Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
16696
Views
15
Helpful
1
Comments

Let's Briefly Talk About What NAT-Control Is?

cisco_admin1
Level 3
Level 3

‎10-17-2013 08:54 AM - edited ‎03-10-2019 01:18 PM

Hello Folks,

As the name implies, today's topic will be ASA's NAT-Control!

Nat-Control is the feature on the ASA's that basically states the following:

  • In order for a device to go from a higher security level to a lower security level a NAT translation must be in place for the inside user IP address.
  • Interfaces with the same-security level do not require a NAT translation for traffic to traverse the ASA.
  • If you decide to implement Dynamic Outside NAT or Outside PAT then a Nat statement must exists for the traffic to be allowed trough the ASA.
  • And finally for Static NAT there is no such restriction or requirement

NAT-Control and ASA versions?

  • With any version lower than 6.3 NAT-control is a requirement.
  • 7.0(1) and higher: NAT-control is disable by default but you could enable it if required.
  • 8.3 and higher: NAT-control is disabled by default and cannot be configured.

But let's use a lab to demonstrate how this works:NAT-Control

Basics of the Lab:

  1. We have 3 interfaces (ASA always has IP address of .1 and routers of .2)
  2. NAT-Control is disabled(by default as we are running 8.0
  3. Default-gateway of the routers is the ASA IP address.

1st Lab: Nat-Control Disabled

  • Configure the network in such a way that the internal subnet can reach the outside world.
  • Configure the network in such a way that the DMZ network can access the Inside network.

ASA configurationLet's verify if Nat-Control is enabled or not:Jcarvaja(config)# sh run nat-control
no nat-controlAs we said before disabled by default with any version lower than 7.0 (We are running 8.0)Configure the NAT for the inside users while accessing the outside world but first let's run a packet-tracer without any NAT configured and check if the packet will be allowed:

Jcarvaja(config)# packet-tracer input inside tcp 192.168.10.15 1025 4.2.2.2 80Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access listPhase: 2
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flowPhase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OutsidePhase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 0, packet dispatched to next moduleResult:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

The result is Allowed without any NAT (That's what no nat-control does).

But as we need the internal subnet to access outside resources they must use a Public IP address right? so let's use PAT for that (at the end that's the whole purpose of NAT).


nat (Inside) 1 0.0.0.0 0.0.0.0
global (Outside) 1 interface

Let's do the packet-tracer and compare the outputs:


Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flowPhase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OutsidePhase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside) 1 0.0.0.0 0.0.0.0
match ip Inside any Outside any
dynamic translation to pool 1 (20.20.20.1 [Interface PAT])
translate_hits = 1, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.10.15/1025 to 20.20.20.1/17225 using netmask 255.255.255.255Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (Inside) 1 0.0.0.0 0.0.0.0
match ip Inside any Outside any
dynamic translation to pool 1 (20.20.20.1 [Interface PAT])
translate_hits = 1, untranslate_hits = 0
Additional Information:Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1, packet dispatched to next modulePhase: 8
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 20.20.20.2 using egress ifc Outside
adjacency Active
next-hop mac address c201.0d50.0000 hits 0Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

We can see on phase 4 that NAT is taking place, sweet.

Now, let's move to the final configuration task for this 1st lab.


  • Configure the network in such a way that the DMZ network can access the Inside network.

As we do not have NAT-control enabled there is no issue at all if we do not configure a NAT for the DMZ users right? let's do a packet-tracer and see what happens (This time from DMZ to Inside).

Of course as we are going from a lower to a higher security level an ACL has been configured to allow this traffic.


access-list DMZ_IN permit tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-group DMZ_IN in interface dmz

Jcarvaja(config)# packet-tracer input dmz tcp 192.168.20.2 1025 192.168.10.2 $Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flowPhase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.10.0 255.255.255.0 InsidePhase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_IN in interface DMZ
access-list DMZ_IN extended permit tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
Additional Information:Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
nat (Inside) 1 0.0.0.0 0.0.0.0
match ip Inside any DMZ any
dynamic translation to pool 1 (No matching global)
translate_hits = 0, untranslate_hits = 0
Additional Information:Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

DO NOT get confused by the drop reason "ACL", this is not the cause of the issue.So, why is the traffic failing?

I mean we do not need a NAT statement right?

That is correct, you do not need it but the problem is with the returning traffic (IN-DMZ), not with the outgoing traffic (DMZ-IN).


Cause of the Failure:


When we are going from the DMZ to the Inside our packets do not get translated, they just go through but the returning traffic will come from the inside host, reach the ASA and will match a nat statement that we configured previously (nat (inside) 1 0 0).

The traffic will match that NAT and the ASA will know it needs to send it to the DMZ interface ,afterwards will look for the Global command for the DMZ interface and because there is none the packet will be dropped.

Let's fix it:

static (inside,dmz) 192.168.10.0 192.168.10.0

Why using a Static NAT and not setting a global (DMZ) NAT statement?

Because the traffic that the ASA receives must match while going in and going out.I mean if the traffic is received on the DMZ interface going to x.x.x.x.

The reply being send to the DMZ host from the Inside host should come as well from x.x.x.x

As simple as that.With that Static NAT (Also known as Identity NAT) we configure a NAT statement so the check for the Global DMZ overrides and we also make sure the IP address is maintained while going through the ASA.

