Translation Examples on Cisco ASA 8.3 and Above
Hi guys, welcome back. I hope you went through the differences between Twice NAT and Network Object NAT. As mentioned in the previous post, there are 3 sections in the translation table.
So let's begin with some examples of NAT rules that you would configure in Section 1.
SECTION 1 Rules - (Manual/Twice NAT)
Let's start with the very first example, Dynamic Policy NAT.
In this example I want any host from the inside subnet 10.11.11.0/24, when going to a specific destination, namely the R2 loopbacks (2.2.22.0/24 or 2.2.23.0/24) and the R2 interface F0/0 (1.1.1.2), to be translated to the range of IP addresses 1.1.1.3 to 1.1.1.9 on the outside.
Example 1: DYNAMIC POLICY NAT
Create an object for the inside subnet 10.11.11.0/24:
!
object network INSIDE
subnet 10.11.11.0 255.255.255.0
exit
Create an object group of type network for the loopbacks behind R2 and the R2 interface F0/0.
Observe how the network-objects are referenced directly under the network object group here; in later examples I will show how to reference a network object within a network object group.
object-group network DESTINATION1
network-object 2.2.0.0 255.255.0.0
network-object host 1.1.1.2
exit
Create a network object for the NAT pool and then the Twice NAT rule itself:
object network NAT-POOL1
range 1.1.1.3 1.1.1.9
exit
nat (inside,outside) source dynamic INSIDE NAT-POOL1 destination static DESTINATION1 DESTINATION1
Example 2: DYNAMIC PAT
In this example I want any host from the Inside, DMZ3 or DMZ4 zones, going to any host on the outside network except the R2 loopbacks and R2 F0/0, to be PATed to the firewall's outside interface IP address.
Use the object created in the previous example:
object network INSIDE
subnet 10.11.11.0 255.255.255.0
exit
Create another network object for DMZ3, and one for DMZ4:
object network DMZ3
subnet 192.168.30.0 255.255.255.0
exit
object network DMZ4
subnet 192.168.40.0 255.255.255.0
exit
Now in this network object group I refer to all the Inside and DMZ subnets.
object-group network ANY-SOURCE
network-object 10.11.11.0 255.255.255.0
network-object 192.168.30.0 255.255.255.0
network-object 192.168.40.0 255.255.255.0
exit
Here the interface keyword picks the IP address of the egress interface, which is outside in this case.
nat (any,outside) source dynamic ANY-SOURCE interface
Example 3: DYNAMIC NAT+PAT Combination
This example is a combination of the two examples above.
Basically I create one object for NAT and another object for PAT. Since the order of translation is NAT followed by PAT, if the IP addresses in the NAT pool get exhausted, translation moves on to the PAT IP address, which is defined using the second network object.
object network INSIDE
subnet 10.11.11.0 255.255.255.0
exit
object network NAT-POOL1
range 1.1.1.3 1.1.1.5
exit
object network PAT-POOL1
host 1.1.1.6
exit
Here in the network object group I reference the two network objects using the object keyword (this is the referencing I promised to show in Example 1):
object-group network NAT-PAT-POOL
network-object object NAT-POOL1
network-object object PAT-POOL1
exit
!
object-group network DESTINATION1
network-object 2.2.0.0 255.255.0.0
network-object host 1.1.1.2
exit
!
nat (inside,outside) source dynamic INSIDE NAT-PAT-POOL destination static DESTINATION1 DESTINATION1
!
Example 4: IDENTITY NAT
In this example of Identity NAT, the task is to translate the INSIDE subnet to itself when the destination is either the DMZ3 zone subnet or the DMZ4 zone subnet.
So if the destination is neither DMZ3 nor DMZ4, some other translation rule must be used.
!
object network INSIDE
subnet 10.11.11.0 255.255.255.0
exit
object-group network DMZ-ZONES
network-object 192.168.30.0 255.255.255.0
network-object 192.168.40.0 255.255.255.0
exit
nat (inside,any) source static INSIDE INSIDE destination static DMZ-ZONES DMZ-ZONES
Here I have used (inside,any) because I can't use two egress interface names in one NAT rule.
Also note that in a production network I would prefer to create individual objects for DMZ3 and DMZ4 and group them in a network object group, something like this -
object network DMZ3
subnet 192.168.30.0 255.255.255.0
exit
object network DMZ4
subnet 192.168.40.0 255.255.255.0
exit
object-group network DMZ-ZONES
network-object object DMZ3
network-object object DMZ4
exit
Example 5: STATIC POLICY NAT
The topology for this example, where the inside hosts are statically translated when going to R2:
      10.11.11.0/24                     1.1.1.0/24
         INSIDE                           Outside
R1 ---------------------- FW ---------------------------- R2
10.11.11.0/24 ---------------------------> 2.2.0.0/16 or host 1.1.1.2
object network INSIDE
subnet 10.11.11.0 255.255.255.0
exit
!
object network R2-LOOPBACKS
subnet 2.2.0.0 255.255.0.0
exit
!
object network MAPPED-NAT-SOURCE
range 1.1.1.99 1.1.1.103
exit
!
nat (inside,outside) source static INSIDE MAPPED-NAT-SOURCE destination static R2-LOOPBACKS R2-LOOPBACKS
SECTION 2 Rules - (Auto-NAT or Network Object NAT)
Example 1: STATIC NAT
This rule goes into Section 2 of the translation table. Here I want a static translation for the R3 interface F0/0 IP address, 192.168.30.3, so that it is seen as 1.1.1.30 on the outside interface of the ASA.
So anyone trying to access IP address 1.1.1.30 from outside the ASA ends up reaching Router R3 (192.168.30.3).
These rules are configured in Section 2. Observe the example carefully: the nat keyword is used within the network object.
These same objects are used in the ACLs as well.
object network R3-F0
host 192.168.30.3
nat (DMZ3,outside) static 1.1.1.30
exit
Now the source of this traffic is on the outside interface of the ASA, which is at a low security level, while the destination R3 sits in the DMZ3 zone at security level 50, so you have to explicitly (manually) allow this traffic on the outside interface of the ASA.
There was a major change in the order of processing in ASA software version 8.3 and above: translate/un-translate happens before the ACL check.
So the packet received on the outside interface of the ASA arrives with destination IP 1.1.1.30 (mapped IP), which is the translated IP address of R3-F0.
Once the destination IP address is un-translated to 192.168.30.3 (real IP), the packet is checked against the ACL, as per the order of processing, and must be permitted towards R3-F0.
In this case the ACE in the ACL named OUT should look like this -
access-list OUT permit icmp any object R3-F0
Here I am using the same network object in the ACL as well.
Have a look at another example for Router R4.
object network R4-F0
host 192.168.40.4
nat (DMZ4,outside) static 1.1.1.40
exit
access-list OUT permit icmp any object R4-F0
access-group OUT in interface outside
Example 2: STATIC PAT
OK, so this example is Static PAT. The scenario is that you have two servers, R3 (192.168.30.3) and R4 (192.168.40.4), in the DMZ3 and DMZ4 zones respectively.
I will translate both private IPs to the single public IP address of the ASA outside interface.
The outside interface IP address of the ASA, 1.1.1.10, when accessed on tcp/8080 should redirect the user to R3-F0 (192.168.30.3) on tcp/80,
and the same IP address, 1.1.1.10, when accessed on tcp/8999 should redirect the user to R4-F0 (192.168.40.4) on tcp/80.
object network R3-F0-WEB-PAT
host 192.168.30.9
nat (DMZ3,outside) static interface service tcp 80 8080
exit
access-list OUT permit tcp any host 192.168.30.9 eq 80
object network R4-F0-WEB-PAT
host 192.168.40.9
nat (DMZ4,outside) static interface service tcp 80 8999
exit
access-list OUT permit tcp any host 192.168.40.9 eq 80
access-group OUT in interface outside
This is another example where I have directly used the real IP addresses of R3 and R4 in the ACLs, but again, as I have mentioned before, the recommendation is to use the objects in the ACLs as well.
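The order of processing from Example 1 (un-translate first, then the ACL check) together with the static NAT and static PAT rules from Examples 1 and 2, modelled as an added Python example; this is not the post's own code or anything from the ASA, and the mapped-style ACL at the end is a constructed contrast showing why a pre-8.3 ACE written against 1.1.1.30 no longer matches.

```python
OUTSIDE_IF_IP = "1.1.1.10"  # ASA outside interface address used in the post

# Section 2 (Network Object NAT) static rules from the post, keyed by what is seen
# on the outside: (mapped_ip, mapped_port) -> (real_ip, real_port).
# A mapped_port of None is plain static NAT (all ports); the "interface" keyword
# of the static PAT rules resolves to the outside interface address.
STATIC_RULES = {
    ("1.1.1.30", None): ("192.168.30.3", None),       # object R3-F0
    ("1.1.1.40", None): ("192.168.40.4", None),       # object R4-F0
    (OUTSIDE_IF_IP, 8080): ("192.168.30.9", 80),      # object R3-F0-WEB-PAT
    (OUTSIDE_IF_IP, 8999): ("192.168.40.9", 80),      # object R4-F0-WEB-PAT
}

def untranslate(dst_ip, dst_port):
    """Step 1 on 8.3+: un-NAT the destination before any ACL is consulted."""
    if (dst_ip, dst_port) in STATIC_RULES:           # static PAT: exact ip + port
        return STATIC_RULES[(dst_ip, dst_port)]
    if (dst_ip, None) in STATIC_RULES:               # static NAT: port carried through
        return STATIC_RULES[(dst_ip, None)][0], dst_port
    return dst_ip, dst_port                          # no rule: packet unchanged

# ACL "OUT" from the post, each ACE as (proto, dst_ip, dst_port or None for any port).
# Note that every destination is a real (DMZ) address, never a mapped one.
ACL_OUT = [
    ("icmp", "192.168.30.3", None),   # permit icmp any object R3-F0
    ("icmp", "192.168.40.4", None),   # permit icmp any object R4-F0
    ("tcp", "192.168.30.9", 80),      # permit tcp any host 192.168.30.9 eq 80
    ("tcp", "192.168.40.9", 80),      # permit tcp any host 192.168.40.9 eq 80
]

# Constructed pre-8.3 style ACE that references the mapped address: wrong on 8.3+.
ACL_OUT_MAPPED_STYLE = [("icmp", "1.1.1.30", None)]

def acl_permits(acl, proto, dst_ip, dst_port):
    """Step 2: first-match ACL check with the implicit deny at the end."""
    for ace_proto, ace_ip, ace_port in acl:
        if ace_proto == proto and ace_ip == dst_ip and ace_port in (None, dst_port):
            return True
    return False

def inbound_allowed(proto, dst_ip, dst_port=None, acl=ACL_OUT):
    """Full inbound path on 'outside': un-translate, then check the ACL with real IPs."""
    real_ip, real_port = untranslate(dst_ip, dst_port)
    return acl_permits(acl, proto, real_ip, real_port)
```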
Example 3: DNS REWRITE (Static Translation)
These are the same static rules as in Example 1, with the dns keyword added so that the ASA also rewrites the A record in DNS replies that pass through it to match the translation.
object network R3-F0
host 192.168.30.3
nat (DMZ3,outside) static 1.1.1.30 dns
exit
object network R4-F0
host 192.168.40.4
nat (DMZ4,outside) static 1.1.1.40 dns
exit
SECTION 3 Rules: (After-Auto NAT)
Example 1: DYNAMIC NAT/PAT/NAT+PAT Combination
Guess what? The most general NAT rules go into this section of the NAT table on the ASA. If you look at the NAT rule in the example below, yes, it is defined in global configuration mode, so it is Manual/Twice NAT, but as it is the more general rule for going to the Internet I have placed it in Section 3 using the "after-auto" keyword.
object-group network ANY-SOURCE
network-object 10.11.11.0 255.255.255.0
network-object 192.168.30.0 255.255.255.0
network-object 192.168.40.0 255.255.255.0
exit
object network GLOBAL-PAT-IP
host 1.1.1.199
exit
nat (any,outside) after-auto source dynamic ANY-SOURCE GLOBAL-PAT-IP
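The section walk that the after-auto keyword relies on, as an added Python example that is not the post's own configuration or any ASA code. It only models which rule is selected for an outbound packet (no pool allocation), using the Section 1 policy NAT rule, the Section 2 static rules for R3-F0 and R4-F0, and the ANY-SOURCE PAT rule placed in either Section 1 or Section 3, to show that in Section 1 the general rule would shadow the static rules.

```python
from ipaddress import ip_address, ip_network

# Objects and groups from the post.
INSIDE = [ip_network("10.11.11.0/24")]
DESTINATION1 = [ip_network("2.2.0.0/16"), ip_network("1.1.1.2/32")]
ANY_SOURCE = [ip_network(n) for n in ("10.11.11.0/24", "192.168.30.0/24", "192.168.40.0/24")]
ANY = [ip_network("0.0.0.0/0")]

def in_any(ip, nets):
    return any(ip_address(ip) in n for n in nets)

# A rule is (name, real_source_nets, destination_nets, mapped_source).
RULE_NAT_POOL1 = ("Sec1 Ex1: dynamic policy NAT", INSIDE, DESTINATION1, "NAT-POOL1 1.1.1.3-1.1.1.9")
RULE_R3_F0 = ("Sec2: object R3-F0 static", [ip_network("192.168.30.3/32")], ANY, "1.1.1.30")
RULE_R4_F0 = ("Sec2: object R4-F0 static", [ip_network("192.168.40.4/32")], ANY, "1.1.1.40")
RULE_GENERAL_PAT = ("dynamic PAT ANY-SOURCE", ANY_SOURCE, ANY, "GLOBAL-PAT-IP 1.1.1.199")

def lookup(src_ip, dst_ip, general_pat_section):
    """Walk Section 1, then 2, then 3; the first rule matching both source and
    destination wins. general_pat_section is where the ANY-SOURCE rule was put:
    1 (plain manual NAT) or 3 (manual NAT with the after-auto keyword)."""
    table = {1: [RULE_NAT_POOL1], 2: [RULE_R3_F0, RULE_R4_F0], 3: []}
    table[general_pat_section].append(RULE_GENERAL_PAT)   # appended: last in its section
    for section in (1, 2, 3):
        for name, src_nets, dst_nets, mapped in table[section]:
            if in_any(src_ip, src_nets) and in_any(dst_ip, dst_nets):
                return name, mapped
    return "no rule: no translation", None
```

With the general rule in Section 1, R3's own outbound traffic is PATed to 1.1.1.199 instead of appearing as 1.1.1.30; with after-auto it falls through to Section 2 first.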
Leave your comments below