Cisco ASA Dynamic NAT Configuration


Hi dear friend. I configured site-to-site between ASAs. I have 2 NATs: the first for users which can use the Internet connection, the second for the site-to-site VPN. But if I write first the NAT for Internet (nat (inside,outside) source dynamic any interface) and after it nat (inside,outside) source static lan lan destination static remote remote, then the VPN cannot come up. I must first write the NAT for the VPN and after it the NAT for Internet. Why is it like this?

Hello Cemil

I’m not sure I completely understand your question. Can you be more specific in what you have attempted to do? Are you saying that the order in which you implemented the commands made a difference in the end result of connectivity? Please give us an example so that we can examine it more clearly.

Thanks so much!

Laz

Please explain this to me.

ASA1(config)# object network PUBLIC_POOL 
ASA1(config-network-object)# range 192.168.2.100 192.168.2.200

After this configuration, I must configure a network object for the hosts that we want to be translated. Okay!

ASA1(config)# object network INTERNAL
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic PUBLIC_POOL

ASA1(config)# object network INTERNAL
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic PUBLIC_POOL interface

What is different in this configuration?

And what does it mean? Please explain.
Why did we add “interface” to the line?

Hello Teymur

This command:

nat (INSIDE,OUTSIDE) dynamic PUBLIC_POOL interface

…is an additional command that allows NAT to use the IP address assigned to the outside interface for translation if the PUBLIC_POOL range of addresses is exhausted. The interface keyword simply tells the device to use the IP address of the outside interface for translation. It doesn’t remove the other NAT commands but is added to it.

For example, let’s say that 100 hosts on the inside are communicating, and each one has been translated to one of the addresses in PUBLIC_POOL. There are no more free IP addresses in the pool. The 101st host then tries to communicate. If this command is present, it can use 192.168.2.254 as the translated address.

I hope this has been helpful!

Laz
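The pool-then-interface behaviour Laz describes, as an added example (not code from the thread or from Cisco): a small Python model of dynamic NAT from PUBLIC_POOL (192.168.2.100 to .200, as in the thread) that falls back to PAT on the outside interface once the pool is exhausted. The interface address 192.168.2.254 and the PAT port range are assumptions made for the demo.

```python
"""Added example (not from the thread or from Cisco): a model of ASA dynamic
NAT from a pool with the 'interface' fallback described above.  Each inside
host gets a free PUBLIC_POOL address (192.168.2.100-.200 as in the thread, 101
addresses) one-to-one with its port preserved; once the pool is exhausted the
outside interface address is used with PAT.  The interface address
192.168.2.254 and the PAT port range are assumptions for this demo."""
from ipaddress import IPv4Address

POOL = [IPv4Address("192.168.2.100") + i for i in range(101)]  # .100 to .200
INTERFACE_IP = "192.168.2.254"        # assumed outside interface address
PAT_PORTS = range(1024, 65536)        # assumed port range used for PAT


class DynamicNat:
    def __init__(self, pool, interface_ip=None):
        self.free = list(pool)        # pool addresses not yet handed out
        self.interface_ip = None if interface_ip is None else IPv4Address(interface_ip)
        self.one_to_one = {}          # real ip -> mapped pool ip (port preserved)
        self.pat = {}                 # (real ip, real port) -> (interface ip, port)
        self.ports = iter(PAT_PORTS)

    def translate(self, real_ip, real_port):
        """Return (mapped_ip, mapped_port); raise if the packet would be dropped."""
        real_ip = IPv4Address(real_ip)
        if real_ip in self.one_to_one:             # existing xlate for this host
            return self.one_to_one[real_ip], real_port
        if self.free:                              # a pool address is still free
            mapped = self.free.pop(0)
            self.one_to_one[real_ip] = mapped
            return mapped, real_port
        if self.interface_ip is None:              # no 'interface' keyword: drop
            raise RuntimeError("pool exhausted and no interface fallback")
        key = (real_ip, real_port)                 # fallback: PAT on the interface
        if key not in self.pat:
            self.pat[key] = (self.interface_ip, next(self.ports))
        return self.pat[key]


def simulate(host_count, with_interface):
    """Translate one flow per inside host; return mapped IPs (None = dropped)."""
    nat = DynamicNat(POOL, INTERFACE_IP if with_interface else None)
    mapped = []
    for i in range(host_count):
        host = "192.168.1.%d" % (10 + i)           # constructed inside hosts
        try:
            mapped.append(str(nat.translate(host, 40000)[0]))
        except RuntimeError:
            mapped.append(None)
    return mapped
```

With 103 hosts the first 101 consume the pool; the remaining two share the interface address only when the fallback is configured, and are dropped otherwise.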

Hi, is 192.168.2.0/24 not a private network? How can we use a private network for address translation?

Thanks,
Nihar

Hello Nihar

It is true that NAT is primarily used to translate private IP addresses to public addresses. However, NAT does not actually distinguish between public and private IP addresses. You can translate between whatever addresses you like, and it will work just fine.

You can even have inside addresses be in the range of 5.5.5.0/24 for example, and your outside addresses be 192.168.55.0/24. NAT as a feature will still work, and does not restrict you to a specific range of addresses.

However, in your configurations, you must conform to the appropriate address spaces that are given to you, so if you are indeed given public outside addresses, and private inside addresses, you must use them appropriately.

I hope this has been helpful!

Laz

Hi Rene,

Wondering how the NAT is done on a 5508-X if the interface connects to a cable modem and gets an IP address from the DHCP server?
Also I am using two sub-interfaces, gig 1/7.10 and gig 1/7.30, to pass two VLANs:

interface GigabitEthernet1/1
 description To_cable_modem
 nameif OUTSIDE
 security-level 0
 ip address dhcp
!
interface GigabitEthernet1/7
 description To_3750_Crama
 duplex full
 nameif INSIDE
 security-level 100
 no ip address
!
interface GigabitEthernet1/7.10
 description xxx
 vlan 10
 nameif wireless_&_printers
 security-level 100
 ip address 192.168.0.13 255.255.255.0
!
interface GigabitEthernet1/7.30
 description xxx
 vlan 30
 nameif surveilance_cam
 security-level 100
 ip address 10.10.10.34 255.255.255.224
!
interface GigabitEthernet1/7.99
 description xxx
 vlan 99
 nameif native_vlan
 security-level 100
 ip address x.x.x.x /xx

The native VLAN subnet is only there to pass the native VLAN between the switch and the firewall.

Hello Dan

When you have multiple inside subnets that you would like to NAT to an outside interface, you can use object groups to perform NATting. You can do this regardless of whether those inside subnets are connected to physical interfaces or subinterfaces.

An example of such a configuration is the following, assuming your outside IP address is 50.50.50.10:

object-group network all_subnets
network-object 192.168.0.0 255.255.255.0
network-object 10.10.10.32 255.255.255.224

object network PAT_ip
host 50.50.50.10

nat (inside,outside) source dynamic all_subnets PAT_ip

Now in the same scenario, if you are using DHCP for your outside interface, you can replace the destination object of the NAT command from PAT_ip to the keyword interface like so:

nat (inside,outside) source dynamic all_subnets interface

This will cause the ASA to use the IP address assigned to the outside interface as the IP address for translation.

Take a look at this NetworkLessons Note on ASA NAT with multiple inside subnets for more info.

I hope this has been helpful!

Laz

Lazaros

I have a query on the FireMon tool Traffic Flow Analysis. It mentions the following statement:

“FireMon’s Traffic Flow Analysis or “TFA” does the same thing to monitor traffic through a firewall rule, and instead of allowing all traffic to traverse in all directions, it monitors the empirical behaviors on the network and lets administrators know which rules they can create to allow only the necessary access.”

I know the Cisco packet processing algorithm. How are the following rules 11 and 12 affected by the above statement, aka network behaviour?

  1. Here are the individual steps in detail:

  2. The packet is reached at the ingress interface.

  3. Once the packet reaches the internal buffer of the interface, the input counter of the interface is incremented by one.

  4. Cisco ASA first looks at its internal connection table details in order to verify if this is a current connection. If the packet flow matches a current connection, then the Access Control List (ACL) check is bypassed and the packet is moved forward.

  5. If packet flow does not match a current connection, then the TCP state is verified. If it is a SYN packet or UDP (User Datagram Protocol) packet, then the connection counter is incremented by one and the packet is sent for an ACL check. If it is not a SYN packet, the packet is dropped and the event is logged.

  6. The packet is processed as per the interface ACLs. It is verified in sequential order of the ACL entries and if it matches any of the ACL entries, it moves forward. Otherwise, the packet is dropped and the information is logged. The ACL hit count is incremented by one when the packet matches the ACL entry.

  7. The packet is verified for the translation rules. If a packet passes through this check, then a connection entry is created for this flow and the packet moves forward. Otherwise, the packet is dropped and the information is logged.

  8. The packet is subjected to an Inspection Check. This inspection verifies whether or not this specific packet flow is in compliance with the protocol. Cisco ASA has a built-in inspection engine that inspects each connection as per its pre-defined set of application-level functionality. If it passed the inspection, it is moved forward. Otherwise, the packet is dropped and the information is logged.

  9. Additional security checks will be implemented if a Content Security (CSC) module is involved.

  10. The IP header information is translated as per the Network Address Translation/ Port Address Translation (NAT/PAT) rule and checksums are updated accordingly. The packet is forwarded to Advanced Inspection and Prevention Security Services Module (AIP-SSM) for IPS related security checks when the AIP module is involved.

  11. The packet is forwarded to the egress interface based on the translation rules. If no egress interface is specified in the translation rule, then the destination interface is decided based on the global route lookup.

  12. On the egress interface, the interface route lookup is performed. Remember, the egress interface is determined by the translation rule that takes the priority.

  13. Once a Layer 3 route has been found and the next hop identified, Layer 2 resolution is performed. The Layer 2 rewrite of the MAC header happens at this stage.

  14. The packet is transmitted on the wire, and interface counters increment on the egress interface.

Hello Surendra

As with many marketing documents, this text is using general language to describe the operation of their product. By no means should this statement be taken as an exact description of their “TFA” algorithm. The statement

“it monitors the empirical behaviors on the network and lets administrators know which rules they can create to allow only the necessary access”

is imprecise and does not give us enough information to know what is actually being applied to traffic.

Cisco’s packet processing algorithm for the ASA that you have posted here, however, is very precise. So it is difficult to compare the process of one product with another with such a generalized description.

If you want to compare them, you will have to find technical documentation for the product that describes the process precisely.

Having said that, the description does tell us that the product possesses some level of intelligence that allows it to analyze traffic and make determinations based on traffic type and traffic volume. What those determinations are and how they are reached are unknown at this point.

I hope this has been helpful!

Laz

Hello Surendra

Based on the text of the explanation, I would assume that the TFA tool performs some sort of intelligent filtering based on application, on already established flows, and on policies and rules set by the administrator. The tool seems to be able to automate, to a certain extent, the security policies applied, based on the traffic used, as well as based on some predefined best-practice and most common profiles.

It sounds like a next-generation firewall (NGFW) with a level of intelligence similar to Cisco’s Identity Services Engine (ISE).

I hope this has been helpful!

Laz

ASA 5505 version 8.2(5)
ASDM version 6.4(5)
Under Configuration >> Firewall >>NAT Rules

When do you need to check “Enable traffic through the firewall without address translation” ?
Are there any disadvantages to having this enabled?
Seems to be a default setting.

Thanks

Hello Donald

This command within ASDM is the same as the nat-control command in the CLI.

When enabled, this feature requires that packets traversing from an INSIDE interface to an OUTSIDE interface match a NAT rule. If no NAT rule is matched, the packet is dropped.

If it is disabled, then this matching is not a requirement, and the packet can be forwarded and routed without a NAT translation (assuming it passes any other checks that have been implemented on the ASA).

For more info, take a look at the following link:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/cfgnat.html#wp1065218

Now whether you enable this or disable this depends upon what you want to achieve. If you require that all traffic initiated from INSIDE be translated (which is often the case at the edge of a network where ASA devices are often placed), then you should enable this. When enabled, hosts on the INSIDE network that must access hosts on the OUTSIDE network must match a NAT translation rule for such communication to be successful. Thus you must ensure that your NAT translation rules are appropriate to ensure such communication.

I hope this has been helpful!

Laz

Hello,
all of these examples are with Auto NAT.
What about Manual NAT? Isn't Manual NAT preferred over Auto NAT?

Is there any advantage of using Auto NAT? Maybe about resources?
If not, I could use Manual NAT for everything, right?

Thanks!!
Regards

Hello Alexis

Here are some of the characteristics of Auto NAT:

  • Auto NAT is always configured within an object definition.
  • Auto NAT is used whenever a NAT decision must be made based only on the source address
  • Static and Dynamic NAT, and Static and Dynamic PAT can be configured with Auto NAT

The syntax for Auto NAT is as follows:

nat (<REAL-INTERFACE>,<MAPPED-INTERFACE>) <static|dynamic> <MAPPED-IP>

Notice that none of the elements of the syntax include a real IP address. The real IP address is inherited from the object’s definition.

Now let’s take a look at Manual NAT and see the differences:

  • Auto NAT can only make a NAT decision based upon the Source of traffic.

  • Auto NAT can only translate the Source of traffic.

  • Manual NAT can make a NAT decision based upon the Source, or upon both the Source and Destination.

  • Manual NAT can translate the Source, the Destination, or even both the Source and Destination at the same time.

Manual NAT can do everything that Auto NAT can do, plus Policy NAT and Twice NAT, which both require the destination address to be involved in the process.

What is the best practice? Use Auto NAT whenever possible, because it is much simpler to configure. Also, Auto NAT places NAT statements automatically into a sensible order, while Manual NAT statement order must be manually considered.

The syntax of Manual NAT requires using an object for every reference to IP addresses and ports. Here is an example of Manual NAT configuration where only the source address is considered:

nat (<REAL-INTF>,<MAPPED-INTF>) source <static|dynamic> <REAL-SRC> <MAPPED-SRC>

Notice that it is similar to Auto NAT except for the fact that Manual NAT is not configured within an object. It is configured directly in global configuration mode.

Here is an example of Manual NAT syntax where both source and destination are considered:

nat (<REAL-INTF>,<MAPPED-INTF>) source <static|dynamic> <REAL-SRC> <MAPPED-SRC> destination static <REAL-DST> <MAPPED-DST>

I hope this has been helpful!

Laz
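Laz's point that Manual NAT order must be considered by hand, while Auto NAT is sorted by the ASA, is what Cemil ran into at the top of this thread. As an added example (not code from the thread or from Cisco), the Python model below evaluates Section 1 (Manual NAT) first-match in configured order and sorts Section 2 (Auto NAT) the way the ASA does (static before dynamic, then fewest real addresses, lowest address, object name); the LAN/REMOTE subnets and object addresses are constructed for the demo.

```python
"""Added example (not code from the thread or from Cisco): a model of the ASA
NAT table order behind Laz's best-practice note, applied to the two Manual
NAT rules in Cemil's post.  Section 1 (Manual NAT) is matched first in
configured order; Section 2 (Auto NAT) is sorted by the ASA itself."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

@dataclass
class Rule:
    name: str
    real_src: IPv4Network
    kind: str                               # "static" or "dynamic"
    mapped_src: str                         # mapped object name or "interface"
    real_dst: Optional[IPv4Network] = None  # only Manual NAT can match on it
    manual: bool = False                    # Section 1 (True) or Section 2 (False)
    seq: int = 0                            # configured order, Manual NAT only

    def matches(self, src, dst):
        return src in self.real_src and (self.real_dst is None or dst in self.real_dst)

def order_rules(rules):
    """Section 1 keeps configured order; Section 2 is sorted automatically."""
    manual = sorted((r for r in rules if r.manual), key=lambda r: r.seq)
    auto = sorted((r for r in rules if not r.manual),
                  key=lambda r: (r.kind != "static", r.real_src.num_addresses,
                                 int(r.real_src.network_address), r.name))
    return manual + auto

def lookup(rules, src, dst):
    """Name of the first rule that matches the flow, or None (no translation)."""
    src, dst = IPv4Address(src), IPv4Address(dst)
    for r in order_rules(rules):
        if r.matches(src, dst):
            return r.name
    return None

ANY = IPv4Network("0.0.0.0/0")
LAN = IPv4Network("192.168.1.0/24")      # constructed 'lan' object
REMOTE = IPv4Network("10.20.0.0/24")     # constructed 'remote' object

def cemil_rules(internet_first):
    """Cemil's two Manual NAT lines; seq records which one was entered first."""
    a, b = (1, 2) if internet_first else (2, 1)
    internet = Rule("internet-pat", ANY, "dynamic", "interface", manual=True, seq=a)
    vpn = Rule("vpn-identity", LAN, "static", "lan", REMOTE, manual=True, seq=b)
    return [internet, vpn]

def vpn_flow_rule(internet_first):
    # which rule a LAN-to-REMOTE (VPN) flow hits for the given entry order
    return lookup(cemil_rules(internet_first), "192.168.1.10", "10.20.0.5")

def auto_nat_order():
    """Auto NAT objects entered dynamic-first are still sorted static host first."""
    rules = [Rule("INTERNAL", LAN, "dynamic", "PUBLIC_POOL"),
             Rule("WEB_SERVER", IPv4Network("192.168.1.80/32"), "static", "192.168.2.80")]
    return [r.name for r in order_rules(rules)]
```

With the Internet PAT rule entered first, the `any` source swallows the VPN traffic before the identity rule is reached; entering the VPN rule first makes it match first, as Cemil observed.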

Hello all, I have always used the interface option for NAT/PAT and not the NAT_POOL that is suggested in this lesson. I’m wondering what the benefits are of using a pool of addresses for the translated address? I’m assuming a performance hit the way I’m perhaps doing it???

Also I’m thinking that if you have a pool of addresses then this pool of addresses needs to route; does the ASA route this back out to the WAN interface which is on another subnet, of course, assuming I configure something like this:
nat (inside,outside) dynamic PUBLIC_POOL

where normally I just do this:
nat (inside,outside) dynamic interface

Hello Nicholas

The command nat (inside,outside) dynamic interface is employed in order for all NAT translations to use the IP address assigned to the outside interface as the translated address. In the case of a device connected to the Internet, this address would typically be a public IP address. This is convenient because that outside address is reachable from the Internet, and thus no additional routing is necessary to ensure it will be able to communicate with destinations on the Internet. Also, it delivers NAT to all inside hosts using the same outside address.

Alternatively, you can use the command nat (inside,outside) dynamic PUBLIC_POOL where PUBLIC_POOL is an ACL that defines a range of IP addresses to use. In this case, the NAT router will dynamically choose which outside address to use from that particular pool of addresses. The difference here is that those outside addresses are not the same as the address assigned to the outside interface. For this reason, routing must be configured such that the ISP will be able to route traffic destined for those addresses to your outside interface.

Now what are the benefits of each choice? Well, there is no benefit for either solution as far as resource usage goes. The same number of NAT translations will consume memory within the NAT router whether they use the same or different IP addresses.

The only benefit of using the address pool is that you have a theoretically larger number of translations than you can achieve using the interface alone. NAT typically uses transport layer ports ranging from 49125 to 65535 (the dynamic or private port range) for translation, a range of over 16000 ports. Thus, each IP address can theoretically translate up to 16000 internal hosts. By employing more outside IP addresses, you can multiply this limit. In most implementations, memory and CPU resources of the NAT router will be exhausted well before the number of ports will be consumed. Only in situations where we have carrier-grade NAT where thousands of devices use NAT will this actually play a role.

Conversely, using the interface is beneficial due to the fact that you don’t need to worry about routing. So unless you have very specific parameters that you need to fulfill, using the interface will be more than enough to serve even the largest enterprise networks with NAT.

Take a look at this NetworkLessons note on specifying the outside IP address for NAT for more info.

I hope this has been helpful!

Laz

Hello Laz, thank you for such a well considered and detailed response. This is great and answers my question well. It does change my thinking particularly with the config for a 5585-SSP-40! Have a great weekend.
