cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
813
Views
7
Helpful
10
Replies

ASA5505 / Different types of NAT

godinerik
Level 1
Level 1

Hi,

My config looks as follow:

fw-ASA5505(config)# show run nat

nat (inside) 1 0.0.0.0 0.0.0.0

fw-ASA5505(config)# show run global

global (outside) 1 interface

fw-ASA5505(config)# show run static

static (inside,outside) 74.213.AAA.AAA 192.168.100.2 netmask 255.255.255.255

static (inside,outside) 74.213.BBB.BBB 192.168.100.3 netmask 255.255.255.255

static (inside,outside) 74.213.CCC.CCC 192.168.100.4 netmask 255.255.255.255

fw-ASA5505(config)#

The thing I'm curious about, when I look at the help info for the GLOBAL command, I see the following:

================================

# global (outside) 1 ?

configure mode commands/options:

WORD Enter IP address or a range of IP addresses <start_ip>[-<end_ip>]

interface Specifies PAT using the IP address at the interface

======================================

The help options seem to imply that by using the word "interface", I'm using PAT. But reading the definition for PAT, it's obvious then I'm not, especially because of the following statement:

"Users on the destination network cannot reliably initiate a connection to a host that

uses PAT (even if the connection is allowed by an access list). Not only can you not predict the real or

mapped port number of the host, but the security appliance does not create a translation at all unless the

translated host is the initiator"

So, my server is accessible from the outside interface. All of the above makes me think that the configuration I'm using is considered to be a a STATIC PAT config. So reading the definition of STATIC PAT:

"Static PAT is the same as static NAT, except that it lets you specify the protocol (TCP or UDP) and port

for the real and mapped addresses."

Nop, I'm not specifying protocol or port in my static statements. The last one left would be STATIC NAT (When I started using this configuration, this is what I was told, that it's a static NAT config) But then if this is the case, why the keyword "interface" in my global statement? Also, instead of having my current global statement, I tried replacing it with the following:

global (outside) 1 74.213.AAA.AAA-74.213.CCC.CCC

thinking that the IP range should work just as well, however the result of this was that I could only ping 74.213.AAA.AAA and I couldn't reach .BBB.BBB and .CCC.CCC

So, my conclusion is that an IP range is only to be used *if* I'm trying to do dynamic PAT/NAT, and even though the keyword interface is used, it still remains a static NAT up to the point where I specify ports/protos.

I'm hoping that someone can confirm these thoughts of mine, as this has been confusing for some time now. I've been able to put up a basic configuration and make a server accessible for some time (who isn't capable of repeating the same configuration, with only minor variances like different ports being opened) but now it's time that I start looking at and playing with more complicated configs :)

Thanks!

Erik

1 Accepted Solution

Accepted Solutions

Erik

"static (inside,outside) interface 212.12.12.1 80 192.168.1.10 80"

presumably you mean

static (inside,outside) interface 80 192.168.1.10 80

ie. you don't need to use interface and the IP address 212.12.12.1 at the same time.

Assuming that 212.12.12.1 is the outside interface address of your firewall they are really equivalent commands altho if it is the outside interface address you want to use then the "interface" keyword is the correct syntax.

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

the above is dynamic PAT not static PAT. It basically says hide all the inside addresses (0.0.0.0 0.0.0.0) behind the interface address on the outsude. So any traffic coming from inside to the outside will have it's source IP address translated to the outside interface address.

Dynamic PAT is fine for hosts connecting from the inside to the outside. However it is of no use at all if you want outside hosts to be able to connect to the inside hosts for reasons covered in previous thread.

So lets say that you have 250 inside hosts. You want to allow them access to the Internet. The above dynamic PAT would take of that. However you also have a server inside that you want to allow people from the outside to connect to. For this you would need to setup a static NAT translation - again see previous thread for explanation, so

static (inside,outside) 212.12.12.1 192.168.100.2 255.255.255.255

is a static NAT translation.

The "interface" keyword when used with global is for dynamic NAT/PAT.

The "interface" keyword when used with static is for static NAT/PAT.

If you were allowing http access to an inside address with the statement

static (inside,outside) interface 80 192.168.1.10 80

and you removed that statement and then cleared the translation from the xlate table, if someone on the outside tried to connect this machine the

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

configuration lines would not allow the access. Because the above lines only create translations in the xlate table when the connection is initiated from the inside.

