ASA NAT Key Points (8.2 and below)


May 16, 2010 9:05 AM

Hello Community,

I created this document with the most-used NAT tips and information that I've experienced. It is not a great deal of new stuff, but it's a reminder of all the key points from version 8.2 and below. NAT has changed completely in version 8.3, and I'll try to post a new document on the important points, just like this one.

NAT Key Points

·NAT is commonly used to translate private IP addresses (RFC 1918) to public IP addresses and therefore allow communication on the public Internet

·NAT Types

o   Dynamic NAT

o   PAT

o   Static NAT

o   Static PAT

·With NAT Control enabled, the ASA requires a matching NAT rule before it will pass traffic from a higher-security interface to a lower-security one (an ACL alone is not enough). To remove this requirement, disable NAT Control with no nat-control (the command was introduced in 7.0(1))

·NAT in transparent mode is only supported from 8.0(2) onward, and with limitations compared to routed mode

·Policy NAT lets you specify the source and destination addresses and ports to be translated through an access list (regular NAT matches on the source address only)

·Order in which the ASA checks the NAT rule categories (a match in an earlier category is used even if a later category holds a more specific rule)

o   NAT exemption (nat 0 access-list)

o   Static NAT and Static PAT (static)

o   Policy dynamic NAT (nat access-list)

o   Regular dynamic NAT (nat)

·The A record in DNS replies can be rewritten to the translated address by adding the dns keyword to the NAT rule (DNS doctoring)

·If NAT Control is enabled but some traffic must pass untranslated, there are three ways to bypass NAT

1.       Identity NAT (nat 0 without an access list): the real address is mapped to itself; the translation is created only when the real host initiates the connection

2.       Static identity NAT (static with the same real and mapped address): the translation is always present, so remote hosts can also initiate connections (if an ACL allows them)

3.       NAT exemption (nat 0 access-list): matches on source and destination (ports in the access list are ignored), works in both directions, and is checked before every other NAT rule; this is the usual choice for VPN or inter-DMZ traffic that must keep its real addresses

·The NAT ID links each nat statement to the global statement(s) carrying the same ID; several NAT IDs can be used to pair different real networks with different mapped pools (ID 0 is reserved for identity NAT and NAT exemption)
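The following configuration exercises the evaluation order above in one place. It is an added example, not part of the original document: the inside network 192.168.100.0/24, the outside block 209.165.201.0/27, the VPN peer LAN 10.20.0.0/24, the partner network 172.16.50.0/24 and the access-list names are all made up for illustration.

```cisco
! NAT Control on: flows from a higher to a lower security interface need a matching NAT rule
nat-control
!
! 1. NAT exemption (checked first): traffic to the VPN peer's LAN keeps its real addresses
access-list NONAT extended permit ip 192.168.100.0 255.255.255.0 10.20.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! 2. Static NAT (checked second): the web server gets a fixed public address; the dns
!    keyword rewrites A records for it in DNS replies that cross the ASA
static (inside,outside) 209.165.201.10 192.168.100.10 netmask 255.255.255.255 dns
!
! 3. Policy dynamic NAT (checked third): inside hosts talking to the partner network are
!    translated to a dedicated address because the partner only admits that one
access-list PARTNER extended permit ip 192.168.100.0 255.255.255.0 172.16.50.0 255.255.255.0
nat (inside) 2 access-list PARTNER
global (outside) 2 209.165.201.20 netmask 255.255.255.224
!
! 4. Regular dynamic NAT/PAT (checked last): everything else is PATed to the interface address
nat (inside) 1 192.168.100.0 255.255.255.0
global (outside) 1 interface
```

With this configuration a packet from 192.168.100.10 to 172.16.50.5 is translated to 209.165.201.10 by the static, even though the PARTNER access list also matches it, because policy dynamic NAT is only consulted after the statics; the same host talking to 10.20.0.7 keeps its real address because NAT exemption is checked before anything else. show nat lists the rules with their translate and untranslate hit counters and show xlate shows the resulting translations, which is the quickest way to confirm that a flow landed on the rule you expected.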

Dynamic NAT

·Used to translate a range of real (private) addresses to a pool of mapped (public) addresses; the pool may be smaller than the real range, but once it is exhausted new connections fail unless a PAT address is configured under the same NAT ID

·The translation only takes place when the real inside host initiates the connection

·The show xlate command displays the translation table

·For as long as the translation exists (timeout xlate, 3 hours by default), a remote host can initiate a connection to the inside host through its mapped address, if an ACL allows it

Dynamic PAT

·Used to translate a range of private IPs to a single public IP

·PAT lets you conserve addresses, since it shares the same public IP by distinguishing the translations using unique port numbers

·Limitations of PAT (it cannot be used for)

o   Protocols that do not have Layer 4 information to translate such as ESP, GRE version 0

o   Multimedia applications that have a data stream on one port, the control path on another port, and are not open standard

·NAT and PAT can be used together under the same NAT ID (for example when the number of inside hosts exceeds the number of public IPs available): the ASA allocates from the NAT pool first and falls back to the PAT address once the pool is exhausted

·For outside NAT, the outside keyword is required on the nat command (outside NAT means the global statement sits on a higher-security interface than the nat statement, i.e. hosts on the lower-security side are translated as they enter the higher-security network)

·The clear xlate command clears the translation table and is necessary after changing NAT statements, but keep in mind that it also tears down all current connections that use those translations
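An added example, not from the original document, that puts the last three points together: a dynamic NAT pool with PAT fallback under one NAT ID, and an outside NAT rule that needs the outside keyword. All addresses are constructed (inside 192.168.100.0/24, public block 209.165.201.32/27, an external partner range 203.0.113.0/24); the last three lines are exec-mode commands for applying and verifying the change, not configuration.

```cisco
! Dynamic NAT pool for the inside network, with PAT fallback under the same NAT ID.
! The ASA hands out the 11 pool addresses first; once they are all in use, new
! connections are PATed to 209.165.201.61 instead of failing.
nat (inside) 1 192.168.100.0 255.255.255.0
global (outside) 1 209.165.201.50-209.165.201.60 netmask 255.255.255.224
global (outside) 1 209.165.201.61 netmask 255.255.255.224
!
! Outside NAT: hosts on the lower-security outside interface are translated as they
! enter the higher-security inside network (for example because inside hosts only
! route to RFC 1918 space). The global statement is on the higher-security interface,
! so the nat command carries the outside keyword.
nat (outside) 2 203.0.113.0 255.255.255.0 outside
global (inside) 2 192.168.100.200-192.168.100.220 netmask 255.255.255.0
!
! Exec mode: flush the old translations so the new rules take effect (this also drops
! the connections that were using them), then verify.
clear xlate
show nat
show xlate
```

In show xlate output, pool entries appear as one-to-one Global/Local pairs while the fallback entries show up as PAT entries on 209.165.201.61 with a port; seeing PAT entries while the pool still has free addresses means the pool global statement is not being matched.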

Static NAT

·Used to specify a one-to-one translation

·Only dynamic translations can be removed with clear xlate; a static translation persists until the static command itself is removed, and clear local-host is used to drop the connections that use it

·Static commands are also the usual way to allow communication between overlapping networks, e.g.

o   Inside network 192.168.100.0/24, DMZ network 192.168.100.0/24

static (inside,dmz) 10.1.2.0 192.168.100.0 netmask 255.255.255.0

static (dmz,inside) 10.1.3.0 192.168.100.0 netmask 255.255.255.0

Inside hosts reach the DMZ hosts at 10.1.3.x and DMZ hosts reach the inside hosts at 10.1.2.x, so the traffic flows between 10.1.2.0/24 and 10.1.3.0/24 and the overlapping 192.168.100.0/24 never has to be routed across the ASA

Static PAT

·Static PAT, sometimes known as port redirection, statically translates individual ports of one mapped IP address to different real hosts or ports

·Very useful for publishing a service on a well-known port when the server listens on a non-standard one, e.g. a web server listening on port 8081

o   static (inside,outside) tcp 209.165.201.3 80 192.168.100.3 8081
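A static alone does not admit inbound traffic; the interface ACL has to permit it too. The following is an added example (not from the original document) of two published services on one mapped address together with the outside ACL, using the document's 209.165.201.3 and 192.168.100.3 and a constructed second host 192.168.100.4; the access-list name is made up.

```cisco
! Two published services on one mapped address. Port 80 is redirected to a web server
! that listens on 8081; port 443 goes to a different host on its real port.
static (inside,outside) tcp 209.165.201.3 80 192.168.100.3 8081 netmask 255.255.255.255
static (inside,outside) tcp 209.165.201.3 443 192.168.100.4 443 netmask 255.255.255.255
!
! On 8.2 and earlier the outside interface ACL is evaluated against the mapped address
! and port, so the entries reference 209.165.201.3:80 and :443, not 192.168.100.3:8081.
! (8.3 reversed this and matches ACLs on the real address.)
access-list OUTSIDE_IN extended permit tcp any host 209.165.201.3 eq 80
access-list OUTSIDE_IN extended permit tcp any host 209.165.201.3 eq 443
access-group OUTSIDE_IN in interface outside
```

Keep the ACL as narrow as the statics: a permit for host 209.165.201.3 without a port would also expose any future static PAT entry added on that address.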

Some advanced features can be set directly on the NAT statements, for example:

·Policy NAT ignores the inactive and time-range keywords on the ACEs of its access list; every ACE is treated as active

·norandomseq disables TCP initial sequence number randomization. Leave randomization on unless another in-line device already randomizes ISNs or an application needs the original numbers (BGP with MD5 authentication is the classic case), since it protects hosts with predictable ISNs from connection spoofing

·tcp tcp_max_conns and udp udp_max_conns set the maximum number of simultaneous TCP/UDP connections allowed to the local host (the default of 0 doesn't mean 0, it means unlimited ;-)); for TCP an embryonic (half-open) limit can follow the tcp value

·timeout conn and timeout xlate set how long idle connections and translations are kept (defaults 1:00:00 and 3:00:00). The translation timeout should always be higher than the connection timeout, because a translation (layer 3) can be shared by several connections (layer 4) and must outlive them

·Connection limits can be set in the NAT statements, but the Modular Policy Framework (set connection) is recommended since it is more versatile
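An added example, not from the original document, contrasting the limits set on a static with the equivalent Modular Policy Framework configuration. The web server 192.168.100.10/209.165.201.10, the ACL, class-map and policy-map names are constructed; that the class-map ACL references the mapped address is an assumption carried over from how the 8.2 interface ACLs behave, so verify it with show service-policy on your release.

```cisco
! Limits on the static itself: 1000 TCP connections, 100 embryonic (half-open),
! 500 UDP, ISN randomization off (only because something else in the path already
! randomizes, or an application needs the original sequence numbers)
static (inside,outside) 209.165.201.10 192.168.100.10 netmask 255.255.255.255 tcp 1000 100 udp 500 norandomseq
!
! The same limits with MPF, which can also cap connections per client and apply a
! per-class idle timeout. Assumption: the class ACL uses the mapped address, like the
! interface ACL on 8.2.
access-list WEB_SERVER extended permit tcp any host 209.165.201.10 eq 80
class-map WEB_SERVER_CLASS
 match access-list WEB_SERVER
policy-map OUTSIDE_POLICY
 class WEB_SERVER_CLASS
  set connection conn-max 1000 embryonic-conn-max 100 per-client-max 50
  set connection timeout tcp 0:30:00
  set connection random-sequence-number disable
service-policy OUTSIDE_POLICY interface outside
!
! Global idle timeouts: the translation (layer 3) must outlive the connections
! (layer 4) that share it, so xlate stays longer than conn
timeout conn 1:00:00
timeout xlate 3:00:00
```

The per-client-max limit is what the static cannot express: with it a single source exhausting 50 connections no longer consumes the whole conn-max budget for everyone else, which is the usual reason to prefer MPF for servers exposed through a static.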

Best Regards,
Federico.
