Why to use Identity NAT for VPNs in ASA 8.3 and above?

Question: Why do we use Identity NAT for VPN traffic if NAT isn’t a mandatory requirement in ASA 8.3 and above?

Answer: If your VPNs are terminated on the outside interface and a Dynamic PAT is configured on that interface, then all traffic flowing in the direction of the Dynamic PAT (e.g. inside to outside) will be matched against it and translated according to the Dynamic PAT rule. This is why you have to define Identity NATs: they differentiate the VPN traffic from normal traffic and are matched before the Dynamic PAT.

So, to sum it up:

1. If you have a Dynamic PAT or any other form of NAT that shadows your VPN traffic, then you need to define the Identity NAT statements and make sure they sit at the top of the Unified NAT table.

2. If you have a Dynamic PAT or any other form of NAT that does not shadow your VPN traffic at all, then you need not define any NAT statements.

The direction of the NAT is important.


Identity NAT (ASA 8.3/8.4)

In 8.2 and below we used NAT exemption (nat 0) to exempt traffic from being translated when going through the VPN and in other such scenarios. In 8.3 and above there is no such term as ‘NAT exemption’; the term used instead is Identity NAT.

Identity NAT with source and destination specified (Policy Based NAT):

This works like a policy NAT, but instead of defining an access-list and then referencing that ACL in a nat statement, you define both in a single command. The source is translated to itself only if it is destined for the specified destination. If it is destined for any other destination, this translation rule is not used and the lookup drops down to the next nat statement in the NAT table, and so on.

1. Create the network objects

ASA1(config)# object network internal_network
ASA1(config-network-object)#  subnet 172.16.1.0 255.255.255.0
ASA1(config-network-object)# object network remote_network
ASA1(config-network-object)#  subnet 192.168.1.0 255.255.255.0

2. Create the Identity NAT rule

ASA1(config)# nat (dmz,outside) source static internal_network internal_network destination static remote_network remote_network no-proxy-arp route-lookup

no-proxy-arp and route-lookup are optional elements of this statement, but you want to use them in your Identity NAT statements!
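To make the rule-order point from the summary above and this Identity NAT concrete, here is a small added model of the Unified NAT table (not code from the original post or from Cisco). It uses the post's networks, walks the table top-down with first match wins, and includes a constructed shadowing check; the rule model and the PAT address 2.2.2.2 are assumptions for illustration.

```python
# Added illustration: a simplified model of ASA NAT table evaluation.
# Shows that an Identity NAT for VPN traffic placed below a Dynamic PAT
# that covers the same source is shadowed and never matches.
from ipaddress import ip_address, ip_network


class NatRule:
    def __init__(self, name, src, dst, action):
        self.name = name
        self.src = ip_network(src)
        self.dst = ip_network(dst)   # "0.0.0.0/0" models destination "any"
        self.action = action         # "identity" or "pat"

    def matches(self, src_ip, dst_ip):
        return ip_address(src_ip) in self.src and ip_address(dst_ip) in self.dst


def translate(table, src_ip, dst_ip, pat_ip="2.2.2.2"):
    """Walk the table top-down; the first matching rule wins (as on the ASA).
    Returns (rule name, translated source). No match = untranslated."""
    for rule in table:
        if rule.matches(src_ip, dst_ip):
            if rule.action == "identity":
                return rule.name, src_ip      # translated to itself
            return rule.name, pat_ip          # Dynamic PAT to the outside IP
    return "no-nat", src_ip                   # implicit: no translation


def shadowed_rules(table):
    """Names of rules that can never match because an earlier rule
    already covers their whole source and destination scope."""
    shadowed = []
    for i, later in enumerate(table):
        for earlier in table[:i]:
            if later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst):
                shadowed.append(later.name)
                break
    return shadowed


# Rules built from the post's networks (constructed example data).
identity_vpn = NatRule("identity-vpn", "172.16.1.0/24", "192.168.1.0/24", "identity")
dynamic_pat = NatRule("dynamic-pat", "172.16.1.0/24", "0.0.0.0/0", "pat")

GOOD_TABLE = [identity_vpn, dynamic_pat]   # Identity NAT on top: VPN traffic kept
BAD_TABLE = [dynamic_pat, identity_vpn]    # Identity NAT below the PAT: shadowed

if __name__ == "__main__":
    print(translate(GOOD_TABLE, "172.16.1.10", "192.168.1.20"))  # identity-vpn
    print(translate(BAD_TABLE, "172.16.1.10", "192.168.1.20"))   # dynamic-pat
    print(shadowed_rules(BAD_TABLE))                              # ['identity-vpn']
```

Running shadowed_rules() against a table before applying it is the kind of sanity check that catches a misordered Identity NAT before the tunnel traffic silently gets PATed.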


Static PAT a.k.a Port Forwarding (ASA 8.3/8.4)

Configuring Static PAT as a Network Object NAT/Auto NAT:

1. Create a Network Object
2. Define the Real IP/Private IP
3. Create a Static PAT/Port Forwarding rule inside the network object itself.

ASA(config)# object network websrv 
ASA(config-network-object)# host 10.1.1.3
ASA(config-network-object)# nat (dmz,outside) static 2.2.2.3 service tcp 8080 www

8080 is the real port and www is the mapped port.

Verification

ciscoasa# show nat
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static websrv 2.2.2.3 service tcp 8080 www
translate_hits = 0, untranslate_hits = 3

Configuring Static PAT as a Twice NAT/Manual NAT:

1. Create the required network objects that need to be referenced in the Twice NAT/Manual NAT syntax (real IP, mapped IP and services).

Static NAT (ASA 8.3/8.4)

Configuring Static NAT as a Network Object NAT/Auto NAT:

1. Create a Network Object

2. Define the Real IP

3. Create a Static NAT inside the ‘network object’ itself

ASA(config)# object network websrv_realip
ASA(config-network-object)# host 10.1.1.3
ASA(config-network-object)# nat (dmz,outside) static 2.2.2.3

— You can either use the network object name or the real IP in your access lists.

— You can only define one host per network object.

Configuring Static NAT as a Twice NAT/Manual NAT:

1. Create the required network objects that need to be referenced in the Twice NAT/Manual NAT syntax.

2. Create the Static NAT in ‘global configuration mode’, referencing those network objects wherever required.

Understanding NAT and NAT Rule Order (ASA 8.3/8.4)

First of all, there is no such thing as ‘nat-control’ any more, so you either define a NAT or you don’t. Traffic that does not match any NAT rule passes through the firewall without any translation (like NAT exemption, but without explicitly configuring it; more like an implicit NAT exemption). The static and global keywords are deprecated; now it’s all about ‘nat’.

In ASA 8.3 and above, Cisco has introduced two ‘major’ categories/sections of NAT: Manual NAT and Auto NAT. Cisco’s documentation uses the terms Twice NAT and Network Object NAT respectively, but in the show command output NAT rules are classified under Manual and Auto.