Again if you need further clarification please come back.

Jon

View solution in original post

10 Replies 10

Jon Marshall
Hall of Fame
Hall of Fame

Erik

The nat & global statements are used for dynamic NAT. These translations are not bi-directional in nature. So

nat (inside) 1 192.168.1.10 255.255.255.255

global (outside) 1 212.12.12.1

You will not be able to connect to 212.12.12.1 from the outside and be directed to 192.168.1.10 if a translation has not already been made ie. the inside host 192.168.1.10 will have had to make a connection to the outside world and created a translation that is still active in the xlate table.

static (inside,outside) 212.12.12.1 192.168.1.10 netmask 255.255.255.255

this is not dynamic NAT. It sets up a permanent translation in the xlate table. So a connection to 212.12.12.1 can be made from the outside with the inside host of 192.168.1.10 ever having made a connection outbound.

Note, i'm saying a connection will be allowed but obviously it's dependant on access-lists as well.

As for the interface keyword

static (inside,outside) interface 212.12.12.1 80 192.168.1.10 80

this is a static port translation and a connection will be permitted from the outside without a connection having been initiated from the inside.

nat (inside) 1 192.168.1.10

global (outside) 1 interface

this is dynamic NAT/PAT with the same proviso's as above.

Hope this has helped - let me know if i haven't answered your question.

Jon

static (inside,outside) 212.12.12.1 192.168.1.10 netmask 255.255.255.255

With this, you allow both inbound and outbound

connection. In other words, traffics can be

inititated on either side.

Hi John,

Thanks for your answer. It's very detailed and definitely helps me understand this better. I do have two follow-up questions:

=======================================

static (inside,outside) interface 212.12.12.1 80 192.168.1.10 80

and

static (inside,outside) 212.12.12.1 80 192.168.1.10 80)

==========================================

How would those two commands differ in results?

in regards to static PAT, one of the configs we deploy the firewalls with is:

NAT (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

But then we have static statements for each mapped IP address, i.e.:

static (inside,outside) 212.12.12.1 192.168.100.2 255.255.255.255

I suspect this isn't considered dynamic NAT/PAT anymore, in which category would this fall? The references I see about using the "interface" keyword on a global command seems to imply that the outgoing connection will use the outside interface's IP (i.e.: the firewall's IP). Would this be case if I were to remove my static statements?

Thanks again.

Erik

Erik

"static (inside,outside) interface 212.12.12.1 80 192.168.1.10 80"

presumably you mean

static (inside,outside) interface 80 192.168.1.10 80

ie. you don't need to use interface and the IP address 212.12.12.1 at the same time.

Assuming that 212.12.12.1 is the outside interface address of your firewall they are really equivalent commands altho if it is the outside interface address you want to use then the "interface" keyword is the correct syntax.

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

the above is dynamic PAT not static PAT. It basically says hide all the inside addresses (0.0.0.0 0.0.0.0) behind the interface address on the outsude. So any traffic coming from inside to the outside will have it's source IP address translated to the outside interface address.

Dynamic PAT is fine for hosts connecting from the inside to the outside. However it is of no use at all if you want outside hosts to be able to connect to the inside hosts for reasons covered in previous thread.

So lets say that you have 250 inside hosts. You want to allow them access to the Internet. The above dynamic PAT would take of that. However you also have a server inside that you want to allow people from the outside to connect to. For this you would need to setup a static NAT translation - again see previous thread for explanation, so

static (inside,outside) 212.12.12.1 192.168.100.2 255.255.255.255

is a static NAT translation.

The "interface" keyword when used with global is for dynamic NAT/PAT.

The "interface" keyword when used with static is for static NAT/PAT.

If you were allowing http access to an inside address with the statement

static (inside,outside) interface 80 192.168.1.10 80

and you removed that statement and then cleared the translation from the xlate table, if someone on the outside tried to connect this machine the

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

configuration lines would not allow the access. Because the above lines only create translations in the xlate table when the connection is initiated from the inside.

Again if you need further clarification please come back.

