03-05-2016 03:51 PM - edited 03-12-2019 12:26 AM
Hello all,
I've been doing a lot of reading to really understand how NAT works in ASA version 8.3 and higher. I haven't been able to quite find any documentation that addresses my particular question, so I figured I would try here. I would like it if someone could explain to me the nat command and traffic flows when allowing internal host to be accessible via the internet.
In order to allow access to the internal server via the internet you need three things:
Take the following example
object network WebServer
host 192.168.1.5
nat (inside,outside) static 1.1.1.1 service tcp 80 80
access-list OutsideToInside permit tcp any host 192.168.1.5 eq 80
access-group OutsideToInside in interface outside
My question is, does the nat command only apply to the return traffic from the web server since the ACL will forward the HTTP traffic to the internal host?
Also, can someone break down the nat command? i.e. I know the "(inside,outside)" refers to the named interfaces but the order also matters right?
when using "source" in the nat command, that is referring to the source IP correct?
Why do you not need a nat command in the reverse order "nat (outside,inside)" for the translation?
Hopefully it is clear as to what I am asking, if not please let me know.
Thanks
Solved! Go to Solution.
03-05-2016 09:17 PM
Hello Garland Moore ,
Not sure you checked this document or not but this is a very good compilation of how the nat works post 8.3 , do take a moment to check this out and I am sure it will address most of your queries:-
https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
Taking your example:
object network WebServer
host 192.168.1.5
nat (inside,outside) static 1.1.1.1 service tcp 80 80
This nat command is defined under an object and is static in nature.
That means if anyone from outside tries to reach 1.1.1.1:80 , it is translated to 192.168.1.5:80 and vice verssa. What that means is , hypothetically , if 192.168.1.5 iniated traffic from port 80(usually source port number is random) , it would have been translated to 1.1.1.1:80
does the nat command only apply to the return traffic from the web server since the ACL will forward the HTTP traffic to the internal host?
This nat applies to all the traffic initiated from outside destined to 1.1.1.1:80. You dont need another nat to allow traffic from web-server at 192.168.1.5 to be able to send the traffic back to host on internet.
can someone break down the nat command?
The order of interfaces surely matters if you are using dynamic nat.
If you have static nat , then as long as you have correct IPs defined in nat, any order will work. Ideally, when we define an object, like in your case , we use the syntax (inside,outside) similar to what you defined in nat above.
when using "source" in the nat command, that is referring to the source IP correct?
That is correct.
Why do you not need a nat command in the reverse order "nat (outside,inside)" for the translation?
As stated above, once the traffic traverses over ASA, it creates and translation entry in xlate table which stays there until timeout period expires.
This translation entries confirm that we have mapped 192.168.1.5 to 1.1.1.1 on port 80 thus we don't need the other command.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
03-05-2016 10:49 PM
Dinesh has answered your questions quite well, but I will try to answer them slightly different so that you perhaps get a different point of view.
My question is, does the nat command only apply to the return traffic from the web server since the ACL will forward the HTTP traffic to the internal host?
When the initial packet crosses the ASA from the inside host (192.168.1.5) it goes through a series of security checks (this includes the ACL check, RPF, sequence number, routing, etc.). If the packet passes these security checks it is placed in the state table. When the return traffic enters the ASA, the ASA checks the packet against the state table to see if there is an existing connection for the traffic flow. If there is an entry in the state table, the packet has already passed the security checks and will be forwarded straight to the inside host without doing any further security checks. If there is no entry in the state table, the ASA will do the security checks.
Also, can someone break down the nat command? i.e. I know the "(inside,outside)" refers to the named interfaces but the order also matters right?
Also using the example you provided.
object network WebServer
host 192.168.1.5
nat (inside,outside) static 1.1.1.1 service tcp 80 80
In NAT after 8.3 you have manual NAT, Auto-NAT, and after-auto NAT. This type of NAT is also called Auto-NAT or section 2 NAT (can also be refered to as object NAT). the format of the command is:
nat (real_int,mapped_int) static mapped_IP service tcp real_port mapped_port
I think this is quite self explanatory but if you require further explanation please let me know
When nesting the NAT statement under the object you are implying that the IP or subnet defined within the object is the real IP or the IP that is to be translated to something else. Keep in mind that here you can use both static and dynamic NATs, where Static is bidirectional, meaning that traffic can be sourced from the outside or translated interface and still match the NAT statement. Dynamic NAT is only unidirectional.
when using "source" in the nat command, that is referring to the source IP correct?
Correct. But you do not have an option to select destination when using auto-NAT so as I mentioned earlier, it is implied that the IP / subnet you specify in the object is the source. When using twice NAT you can start specifying destination and it is then possible to translate the destination address as well as having the NAT statement only affect a traffic when heading toward that specific destination.
Why do you not need a nat command in the reverse order "nat (outside,inside)" for the translation?
for static translations, NAT is bidrectional (as I mentioned earlier). It is only in very rare occasions where you have a special requirement that you would need to specify the outside interface as the real_int. I have never actually come across a situation where I needed to define a NAT statement this way. It is always best to define the inside network as the source or real_int and the outside network or network with a lower security level as the mapped_int.
