09-09-2011 07:54 AM - edited 03-04-2019 01:33 PM
Hi Community,
I have been working on my ACLs, but I'm kind of confused. Below is a response to a member...
***************************************************
I am having trouble understanding ACLs; I have read it over and over. I will reply to each statement and see if I am correct. Definitely correct me if I am wrong. I am sorry.....
The inside_outbound_nat0_acl is attached to:
nat (inside) 0 access-list inside_outbound_nat0_acl
The above means that using the above command will not allow NAT to its own inside address.
This statement must be executed after every NATed WAN address?
So I cannot NAT to the inside interface, which is not "legit" anyways. NATing should be done to the outside interface?
So the above statement is just added protection?
I assume the "real" way to NAT would be to use a command: nat (outside) 0 access-list inside_outbound_nat0_acl ?
The nat statement needs to match a global with the (inside) number command. For example:
global (outside) 1 200.200.200.200 255.255.255.255
nat (inside) 1 192.168.1.50
nat (inside) 0 access-list inside_outbound_nat0_acl
Say I want to NAT this scenario: WAN address 200.200.200.201 to LAN address 192.168.1.51
So my first command to execute would be: global (outside) 2 200.200.200.201 255.255.255.255
Next command: nat (inside) 2 192.168.1.51
Last command: nat (inside) 0 access-list inside_outbound_nat0_acl
Another example: I want to NAT: WAN Address 200.200.200.202 to LAN address 192.168.1.52
global (outside) 2 200.200.200.202 255.255.255.255
nat (inside) 2 192.168.1.52
nat (inside) 0 access-list inside_outbound_nat0_acl
This basically means that I defined my WAN address (global) and then defined my LAN address (inside), then I made sure that it could not NAT to its own inside address.
Your access-list hosts are "xxxx" out, so you'll have to make that call, but from what I can see it says that you don't want any of the hosts to nat when going to any destination. Since I don't know how you're laid out, I can't make a reasonable assumption as to why you'd want to do this.
access-list inside_outbound_nat0_acl permit ip host "exchange-server" any
I know that the above server should be able to NAT. I don't know why it's listed then. All the functional NATed servers are included in the access-list inside_outbound_nat0_acl.
My nat statements look something like the following:
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
The above looks like you are defining your outside assigned interface of your firewall. Then you want to define your LAN subnet of 192.168.1.0. Then you want to define your DMZ subnet of 10.10.10.0. Then you want to define your access list called "nonat". Then lastly you are stating that you do not want to allow NATing to your LAN subnet or your DMZ subnet?
Basically, I don't want to nat when going from 192.168.1.0 to my dmz, but I do want to nat going to anything else.
I do not understand "but I do want to nat going to anything else" So basically you want to prevent NATing from your LAN to DMZ but what does "anything else" mean?
(I'm trying to get the hang of it. Sorry for being such a novice.)
09-09-2011 01:34 PM
John,
That's what we're here for
The inside_outbound_nat0_acl is attached to:
nat (inside) 0 access-list inside_outbound_nat0_acl
So any ACL that includes "inside_outbound_nat0_acl" will not show my outside interface. So if I have a server on my inside and I include "inside_outbound_nat0_acl" in an ACL, then this server will not Nat using the outside interface address (200.200.200.200). So that server will not be able to get outside? What would happen?
So the above command covers the access-list which restricts an internal server from showing a Nated address of my outside interface?
Any entry in the inside_outbound_nat0_acl will bypass nat, but only those that are specified. For example, if you had:
access-list inside_outbound_nat0_acl permit ip any host internal-webserver
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0
That means ANY host that's coming in on the inside interface going to your webserver will not be natted, but any host going to cisco.com will be natted.
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
The above statement first creates an ACL that "bans" NATing between the 192.168.2.0 and the 192.168.1.0 b/c obviously you don't need to NAT between internal interfaces like a DMZ and internal interfaces. It is just not needed unless you have to go out to the internet.
Correct
Now is where I have to define the nating for my internal interface b/c if the internal subnet wants to leave the firewall, then they need a nated address:
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
The above means that the entire 192.168.1.0 subnet on the inside will get nated and will appear to have address 200.200.200.200. But if I create an ACL including "inside_outbound_nat0_acl" then it will not get nated using the address 200.200.200.200
Not quite. It depends on the destination of the 192.168.1.x host. If they're going somewhere that's not natted, say cisco.com, it's going to be natted because you'll not have an entry in your acl to deny that. If you want to deny it, your acl would be something like "deny ip 192.168.1.0 255.255.255.0 host cisco.com" and then it wouldn't be natted.
I assume that I have to use "inside_outbound_nat0_acl" if I want to nat a specific internal address to a specific outside address?
Actually, you'd create another global/nat pair:
global (outside) 2 200.200.200.201
nat (inside) 2 192.168.1.50
If you were to go to the internet to whatismyip.com from the 192.168.1.50 host, you'd show as 200.200.200.201.
Understanding 1 - using the above I have stated the inside and outside nating. Also I stated the name of my "no-nat": "inside_outbound_nat0_acl" It is not being used until I include it with an ACL.
Correct - you don't need a nat 0 rule unless you absolutely need one.
Understanding 2 - When I want to specifically nat a particular inside IP to a particular outside IP, I would need to include the name of my "no-nat" using the access-list command (which is called an ACL?)
Possible something like the below command:
global (outside) 1 200.200.200.202 255.255.255.255
nat (inside) 1 192.168.1.52
access-list inside_outside_nat0_acl permit ip 192.168.1.52 255.255 any (does it need "any" on the end)
access-list inside_outside_nat0_acl permit tcp any 200.200.200.202 eq 80 (do I need this extra access-list stated?)
static (inside,outside) 200.200.200.202 192.168.1.52 netmask 255.255.255.255 0 0
Do I need to issue all the above (if correct) every time I want to NAT a specific internal to a specific external?
If you want to nat the address, you don't need an acl attached to nat 0; remember, it bypasses nat.
To do what you described would be like:
global (outside) 1 200.200.200.202
nat (inside) 1 192.168.1.52
The above is for outbound only traffic...for inbound you'd use statics and an acl on the outside interface:
static (inside, outside) 200.200.200.202 192.168.1.52 netmask 255.255.255.255
access-list outside permit tcp any host 200.200.200.202 eq 80
access-group outside in interface outside
Remember the only time that you'd use nat 0 is if you want to bypass NAT. You always NAT if the other end doesn't know anything about your inside subnets. The provider knows about your 200.200.200.0/24 subnet, but they don't know about your internal subnets, so you'd NAT outbound. Inbound NAT is so you can translate from the public to the private, but the global and nat statements are for outgoing traffic (in the most normal usages). There are times when you may have to use them in VPN scenarios or for other reasons, but for now just know that they're outbound most of the time. The static command allows you to map a host from the inside out as a public address, but you don't do anything with the nat 0 for that to work.
HTH,
John
09-09-2011 09:02 AM
The inside_outbound_nat0_acl is attached to:
nat (inside) 0 access-list inside_outbound_nat0_acl
The above means that using the above command will not allow NAT to its own inside address.
This statement must be executed after every NATed WAN address?
So I cannot NAT to the inside interface, which is not "legit" anyways. NATing should be done to the outside interface?
So the above statement is just added protection?
I assume the "real" way to NAT would be to use a command: nat (outside) 0 access-list inside_outbound_nat0_acl ?
* It means that anything that's behind the inside interface on your network doesn't nat if the source/destination address matches what's in the acl. *
* You only need 1 "0" entry for the whole firewall. It bypasses natting altogether.
* In certain scenarios, you may have to NAT to an inside address, but that's generally in a VPN based scenario. I have sites that use my ASA as a vpn endpoint. In my ASA, I have another tunnel to a vendor that requires me to nat to them. In order to nat all of my networks, I also need to nat what's coming in on my outside interface back through.*
* It's not for 'protection', but it's a necessity if your firewall knows of the networks that you're going to.*
* The real way to nat would be to use a nat and global paired on the same number:
global (outside) 2 200.200.200.200
nat (inside) 2 192.168.1.0 255.255.255.0
The above nats any 192.168.1.0/24 out as 200.200.200.200
The nat statement needs to match a global with the (inside) number command. For example:
global (outside) 1 200.200.200.200 255.255.255.255
nat (inside) 1 192.168.1.50
nat (inside) 0 access-list inside_outbound_nat0_acl
Say I want to NAT this scenario: WAN address 200.200.200.201 to LAN address 192.168.1.51
So my first command to execute would be: global (outside) 2 200.200.200.201 255.255.255.255
Next command: nat (inside) 2 192.168.1.51
Last command: nat (inside) 0 access-list inside_outbound_nat0_acl
Another example: I want to NAT: WAN Address 200.200.200.202 to LAN address 192.168.1.52
global (outside) 2 200.200.200.202 255.255.255.255
nat (inside) 2 192.168.1.52
nat (inside) 0 access-list inside_outbound_nat0_acl
This basically means that I defined my WAN address (global) and then defined my LAN address (inside), then I made sure that it could not NAT to its own inside address.
NAT 0 doesn't NAT anything...it bypasses NAT for networks that you don't want to NAT. Look at it this way. If you have an inside network of 192.168.2.0/24 and you have a DMZ network of 192.168.1.0/24, your firewall knows how to get to both of those networks because, usually, they terminate directly on the firewall, so they're seen as locally connected. You don't need NAT in this scenario for traffic going in either direction. If you have a webserver in the DMZ on 192.168.1.50, then your nat 0 access list would look like:
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
The REST of the 192.168.2.0 network going to anything other than 192.168.1.0 gets natted with the following:
nat (inside) 1 192.168.2.0 255.255.255.0
global (outside) 1 200.200.200.200
My nat statements look something like the following:
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
The above looks like you are defining your outside assigned interface of your firewall. Then you want to define your LAN subnet of 192.168.1.0. Then you want to define your DMZ subnet of 10.10.10.0. Then you want to define your access list called "nonat". Then lastly you are stating that you do not want to allow NATing to your LAN subnet or your DMZ subnet?
Correct!
Basically, I don't want to nat when going from 192.168.1.0 to my dmz, but I do want to nat going to anything else.
I do not understand "but I do want to nat going to anything else" So basically you want to prevent NATing from your LAN to DMZ but what does "anything else" mean?
Anything that doesn't match what's in the ACL.
HTH!
John
09-09-2011 01:12 PM
ahhhh
Thanks John for the expert clarification!!
I think I am getting it now; I was just having a hard time understanding the principle of NATing, which I think I've got now.
Let me just clarify to make sure that I fully get it. And thanks for teaching me this!
The inside_outbound_nat0_acl is attached to:
nat (inside) 0 access-list inside_outbound_nat0_acl
So any ACL that includes "inside_outbound_nat0_acl" will not show my outside interface. So if I have a server on my inside and I include "inside_outbound_nat0_acl" in an ACL, then this server will not Nat using the outside interface address (200.200.200.200). So that server will not be able to get outside? What would happen?
So the above command covers the access-list which restricts an internal server from showing a Nated address of my outside interface?
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 0 access-list nonat
The above statement first creates an ACL that "bans" NATing between the 192.168.2.0 and the 192.168.1.0 b/c obviously you don't need to NAT between internal interfaces like a DMZ and internal interfaces. It is just not needed unless you have to go out to the internet.
Now is where I have to define the nating for my internal interface b/c if the internal subnet wants to leave the firewall, then they need a nated address:
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
The above means that the entire 192.168.1.0 subnet on the inside will get nated and will appear to have address 200.200.200.200. But if I create an ACL including "inside_outbound_nat0_acl" then it will not get nated using the address 200.200.200.200
I assume that I have to use "inside_outbound_nat0_acl" if I want to nat a specific internal address to a specific outside address?
Understanding 1 - using the above I have stated the inside and outside nating. Also I stated the name of my "no-nat": "inside_outbound_nat0_acl" It is not being used until I include it with an ACL.
Understanding 2 - When I want to specifically nat a particular inside IP to a particular outside IP, I would need to include the name of my "no-nat" using the access-list command (which is called an ACL?)
Possible something like the below command:
global (outside) 1 200.200.200.202 255.255.255.255
nat (inside) 1 192.168.1.52
access-list inside_outside_nat0_acl permit ip 192.168.1.52 255.255 any (does it need "any" on the end)
access-list inside_outside_nat0_acl permit tcp any 200.200.200.202 eq 80 (do I need this extra access-list stated?)
static (inside,outside) 200.200.200.202 192.168.1.52 netmask 255.255.255.255 0 0
Do I need to issue all the above (if correct) every time I want to NAT a specific internal to a specific external?
Thanks a million for your patience with me!!
09-12-2011 10:05 AM
Hi John,
I'm back at it.
Awesome stuff, I am still trying to digest your responses. I am slowly getting things, I just want to make sure that I fully understand and you are making a huge difference!!
access-list inside_outbound_nat0_acl permit ip any host internal-webserver
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.1.0 255.255.255.0
I understand that the internal-webserver is not part of the "global" nating of the entire inside subnet.
The next line states that anything on the inside subnet that goes to a server listed in an ACL will not get NATed, b/c why NAT if you are just staying internal. I assume this line only has to be executed once?
The last line states that the inside subnet is 192.168.1.0. I assume this line only has to be executed once too?
global (outside) 1 200.200.200.202
nat (inside) 1 192.168.1.52
OK, so the above is for outbound traffic, so if I went to cisco.com from the 192.168.1.52 server, I would have the address 200.200.200.202.
Why can't I just use this command instead?
static (inside, outside) 200.200.200.202 192.168.1.52 netmask 255.255.255.255
Then say you, at your home, want to access my webserver on port 80. I would need to execute the below commands:
access-list outside permit tcp any host 200.200.200.202 eq 80
access-group outside in interface outside
The first line makes 200.200.200.202 part of the access-list (outside) which allows port 80 inbound traffic.
Then the third line I am not sure about.
So, an understanding of where we are....
1. Nat needs to be defined on the interface subnet, so every computer getting out will appear with a WAN address.
2. Nat then should be disabled for internal traffic between inside interfaces such as a dmz and inside subnets.
3. This completes the traffic from inside leaving the firewall. Nating of internal-external or no Nating of internal-internal.
4. I then need to define a name for my access list: nat (inside) 0 access-list nonat
5. I then need to define my global (outside) 33 200.200.200.202 (I used number 33 to define)
6. I then need to define my nat (inside) 33 192.168.1.52 (I match up number 33 so the router knows it pairs with the above address)
I now have an internal address of 192.168.1.52 assigned the IP address 200.200.200.202. So when traffic leaves server 192.168.1.52, it is NATed with IP address 200.200.200.202.
I now have to start working on traffic coming into the router using 200.200.200.202. Some rules need to be applied to traffic entering using 200.200.200.202
7. I will need to create a rule using: access-list outside permit tcp any host 200.200.200.202 eq 80
8. I then need to use command: access-group outside in interface outside ( I am not sure why)
What do you think? Am I getting somewhere?
Thanks
John
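Added example (not part of this thread and not Cisco's code): a small Python model of the pre-8.3 ASA/PIX translation order that John's accepted answer and the eight-step summary above both describe. It parses the exact commands quoted in the thread (the `nonat` exemption, the `nat`/`global` pairs, the `static` for 192.168.1.52, and the `outside` ACL with its `access-group`) and answers the two questions the thread keeps circling: "what source address does this inside host show when it leaves?" and "what does `access-group ... in interface outside` actually do for inbound traffic?". Assumptions, labelled in the code: the order is simplified to nat 0 exemption, then static, then the best-matching (most specific) nat/global pair; the destination interface is always outside; the outside interface address is passed in as a parameter; hostnames such as cisco.com are not resolved, so the internet hosts 198.51.100.7 and 203.0.113.9 are constructed documentation addresses.

```python
import ipaddress
import re

# Constructed from the commands quoted in this thread (pre-8.3 ASA/PIX syntax);
# this is a model, not a real device configuration.
CONFIG = """
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat
access-list nonat permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
global (outside) 2 200.200.200.201
nat (inside) 2 192.168.1.50
static (inside,outside) 200.200.200.202 192.168.1.52 netmask 255.255.255.255
access-list outside permit tcp any host 200.200.200.202 eq 80
access-group outside in interface outside
"""


def _take_addr(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A MASK'. Returns (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def _take_port(tokens):
    """Consume an optional 'eq PORT' that may follow an address spec."""
    if tokens and tokens[0] == "eq":
        return int(tokens[1]), tokens[2:]
    return None, tokens


def parse_config(text):
    """Collect the NAT-related commands into a small dictionary."""
    cfg = {"acl": {}, "nat0": {}, "nat": [], "global": {}, "static": [], "group": {}}
    for raw in text.splitlines():
        line = raw.strip().replace("nat(", "nat (")  # the thread writes both spellings
        if not line or line.startswith("!"):
            continue
        m = re.match(r"(\w+)\s*\(([^)]*)\)\s*(.*)", line)  # commands carrying (ifc) or (ifc,ifc)
        if m:
            cmd, rest = m.group(1).lower(), m.group(3).split()
            ifcs = m.group(2).replace(" ", "").split(",")
        else:
            cmd, ifcs, rest = line.split()[0].lower(), [], line.split()[1:]
        if cmd == "access-list":        # access-list NAME permit|deny PROTO SRC [eq P] DST [eq P]
            name, action, proto = rest[0], rest[1], rest[2]
            src, rest = _take_addr(rest[3:])
            _, rest = _take_port(rest)   # source port is not modelled
            dst, rest = _take_addr(rest)
            dport, _ = _take_port(rest)
            cfg["acl"].setdefault(name, []).append((action, proto, src, dst, dport))
        elif cmd == "access-group":     # access-group NAME in interface IFC
            cfg["group"][rest[3]] = rest[0]
        elif cmd == "global":           # global (outside) ID ADDR|interface [MASK]
            cfg["global"][int(rest[0])] = rest[1]
        elif cmd == "nat" and rest[0] == "0" and rest[1] == "access-list":
            cfg["nat0"][ifcs[0]] = rest[2]   # the NAT exemption list for this interface
        elif cmd == "nat":              # nat (ifc) ID ADDR [MASK]
            real, _ = _take_addr(rest[1:] if len(rest) > 2 else ["host", rest[1]])
            cfg["nat"].append((ifcs[0], int(rest[0]), real))
        elif cmd == "static":           # static (local,global) GLOBAL_ADDR LOCAL_ADDR netmask ...
            cfg["static"].append((ifcs[0], ifcs[1], rest[0], rest[1]))
    return cfg


def _acl_lookup(cfg, name, src, dst, proto="ip", dport=None):
    """First-match evaluation with the implicit deny at the end, as on the ASA."""
    for action, aproto, asrc, adst, aport in cfg["acl"].get(name, []):
        if aproto != "ip" and aproto != proto:
            continue
        if src in asrc and dst in adst and (aport is None or aport == dport):
            return action == "permit"
    return False


def outbound_source(cfg, ifc, src, dst, outside_ip):
    """Translated source for a packet entering on `ifc` and leaving via outside.
    Assumed (simplified) order: nat 0 exemption, then static, then the nat/global
    pair whose real network is the most specific match."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    nat0 = cfg["nat0"].get(ifc)
    if nat0 and _acl_lookup(cfg, nat0, src, dst):
        return str(src), f"nat 0 exemption via {nat0}"
    for local_ifc, _, gaddr, laddr in cfg["static"]:
        if local_ifc == ifc and src == ipaddress.ip_address(laddr):
            return gaddr, "static"
    best = None
    for nat_ifc, nat_id, real in cfg["nat"]:
        if nat_ifc == ifc and src in real and (best is None or real.prefixlen > best[1].prefixlen):
            best = (nat_id, real)
    if best is None:
        return None, "no nat statement matches"
    gaddr = cfg["global"].get(best[0])
    if gaddr is None:
        return None, f"nat id {best[0]} has no matching global"
    return (outside_ip if gaddr == "interface" else gaddr), f"nat/global id {best[0]}"


def inbound_check(cfg, ifc, src, dst, proto, dport):
    """Packet arriving on the outside interface. Pre-8.3 the interface ACL is matched
    against the mapped (public) destination; the static then un-translates it."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    group = cfg["group"].get(ifc)
    if group is None:
        return None, "no access-group on outside: lower-to-higher traffic denied by default"
    if not _acl_lookup(cfg, group, src, dst, proto, dport):
        return None, f"denied by access-group {group}"
    for _, global_ifc, gaddr, laddr in cfg["static"]:
        if global_ifc == ifc and ipaddress.ip_address(gaddr) == dst:
            return laddr, f"permitted by {group}; static untranslate"
    return None, "no static for destination"


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    for ifc, s, d in [("inside", "192.168.1.10", "10.10.10.5"), ("inside", "192.168.1.10", "198.51.100.7"),
                      ("inside", "192.168.1.50", "198.51.100.7"), ("inside", "192.168.1.52", "198.51.100.7")]:
        print(f"{ifc} {s} -> {d}: {outbound_source(cfg, ifc, s, d, '200.200.200.200')}")
    print(inbound_check(cfg, "outside", "203.0.113.9", "200.200.200.202", "tcp", 80))
    print(inbound_check(cfg, "outside", "203.0.113.9", "200.200.200.202", "tcp", 443))
```

Running it reproduces the points made in the thread: 192.168.1.10 reaching the DMZ keeps its own address because the `nonat` exemption is consulted first (even 192.168.1.52, which has a static, is exempted on that path); the same host going to the internet shows the outside interface address; 192.168.1.50 shows 200.200.200.201 because its /32 `nat` entry is more specific than the /24 one, regardless of command order; 192.168.1.52 shows 200.200.200.202 through the `static` alone, so the extra `nat`/`global` pair 33 from step 5 and 6 is not needed once the static exists; and for inbound traffic the `access-group` line is what applies the `outside` ACL to the interface, which is why port 80 reaches 192.168.1.52 and port 443 is dropped by the implicit deny.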