Re: NAT Design / Migration Question

James Ferero · ‎05-22-2018

Hello - I'm in the process of migrating NAT functionality to an ASA and had a few questions on the best and cleanest way to accomplish this.

Currently the internet firewall isn't NAT'ing traffic, all NAT'ing is done on a northbound internet load balancer. The internet firewall is doing nothing more than routing RFC 1918 address from Zone to Zone with security rules applied.

For a multitude of reasons were looking to decommission the northbound load balancer and move the NAT functionality down to the ASA. The load balancer currently has 3 internet connections and each connection is a statically routed public network, the load balancer NAT's the RFC 1918 addresses to the public IP's and vise versa. The plan is to announce these 3 networks into BGP for external access and additional redundancy.

Now for the ASA NAT part. I need to take these 3 public network and essentially make NAT pools for them that the DMZ devices can statically use. The ASA has standard inside, outside and a fist full of DMZ zones. All of these Zones are RFC 1918 IP's. For the DMZ's this can't change due to requirements and constraints we currently have; e.g.// Different DMZ's NAT to the same Public IP Subnet

Each DMZ is private IP and uses the ASA interface as the default gateway.

Call the DMZ's

DMZ1 - 10.1.1.0/24

DMZ2 - 10.1.2.0/24

DMZ3 - 10.1.3.0/24

DMZ4 - 10.1.4.0/24

Call the Public IP subnets that need moving

NAT Pool1 - 12.1.1.0/24

NAT Pool2 - 12.1.2.0/24

NAT Pool3 - 12.1.3.0/24

What I'm looking for is the best way to accomplish this configuration wise on the ASA. I'm not an ASA NAT wizard, I believe this can be done but after reading the 9.4 ASA CLI config guide its throwing me for a loop.

I took this from the guide

"

Addresses on a Unique Network

If you need more addresses than are available on the destination (mapped) interface network, you can identify addresses on a different subnet. The upstream router needs a static route for the mapped addresses that points to the ASA.

Alternatively for routed mode, you can configure a static route on the ASA for the mapped addresses using any IP address on the destination network as the gateway, and then redistribute the route using your routing protocol. For example, if you use NAT for the inside network (10.1.1.0/24) and use the mapped IP address 209.165.201.5, then you can configure a static route for 209.165.201.5 255.255.255.255 (host address) to the 10.1.1.99 gateway that can be redistributed.

route inside 209.165.201.5 255.255.255.255 10.1.1.99

"

This made is sound like I can create a static route for the public network and point it to the next hop on the outside interface and then create the static NAT referencing the outside interface.

E.G.//

route outside 12.1.2.0 255.255.255.0 172.16.0.1
!
object network UselessDMZDevice
host 10.1.2.53
nat (DMZ2,outside) Static 12.1.2.53

Does the appear correct or will I need to build pools as well? From everything I was able to gather the pools are only required when doing any form of Dynamic NAT.

If needed I can DR up a Visio to attach but basically I need to create 4 public NAT ranges that wont have physical interfaces on the ASA but will need to traverse the outside interface for egress routing. Ingress routing from the Internet will be through static routes configured on my Internet Core pointing to the ASA outside interface as the next hop.

Florin Barhala · ‎05-23-2018

I think you got it right: ASA will have default static route through outside to the Internet router while Internet router will static_point the three/four public IP pools to your ASA.
Obviously EIGRP/OSPF/iBGP can do the same job as the static routes.

Just make sure Internet router eBGP advertising is correct and just wish you happy natting on the ASA.

James Ferero · ‎05-23-2018

OK cool, routing is not a problem, that's honestly the easiest part of this for me.

My next question is this, if I just have static NAT without the service switch will the ASA reference the rule to determine what ports are open for the translated packet? I assume that it will do a rule lookup but I just wanted to verify.

object network UselessDMZDevice
host 10.1.2.53
nat (DMZ2,outside) Static 12.1.2.53

VS

object network UselessDMZDevice
host 10.1.2.53
nat (DMZ2,outside) Static 12.1.2.53 service ssh ftp

My last question is around objects and multi referencing. In the example UselessDMZDevice is already a configured object on the ASA and referenced in both rules and object groups. If I create a new object for the migrated NAT's will that break any of the forwarding logic in the firewall? Once again I assume it wont because its looking at the Layer 3 / Layer 4 headers and not the object name.

E.G.//

=== Existing Object on the ASA ===
object network UselessDMZDevice
host 10.1.2.53

=== New NAT object for that same host, with different object name ===
object network NAT-obj-12.1.2.53
host 10.1.2.53
nat (DMZ2,outside) Static 12.1.2.53

If I reference the new NAT object in the NAT configuration but leave the existing object in the already configured rules will this break the logic.

What I'm aiming for here is a migration tactic that will work without having to go back and rework every rule and object group for all the hosts that are now getting a NAT on the ASA.

Florin Barhala · ‎05-24-2018

Here's my feedback:
1. Static NAT wise FW couldn't care less about if ports are mentioned or not; it is routing that decides if that NAT will work in the first place.
2. As for the objects I am again following your logic, but I also have no experience into tweaking/playing with NAT objects so you either leave us some impressions after the migration or hopefully some expert can tell us more