and no service is not valid.

Dynamic PAT to the interface address:
object network obj_10.1.1.2
 host 10.1.1.2
 nat (inside,outside) dynamic interface

Static PAT for a specific service only (outside interface port 8080 forwarded to 10.1.1.2:80):
object network obj_10.1.1.2
 host 10.1.1.2
 nat (inside,outside) static interface service tcp www 8080

3. Manual NAT

Manual NAT (twice NAT) is configured with the nat command directly in global configuration mode, not inside a network object; the real and mapped addresses are referenced through network objects or object groups.
A manual rule can translate the source address alone, or the source and destination addresses together. By default a manual rule is placed before all Auto NAT rules (Section 1); with the after-auto keyword it is placed after them (Section 3).

3.1 Static/Dynamic NAT using a range of IP addresses
object network range_192.168.223.200-250
 range 192.168.223.200 192.168.223.250
object network inside_network
 subnet 10.1.1.0 255.255.255.0

Static NAT:
nat (inside,outside) source static inside_network range_192.168.223.200-250

Dynamic NAT (alternative):
nat (inside,outside) source dynamic inside_network range_192.168.223.200-250

Static NAT maps addresses one-to-one by position, so the mapped object should normally hold as many addresses as the real network; the dynamic form has no such constraint and simply hands out addresses from the range as hosts need them.

3.2 Static/Dynamic PAT using the interface keyword
object network inside_network
 subnet 10.1.1.0 255.255.255.0

Dynamic PAT behind the outside interface address:
nat (inside,outside) source dynamic inside_network interface

As in Auto NAT, the interface keyword is allowed with source static only together with port translation, so a static form also needs the service keyword with service objects for the real and mapped ports; a source static rule that names interface without service is not valid.

3.3 Dynamic NAT with dynamic PAT backup
object network range_192.168.223.200-250
 range 192.168.223.200 192.168.223.250
object network inside_network
 subnet 10.1.1.0 255.255.255.0
object network obj_192.168.223.251
 host 192.168.223.251
object-group network PAT_BKP
 network-object object range_192.168.223.200-250
 network-object object obj_192.168.223.251

nat (inside,outside) source dynamic inside_network PAT_BKP interface

Hosts on the inside network 10.1.1.0/24 are first mapped one-to-one to addresses in range_192.168.223.200-250. Once all 51 addresses in that range are allocated, dynamic PAT is performed using the host address 192.168.223.251 (in a mixed object group the range is used for dynamic NAT and the host object for PAT). In the unlikely event that the PAT ports on that address are also used up, the trailing interface keyword makes the ASA fall back to dynamic PAT on the outside interface address.
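The fall-back order described above can be followed end to end in the following Python model. It is an added example, not configuration or code from the original post or from Cisco: it reproduces only the allocation order of the rule (one range address per inside host, then PAT on 192.168.223.251, then PAT on the outside interface, whose address 192.168.223.1 is assumed here), uses 1024-65535 as the PAT port range, and ignores xlate timeouts and protocol handling.

```python
"""Dynamic NAT from a range with dynamic PAT fall-back, modelling
`nat (inside,outside) source dynamic inside_network PAT_BKP interface`.

Added example, not from the original post or from Cisco. It reproduces only the
allocation order: (1) one mapped address per inside host from the range,
(2) PAT on the single backup host once the range is used up, (3) PAT on the
interface address once the backup host's ports are used up. Assumptions: one
PAT port per connection from 1024-65535, no timeouts, no protocol distinction.
"""
from ipaddress import IPv4Address


class DynamicNatWithPatBackup:
    def __init__(self, range_first, range_last, pat_host, interface_addr,
                 first_port=1024, last_port=65535):
        lo, hi = int(IPv4Address(range_first)), int(IPv4Address(range_last))
        self.free_pool = [IPv4Address(n) for n in range(lo, hi + 1)]
        self.nat_xlate = {}  # real host -> mapped address, one-to-one
        # PAT addresses in fall-back order, each with its next free port.
        self.pat_order = [IPv4Address(pat_host), IPv4Address(interface_addr)]
        self.next_port = {a: first_port for a in self.pat_order}
        self.last_port = last_port

    def translate(self, real_host, real_port):
        """Return (kind, mapped_address, mapped_port) for a new connection."""
        host = IPv4Address(real_host)
        # 1. Dynamic NAT: a host that already holds a range address keeps it,
        #    a new host takes the next free one; the port is left unchanged.
        if host in self.nat_xlate:
            return "NAT", str(self.nat_xlate[host]), real_port
        if self.free_pool:
            mapped = self.free_pool.pop(0)
            self.nat_xlate[host] = mapped
            return "NAT", str(mapped), real_port
        # 2./3. Dynamic PAT: the backup host first, then the interface address.
        for addr in self.pat_order:
            port = self.next_port[addr]
            if port <= self.last_port:
                self.next_port[addr] = port + 1
                return "PAT", str(addr), port
        raise RuntimeError("range, PAT host and interface ports all exhausted")


def demo():
    """Run 60 inside hosts through the rule; the 52nd is the first to be PATed."""
    # 192.168.223.1 as the outside interface address is constructed for this example.
    nat = DynamicNatWithPatBackup("192.168.223.200", "192.168.223.250",
                                  "192.168.223.251", "192.168.223.1")
    return {f"10.1.1.{i}": nat.translate(f"10.1.1.{i}", 40000) for i in range(1, 61)}


if __name__ == "__main__":
    for host, (kind, addr, port) in demo().items():
        print(f"{host:<12} -> {kind} {addr}:{port}")
```

Running the block prints 51 one-to-one translations followed by PAT entries on 192.168.223.251; shrinking the port range in the constructor (as the verifier's test does) shows the third stage, PAT on the interface address, without having to burn through 64512 ports.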

3.4 Twice NAT
Manual NAT can translate the source and the destination in a single statement. Here a packet from 10.1.1.2 to 200.200.200.130 leaves the outside interface with source 192.168.223.150 and destination 192.168.223.129. Note the operand order: for the source the real object comes first and the mapped object second, while for the destination the mapped object (the address as the inside hosts see it) comes first and the real object second.
object network obj_10.1.1.2
 host 10.1.1.2
object network obj_200.200.200.130
 host 200.200.200.130
object network obj_192.168.223.150
 host 192.168.223.150
object network obj_192.168.223.129
 host 192.168.223.129

nat (inside,outside) source static obj_10.1.1.2 obj_192.168.223.150 destination static obj_200.200.200.130 obj_192.168.223.129

3.5 NAT exemption (identity NAT)
Used to keep traffic to a VPN peer's network untranslated while the same inside hosts are PATed to the outside interface for everything else. The manual rule translates source and destination to themselves; because it is a Section 1 rule it is matched before the Auto NAT PAT rule configured inside the object.
object network inside_network
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network vpn-subnet
 range 10.2.2.0 10.2.2.100

nat (inside,outside) source static inside_network inside_network destination static vpn-subnet vpn-subnet

4. NAT order of operation

Network object NAT rules and twice NAT rules are stored in a single table that is divided into three sections. The table is searched from the top and the first matching rule is used: Section 1 rules are checked first, then Section 2, and finally Section 3.
Section 1 – Manual NAT (in configured order, or as placed with the line argument)
Section 2 – Auto NAT (ordered automatically: static rules before dynamic, then fewer real addresses first, then lower real IP address first, then object name alphabetically)
Section 3 – Manual NAT configured with after-auto (again in configured order)
Because Section 2 is searched before Section 3, an after-auto twice NAT rule is only reached by traffic that no Auto NAT rule already claims.
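The following Python model, added here and not taken from the post or from Cisco, builds the three-section table from the three rules this post shows in its show nat output (section 5) and resolves sample packets against it. The Auto NAT dynamic PAT rule for the whole inside subnet and the outside interface address 192.168.223.1 are assumptions made for the ordering demonstration. It shows three things the list above only states: the Section 1 identity rule for the VPN subnet wins over every other rule, an Auto NAT rule carrying a service keyword matches only that port, and an after-auto twice NAT rule is never reached by traffic that a Section 2 rule already claims.

```python
"""ASA 8.3+ unified NAT table model: three sections, first match wins.
Added example, not from the original post or from Cisco. Only the rule ordering
(Section 1 manual, 2 auto, 3 manual after-auto) is modelled; interfaces, xlate
state and return traffic are ignored, and ports only as far as `service` needs."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_network
from typing import Optional, Tuple


class AddrRange:
    """Addresses of a network object (host, subnet or range)."""

    def __init__(self, first, last=None):
        self.first = IPv4Address(first)
        self.last = IPv4Address(last) if last else self.first

    @classmethod
    def subnet(cls, cidr):
        net = ip_network(cidr)
        return cls(str(net[0]), str(net[-1]))

    def __contains__(self, addr):
        return self.first <= addr <= self.last

    def __len__(self):
        return int(self.last) - int(self.first) + 1

    def map_static(self, real, addr):
        """Static NAT is positional: the n-th real address becomes the n-th mapped one."""
        return IPv4Address(int(self.first) + (int(addr) - int(real.first)))


@dataclass
class NatRule:
    name: str                 # object name (Auto NAT) or a label (Manual NAT)
    section: int              # 1 = manual, 2 = auto, 3 = manual after-auto
    real_src: AddrRange
    mapped_src: AddrRange
    static: bool = True
    real_dst: Optional[AddrRange] = None       # Manual NAT only
    mapped_dst: Optional[AddrRange] = None
    service: Optional[Tuple[str, int]] = None  # Auto NAT `service tcp|udp <real_port> ...`
    line: int = 0             # configuration order inside a manual section

    def matches(self, proto, src, sport, dst):
        if src not in self.real_src:
            return False
        if self.real_dst is not None and dst not in self.real_dst:
            return False
        return self.service is None or self.service == (proto, sport)


def section2_key(rule):
    """Auto NAT order: static before dynamic, fewer real addresses first,
    lower real address first, then object name alphabetically."""
    return (0 if rule.static else 1, len(rule.real_src), int(rule.real_src.first), rule.name)


def ordered_table(rules):
    """Arrange rules the way `show nat` lists them."""
    table = []
    for section in (1, 2, 3):
        part = [r for r in rules if r.section == section]
        part.sort(key=section2_key if section == 2 else (lambda r: r.line))
        table.extend(part)
    return table


def lookup(rules, proto, src, sport, dst):
    """First matching rule for a forward-direction packet. Returns
    (rule name, translated source, translated destination), or (None, src, dst)
    when nothing matches and the packet is forwarded untranslated."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for r in ordered_table(rules):
        if not r.matches(proto, s, sport, d):
            continue
        if r.static:
            new_src = str(r.mapped_src.map_static(r.real_src, s))
        else:  # dynamic: the concrete address is picked from the pool at xlate time
            new_src = f"pool {r.mapped_src.first}-{r.mapped_src.last}"
        new_dst = str(r.mapped_dst.map_static(r.real_dst, d)) if r.real_dst else str(d)
        return r.name, new_src, new_dst
    return None, src, dst


# The three rules this post shows in `show nat`.
INSIDE = AddrRange.subnet("10.1.1.0/24")
VPN = AddrRange("10.2.2.0", "10.2.2.100")
PAGE_RULES = [
    NatRule("identity inside_network->vpn-subnet", 1, INSIDE, INSIDE, True, VPN, VPN, line=1),
    NatRule("obj_10.1.1.2", 2, AddrRange("10.1.1.2"), AddrRange("192.168.223.150"), service=("tcp", 80)),
    NatRule("twice-nat obj_10.1.1.2", 3, AddrRange("10.1.1.2"), AddrRange("192.168.223.150"),
            True, AddrRange("200.200.200.130"), AddrRange("192.168.223.129"), line=1),
]
# Constructed: Auto NAT dynamic PAT of the whole inside subnet to the outside interface
# (address 192.168.223.1 assumed). Section 2 sorting still puts the /32 static rule first.
PAT_INSIDE = NatRule("inside_network", 2, INSIDE, AddrRange("192.168.223.1"), static=False)

if __name__ == "__main__":
    for r in ordered_table([PAT_INSIDE] + PAGE_RULES):
        print(f"section {r.section}: {r.name}")
    print(lookup(PAGE_RULES, "tcp", "10.1.1.2", 40000, "200.200.200.130"))  # Section 3 twice NAT reached
    print(lookup([PAT_INSIDE] + PAGE_RULES, "tcp", "10.1.1.2", 40000, "200.200.200.130"))  # shadowed by Section 2
```

The last two lookups are the practical lesson: with only the post's rules, a non-HTTP connection from 10.1.1.2 to 200.200.200.130 reaches the after-auto twice NAT rule and gets both addresses rewritten; as soon as a dynamic PAT rule for the whole inside subnet exists in Section 2, that same connection is PATed and the Section 3 rule is never consulted. If destination NAT must apply, the twice NAT rule has to be placed in Section 1 instead.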


5. NAT monitoring and troubleshooting

show nat lists the three sections in lookup order together with hit counters: translate_hits counts matches in the real-to-mapped direction and untranslate_hits counts matches in the mapped-to-real (return or inbound) direction, so a rule that stays at 0/0 is never being used. show nat detail expands the objects into the actual addresses and ports. show xlate lists the active translations with their flags (s static, i dynamic, r port translation, I identity, T twice NAT, D DNS rewrite). To see which rule a specific flow would hit before sending real traffic, use packet-tracer, for example packet-tracer input inside tcp 10.1.1.2 12345 200.200.200.130 80.

ASA1# show running-config nat
nat (inside,outside) source static inside_network inside_network destination static vpn-subnet vpn-subnet
object network obj_10.1.1.2
 nat (inside,outside) static 192.168.223.150 service tcp www www
nat (inside,outside) after-auto source static obj_10.1.1.2 obj_192.168.223.150 destination static obj_200.200.200.130 obj_192.168.223.129

ASA1# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static inside_network inside_network   destination static vpn-subnet vpn-subnet
    translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static obj_10.1.1.2 192.168.223.150   service tcp www www
    translate_hits = 0, untranslate_hits = 0
Manual NAT Policies (Section 3)
1 (inside) to (outside) source static obj_10.1.1.2 obj_192.168.223.150   destination static obj_200.200.200.130 obj_192.168.223.129
    translate_hits = 0, untranslate_hits = 0

ASA1# show nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static inside_network inside_network   destination static vpn-subnet vpn-subnet
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.1.1.0/24, Translated: 10.1.1.0/24
    Destination - Origin: 10.2.2.0-10.2.2.100, Translated: 10.2.2.0-10.2.2.100
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static obj_10.1.1.2 192.168.223.150   service tcp www www
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.1.1.2/32, Translated: 192.168.223.150/32
    Service - Protocol: tcp Real: www Mapped: www
Manual NAT Policies (Section 3)
1 (inside) to (outside) source static obj_10.1.1.2 obj_192.168.223.150   destination static obj_200.200.200.130 obj_192.168.223.129
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.1.1.2/32, Translated: 192.168.223.150/32
    Destination - Origin: 200.200.200.130/32, Translated: 192.168.223.129/32

ASA1# show xlate
4 in use, 4 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from inside:10.1.1.0/24 to outside:10.1.1.0/24
    flags sI idle 0:04:33 timeout 0:00:00
TCP PAT from inside:10.1.1.2 80-80 to outside:192.168.223.150 80-80
    flags sr idle 0:05:58 timeout 0:00:00
NAT from outside:192.168.223.129 to inside:200.200.200.130
    flags sT idle 0:03:35 timeout 0:00:00
NAT from inside:10.1.1.2 to outside:192.168.223.150
    flags sT idle 0:03:35 timeout 0:00:00
