Dynamic NAT

ac707spg1
Level 1

Hi,

One of my applications makes connections to a webserver, and because of the amount of data transmitted, if too many consecutive requests are sent, we are looked at as a DoS attack. What I am wondering is if there is a way to have a single IP address on my internal network bound to a NAT pool so that communication to the outside uses a different IP address each time a connection is made. Essentially I want the XLATE table to be cleared and a new IP address used for subsequent communication. Think of it as a round-robin approach.

Any ideas on how I might do something like this or any suggestions on what I can do.

Thanks,

Scott

5 Replies

Hi Scott,

This is possible on the ASA: dynamic PAT with a PAT pool and round-robin allocation requires ASA 8.4(2) and above:

http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/nat_objects.html#wp1455942

http://www.cisco.com/en/US/partner/docs/security/asa/command-reference/n.html#wp1778544

The syntax would look like:

object network PAT_POOL1
   range 1.1.1.1 1.1.1.10
object network INSIDE_HOST1
   host 10.10.10.100
   nat (inside,outside) dynamic pat-pool PAT_POOL1 round-robin

ASA# show nat detail
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic INSIDE_HOST1 pat-pool PAT_POOL1 round-robin
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.10.10.100/32, Translated (PAT): 1.1.1.1-1.1.1.10

Patrick

Hi,

I tested this out of interest yesterday and today with both Manual NAT and Auto NAT and it doesn't seem to work for a single source host. (Was running 8.4(5))

I have a couple of actual /29 public address blocks at home and made a PAT Pool of them for one of my computers.

The single host kept using the first address in the pool for all the PAT translations.

In today's test it seems that if I include the whole LAN subnet and use multiple source addresses for connections, then the first source address uses the first PAT address and the second source address uses the second PAT address.

So I am not all that sure the single host will benefit from this configuration, as it seems it would have to exhaust all the ports again on the single PAT address before perhaps moving to the next one. At least it seemed like that, and I can't say that with 100% certainty.

- Jouni

Jouni,

Did you include the option for round-robin as listed in the reply by Patrick? I haven't had a chance to attempt his solution yet, but I am very interested in seeing if this works.

I appreciate your input and Patrick's.  If I can get this to work it will make my life easier.

Scott

Hi,

Yes I did,

It didn't work with a single source address with either the Manual NAT or Auto NAT configuration format, if I was to believe the "packet-tracer" output.

Also as I have said I tried it with actual public IP addresses as the PAT Pool and browsed Internet for a while with my own computer. My computer only used the first PAT IP address from the "object" I defined, nothing else.

Later tests with "packet-tracer" seemed to indicate that if I configured an actual subnet as the source and used multiple different source addresses, then each source address would get PATed to a different public IP address in order.

Even if it was the case that this method didn't work, I imagine I could define a NAT rule that would do this for a single host. The only problem really is that it wouldn't be a typical/clean configuration, but I imagine it would be possible if you wanted such a configuration. I would still have to test that.

I guess this is yet another special NAT configuration I should add to my NAT document.

- Jouni

Hi Jouni,

You are absolutely correct about that. I think the doc explains it as "stickiness" to the PAT IP address for the same host as long as ports are available:

In the guidelines for PAT Pool:

http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/nat_objects.html#wp1455942

If a host has an existing connection, then subsequent connections from that host will use the same PAT IP address if ports are available.

Note: This "stickiness" does not survive a failover. If the ASA fails over, then subsequent connections from a host may not use the initial IP address.

You could maybe change your NAT based on the source port of the connection.

To do that you need to actually be able to control the source port used to establish the connection (might be tough to accomplish)...

You can have a different NAT entry per source port or for a range of source ports... it should be tested to make sure it works. Apparently Source Dynamic PAT (hide) does not support port translation, so you have to use static:

asa(config)# sh run object in-line
object network IN1 host 10.10.10.10
object network OUT1 host 1.1.1.1
object network OUT2 host 1.1.1.2
object service SP1 service tcp source range 1024 1048
object service SP2 service tcp source eq 5002
!
nat (inside,outside) source static IN1 OUT1 service SP1 SP1
nat (inside,outside) source static IN1 OUT2 service SP2 SP2
!

asa(config)# show nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static IN1 OUT1   service SP1 SP1
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.10.10.10/32, Translated: 1.1.1.1/32
    Service - Origin: tcp source range 1024 1048 , Translated: tcp source range 1024 1048
2 (inside) to (outside) source static IN1 OUT2   service SP2 SP2
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.10.10.10/32, Translated: 1.1.1.2/32
    Service - Origin: tcp source eq 5002 , Translated: tcp source eq 5002

You can also use the unidirectional keyword...

Patrick
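As an added example that is not part of the thread and not Cisco's code: the part the last reply calls hard to accomplish is making the application choose its own TCP source port, because the two static rules above key on the source port to pick the mapped address. The Python client below does exactly that. It binds the source port before connecting, steps through the port ranges of the two rules in turn so consecutive connections would leave the ASA as 1.1.1.1 and then 1.1.1.2, and falls back to the next port in the range when one is still held in TIME_WAIT. The rule table, the addresses and the local stand-in for the web server are all constructed for the example; no ASA is involved, so the "egress" it reports is what the quoted rules would select, not an observed translation.

```python
"""Added example, not from the thread: a client that chooses its TCP source
port so that the ASA's port-based static NAT rules select the egress address.

Everything here is constructed for the example: the two rules from the reply
are modelled as a small table, and the "web server" is a local listener so the
code runs offline. Nothing talks to a real ASA."""
import socket
import threading

# Source-port ranges and the mapped address each selects, mirroring the reply's
#   nat (inside,outside) source static IN1 OUT1 service SP1 SP1   (tcp 1024-1048)
#   nat (inside,outside) source static IN1 OUT2 service SP2 SP2   (tcp 5002)
NAT_RULES = [
    ((1024, 1048), "1.1.1.1"),
    ((5002, 5002), "1.1.1.2"),
]


def egress_for_source_port(sport):
    """Mapped address the rules above would use for this source port, or None."""
    for (low, high), mapped in NAT_RULES:
        if low <= sport <= high:
            return mapped
    return None


def connect_with_source_port(dst, dport, sports, local_addr="127.0.0.1"):
    """Connect to dst:dport from the first usable port in sports.

    Returns (socket, source port actually used). A port left in TIME_WAIT by an
    earlier connection can make bind() or connect() fail, so the next port in
    the range is tried instead of giving up; a one-port range like SP2 can
    therefore only carry one connection until the old state has expired.
    """
    last_err = None
    for sport in sports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((local_addr, sport))
            s.connect((dst, dport))
            return s, s.getsockname()[1]
        except OSError as e:
            last_err = e
            s.close()
    raise OSError(f"no usable source port in {list(sports)}: {last_err}")


def rotate_requests(dst, dport, n_requests):
    """Send n_requests, stepping through NAT_RULES in turn so consecutive
    connections leave via different mapped addresses. Returns [(sport, egress)]."""
    used = []
    for i in range(n_requests):
        (low, high), mapped = NAT_RULES[i % len(NAT_RULES)]
        s, sport = connect_with_source_port(dst, dport, range(low, high + 1))
        while s.recv(64):      # drain until the server closes first, so the
            pass               # TIME_WAIT state lands on the server side
        s.close()
        used.append((sport, mapped))
    return used


def _start_local_server():
    """Constructed stand-in for the web server: answers and closes at once."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener closed by demo()
                return
            conn.sendall(b"HTTP/1.0 200 OK\r\n\r\nok\n")
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo(n_requests=3):
    """Run n_requests against the local server; returns [(sport, egress)]."""
    srv, port = _start_local_server()
    try:
        return rotate_requests("127.0.0.1", port, n_requests)
    finally:
        srv.close()


if __name__ == "__main__":
    for sport, egress in demo():
        print(f"source port {sport} -> would leave the ASA as {egress}")
```

Two things to check before relying on this in production: a single-port rule such as SP2 serialises connections through that address, because a second connection cannot reuse the port until the previous 4-tuple has left TIME_WAIT, so give every mapped address a range rather than one port; and the application must keep the source port out of the OS ephemeral range (here 1024-1048 is below it), or the kernel will hand out ports that match no rule and the traffic will fall through to whatever other NAT rule applies. Confirm the actual translation with packet-tracer on the ASA, as Jouni did, rather than trusting the client-side table.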
