05-29-2013 11:43 AM - edited 03-11-2019 06:50 PM
Hello all,
So with the advent of 8.3 NAT and the ability to do a Many to One Static NAT, which was otherwise impossible (sort of), I had a few questions about the specifics of how it works. First, here is the configuration I am using to test:
object network ONE
host 1.1.1.1
object-group network MANY
network-object host 10.10.10.11
network-object host 10.10.10.12
network-object host 10.10.10.13
network-object host 10.10.10.14
network-object host 10.10.10.15
nat (inside,outside) source static MANY ONE
All my inside hosts (10.10.10.11 - .15) are being statically NAT'ed to the outside IP of 1.1.1.1 (via an object named ONE). I have a few specific questions as to how exactly this works, and how it ends up being different from a simple Dynamic NAT.
Here are some tests I've run with Packet-Tracer:
asa84# packet-tracer input inside tcp 10.10.10.11 11111 9.9.9.9 80 detail
<-~-~-~- SNIP -~-~-~- >
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static MANY ONE
Additional Information:
Static translate 10.10.10.11/11111 to 1.1.1.1/11111
Forward Flow based lookup yields rule:
in id=0xc83aabe0, priority=6, domain=nat, deny=false
hits=1, user_data=0xc85fb328, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.10.10.11, mask=255.255.255.255, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=outside
<-~-~-~- SNIP -~-~-~- >
asa84# packet-tracer input inside tcp 10.10.10.12 11111 9.9.9.9 80 detail
<-~-~-~- SNIP -~-~-~- >
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static MANY ONE
Additional Information:
Static translate 10.10.10.12/11111 to 1.1.1.1/11111
Forward Flow based lookup yields rule:
in id=0xcb40e0a8, priority=6, domain=nat, deny=false
hits=1, user_data=0xc85fb328, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.10.10.12, mask=255.255.255.255, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=inside, output_ifc=outside
<-~-~-~- SNIP -~-~-~- >
When the inside host 10.10.10.11 speaks to an outside host, it gets translated to 1.1.1.1 and the source port remains the same.
When the inside host 10.10.10.12 speaks to an outside host, it gets translated to 1.1.1.1 and the source port remains the same.
But what happens if both of these inside hosts happen to pick the same source port number? If the port stays the same, how would the Firewall distinguish the return traffic between the two "real" source IPs?
Furthermore...
asa84# packet-tracer input outside tcp 8.8.8.8 8888 1.1.1.1 80 detail
<-~-~-~- SNIP -~-~-~- >
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static MANY ONE
Additional Information:
NAT divert to egress interface inside
Untranslate 1.1.1.1/80 to 10.10.10.11/80
<-~-~-~- SNIP -~-~-~- >
asa84# packet-tracer input outside tcp 9.9.9.9 80 1.1.1.1 1111 detail
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static MANY ONE
Additional Information:
NAT divert to egress interface inside
Untranslate 1.1.1.1/1111 to 10.10.10.11/1111
When an outside host sends a packet to the shared Mapped address, it seems to always translate it to the first IP address in the "MANY" object-group (10.10.10.11). Is that always going to be the behavior? Will the Firewall ever "un-nat" the incoming traffic to one of the other IP addresses in the "MANY" object-group?
Any additional information you think would be helpful, I'm all ears. Thank you.
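An added check, not from the thread or from Cisco: a small parser for the packet-tracer output quoted above. It pulls the "Static translate" and "Untranslate" lines out of each NAT/UN-NAT phase, flags real host:port pairs that land on the same mapped ip:port (the collision the question above asks about), and reports which real host an inbound packet is untranslated to. The sample traces are constructed from the output in the post, trimmed to the lines the parser reads.

```python
import re
from collections import defaultdict

# Constructed sample traces: the NAT and UN-NAT phases from the thread, trimmed.
OUTBOUND_11 = """Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static MANY ONE
Additional Information:
Static translate 10.10.10.11/11111 to 1.1.1.1/11111
"""
OUTBOUND_12 = OUTBOUND_11.replace("Phase: 5", "Phase: 4").replace("10.10.10.11", "10.10.10.12")
INBOUND = """Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Additional Information:
NAT divert to egress interface inside
Untranslate 1.1.1.1/80 to 10.10.10.11/80
"""

# Matches both the outbound and the inbound translation lines packet-tracer prints.
XLATE_RE = re.compile(r"^(?:Static translate|Untranslate) (\S+)/(\d+) to (\S+)/(\d+)$")

def parse_nat_phases(text):
    """Return one dict per NAT/UN-NAT phase: type, result and (from_ip, from_port, to_ip, to_port)."""
    phases, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Phase:"):
            current = {"type": None, "result": None, "xlate": None}
            phases.append(current)
        elif current is None:
            continue  # text before the first Phase: header
        elif line.startswith("Type:"):
            current["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            current["result"] = line.split(":", 1)[1].strip()
        else:
            m = XLATE_RE.match(line)
            if m:
                current["xlate"] = (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
    return [p for p in phases if p["type"] in ("NAT", "UN-NAT") and p["xlate"]]

def mapped_collisions(traces):
    """Mapped (ip, port) tuples that more than one real host:port is translated to."""
    by_mapped = defaultdict(set)
    for text in traces:
        for p in parse_nat_phases(text):
            if p["type"] == "NAT":
                real_ip, real_port, mapped_ip, mapped_port = p["xlate"]
                by_mapped[(mapped_ip, mapped_port)].add((real_ip, real_port))
    return {k: sorted(v) for k, v in by_mapped.items() if len(v) > 1}

def inbound_real_host(text):
    """Real IP the UN-NAT phase untranslates the mapped address to, or None if no UN-NAT phase."""
    for p in parse_nat_phases(text):
        if p["type"] == "UN-NAT":
            return p["xlate"][2]
    return None
```

Feeding it one trace per real host with the same source port shows both landing on 1.1.1.1/11111, which is exactly the ambiguity the question raises; the inbound trace resolves to 10.10.10.11 only.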
05-29-2013 12:13 PM
Hello Eddie,
See it from the ASA's perspective: how does the ASA know when to send data to 10.10.10.11, .12, .13, .14 or .15 when traffic comes from the outside? Unless you specify the port, there is no way to accomplish what you are looking for.
If you set port forwarding and specify the port, it works fine, since the ASA knows that when it is SSH it will go to 10.10.10.11 and telnet to 10.10.10.12.
The NAT rule you shared is going to work for outbound connections; however, for inbound access you may need to specify the port.
Regards,
Juan Lombana
Please rate helpful posts.
05-29-2013 01:44 PM
Hi Julomban,
I understand how it traditionally would only work unidirectionally. But one of the new features of 8.3+ is specifically a Static Many to One NAT (which implies bidirectional). The purpose of this post was simply to get more information as to the inner workings of how the ASA processes packets through a "Many to One" Static NAT as configured above.
Regards,
-Eddie
05-29-2013 01:56 PM
Eddie,
One-to-Many applies for one real IP to multiple mapped IP addresses. I think the link below will clarify this for you:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_overview.html#wp1107407
Regards,
Juan Lombana
Please rate helpful posts.