--
Please remember to select a correct answer and rate helpful posts
03-05-2016 09:17 PM
Hello Garland Moore ,
Not sure you checked this document or not but this is a very good compilation of how the nat works post 8.3 , do take a moment to check this out and I am sure it will address most of your queries:-
https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
Taking your example:
object network WebServer
host 192.168.1.5
nat (inside,outside) static 1.1.1.1 service tcp 80 80
This nat command is defined under an object and is static in nature.
That means if anyone from outside tries to reach 1.1.1.1:80 , it is translated to 192.168.1.5:80 and vice verssa. What that means is , hypothetically , if 192.168.1.5 iniated traffic from port 80(usually source port number is random) , it would have been translated to 1.1.1.1:80
does the nat command only apply to the return traffic from the web server since the ACL will forward the HTTP traffic to the internal host?
This nat applies to all the traffic initiated from outside destined to 1.1.1.1:80. You dont need another nat to allow traffic from web-server at 192.168.1.5 to be able to send the traffic back to host on internet.
can someone break down the nat command?
The order of interfaces surely matters if you are using dynamic nat.
If you have static nat , then as long as you have correct IPs defined in nat, any order will work. Ideally, when we define an object, like in your case , we use the syntax (inside,outside) similar to what you defined in nat above.
when using "source" in the nat command, that is referring to the source IP correct?
That is correct.
Why do you not need a nat command in the reverse order "nat (outside,inside)" for the translation?
As stated above, once the traffic traverses over ASA, it creates and translation entry in xlate table which stays there until timeout period expires.
This translation entries confirm that we have mapped 192.168.1.5 to 1.1.1.1 on port 80 thus we don't need the other command.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
03-05-2016 10:49 PM
Dinesh has answered your questions quite well, but I will try to answer them slightly different so that you perhaps get a different point of view.
My question is, does the nat command only apply to the return traffic from the web server since the ACL will forward the HTTP traffic to the internal host?
When the initial packet crosses the ASA from the inside host (192.168.1.5) it goes through a series of security checks (this includes the ACL check, RPF, sequence number, routing, etc.). If the packet passes these security checks it is placed in the state table. When the return traffic enters the ASA, the ASA checks the packet against the state table to see if there is an existing connection for the traffic flow. If there is an entry in the state table, the packet has already passed the security checks and will be forwarded straight to the inside host without doing any further security checks. If there is no entry in the state table, the ASA will do the security checks.
Also, can someone break down the nat command? i.e. I know the "(inside,outside)" refers to the named interfaces but the order also matters right?
Also using the example you provided.
object network WebServer
host 192.168.1.5
nat (inside,outside) static 1.1.1.1 service tcp 80 80
In NAT after 8.3 you have manual NAT, Auto-NAT, and after-auto NAT. This type of NAT is also called Auto-NAT or section 2 NAT (can also be refered to as object NAT). the format of the command is:
nat (real_int,mapped_int) static mapped_IP service tcp real_port mapped_port
I think this is quite self explanatory but if you require further explanation please let me know
When nesting the NAT statement under the object you are implying that the IP or subnet defined within the object is the real IP or the IP that is to be translated to something else. Keep in mind that here you can use both static and dynamic NATs, where Static is bidirectional, meaning that traffic can be sourced from the outside or translated interface and still match the NAT statement. Dynamic NAT is only unidirectional.
when using "source" in the nat command, that is referring to the source IP correct?
Correct. But you do not have an option to select destination when using auto-NAT so as I mentioned earlier, it is implied that the IP / subnet you specify in the object is the source. When using twice NAT you can start specifying destination and it is then possible to translate the destination address as well as having the NAT statement only affect a traffic when heading toward that specific destination.
Why do you not need a nat command in the reverse order "nat (outside,inside)" for the translation?
for static translations, NAT is bidrectional (as I mentioned earlier). It is only in very rare occasions where you have a special requirement that you would need to specify the outside interface as the real_int. I have never actually come across a situation where I needed to define a NAT statement this way. It is always best to define the inside network as the source or real_int and the outside network or network with a lower security level as the mapped_int.
--
Please remember to select a correct answer and rate helpful posts
03-06-2016 09:47 AM
Thank you both dmoudgil and MariusGunnerud for your thorough responses. My question concerning the order of the interfaces comes from some confusion when dealing with pre 8.3 nat statements.
For instances(8.2 nat command):
hostname(config)# static (inside,outside) 209.165.201.12 10.1.1.3 netmask 255.255.255.255
I never understood why you had to list the inside interface first then list the public IP before the internal IP when mapping an inside address to an outside address. Would I be correct to say this has changed in 8.3+?
03-06-2016 11:02 AM
Hi Garland Moore,
You are indeed right, the nomenclature defining
Previously, as you mentioned, syntax was defined as ingress and egress interface, then define public IP first and lastly private IP corresponding to this
This has changed in the post 8.3
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
03-06-2016 02:11 PM
Thank you both for your help and clarification!
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide