Tuesday, March 28, 2017

PAT (port address translation) on Cisco ASA - nat | global commands


For an ASA to perform translations, 4 pieces of information are required (if any of the following 4 parameters is missing, the ASA will not perform address translation):
  • original source IP address (and port) in the packet
  • interface where the original packet enters the ASA (ingress interface)
  • interface where the packet will exit the ASA (egress interface)
  • translated address (and, optionally, port) to insert into the packet
When performing NAT, you have the choice of:
  • dynamic NAT (use for client systems when you have a large enough pool of available global IP addresses to assign one to each client)
  • dynamic PAT (use for client systems when your global pool contains fewer IP addresses than there are hosts requiring translation, so you must perform assignment in a many-to-one manner)
  • static NAT (use for server systems that require inbound (or bidirectional) connectivity over NAT when you have enough global IP addresses to allow each server its own specific, fixed address)
  • static PAT (use for server systems that require only inbound connectivity over NAT when you do not have enough global IP addresses to allow each server its own specific, fixed address; also use it when a single global IP address is shared by many internal servers, each supporting applications on different listening ports)
  • Policy NAT (use when you need translation to depend on an ACL, i.e. on specific traffic flows)

EXAMPLE 1 ON DYNAMIC PAT FROM CISCOPRESS

(config)#nat (inside) 5 10.0.0.0 255.255.255.0 tcp 0 0 udp 0
(config)#nat (DMZ) 5 172.16.0.0 255.255.255.0 tcp 0 0 udp 0
(config)#global (DMZ) 5 172.16.0.254 netmask 255.255.255.255
(config)#global (outside) 5 interface

This example has:
  • 2 "nat" commands
  • 2 "global" commands
  • The 4 lines are bound together by NAT ID 5

The "nat" command specifies the original IP address range and the ingress interface. In other words, the "nat" command answers the question: which traffic should make the ASA start the translation process? In this example the answer is: traffic from subnet 10.0.0.0/24 entering the ASA through the "inside" interface and going to the DMZ zone OR to the external networks, AND traffic from subnet 172.16.0.0/24 entering the ASA through the "DMZ" interface and going to the external networks. On the outside interface, the translated IP address is the address of the outside interface itself (used to reach the external networks). On the DMZ interface, the translated IP address is 172.16.0.254 (used to reach the DMZ zone).

The "global" command specifies the translated (mapped) IP address: here, traffic going to the DMZ uses 172.16.0.254 as its translated IP address, AND traffic going to the external networks uses the address of the outside interface as its translated IP address.

"5" is the NAT ID; it binds those 4 command lines together. The ASA pairs a "nat" command with every "global" command carrying the same NAT ID, and the egress interface decides which "global" applies.

"tcp 0 0 udp 0" sets the connection limits. In "tcp 0 0", the first 0 is the maximum number of TCP connections (0 means unlimited TCP connections); the second 0 is the maximum number of embryonic TCP connections (connections still in the process of being established), and again 0 means unlimited. "udp 0" is the maximum number of UDP connections, and 0 means unlimited UDP connections. Specifying "tcp 0 0 udp 0" is optional when configuring.

EXAMPLE 2 ON DYNAMIC NAT AND PAT TAKEN FROM CISCO WEBSITE

(config)#nat (inside) 1 10.1.2.0 255.255.255.0
(config)#nat (dmz) 1 10.1.1.0 255.255.255.0
(config)#global (outside) 1 209.165.201.3-209.165.201.10
(config)#global (dmz) 1 10.1.1.23

This example has:
  • 2 "nat" commands
  • 2 "global" commands
  • The 4 lines are bound together by NAT ID 1

In this example, translation is possible when traffic comes from the inside interface (subnet 10.1.2.0) to the external networks OR to the dmz zone, AND from the dmz interface (subnet 10.1.1.0) to the external networks. On the outside interface, we have a pool of translated IP addresses (209.165.201.3-209.165.201.4). On the dmz interface, the translated IP address is 10.1.1.23.
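The following Python script is an added example, not part of the original post and not Cisco code. It models the decision described in both examples above: the "nat" command matches the original source address on the ingress interface, the NAT ID binds it to the "global" commands, and the egress interface selects which "global" supplies the mapped address (or pool). It embeds the two configurations shown in the post, answers "would this flow be translated, and to what?" for a source address plus ingress and egress interface, and also reads the optional "tcp <max> <embryonic> udp <max>" limits. The interface addresses in IFACE_ADDRS are constructed placeholders (the post gives none), and the model is deliberately simplified: it ignores NAT exemption, identity NAT (ID 0), policy NAT and the ASA's rule-ordering details.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    """One pre-8.3 'nat (ingress) id network mask [tcp max emb] [udp max]' line."""
    ingress: str
    nat_id: int
    network: ipaddress.IPv4Network
    tcp_max: int = 0        # 0 = unlimited TCP connections
    tcp_embryonic: int = 0  # 0 = unlimited half-open TCP connections
    udp_max: int = 0        # 0 = unlimited UDP connections


@dataclass
class GlobalRule:
    """One 'global (egress) id <address | first-last | interface>' line."""
    egress: str
    nat_id: int
    mapped: str

    def kind(self) -> str:
        # A range of addresses is a dynamic NAT pool; a single address or the
        # egress interface address means many-to-one, i.e. dynamic PAT.
        return "dynamic NAT" if "-" in self.mapped else "PAT"


def parse_config(text: str):
    """Parse the nat/global lines of a config excerpt (the '(config)#' prompt is optional)."""
    nats, globs = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("(config)#"):
            line = line[len("(config)#"):]
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "nat":
            rule = NatRule(tok[1].strip("()"), int(tok[2]),
                           ipaddress.IPv4Network(f"{tok[3]}/{tok[4]}"))
            i = 5
            while i < len(tok):  # optional connection limits after the mask
                if tok[i] == "tcp":
                    rule.tcp_max, rule.tcp_embryonic = int(tok[i + 1]), int(tok[i + 2])
                    i += 3
                elif tok[i] == "udp":
                    rule.udp_max = int(tok[i + 1])
                    i += 2
                else:
                    i += 1
            nats.append(rule)
        elif tok[0] == "global":
            # tok[3] is the mapped address, a first-last range, or the keyword "interface"
            globs.append(GlobalRule(tok[1].strip("()"), int(tok[2]), tok[3]))
    return nats, globs


def translate(nats, globs, src_ip, ingress, egress, iface_addrs):
    """Return the mapped address or pool for a flow, or None if the ASA would not translate.

    All four pieces of information must line up: the source address must fall in a
    'nat' network on the ingress interface, and a 'global' with the same NAT ID must
    exist on the egress interface. Anything else leaves the packet untranslated.
    """
    src = ipaddress.IPv4Address(src_ip)
    for n in nats:
        if n.ingress != ingress or src not in n.network:
            continue
        for g in globs:
            if g.nat_id == n.nat_id and g.egress == egress:
                return iface_addrs[egress] if g.mapped == "interface" else g.mapped
    return None


# The two configurations shown in the post.
EXAMPLE1 = """
(config)#nat (inside) 5 10.0.0.0 255.255.255.0 tcp 0 0 udp 0
(config)#nat (DMZ) 5 172.16.0.0 255.255.255.0 tcp 0 0 udp 0
(config)#global (DMZ) 5 172.16.0.254 netmask 255.255.255.255
(config)#global (outside) 5 interface
"""
EXAMPLE2 = """
(config)#nat (inside) 1 10.1.2.0 255.255.255.0
(config)#nat (dmz) 1 10.1.1.0 255.255.255.0
(config)#global (outside) 1 209.165.201.3-209.165.201.10
(config)#global (dmz) 1 10.1.1.23
"""
# Constructed placeholder interface addresses (the post does not give any).
IFACE_ADDRS = {"outside": "198.51.100.1", "DMZ": "172.16.0.1",
               "dmz": "10.1.1.1", "inside": "10.0.0.1"}

if __name__ == "__main__":
    nats, globs = parse_config(EXAMPLE1)
    for src, ing, eg in [("10.0.0.5", "inside", "DMZ"), ("10.0.0.5", "inside", "outside"),
                         ("172.16.0.9", "DMZ", "outside"), ("172.16.0.9", "DMZ", "inside")]:
        print(f"{src} {ing}->{eg}: {translate(nats, globs, src, ing, eg, IFACE_ADDRS)}")
```

The last query in the usage loop (DMZ to inside) returns None: the "nat (DMZ) 5" line matches the source, but no "global" with ID 5 exists on the inside interface, so one of the four required pieces is missing and the ASA leaves the packet alone. That is the same reason a misplaced or mistyped NAT ID silently breaks translation on these older configurations.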
In our next post, we will give some examples of "static NAT on Cisco ASA".

------------------------------------------------------------------------------------------------------
I will be honored to read your comment about this post. Please feel free to leave one ☺ And if you have a Cisco IOS, Firewall ASA or Microsoft server infrastructure topic you would like me to add to this blog, I will be more than happy to know which one ☺
-------------------------------------------------------------------------------------------------------
