ASA 8.3+ Static Many-to-One NAT

eddie.harmoush
Level 1

Hello all,

So with the advent of 8.3 NAT and the ability to do a Many to One Static NAT, which was otherwise impossible (sort of), I had a few questions about the specifics of how it works.  First, here is the configuration I am using to test:

object network ONE
 host 1.1.1.1

object-group network MANY
 network-object host 10.10.10.11
 network-object host 10.10.10.12
 network-object host 10.10.10.13
 network-object host 10.10.10.14
 network-object host 10.10.10.15

nat (inside,outside) source static MANY ONE

All my inside hosts (10.10.10.11 - .15) are being Statically NAT'ed to the outside IP of 1.1.1.1 (via an object named ONE).  I have a few specific questions as to how exactly this works, and how it ends up being different from a simple Dynamic NAT.

Here are some tests I've run with Packet-Tracer:

asa84# packet-tracer input inside tcp 10.10.10.11 11111 9.9.9.9 80 detail

<-~-~-~- SNIP -~-~-~- >

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static MANY ONE
Additional Information:
Static translate 10.10.10.11/11111 to 1.1.1.1/11111
Forward Flow based lookup yields rule:
in  id=0xc83aabe0, priority=6, domain=nat, deny=false
        hits=1, user_data=0xc85fb328, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=10.10.10.11, mask=255.255.255.255, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=outside

<-~-~-~- SNIP -~-~-~- >

asa84# packet-tracer input inside tcp 10.10.10.12 11111 9.9.9.9 80 detail

<-~-~-~- SNIP -~-~-~- >

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static MANY ONE
Additional Information:
Static translate 10.10.10.12/11111 to 1.1.1.1/11111
Forward Flow based lookup yields rule:
in  id=0xcb40e0a8, priority=6, domain=nat, deny=false
        hits=1, user_data=0xc85fb328, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=10.10.10.12, mask=255.255.255.255, port=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
        input_ifc=inside, output_ifc=outside

<-~-~-~- SNIP -~-~-~- >

When the inside host 10.10.10.11 speaks to an outside host, it gets translated to 1.1.1.1 and the source port remains the same.

When the inside host 10.10.10.12 speaks to an outside host, it gets translated to 1.1.1.1 and the source port remains the same.

But what happens if both of these inside hosts happen to pick the same source port number?  If the port stays the same, how would the Firewall distinguish the return traffic between the two "real" source IPs?

Furthermore...

asa84# packet-tracer input outside tcp 8.8.8.8 8888 1.1.1.1 80 detail

<-~-~-~- SNIP -~-~-~- >

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static MANY ONE
Additional Information:
NAT divert to egress interface inside
Untranslate 1.1.1.1/80 to 10.10.10.11/80

<-~-~-~- SNIP -~-~-~- >

asa84# packet-tracer input outside tcp 9.9.9.9 80 1.1.1.1 1111 detail

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static MANY ONE
Additional Information:
NAT divert to egress interface inside
Untranslate 1.1.1.1/1111 to 10.10.10.11/1111

When an outside host sends a packet to the shared Mapped address, it seems to always translate it to the first IP address in the "MANY" object-group (10.10.10.11).  Is that always going to be the behavior?  Will the Firewall ever "un-nat" the incoming traffic to one of the other IP addresses in the "MANY" object-group?

Any additional information you think would be helpful, I'm all ears.  Thank you.
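The two questions in the post (same source port picked by two real hosts, and which real host unsolicited inbound traffic lands on) can be made concrete with a small model of a firewall connection table. This is an added illustration, not ASA code, and the real ASA's handling of the collision case is not stated on this page; the model only keeps the port unchanged and sends unsolicited traffic to the first member of MANY because that is what the packet-tracer output above shows. The class name NatModel and the collision bookkeeping are assumptions of the illustration.

```python
# Added illustration (not ASA code): a toy connection table for the
# "nat (inside,outside) source static MANY ONE" rule from the post.
from dataclasses import dataclass, field

# Objects exactly as configured in the post
MANY = ["10.10.10.11", "10.10.10.12", "10.10.10.13", "10.10.10.14", "10.10.10.15"]
ONE = "1.1.1.1"


@dataclass
class NatModel:
    # conn table keyed by the mapped-side 5-tuple that the outside world sees:
    # (proto, mapped_ip, mapped_port, peer_ip, peer_port) -> real inside host
    conns: dict = field(default_factory=dict)
    collisions: list = field(default_factory=list)

    def outbound(self, real_ip, sport, dst_ip, dport, proto="tcp"):
        """Static translation: source IP becomes ONE, port is kept (as in
        'Static translate 10.10.10.11/11111 to 1.1.1.1/11111')."""
        if real_ip not in MANY:
            return None  # rule does not match this host
        key = (proto, ONE, sport, dst_ip, dport)
        owner = self.conns.get(key)
        if owner is not None and owner != real_ip:
            # Two real hosts chose the same source port towards the same peer:
            # the return 5-tuple is identical for both, so the firewall has no
            # key left to tell them apart. Record it instead of guessing.
            self.collisions.append((key, owner, real_ip))
            return None
        self.conns[key] = real_ip
        return (ONE, sport)

    def inbound(self, src_ip, sport, dst_ip, dport, proto="tcp"):
        """Return traffic for a known conn goes back to its real host.
        Unsolicited traffic to the shared mapped address is untranslated to the
        first member of MANY, matching 'Untranslate 1.1.1.1/80 to
        10.10.10.11/80' in the post (assumption of this model, not a rule)."""
        if dst_ip != ONE:
            return None
        key = (proto, dst_ip, dport, src_ip, sport)
        return self.conns.get(key, MANY[0])
```

Running the two packet-tracer cases from the post through the model reproduces the observed translations; adding a second outbound flow from 10.10.10.12 with the same source port and peer is the case the firewall cannot disambiguate by address and port alone.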

3 Replies

julomban
Level 3

Hello Eddie,

See it from the ASA's perspective: how does the ASA know whether to send data to 10.10.10.11, .12, .13, .14 or .15 when it comes from the outside? Unless you specify the port, there is no way to accomplish what you are looking for.

If you set port forwarding and specify the port, it works fine, since the ASA knows that when it is SSH it will go to 10.10.10.11 and telnet to 10.10.10.12.

The NAT rule you share is going to work for outbound connections; however, for inbound access you may need to specify the port.

Regards,

Juan Lombana

Please rate helpful posts.

Hi Julomban,

I understand how it traditionally would only work unidirectionally.  But one of the new features of 8.3+ is specifically a Static Many to One NAT (which implies bidirectional).  The purpose of this post was simply to get more information as to the inner workings of how the ASA processes packets through a "Many to One" Static NAT as configured above.

Regards,

-Eddie

Eddie,

One-to-Many applies for one real IP to multiple mapped IP addresses. I think the link below will clarify this for you:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_overview.html#wp1107407

Regards,

Juan Lombana

Please rate helpful posts.
