Network Address Translation
While static address mappings allow permanent outside access
to inside resources like servers, users also require address translation to
venture into less secure networks, such as the outside. To reduce the window of
vulnerability that permanent static mappings introduce, users generally use the
nat/global command combination to create temporary mappings
while they’re in the less-secure area. These mappings are removed after the
session ends.
NAT syntax and operation were covered in Chapter 17. This section
concentrates on those options and implications that might not have been covered
earlier. The nat and global commands are
always used together, the nat command defining the local
host(s) that can be translated to travel to less-secure networks. The global command identifies the pool of “real” global IP addresses
that can provide access to the less-secure network. The nat_id identifies the pool of global addresses that can be
accessed by the nat command. The two basic command syntaxes
are
Pix(config)# global (if_name) nat_id {global_ip [-global_ip] [netmask global_mask] | interface}
Pix(config)# nat (if_name) nat_id local_ip [netmask]
The following example creates a global address pool, nat_id = 1,
that contains all the class C network 215.1.2.0, plus the 31 host addresses
included in 1.1.1.1-1.1.1.30. The nat command allows all hosts
on the 192.168.1.0 inside network to start outbound connections.
Pix(config)# global (outside) 1 215.1.2.0
Pix(config)# global (outside) 1 1.1.1.1-1.1.1.30 netmask 255.255.255.224
Pix(config)# nat (inside) 1 192.168.1.0 255.255.255.0
Remember the following about global/nat address mappings:
- After changing or removing a nat command statement, use the clear xlate command.
- You can define up to 256 global pools of addresses.
- Never use an address in a global address pool for static mapping.
- Static mappings always take precedence over mappings created using the nat command.
An All Hosts Option
The next examples show a handy shorthand to allow all inside
hosts to use NAT to create outbound connections. The 0 0 is a
short notation for the local_ip /netmask combination
0.0.0.0 0.0.0.0.
Pix(config)# nat (inside) 1 0 0
Additional NAT Options
The nat command lets you enable or disable
address translation for one or more internal addresses. Some of the options
available, such as norandomseq, conn_limit, and em_limit, are the same as covered in the static command section. To enable NAT for an address or group of
addresses, use the following syntax. Use the no command to
turn off the feature.
Pix(config)# nat (if_name) nat_id ip_address [netmask] [outside] [dns] [norandomseq] [timeout hh:mm:ss] [conn_limit] [em_limit]
Pix(config)# no nat (if_name) nat_id address [netmask] [outside]
To disable NAT for an address or group of addresses, use the
following syntax. Use the no command to turn off the feature.
Pix(config)# nat (if_name) 0 access-list acl_name
Pix(config)# no nat (if_name) 0 [access-list acl_name]
NAT_ID Options
The nat_id
option in the nat command can have serious implications
for how the NAT process works. The next paragraphs offer an explanation and
examples of each choice.
NAT 0
The nat 0 command turns off NAT translation for
the defined address(es). The result is called identity
translation, which is a translation that maps an address to itself. This
command assumes the host address is a valid global address that can be used out
in the Internet.
At first glance, this seems like the static command option of
using the current IP address for both addresses. The difference between this
command and the static option is that nat 0 requires that any resulting
traffic be initiated from an inside host, while the static command option
allows outside hosts to initiate access to inside resources. So, if you want
the addresses to be visible to the outside, use the static
command.
In the following example, the first entry shows an identity
translation using the nat 0 command, while the second uses the
more public static command.
Pix(config)# nat (dmz) 0 1.1.1.15
Pix(config)# static (dmz, outside) 1.1.1.15 1.1.1.15
The next examples show the same commands using a class C size
group of hosts. The first would be used to allow a group of user hosts with
valid global IP addresses to travel the Internet without translation. The second
would be used to make a large pool of shared servers available to the outside
world, assuming appropriate ACLs are created.
Pix(config)# nat (dmz) 0 1.1.2.0 255.255.255.0
Pix(config)# static (dmz, outside) 1.1.2.0 1.1.2.0 netmask 255.255.255.0
NAT 0 Access-List ACL_Name
The nat 0 access-list acl_name command
variation uses an access control list to specify the traffic to exempt from NAT
processing. This is particularly useful in VPN configurations where traffic needs
to be exempted from NAT. This command assumes the host address is a valid global
address that can be used out in the Internet.
The following example demonstrates using this Command option to
permit the internal host 1.1.1.15 to bypass NAT when connecting to outside host
1.1.2.19.
Pix(config)# access-list skip-nat permit ip host 1.1.1.15 host 1.1.2.19
Pix(config)# nat (inside) 0 access-list skip-nat
NAT_ID Greater Than 0
This is normal NAT with the nat_id
greater than zero (0), indicating a pool of global IP addresses specified by the
global command. The same nat_id in a nat command and global command links the two
together.
The following example demonstrates using the global command to create a global address pool (9) with 508
addresses. The nat command allows the hosts on LAN network
192.168.1.0 to access that pool. The nat_id, which is 9 in
all three commands, links them together.
Pix(config)# global (outside) 9 1.1.2.1-1.1.2.254
Pix(config)# global (outside) 9 1.1.3.0 netmask 255.255.255.0
Pix(config)# nat (inside) 9 192.168.1.0 255.255.255.0
No Network or Broadcast IDs Allowed
ASA won't allow network or broadcast IDs to be included in
the xlate table entries. If the netmask global_mask option
is used with a network ID to define a pool of addresses, the PIX automatically
excludes the network ID and broadcast addresses from the pool available for
translations.
The netmask option specifies a subnet mask; for example, 255.255.255.128
specifies one half of a class C network. If an address range specified as global_ip-global_ip overlaps subnets defined by the netmask global_mask statement, the global pool won't use any
broadcast or network addresses included in the pool of global addresses. In the
following global command, the pool is the first 16 addresses
on the 10.1.1.0 network (10.1.1.0-15).
Pix(config)# global (outside) 1 10.1.1.0 netmask 255.255.255.240
Pix(config)# nat (inside) 1 192.168.1.0 255.255.255.0
Because 10.1.1.0 is the network and 10.1.1.15 is the broadcast
address for the network, they’ll be excluded from the actual pool, leaving
10.1.1.1 to 10.1.1.14. Another way this could be defined is the following:
Pix(config)# global (outside) 1 10.1.1.1-10.1.1.14
Pix(config)# nat (inside) 1 192.168.1.0 255.255.255.0
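As an added example (not from the original text or any Cisco tool), the following Python script audits a small, constructed PIX configuration against the rules in this section: it expands each global statement into the addresses the PIX would actually hand out (dropping network and broadcast addresses when a netmask is given), reports the pool size per nat_id, flags a nat command whose nat_id has no matching global pool, and flags a static mapping that uses an address inside a global pool. The configuration text and the regular expressions are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample configuration (not from a real device) that exercises the
# pool-9 (508 addresses) and pool-1 (10.1.1.1-14) cases from this section,
# plus two mistakes: nat_id 7 has no global pool, and a static mapping
# reuses 10.1.1.5, which sits inside global pool 1.
SAMPLE_CONFIG = """
global (outside) 9 1.1.2.1-1.1.2.254
global (outside) 9 1.1.3.0 netmask 255.255.255.0
global (outside) 1 10.1.1.0 netmask 255.255.255.240
nat (inside) 9 192.168.1.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 7 192.168.2.0 255.255.255.0
static (dmz,outside) 10.1.1.5 192.168.1.50
"""

GLOBAL_RE = re.compile(r"^global \((\w+)\) (\d+) (\S+?)(?:-(\S+))?(?: netmask (\S+))?$")
NAT_RE = re.compile(r"^nat \((\w+)\) (\d+) (\S+)")
STATIC_RE = re.compile(r"^static \(\w+,\s*\w+\) (\S+) (\S+)")

def pool_addresses(first, last, netmask):
    """Expand one global statement into the usable pool addresses."""
    if last is None and netmask is not None:
        # A network ID plus netmask means the whole subnet, minus its
        # network and broadcast addresses (hosts() drops both).
        return list(ipaddress.IPv4Network(f"{first}/{netmask}", strict=False).hosts())
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last or first)
    addrs = [ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)]
    if netmask is None:
        return addrs  # explicit range, no mask: every listed address is used
    # Range with mask: drop any network or broadcast address of the subnets
    # the range overlaps, as the PIX does.
    keep = []
    for a in addrs:
        net = ipaddress.IPv4Network(f"{a}/{netmask}", strict=False)
        if a not in (net.network_address, net.broadcast_address):
            keep.append(a)
    return keep

def audit(config_text):
    """Return ({nat_id: pool size}, [finding strings]) for a configuration."""
    pools, nat_ids_used, statics = {}, [], []
    for line in config_text.strip().splitlines():
        if m := GLOBAL_RE.match(line.strip()):
            _, nat_id, first, last, mask = m.groups()
            pools.setdefault(int(nat_id), set()).update(pool_addresses(first, last, mask))
        elif m := NAT_RE.match(line.strip()):
            nat_ids_used.append(int(m.group(2)))
        elif m := STATIC_RE.match(line.strip()):
            statics.append(ipaddress.IPv4Address(m.group(1)))  # global side of static
    findings = [f"nat_id {n}: nat command has no matching global pool"
                for n in nat_ids_used if n != 0 and n not in pools]
    findings += [f"static {a} overlaps global pool {n}"
                 for a in statics for n, pool in pools.items() if a in pool]
    return {n: len(p) for n, p in pools.items()}, findings
```

Running audit(SAMPLE_CONFIG) reports pool 9 with 508 addresses and pool 1 with 14, plus the two findings described in the comments.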
Confirm NAT/Global Configuration
To display the results of the global and
nat commands, use the following commands:
- show global
- show nat
- write terminal
- show xlate