Sunday 18 October 2015

NAT on Cisco ASA 8.3 and Above

Translations on Cisco ASA 8.3 and Above

Hi everyone. Based on my experience with the Cisco ASA firewall, I am going to take you through some of the important information about the different translations on Cisco ASA Software version 8.3 and above.

This content is also useful for candidates studying for IINS version 3.0 or Cisco CCNA Security, as the new IINSv3.0 syllabus focuses on Cisco ASA Software version 9.x.


In this post I am going to stick to the 8.3+ code and won't discuss anything about the previous versions. If you find this content useful, do leave a comment; I would love to explain translations on Cisco ASA version 8.2 and below.

First, let's look at the main differences between the two NAT types we are going to configure in 8.3+ code. These two NAT types are:

A) Network Object NAT or Auto-NAT or Object NAT

B)  Twice NAT or Manual NAT


So what is a network object used for, and how do you identify Auto-NAT / Network Object NAT?
Network object NAT / Auto-NAT: you define the NAT rule as a parameter, or part, of a network object. In short, if you see a NAT statement within the object, that's Object NAT / Auto-NAT.

eg. object network IN-OUT
     host 10.11.11.91
     nat (inside,outside) static 191.9.6.6   <-- NAT statement within the object
    exit

Within a network object you can define:
1. An IP host
          eg. object network Ex-Host
                host A.B.C.D
              exit

2. A range
          eg. object network Ex-Range
                range A.B.C.D A.B.C.Z
              exit

3. A subnet
          eg. object network Ex-Subnet
                subnet <Network> <Mask>
              exit

You can then use the object in the configuration instead of the actual IP addresses.

Hope it's clear. The next type of NAT is Twice NAT. But how do you identify Twice or Manual NAT?

        – Twice NAT: you can configure a network object or network object group for both the real and mapped addresses. Here the NAT rule is not a part of the network object; rather, it is configured in global configuration mode.

As I mentioned for Network Object or Auto NAT, the NAT rule is a part of the network object. Here in Twice or Manual NAT it is the other way round: the network object or network object group is a part of the NAT rule, which is defined in global configuration mode.

Here are some examples of network objects and network object groups.
Network object example:
object network IN-NW-10
 subnet 10.11.11.0 255.255.255.0
exit
!
object network IN-NW-192.168
 subnet 192.168.10.0 255.255.255.0
exit
!
object network DMZ3-NW-172.19
 subnet 172.19.19.0 255.255.255.0
exit

These are individual objects; you can group them into a network object group:

object-group network SOURCE-Group
  network-object object IN-NW-10
  network-object object IN-NW-192.168
  network-object object DMZ3-NW-172.19
exit

OR

object-group network SOURCE-Group
  network-object 10.11.11.0 255.255.255.0
  network-object 192.168.10.0 255.255.255.0
  network-object 172.19.19.0 255.255.255.0
exit

Order of NAT Rules
 – Network object NAT: automatically ordered in the NAT table.

You can't manipulate the order of the NAT rules in Section 2 of the translation table with any kind of "line" value. The only way to control the Section 2 Network Object NAT order is through how specific the NAT rules are.

The Section 2 NAT rules do have line numbers visible in some output, but this value is determined by the ASA; when you add a new Auto-NAT rule, the ASA recalculates the order.

Given below are the factors that decide the priority.

The first deciding factor is the type of NAT:
1. Static or dynamic NAT rule
The order is: Static NAT > Static PAT > Dynamic NAT > Dynamic PAT

In practice you would configure Dynamic NAT or PAT etc. in Section 1 or Section 3: the most general rules are configured in Section 3, and more precise rules like Dynamic Policy NAT/PAT, NAT-PAT combinations or Identity NAT are configured in Section 1.

Within each of the above NAT types the following order applies:
  • Number of IP addresses contained in the "object network" (fewer addresses, i.e. more specific, first)
  • For "object network" entries containing the same number of IP addresses, the one with the lowest IP address is first in order.
  • For "object network" entries that are equal on both counts above, the order is alphabetical by object name.


Twice/Manual NAT is where you can actually use line numbers to manually order the NAT rules within a particular section of the NAT table.


Basically, the NAT table has 3 sections, which are as follows:

1. SECTION 1 (Twice/Manual NAT)
2. SECTION 2 (Object NAT, Network Object NAT / Auto-NAT)
3. SECTION 3 (After-Auto Twice/Manual NAT)


If you are familiar with the NAT types possible on a Cisco ASA, we have the following translations available:
Dynamic NAT, PAT, NAT+PAT combination
Dynamic Policy NAT, PAT
Static NAT/PAT
Policy NAT
Identity NAT or NAT Exemption
DNS Rewrite
Destination NAT

Now the question is which translation rule should be configured in which section of the translation table.

Given below is the list of rules along with the section number.


SECTION 1 = TWICE/MANUAL NAT

Dynamic Policy NAT 
Dynamic Policy PAT
Dynamic Policy NAT + PAT
Static Policy NAT
Static Policy PAT
Identity NAT
Destination NAT

SECTION 2 = AUTO-NAT

Static NAT
Static PAT
DNS Rewrite


SECTION 3 = After-Auto TWICE/MANUAL NAT

Dynamic NAT 
Dynamic PAT
Dynamic NAT + PAT

Hope the order is clear.
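To make the ordering concrete, here is a small Python model (added for this post; it is not Cisco code and not part of the original write-up) that parses a constructed ASA-style configuration fragment, files each rule into Section 1, 2 or 3, sorts Section 2 with the Auto-NAT criteria above (NAT type, then fewest real addresses, then lowest real IP, then object name), and then looks up which rule a given source/destination pair hits, first match wins, Section 1 before 2 before 3. Assumptions: the config fragment, object names and addresses are all made up; an object NAT rule is recognised by the nat line being indented under its object (as in show running-config output) while a twice NAT rule is a top-level nat line with the source and destination keywords, and after-auto sends it to Section 3; the static/dynamic NAT/PAT classifier is a simplification keyed on the service, interface and pat-pool keywords; and the matcher considers only source and destination addresses, not ports or interfaces.

```python
import ipaddress
from dataclasses import dataclass

# Constructed ASA 8.3+ running-config fragment (sample data for this example, not from a real device).
# Object NAT lines are indented under their object; twice NAT lines sit in global configuration mode.
SAMPLE_CONFIG = """\
object network WEB-SRV
 host 10.11.11.91
 nat (inside,outside) static 191.9.6.6
object network MAIL-SRV
 host 10.11.11.25
 nat (inside,outside) static 191.9.6.25 service tcp smtp smtp
object network MAPPED-NW-7
 subnet 191.9.7.0 255.255.255.0
object network IN-NW-192.168
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) static MAPPED-NW-7
object network MAPPED-POOL
 range 191.9.6.100 191.9.6.110
object network DMZ-RANGE
 range 172.19.19.10 172.19.19.20
 nat (dmz,outside) dynamic MAPPED-POOL
object network IN-NW-10
 subnet 10.11.11.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network VPN-NW
 subnet 10.11.11.64 255.255.255.192
object network REMOTE-NW
 subnet 10.50.0.0 255.255.0.0
!
nat (inside,outside) source static VPN-NW VPN-NW destination static REMOTE-NW REMOTE-NW
nat (any,outside) after-auto source dynamic any interface
"""

KIND_RANK = {"static NAT": 0, "static PAT": 1, "dynamic NAT": 2, "dynamic PAT": 3}  # type order from the post
ANY = (0, 2 ** 32)  # an address span is (lowest address as int, number of addresses); this one covers all

@dataclass
class NatRule:
    name: str          # object name for Section 2, the rule arguments for a manual rule
    kind: str          # a KIND_RANK key for object NAT, "manual" for twice NAT
    real: tuple        # real source address span
    dest: tuple = ANY  # destination span; object NAT carries no destination condition

    def matches(self, src: str, dst: str) -> bool:
        s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
        return self.real[0] <= s < sum(self.real) and self.dest[0] <= d < sum(self.dest)

def classify_nat(args):
    """Simplified classifier: static PAT carries 'service'; dynamic PAT uses 'interface' or 'pat-pool'."""
    mode, rest = args[0], args[1:]
    if mode == "static":
        return "static PAT" if "service" in rest else "static NAT"
    return "dynamic PAT" if ("interface" in rest or "pat-pool" in rest) else "dynamic NAT"

def order_section2(rules):
    """Auto-NAT order: NAT type, then fewest real addresses, then lowest real IP, then object name."""
    return sorted(rules, key=lambda r: (KIND_RANK[r.kind], r.real[1], r.real[0], r.name))

def parse_config(config):
    """Return (section1, section2, section3); manual rules keep line order, Section 2 is auto-ordered."""
    objects, sec1, sec2, sec3, cur = {}, [], [], [], None
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[:2] == ["object", "network"]:
            cur = t[2]
        elif t[0] == "host":
            objects[cur] = (int(ipaddress.ip_address(t[1])), 1)
        elif t[0] == "subnet":
            net = ipaddress.ip_network((t[1], t[2]))
            objects[cur] = (int(net.network_address), net.num_addresses)
        elif t[0] == "range":
            a, b = (int(ipaddress.ip_address(x)) for x in t[1:3])
            objects[cur] = (a, b - a + 1)
        elif t[0] == "nat" and raw.startswith(" "):  # object NAT: the rule lives inside the object
            sec2.append(NatRule(cur, classify_nat(t[2:]), objects[cur]))
        elif t[0] == "nat":  # twice NAT: the objects are arguments of the rule
            src = objects.get(t[t.index("source") + 2], ANY)  # 'any' is not an object, so it maps to ANY
            dst = objects.get(t[t.index("destination") + 2], ANY) if "destination" in t else ANY
            rule = NatRule(" ".join(t[2:]), "manual", src, dst)
            (sec3 if "after-auto" in t else sec1).append(rule)
    return sec1, order_section2(sec2), sec3

def lookup(sections, src, dst):
    """First match wins, checking Section 1, then Section 2, then Section 3."""
    for sec_no, rules in zip((1, 2, 3), sections):
        for r in rules:
            if r.matches(src, dst):
                return sec_no, r.name
    return None

if __name__ == "__main__":
    sections = parse_config(SAMPLE_CONFIG)
    for src, dst in (("10.11.11.91", "10.50.1.1"), ("10.11.11.91", "203.0.113.9"), ("10.99.0.5", "203.0.113.9")):
        print(f"{src} -> {dst}: {lookup(sections, src, dst)}")
```

Running it shows the two points of this post: the host objects sort ahead of the /24 object within static NAT and static NAT sorts ahead of static PAT and the dynamic rules, whatever order they were typed in, and the identity rule for VPN-NW catches 10.11.11.91 going to the remote network before the Section 2 static NAT for WEB-SRV ever gets a chance, while the same host going anywhere else falls through to WEB-SRV, and an address no object covers ends up on the after-auto dynamic PAT in Section 3.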


I will post these different NATs along with examples in my upcoming post, so stay tuned.
Till then, keep learning, keep sharing.


