10-16-2013 12:49 PM - edited 03-11-2019 07:53 PM
Hi,
One of my applications makes connections to a webserver, and because of the amount of data transmitted, if too many consecutive requests are sent, we are looked at as a DoS attack. What I am wondering is if there is a way to have a single IP address on my internal network bound to a NAT pool so that communication to the outside uses a different IP address each time a connection is made. Essentially I want the XLATE table to be cleared and a new IP address used for subsequent communication. Think of it as a round robin approach.
Any ideas on how I might do something like this, or any suggestions on what I can do?
Thanks,
Scott
10-16-2013 07:24 PM
Hi Scott,
This is possible on ASA: dynamic PAT with PAT-pool and round-robin allocation requires ASA 8.4(2) and above:
http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/nat_objects.html#wp1455942
http://www.cisco.com/en/US/partner/docs/security/asa/command-reference/n.html#wp1778544
The syntax would look like:
object network PAT_POOL1
range 1.1.1.1 1.1.1.10
object network INSIDE_HOST1
host 10.10.10.100
nat (inside,outside) dynamic pat-pool PAT_POOL1 round-robin
ASA# show nat detail
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic INSIDE_HOST1 pat-pool PAT_POOL1 round-robin
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.10.10.100/32, Translated (PAT): 1.1.1.1-1.1.1.10
Patrick
10-16-2013 11:23 PM
Hi,
I tested this out of interest yesterday and today with both Manual NAT and Auto NAT and it doesn't seem to work for a single source host. (Was running 8.4(5))
I have a couple of actual /29 public address blocks at home and made a PAT Pool of them for one of my computers.
The single host kept using the first address in the pool for all the PAT translations.
In today's test it seems that if I include the whole LAN subnet and use multiple source addresses for connections, then the first source address uses the first PAT address and the second source address uses the second PAT address.
So I am not all that sure the single host will benefit from this configuration, as it seems it would have to exhaust all the ports again on the single PAT address before perhaps moving to the next one. At least it seemed like that, and I can't say that with 100% certainty.
- Jouni
10-17-2013 04:24 AM
Jouni,
Did you include the option for round robin as listed in the reply by Patrick? I haven't had a chance to attempt his solution yet, but I am very interested in seeing if this works.
I appreciate your input and Patrick's. If I can get this to work it will make my life easier.
Scott
10-17-2013 05:15 AM
Hi,
Yes I did,
It didn't work with a single source address with either the Manual NAT or Auto NAT configuration format, if I was to believe the "packet-tracer" output.
Also as I have said I tried it with actual public IP addresses as the PAT Pool and browsed Internet for a while with my own computer. My computer only used the first PAT IP address from the "object" I defined, nothing else.
Later tests with "packet-tracer" seemed to indicate that if I configured an actual subnet as the source and used multiple different source addresses then each source address would get PATed to different public IP address in order.
Even if it was the case that this method didn't work, I imagine I could define a NAT rule that would do this for a single host. The only problem really is that it wouldn't be a typical/clean configuration, but I imagine it would be possible if you wanted such a configuration. I would still have to test that.
I guess this is yet another special NAT configuration I should add to my NAT document.
- Jouni
10-17-2013 08:55 AM
Hi Jouni,
You are absolutely correct about that. I think the doc explains it as "stickiness" to the PAT IP address for the same host as long as ports are available:
In the guidelines for PAT Pool:
http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/nat_objects.html#wp1455942
If a host has an existing connection, then subsequent connections from that host will use the same PAT IP address if ports are available.
Note: This "stickiness" does not survive a failover. If the ASA fails over, then subsequent connections from a host may not use the initial IP address.
You could maybe change your NAT based on the source port of the connection.
To do that you need to actually be able to control the source port used to establish the connection (might be tough to accomplish)...
You can have a different NAT entry per source port or for a range of source ports... it should be tested to make sure it works. Apparently Source Dynamic PAT (hide) does not support port translation, so you have to use static:
asa(config)# sh run object in-line
object network IN1 host 10.10.10.10
object network OUT1 host 1.1.1.1
object network OUT2 host 1.1.1.2
object service SP1 service tcp source range 1024 1048
object service SP2 service tcp source eq 5002
!
nat (inside,outside) source static IN1 OUT1 service SP1 SP1
nat (inside,outside) source static IN1 OUT2 service SP2 SP2
!
asa(config)# show nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static IN1 OUT1 service SP1 SP1
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.10.10.10/32, Translated: 1.1.1.1/32
Service - Origin: tcp source range 1024 1048 , Translated: tcp source range 1024 1048
2 (inside) to (outside) source static IN1 OUT2 service SP2 SP2
translate_hits = 0, untranslate_hits = 0
Source - Origin: 10.10.10.10/32, Translated: 1.1.1.2/32
Service - Origin: tcp source eq 5002 , Translated: tcp source eq 5002
You can also use the unidirectional keyword...
Patrick
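To make the PAT-pool behaviour discussed in this thread concrete (Patrick's round-robin pool, the "stickiness" quoted from the guidelines, and Jouni's observation that a single host keeps the first address until its ports run out), here is an added Python model. It is not code from the thread or from Cisco; the pool range, the tiny per-address port budget and the clear_xlate() method are constructed assumptions for illustration.

```python
from collections import defaultdict
from ipaddress import IPv4Address


class PatPool:
    """Model of a PAT pool with round-robin allocation and per-host stickiness:
    a host with an existing translation keeps its PAT IP while that IP still
    has ports; a new host (or a host whose sticky IP is exhausted) takes the
    next address in round-robin order. The port budget is a constructed value
    kept tiny so that exhaustion is visible in a few calls."""

    def __init__(self, first: str, last: str, ports_per_ip: int = 3):
        lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
        self.pool = [str(IPv4Address(i)) for i in range(lo, hi + 1)]
        self.ports_per_ip = ports_per_ip   # constructed budget, not the real 64k-ish range
        self.next_idx = 0                  # round-robin pointer used for new allocations
        self.sticky = {}                   # inside host -> PAT IP it is currently pinned to
        self.in_use = defaultdict(int)     # PAT IP -> ports consumed on that address

    def _has_room(self, pat_ip: str) -> bool:
        return self.in_use[pat_ip] < self.ports_per_ip

    def translate(self, src_ip: str) -> str:
        """Return the PAT IP a new connection from src_ip is translated to."""
        pat_ip = self.sticky.get(src_ip)
        if pat_ip is None or not self._has_room(pat_ip):
            # New host, or its sticky address has no ports left: walk the pool
            # from the round-robin pointer to the next address with free ports.
            for _ in range(len(self.pool)):
                candidate = self.pool[self.next_idx]
                self.next_idx = (self.next_idx + 1) % len(self.pool)
                if self._has_room(candidate):
                    pat_ip = candidate
                    break
            else:
                raise RuntimeError("PAT pool exhausted")
            self.sticky[src_ip] = pat_ip
        self.in_use[pat_ip] += 1
        return pat_ip

    def clear_xlate(self) -> None:
        """Assumed model of clearing translations (or a failover, which the
        guidelines say stickiness does not survive): pins and port counts go,
        the round-robin pointer does not, so a host may land on a new address."""
        self.sticky.clear()
        self.in_use.clear()
```

Running the model with one inside host against a three-address pool reproduces what Jouni saw: every connection is translated to the first address until its (constructed) port budget is exhausted, while three different inside hosts are spread across the pool one address each.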