Jon

I think (hope) I understand this better now. Based on the information you said (this isn't a production server, it's for training purposes) I took out the NAT/GLOBAL statement. The result is that I'm still able to initiate a connection fgrom outside to inside with only the static statements in place, and since the device is stateful, any outgoing connections which are associated with a previously incoming connection are accepted, however once logged in to the server (linux) I cannot establish an SSH connection to another host outside vlan1 (inside)

On the other hand, removing the static entries I see only allows connections from the inside to the outside (theoretically outside to inside can happen while the xlate table still has an entry but it's not likely)

In conclusion (and this is what makes it seem all more logical) the combination of nat/global with static statements isn't one type of NAT, it's two different types of NATs each serving their own purpose, Dyn PAT for outgoing connections (which, because of the static entries, all inside hosts end up having their own static IP) and static translations for incoming address.

Does that all make sense what I just said? Thanks again for your time.

Erik

"In conclusion (and this is what makes it seem all more logical) the combination of nat/global with static statements isn't one type of NAT, it's two different types of NATs each serving their own purpose"

Exactly - the nat/global is dynamic and for clients to initiate outbound connections.

The static is used for both outbound and inbound connections because it creates a permanent translation in the xlate table.

The only bit i am a little unclear is this statement -

"Dyn PAT for outgoing connections (which, because of the static entries, all inside hosts end up having their own static IP) and static translations for incoming address."

not sure what you mean "because of the static entries, all inside hosts end up having their own static IP" unless you mean that in addition to nat/global you also have a static (inside,outside) for every single host on the inside of your firewall ?

If you did have these static statements they would take precedence over the nat/global statement.

But i'm pretty sure you have the concept now. And as it is a lab setup always remember to run "clear xlate" when playing around with NAT just to make sure you get the expected results.

Hope i've understood, let me know if i haven't and many thanks for the ratings.

Jon

That's exactly right, I do have a static statement for every real address and I've noticed that as you said, it does take precedence over PAT. I was able to confirm this by connection to a server via SSH and simply looking who's connected using netstat, perhaps it's time I do things more properly and start using a traffic capture application such as iptraf and tcpdump.. None the less, your help has been very appreciated, I definitely feel like I understand this better then when I started this thread.

Have a good week!

Erik

So Jon lets say for example I wanted to perform the following redirection is this correct

1)External users direct Telnet requests to PAT address 212.12.12.8,which the PIX redirects to 192.168.100.4

Create Access list

Sec A:access-list 101 permit tcp any host 212.12.12.8 eq telnet

Section B:Static NAT translation.

static (inside,outside) tcp 212.12.12.8 telnet 192.168.100.4 telnet netmask 255.255.255.255 0 0

2.External users direct HTTP request to PIX outside IP address 212.12.12.1, which the PIX redirects to 192.168.100.5

Sec A.access-list 101 permit tcp any host 212.12.12.1 eq www

Sec B. Dynamic PAT translation

static (inside,outside) tcp interface www 192.168.100.5 www netmask 255.255.255.255 0 0

Nat control commands

global (outside) 1 212.12.12.208 /* Dynamic PAT statement matching inside nat 1

nat (inside) 1 0.0.0.0 0.0.0.0 0 0 /* All inside interfaces hidden then translated to global (outside) PAT address 212.12.12.208

and 212.12.12.1 is the outside interface of the PIX.

Steven

1) Correct

2) Pretty much correct in configuration except it isn't dynamic PAT, it is a static PAT translation because it will be permanently in the xlate table. It has to be otherwise an outside connection intiated to 212.12.12.1 on port 80 would not get translated to 192.168.100.5.

Also instead of the following

access-list 101 permit tcp any host 212.12.12.1 eq www

i believe you can use

access-list 101 permit tcp any interface eq www

altho i have always used the IP address.

3) Nat control commands. Yes all addresses that are not already covered by static statements will be translated to 212.12.12.8.

Where you have written "all inside interfaces" i take to mean all inside client IP addresses.

Jon

Thanks Jon,

I learn quite a bit from experts like yourself, in this crazy world of networking. I really appreciate all your posts, and like I said it is very helpful, simply by going to Netpro, it allows me to learn and pick up on areas that I need to know. You guys rock, keep it up.

Take care and have a great New Year

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: