Jul 21, 2010

Configuring NAT on ASA/PIX

I've designed a network scenario where I could apply every NAT type supported by ASA/PIX. Below is what I got:



The 10.10.0.0/16 address range has been assigned to the inside network (security-level 100) of the Branch Office. An ASA connects the network segments and the access to the Internet is done via outside interface (security-level 0). An MPLS network is used to connect Remote Offices and the 10.200.0.0/16 subnet has been assigned to them. A router running IOS Security controls the traffic coming from the MPLS network. Servers published to the Internet are located in the dmz (security-level 50), connected to a Nexus switch and using addresses within the 10.150.0.0/16 range. There is another network segment named supp (security-level 60) connecting endpoints assigned to the 10.40.0.0/16 subnet. Those ones are used to perform RDP access to customers' environment, so the Company achieved compliance with security standards since all the actions taken through those hosts are monitored, recorded and may be audited. Still talking about the supp network, there is a network segment with servers using the 172.31.0.0/16 range. Finally, there is a dedicated link to a partner's network via extranet interface (security-level 30). That partner uses the 10.10.10.0/24 subnet, generating an overlapping between their network and the Company's inside.

ASA/PIX provides several ways to configure NAT rules and it makes us able to restrict the traffic that should be matched to them. So we can go further than we do and make more than we can do with routers. All the possibilities are listed below by priority:
Some of the listed types permit us to set outside NAT (aka destination nat). This translation type is useful when we want to translate traffic coming from an interface with lower security-level.

All the types are described below and usage examples on the proposed scenario is given. Nat-control is enabled, so all the traffic coming from interfaces with higher security level must match some NAT rule.

All the traffic within the 10.0.0.0/8 range doesn't have to be translated, except when it comes from the supp network. NAT Exemption rules have the highest priority. Thus the following configuration should be implemented:

asa(config)# access-list nat_exemption extended permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
asa(config)# nat (inside) 0 access-list nat_exemption
asa(config)# nat (dmz) 0 access-list nat_exemption


Connections between a DB server located in the supp network, assigned to the address 172.31.0.5, and another server located in the inside should be kept untranslated (Policy Static Identity PAT):

asa(config)# access-list supp_db_srv_nat extended permit tcp 10.10.10.50 eq 1433 host 172.31.0.5 eq 1433
asa(config)# static (inside,supp) tcp 10.10.10.50 1433 access-list supp_db_srv_nat


The server administrators (10.10.1.0/24) perform remote access from inside to supp. This traffic should not be translated and it can be done with a Policy Static Identity NAT:

asa(config)# access-list inside_supp_srv_farm extended permit ip 10.10.1.0 255.255.255.0 172.31.0.0 255.255.0.0
asa(config)# static (inside,supp) 10.10.1.0 access-list inside_supp_srv_farm


Internal users that want to reach some destination at remote offices have their traffic forwarded to the ASA before to be routed to the MPLS network. As I demonstrated previously, NAT Exemption rules don't work for intra-interface traffic. Thus, we need to set a Regular Static Identity NAT:

asa(config)# static (inside,inside) 10.0.0.0 10.0.0.0 netmask 255.0.0.0

This rule matches the whole inside network performing a bidirectional one-to-one mapping, so when 10.10.10.5, for example, sends a message to 10.200.0.5, the source and destination addresses will be kept untranslated. A  Regular Static Identity PAT is not necessary, because that rule matches traffic on any protocol and service.

10.150.0.6 is a DNS server published to the Internet with a Policy Static PAT:

asa(config)# access-list dns_srv_nat extended permit tcp host 10.150.0.5 eq 53 any eq 53
asa(config)# access-list dns_srv_nat extended permit udp host 10.150.0.5 eq 53 any eq 53
asa(config)# static (dmz,outside) tcp 192.168.0.5 53 access-list dns_srv_nat
asa(config)# static (dmz,outside) udp 192.168.0.5 53 access-list dns_srv_nat


The server assigned to the address 10.150.0.8 runs a system to periodically connect to the application development network (172.20.0.0/16). Only those connections are allowed and translated. A Policy Static NAT rule is set to that traffic:

asa(config)# access-list app_srv_nat extended permit ip host 10.150.0.8 172.20.0.0 255.255.0.0
asa(config)# static (dmz,outside) 192.168.0.8 access-list app_srv_nat


Port forwarding rules (Regular Static PAT) are set to publish Web services on the server 10.150.0.6. TCP/8080 and 443 are mapped to TCP/80 and 443, respectively. The server 10.150.0.7 runs several services and is published on any protocol/port. (Regular Static NAT):

asa(config)# static (dmz,outside) tcp 192.168.0.6 80 10.150.0.6 8080 netmask 255.255.255.255
asa(config)# static (dmz,outside) tcp 192.168.0.6 443 10.150.0.6 443 netmask 255.255.255.255
asa(config)# static (dmz,outside) 192.168.0.7 10.150.0.7 netmask 255.255.255.255


The overlapping between inside and the partner network is solved using an Outside Regular Static NAT and a Regular Static NAT:

asa(config)# static (extranet,inside) 172.16.10.0 10.10.10.0 netmask 255.255.255.0 outside
asa(config)# static (inside,extranet) 172.16.10.0 10.10.10.0 netmask 255.255.255.0


Hosts located in the network supp are mapped to 192.168.40.30 while RDPing to customer's devices (Policy Dynamic PAT):

asa(config)# access-list supp_host_rdp extended permit tcp host 10.40.0.10 any eq 3389
asa(config)# nat (supp) 3 access-list supp_host_rdp
asa(config)# global (outside) 3 192.168.40.30


DB servers located in the dmz connect to the server 172.31.0.5 using the address 172.31.0.100. This is an Outside Policy Dynamic NAT (aka bidirectional NAT) because the dmz interface has a lower security level than supp:

asa(config)# access-list dmz_supp_db_srv_nat extended permit tcp any eq 1433 172.31.0.5 eq 1433
asa(config)# nat (dmz) 5 access-list dmz_supp_db_srv_nat outside
asa(config)# global (supp) 5 172.31.0.100


All the servers in the 172.31.0.0/16 subnet have HTTPS access to the Internet using unidirectional one-to-one dynamic translation (Policy Dynamic NAT). However, there are only 254 public addresses available:

asa(config)# access-list supp_srv_farm_nat extended permit tcp 172.31.0.0 255.255.0.0 any eq https
asa(config)# nat (supp) 4 access-list supp_srv_farm_nat
asa(config)# global (outside) 4 192.168.31.1-192.168.31.254


A range with 20 addresses has been defined, so that devices of the 10.40.0.0/16 subnet have access to the Internet (Regular Dynamic NAT). Thus, only the 20 first hosts performing outbound connections would be mapped. This is an unidirectional one-to-one mapping:

asa(config)# nat (supp) 2 10.40.0.0 255.255.255.0
asa(config)# global (outside) 2 192.168.40.1-192.168.40.20


All the outbound traffic from inside to the Internet is translated to the outside interface address. This is a  Regular Dynamic PAT, also known as overload (as well as any other type of Dynamic PAT):

asa(config)# nat (inside) 1 0.0.0.0 0.0.0.0
asa(config)# global (outside) 1 interface



There is an interesting example of Policy Static NAT described in the Cisco's article below:

PIX/ASA 7.x and Later: LAN-to-LAN IPsec VPN with Overlapping Networks Configuration Example



asa(config)# end
asa# wr mem

4 comments:

  1. Brilliant, helped me figure out a lot of stuff! There is one mistake however:

    Hosts located in the network supp are mapped to 192.168.40.30 while RDPing to customer's devices (Policy Dynamic PAT):

    asa(config)# access-list supp_host_rdp extended permit tcp host 10.40.0.10 any eq 3389
    asa(config)# nat (supp) 3 access-list supp_host_rdp
    asa(config)# global (outside) 3 192.168.40.30

    I think you meant global (inside) here.

    ReplyDelete
    Replies
    1. Thank you TheGrave! It's good to know this article is helpful!

      In my example, the customers are reachable through the Internet, that's why I used the outside interface. Note that I didn't use Internet routable addresses on the diagram.

      Delete
  2. I like your blog post. Keep on writing this type of great stuff. I'll make sure to follow up on your blog in the future.
    NAT/PAT|
    ISDN Configuration

    ReplyDelete