Thursday, 18 July 2013

Good explanation of NAT on Cisco ASA 8.3+

http://www.tunnelsup.com/tup/2011/06/24/nat-for-cisco-asas-version-8-3


Video here:
http://www.youtube.com/watch?v=REGJodyLJEU

NAT for Cisco ASAs Version 8.3+


There are two major kinds of NAT in 8.3+: Auto NAT and Manual NAT. Auto NAT is configured inside the network object and cannot take the destination of the traffic into consideration. Manual NAT is configured in global configuration and can translate the source IPs, the destination IPs, or both.

Auto NAT

The new term “autoNAT” is used in 8.3. Auto NAT is when the NAT command appears INSIDE the object statement on the firewall. There are two major variants of auto NAT: dynamic and static. Auto NAT is also sometimes referenced as “Network Object NAT” because the configuration is done within the network object.
Regular Dynamic PAT
To create a many-to-one NAT where the entire inside network is getting PAT’d to a single outside IP do the following.
Old 8.2 command:
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
New 8.3 equivalent command:
object network inside-net
  subnet 10.0.0.0 255.255.255.0
nat (inside,outside) dynamic interface

Note: the “interface” keyword refers to the IP address of the 2nd interface in the nat statement, in this case the outside interface.
Static Auto-NAT
To create a one-to-one NAT within the object, for example when you have a web server in your DMZ, use the following NAT configuration.
object network dmz-webserver
  host 192.168.1.23
nat (dmz,outside) static 209.165.201.28

Please note, the nat (inside,outside) part of these commands is a lot easier to read in 8.3. The first interface is the interface the traffic is coming into the ASA on and the second interface is the interface the traffic is going out of the ASA on. So the command “nat (dmz,outside) static 209.165.201.28” should be read as “NAT the IP address 192.168.1.23 to 209.165.201.28 if the traffic is coming in on the dmz interface and going out the outside interface, or vice versa.” This will not NAT traffic coming from the inside going to the DMZ, nor should it NAT the traffic coming from the DMZ going to the inside.
Using the any interface in the NAT statement
ASA 8.3 introduces the any interface when configuring NAT. For instance if you have a system on the DMZ that you wish to NAT not only to the outside interface, but to any interface you can use this command:
object network dmz-webserver
  host 192.168.1.23
nat (dmz,any) static 200.200.200.200

This lets users on the inside browse to 200.200.200.200: as long as that traffic is routed to the firewall, it will be translated to the real IP in the DMZ.
Port forwarding using Auto NAT
Suppose you have 2 web servers in your DMZ but you only have 1 IP address. You can configure port forwarding using the auto NAT feature in the following way:
object network dmz-webserver1
  host 192.168.1.25
nat (dmz,outside) static interface service tcp 8000 www
object network dmz-webserver2
  host 192.168.1.23
nat (dmz,outside) static interface service tcp 8080 www

With this in place, connecting to the IP address of the outside interface on port 8000 reaches 192.168.1.25 on port 80, while connecting to the same address on port 8080 reaches 192.168.1.23 on port 80.
Confused yet? I hope not because it’s about to get weird…

Manual NAT or Twice NAT or Policy NAT or Reverse NAT

The limitation of Auto NAT is that it cannot take the destination into consideration when performing its translation. As a consequence it also cannot alter the destination address. To accomplish either of these tasks you must use “manual NAT”.
All of these terms are identical: Manual NAT, Twice NAT, Policy NAT, Reverse NAT. Don’t be confused by fancy mumbo jumbo.
Policy NAT Exemption aka NAT Zero aka No NAT
In ASA 8.3 code this is known as Policy NAT exemption. It is commonly used to exempt traffic crossing a VPN tunnel from translation.
object network inside-net
  subnet 10.0.0.0 255.255.255.0
object network vpn-subnets
  range 10.1.0.0 10.5.255.255
nat (inside,outside) source static inside-net inside-net destination static vpn-subnets vpn-subnets

Policy NAT exemption for incoming remote access VPNs
In order for a packet to come in through a firewall from a lower security interface to a higher security interface it must have a translation and an ACL to permit it through. If you are setting up remote access VPN then the ACL is usually bypassed since it’s tunneled traffic, but there still needs to be a translation. This is done with the following (note the order of the interfaces in the NAT statement):
object-group network OBJ-INSIDE-NETWORKS
  network-object 172.16.200.0 255.255.255.0
object network obj-172.16.101.0
  subnet 172.16.101.0 255.255.255.0
nat (OUTSIDE,INSIDE) source static obj-172.16.101.0 obj-172.16.101.0 destination static OBJ-INSIDE-NETWORKS OBJ-INSIDE-NETWORKS

Dynamic Policy NAT
This is when you specify an ACL (or, in 8.3, a destination object) for your NAT traffic to match on, and traffic that matches is translated to a specified address.
Suppose you are trying to build a VPN tunnel to another site. The problem is that your private IP addresses are overlapping with their private IP addresses so they tell you that you MUST come from 172.27.27.27. If this was a static one to one translation it wouldn’t be so hard but in this case we have many users all needing to use that IP address.
In the pre 8.3 configuration your code would look something like this:
access-list ACL-VENDOR-VPN-NAT extended permit ip 192.168.1.0 255.255.255.0 host 172.16.75.5
nat (inside) 3 access-list ACL-VENDOR-VPN-NAT
global (outside) 3 172.27.27.27

In the new ASA 8.3 config the code looks like this:
object network inside-net
  subnet 192.168.1.0 255.255.255.0
object network vendor-vpn-nat
  host 172.16.75.5
object network translated-ip
  host 172.27.27.27
nat (inside,outside) source dynamic inside-net translated-ip destination static vendor-vpn-nat vendor-vpn-nat

Miscellaneous Notes

Use real IPs in access-lists
In ASA version 8.3 you must specify the real IP and not the translated IP. For instance, to permit traffic to the web server through the outside ACL you must put:
access-list ACL-OUTSIDE-IN extended permit tcp any host 192.168.1.25 eq 80
This is a major change from pre 8.3 which would specify the public or NAT’d IP address.

Show commands

To view this configuration you must check two places to see what is being NAT’d.
show run object
show run nat
The command “show run object in-line” is sometimes useful when filtering with the pipe (|) commands, since it prints each object on a single line.
You can also see the order of NAT and number of NAT translation hit counts with:
show nat

Optional Destination keyword in manual NAT

The destination keyword and addresses in the manual NAT command are optional. This means that both of these configurations do the same thing:
object network inside-net
  subnet 10.0.0.0 255.255.255.0
nat (inside,outside) dynamic interface
!
object network inside-net
  subnet 10.0.0.0 255.255.255.0
nat (inside,outside) source dynamic inside-net interface

NAT order and after-auto NAT’ing

The order of operation in NAT commands is documented here:
http://www.cisco.com/en/US/partner/docs/security/asa/asa83/configuration/guide/nat_overview.html#wp1118157
The NAT operation only takes place once. As soon as a packet matches a NAT rule the ASA stops evaluating the remaining rules, even if a later rule would also have matched. The order of evaluation is:
  1. Twice NAT statements
  2. Auto NAT statements
  3. After-Auto NAT statements
Let’s say you have a Manual or Twice NAT that you want to be considered AFTER all of the auto NATs. You can specify this by adding the “after-auto” keyword, which would look something like this (here PATing any remaining inside host to the outside interface address):
nat (inside,outside) after-auto source dynamic any interface
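To make the three ideas above concrete (the Policy NAT exemption, the port-forwarding Auto NAT rules, and the section ordering of manual, auto and after-auto rules), here is an added Python model of how an ASA 8.3+ picks a single NAT rule for a packet. It is example code written for this post, not the ASA's own logic or code from the original article. The rules mirror the configuration lines quoted above; the rule names, the outside interface address 203.0.113.1 and the test hosts are constructed placeholders. Within a section the model simply keeps configuration order; the ASA's own tie-breaks inside the auto NAT section are deliberately not modelled.

```python
# Added example: a small model of ASA 8.3+ NAT rule selection (not ASA code).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample address standing in for the "interface" keyword on outside.
INTERFACE_IP = {"outside": "203.0.113.1"}


@dataclass
class Rule:
    section: int                      # 1 manual NAT, 2 auto NAT, 3 after-auto manual NAT
    ingress: str                      # first interface in "nat (in,out)"
    egress: str                       # second interface; "any" matches every interface
    real_src: str                     # real host/network, or an ASA-style "lo-hi" range
    mapped_src: str                   # "interface", an address, or == real_src (identity NAT)
    static: bool
    real_dst: Optional[str] = None    # only manual NAT can match on the destination
    mapped_dst: Optional[str] = None
    proto: Optional[str] = None       # "service tcp <mapped> <real>" on static auto NAT
    mapped_port: Optional[int] = None
    real_port: Optional[int] = None
    name: str = ""                    # constructed label, not part of the ASA syntax


def _in(addr: str, net: str) -> bool:
    """True if addr falls inside a host/CIDR string or an ASA 'lo-hi' range object."""
    a = ip_address(addr)
    if "-" in net:
        lo, hi = (ip_address(x) for x in net.split("-"))
        return lo <= a <= hi
    return a in ip_network(net, strict=False)


def _mapped_src(rule: Rule) -> str:
    return INTERFACE_IP[rule.egress] if rule.mapped_src == "interface" else rule.mapped_src


def ordered(rules):
    """Section 1 (manual) before section 2 (auto) before section 3 (after-auto).
    sorted() is stable, so configuration order is kept within a section."""
    return sorted(rules, key=lambda r: r.section)


def translate_outbound(rules, ingress, egress, src, dst):
    """Real -> mapped for a packet going ingress -> egress. The first matching rule
    wins and the search stops. Returns (mapped_src, mapped_dst, rule name) or None."""
    for r in ordered(rules):
        if r.ingress != ingress or r.egress not in (egress, "any"):
            continue
        if not _in(src, r.real_src):
            continue
        if r.real_dst is not None and not _in(dst, r.real_dst):
            continue
        new_src = src if r.mapped_src == r.real_src else _mapped_src(r)
        new_dst = dst if r.mapped_dst in (None, r.real_dst) else r.mapped_dst
        return new_src, new_dst, r.name
    return None


def translate_inbound(rules, ingress, src, dst, proto=None, dport=None):
    """Mapped -> real for a packet arriving on the mapped side of a static rule
    (the "or vice versa" direction). Dynamic rules never create inbound
    translations. Returns (real_dst, real_port, egress interface, rule name)."""
    for r in ordered(rules):
        if not r.static or r.egress not in (ingress, "any") or r.ingress == ingress:
            continue
        if not _in(dst, _mapped_src(r)):
            continue
        if r.real_dst is not None and not _in(src, r.mapped_dst):
            continue
        if r.mapped_port is not None and (proto, dport) != (r.proto, r.mapped_port):
            continue
        real = dst if r.mapped_src == r.real_src else r.real_src.split("/")[0]
        return real, r.real_port or dport, r.ingress, r.name
    return None


# The post's configuration lines expressed as rules (names are constructed labels).
RULES = [
    # nat (inside,outside) source static inside-net inside-net destination static vpn-subnets vpn-subnets
    Rule(1, "inside", "outside", "10.0.0.0/24", "10.0.0.0/24", True,
         "10.1.0.0-10.5.255.255", "10.1.0.0-10.5.255.255", name="vpn-exempt"),
    # object network inside-net / nat (inside,outside) dynamic interface
    Rule(2, "inside", "outside", "10.0.0.0/24", "interface", False, name="inside-pat"),
    # object network dmz-webserver1 / nat (dmz,outside) static interface service tcp 8000 www
    Rule(2, "dmz", "outside", "192.168.1.25", "interface", True,
         proto="tcp", mapped_port=8000, real_port=80, name="web1"),
    # object network dmz-webserver2 / nat (dmz,outside) static interface service tcp 8080 www
    Rule(2, "dmz", "outside", "192.168.1.23", "interface", True,
         proto="tcp", mapped_port=8080, real_port=80, name="web2"),
    # nat (inside,outside) after-auto source dynamic any interface
    Rule(3, "inside", "outside", "0.0.0.0/0", "interface", False, name="catch-all-pat"),
]

if __name__ == "__main__":
    print(translate_outbound(RULES, "inside", "outside", "10.0.0.5", "10.3.4.4"))  # exempt
    print(translate_outbound(RULES, "inside", "outside", "10.0.0.5", "8.8.8.8"))   # PAT
    print(translate_inbound(RULES, "outside", "198.51.100.7", "203.0.113.1", "tcp", 8000))
```

The useful check is the first call: 10.0.0.5 talking to a VPN subnet is matched by the section 1 exemption and keeps its real address even though the auto NAT PAT rule would also match, which is exactly why the exemption must be a manual NAT statement. The after-auto rule is only reached for a host that no section 1 or 2 rule covers, and an inbound connection to the outside address on a port other than 8000 or 8080 finds no static rule and is not translated at all.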

Using Descriptions

The description keyword can be added to the end of a manual NAT statement to keep things more organized like so:
nat (OUTSIDE,INSIDE) source static obj-172.16.101.0 obj-172.16.101.0 destination static OBJ-INSIDE-NETWORKS OBJ-INSIDE-NETWORKS description ANYCON-NONAT

Inactive NAT statements

You may deactivate a manual NAT statement by adding the “inactive” keyword at the end of the statement like so:
nat (OUTSIDE,INSIDE) source static obj-172.16.101.0 obj-172.16.101.0 destination static OBJ-INSIDE-NETWORKS OBJ-INSIDE-NETWORKS inactive

Cisco Documentation on NAT for 8.3

CLI NAT configuration guide for ASA 8.3: http://www.cisco.com/en/US/partner/docs/security/asa/asa83/configuration/guide/nat_overview.html
Upgrading to ASA 8.3 – What you need to know: https://supportforums.cisco.com/docs/DOC-12690
Video examples and tutorial: https://supportforums.cisco.com/docs/DOC-12324

ASA Pre-8.3 to 8.3 NAT configuration examples: https://supportforums.cisco.com/docs/DOC-9129
ASA NAT migration problems when upgrading to 8.3; Syslog “%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows”: https://supportforums.cisco.com/docs/DOC-12569