Jcarvaja(config)# packet-tracer input dmz tcp 192.168.20.2 1025 192.168.10.2 80Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flowPhase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Inside,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
match ip Inside 192.168.10.0 255.255.255.0 DMZ any
static translation to 192.168.10.0
translate_hits = 0, untranslate_hits = 1
Additional Information:
NAT divert to egress interface Inside
Untranslate 192.168.10.0/0 to 192.168.10.0/0 using netmask 255.255.255.0Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_IN in interface DMZ
access-list DMZ_IN extended permit tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
Additional Information:Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:Phase: 5
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (Inside,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
match ip Inside 192.168.10.0 255.255.255.0 DMZ any
static translation to 192.168.10.0
translate_hits = 0, untranslate_hits = 1
Additional Information:Phase: 6
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Inside,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
match ip Inside 192.168.10.0 255.255.255.0 DMZ any
static translation to 192.168.10.0
translate_hits = 0, untranslate_hits = 1
Additional Information:Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 6, packet dispatched to next moduleResult:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: allow

2st Lab: Nat-Control Enabled

  • Configure the network in such a way that the internal subnet can reach the outside world.
  • Configure the network in such a way that the DMZ network can access the Inside network.

Let's start by enabling NAT-control so we can use it (disabled by default on this version)

Jcarvaja(config)# nat-control
Jcarvaja(config)#sh run nat-control

nat-control

First task:

Configure the NAT for the inside users while accessing the outside world but first let's run a packet-tracer without any NAT configured and check if the packet will be allowed:That's it, Let's do the same test than before (Packet-tracer without any NAT).

Jcarvaja(config)# packet-tracer input inside tcp 192.168.10.2 1025 4.2.2.2 80Phase: 1

Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flowPhase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 OutsidePhase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:Phase: 4
Type: NAT
Subtype:
Result: DROP
Config:
nat (Inside) 0 0.0.0.0 0.0.0.0
nat-control
match ip Inside any Outside any
no translation group, implicit deny
policy_hits = 1
Additional Information:Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured ruleJcarvaja(config)# sh run nat
Jcarvaja(config)#Check that out, even though there is no NAT the ASA is showing a NAT (inside) 1 0 0 which basically means you need a global nat.This is what we talked before about NAT-Control:

  • In order for a device to go from a higher security level to a lower security level a NAT translation must be in place for the inside user IP address.

So let's configure NAT to make this happens:

nat (inside) 1 0 0

global (outside) 1 interface

Jcarvaja(config)# packet-tracer input inside tcp 192.168.10.2 1025 4.2.2.2 $

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: DROP
Config:
nat (Inside) 0 0.0.0.0 0.0.0.0
nat-control
match ip Inside any Outside any
no translation group, implicit deny
policy_hits = 2
Additional Information:

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Jcarvaja(config)# nat (ins
Jcarvaja(config)# nat (inside) 1 0 0
Jcarvaja(config)# packet-tracer input inside tcp 192.168.10.2 1025 4.2.2.2 $

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 Outside

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip Inside any Outside any
dynamic translation to pool 1 (20.20.20.1 [Interface PAT])
translate_hits = 1, untranslate_hits = 0
Additional Information:
Dynamic translate 192.168.10.2/1025 to 20.20.20.1/20646 using netmask 255.255.255.255

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (Inside) 1 0.0.0.0 0.0.0.0
nat-control
match ip Inside any Outside any
dynamic translation to pool 1 (20.20.20.1 [Interface PAT])
translate_hits = 1, untranslate_hits = 0
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 9, packet dispatched to next module

Phase: 8
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 20.20.20.2 using egress ifc Outside
adjacency Active
next-hop mac address c201.0d50.0000 hits 1

Result:
input-interface: Inside
input-status: up
input-line-status: up
output-interface: Outside
output-status: up
output-line-status: up
Action: allow

That's it.

Now, regarding the second task (going from DMZ to Inside) we are going to need a static NAT command as well (same than previous lab)

carvaja(config)# static (inside,dmz) 192.168.10.0 192.168.10.0


Jcarvaja(config)# packet-tracer input dmz tcp 192.168.20.2 1025 192.168.10.2 $

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (Inside,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
nat-control
match ip Inside 192.168.10.0 255.255.255.0 DMZ any
static translation to 192.168.10.0
translate_hits = 0, untranslate_hits = 1
Additional Information:
NAT divert to egress interface Inside
Untranslate 192.168.10.0/0 to 192.168.10.0/0 using netmask 255.255.255.0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_IN in interface DMZ
access-list DMZ_IN extended permit tcp 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (DMZ) 0 0.0.0.0 0.0.0.0
nat-control
match ip DMZ any Outside any
no translation group, implicit deny
policy_hits = 0
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (Inside,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
nat-control
match ip Inside 192.168.10.0 255.255.255.0 DMZ any
static translation to 192.168.10.0
translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (Inside,DMZ) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
nat-control
match ip Inside 192.168.10.0 255.255.255.0 DMZ any
static translation to 192.168.10.0
translate_hits = 0, untranslate_hits = 1
Additional Information:

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 10, packet dispatched to next module

Phase: 10
Type: ROUTE-LOOKUP
Subtype: output and adjacency
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.10.2 using egress ifc Inside
adjacency Active
next-hop mac address c200.0d50.0000 hits 0

Result:
input-interface: DMZ
input-status: up
input-line-status: up
output-interface: Inside
output-status: up
output-line-status: up
Action: allow

That's it.

I hope you enjoyed this tutorial, any questions shoot me an email.

Regards,

Jcarvaja

For more networking posts follow me on http://laguiadelnetworking.com

Labels:
Comments
djmaturanos
Level 1
Level 1
‎07-08-2015 10:12 PM

What happen with the traffic that goes from dmz to outside?

 

Regards.

 

David.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents