Configuring Network Address Translation (NAT) | Cisco ASA Firewalls

Captions
You've asked for videos on configuring ACLs and NAT on the ASA firewalls from the command line. We've already looked at ACLs, so in this video we're going to continue the adventure by looking at NAT. Let's get right to it.

We'll use the same basic topology as we did in the last video, but this time we're making it all realistic by using public IP addresses. Also, to add to the realism, I've removed the ISP router's routes to the private subnets. Remember that private addresses are not allowed on the Internet. It's important to realize that we're using modern ASA NAT, which was introduced when version 8.3 came onto the scene. It's rare to see an ASA older than this now; I only mention it as there's still lots of documentation for pre-8.3 out there, and in some ways it's quite a bit different. I'm also assuming that you have at least a passing knowledge of what NAT is and you're here to see how it works specifically with the ASA. We won't cover every possible scenario, because there's a lot of them, but we will get a good understanding of the ASA's viewpoint on NAT. Following along with this lab is a good idea so you can build your own, but if you are a Patreon supporter you can download a pre-built VIRL or GNS3 lab, or even the raw configuration files, which will really save you some time.

There are seven things that we want to achieve in this lab. First, we want to prevent NAT between the inside network and the DMZ. We want to give the DMZ intranet server its own public IP, and configure a separate public IP for the workstations' general internet use. After that we're going to change it up and use a pool of IPs for the workstations instead of a single IP. Workstation two has a web page, and we'd like it to be available on the internet on port 8080. Workstation one is responsible for administering the ISP router, so we want to exclude it from NAT, but only when SSHing into the router. And finally, we're going to rewrite DNS responses from the DNS server to the internet.

Before we hit the lab, let's take a brief moment to go over how the ASA handles NAT. Just like an IOS router, you have inside and outside interfaces. These interfaces don't have to be named inside and outside anywhere in the configuration; any name is fine. These are just logical concepts. Normally an inside network is one that we want to protect with the ASA; the outside is typically an untrusted network like the Internet. The good thing is that, unlike a router, you don't have to hard-code each interface with inside and outside statements. The inside and outside are defined with each NAT rule, so what we consider inside and outside can change on a rule-by-rule basis. On the inside interface we use real addresses; this is the real IP address of a host that we want to translate. On the outside interface we define mapped addresses, which is the IP address after it has been translated. This could be a public IP on the internet, for example.

NAT can work in two directions. It can be initiated from the host on the inside network, or it can be initiated from a host on the outside network. If a NAT rule allows the translation to be initiated from either side, then this is called bi-directional NAT. Some NAT rules only allow traffic to be initiated from the inside, that is, from the host with the real IP address; this is called unidirectional NAT. Don't let me confuse you though: once traffic is initiated and the NAT is in place, return traffic from the outside is OK. Unidirectional just means that traffic can only be initiated in one particular direction.

All packets have an IP header, and in the IP header are the source and destination IP addresses. One type of NAT, called source NAT, changes this source IP address; this is probably the most common form of NAT. Another type of NAT is called destination NAT, and as the name suggests, this changes the destination IP address. The ASA supports both source and destination NAT; we can even have both in the same rule if we want to.

Our intranet server needs a public IP. It needs exclusive use of this IP, and the IP should never change. The type of NAT we want to configure is called static NAT. Traffic may be initiated from the internet or from the server itself, which is bi-directional NAT. We only want to change the server's IP address, so this is called source NAT. When we think of the source and destination, we always think from the perspective of the host on the inside network. Let me show you that the web server can't reach our public IP; that's what we're going to fix here.

NAT configuration is based around network objects, which we saw in the last video. I like to start by creating a network object for the mapped IP first; this is just an object with the public IP address. Next we'll create the network object for the intranet server; this represents the server's real IP address. Remember to use descriptions whenever you can. We can create NAT within this object. We need to tell it which interfaces represent the inside and outside. It's always inside then outside, keep that in mind, and in our case the inside is the DMZ interface. We could use any as the outside if we wanted; this would mean that NAT would be applied for any egress interface. But we don't want to do that, as we don't want NAT between the DMZ and inside interfaces; we only want it between DMZ and outside, so we specify the outside interface here. After the interfaces we use the static keyword; this tells the ASA that this should be a static NAT. And finally we give it the mapped IP object.

I like to choose the names of my objects around what they're used for. For mapped IPs I add the word public to the object name. For the real IP I like to add the name of the interface that the NAT occurs on, so as we're NATing to the outside interface, I would add outside to the object name. You don't have to follow this naming convention, but try to choose something that makes sense to you, as it will help you with troubleshooting later. Now we can go back to the web server and confirm that we can reach the intranet server, which we can.

Now we want to configure the firewall to allow internet access from the inside network. Right now this doesn't work, as they don't have any public IP addresses. Remember that private IP addresses are not allowed on the internet, which is why we need to give them a public IP. We can configure a single public IP for all the hosts on the inside network. We do this to conserve the number of public IPs that we're using. This is called port address translation, and gives each flow of traffic the same IP address but a different source port. This allows about 64,000 translations for a single public IP. As each flow of traffic uses different and unpredictable ports, traffic must be initiated from the hosts inside the network; this makes it a unidirectional NAT.

Let's start by creating a few network objects. The first one defines the internal subnet; the commands are fairly straightforward. The second defines a single mapped IP. Now, outside of the network objects, we start defining our NAT rule. Just like before, we need to tell it which interfaces are inside and outside the network. We could use any as the inside if we wanted to; coincidentally though, we want to use the interfaces named inside and outside. We follow this up with source dynamic, which tells the ASA that this is dynamic NAT, with the inside subnet object as the source addresses; these are the real IPs. If we want, we could choose to NAT to the IP address of one of the ASA's interfaces; this is another way we can conserve an additional IP address. However, we're going to use the mapped IP that we defined in the internet PAT object. Of course, a description is always a good idea. We still have an ACL entry configured that only allows access to the intranet server; this one was configured in the last video, so we're going to remove it and replace it with a rule that allows general internet access. You should be pretty familiar with how this is done by now. If we look at the workstation we can see that we can ping the web server on the internet as well as retrieve a web page. In addition to this, the second workstation can also access the Internet using the same NAT rule.

There are some occasions where a single public IP address is not enough. If you have a large network you might exhaust all the ports on the IP address, or if you have an ASA cluster you need a unique public IP for each of the cluster nodes (I have a video on that if you want to see it). Also, some security devices will see a lot of requests coming from a single IP address and think that it is the source of an attack, so using a few different IPs can change that up a bit. So our alternative is to translate to a pool of IPs instead of to a single IP. This is still a unidirectional translation. This type of rule doesn't need to use port translation, but it is quite common. So we start this by removing the rule that we just created, but don't worry, we'll put the new one in place very soon. Now we'll create an object with a pool of two IP addresses. Notice that these are configured as a range, which means that they need to be consecutive; this is where good IP space planning pays off. Finally we add the NAT rule back in with a few small changes: instead of just using the object with the mapped IPs, we need to include the pat-pool keyword first and then the object. If we test this on the workstations again, we see that they still have internet access.

You might be wondering how we can verify what we've configured so far and what translations are currently active. If you are wondering that, I have two excellent commands for you. The first is show xlate. This shows active translations on the ASA. Static translations stay there permanently, while dynamic ones will expire after some inactivity, shown by the timeout value. You'll notice that there are one or more flags on each entry; this will tell you a bit about the NAT. You can use the table listed above to decode their meaning. When we use PAT rules we will see an entry for each connection through the firewall; the ones here are listed as ICMP because of all the pinging we've been doing. The next command is show nat detail. This shows us the NAT rules as they are configured. They are broken into sections 1, 2 and 3; we only see sections 1 and 2 here as we don't have any rules in section 3. Each rule has a list of translate hits and untranslate hits. The translate hit counter is incremented when a new connection is translated starting from the inside network heading towards the outside, and an untranslate hit is seen when the connection started from the outside network heading to the inside.

But let's focus on the sections for now. How do these work? You can see here that the ASA will divide the NAT rules into three sections. Sections 1 and 3 are manual NAT, while section 2 is auto NAT. Why is it like this? It follows this structure so we can make NAT rules form a kind of policy. To make up this policy we have two types of NAT, which are called object NAT and twice NAT. Object NAT is the type we configured earlier, where we added the NAT rule directly into the network object. Each object with NAT configuration becomes a separate rule in the auto NAT section. Object NAT is simple to configure, and it's easy to understand and make changes later on. Twice NAT is the type of NAT that we configured when we enabled general internet access. Remember how there were a lot more options to configure? That's because twice NAT is much more capable than object NAT. It can match conditions based on source and destination, and if needed it can translate the source and destination addresses in a single rule. For example, it can match source A to destination B and apply a translation; it can also use a separate rule to match source A to destination C and apply a completely different translation. So twice NAT rules are very useful if you want to apply different translations to the same host depending on certain conditions. Twice NAT rules can go in two sections, one and three; if you're having trouble remembering twice NAT, just think about how the rules can be applied in two different sections. Here is my recommendation: try to use object NAT wherever you can. If there's a situation that won't work with object NAT, then try and use a twice NAT rule. Now, if you're willing to use the ASDM, you can see all of this visually, just as I've described it. It's OK to like the CLI, but don't be afraid to use the ASDM; it is a useful tool.

On an ASA, NAT rules are evaluated in a particular order, just like the access control entries are. These sections provide this order. Section 1 is evaluated first, then section 2, and finally section 3. When a match is found, an action is taken and no further rules are evaluated. If no match is found, no translation is performed. Object NAT rules use a strange order: the ASA looks at static NAT entries first; if there's no match, dynamic rules are evaluated next. Within sections 1 and 3, twice NAT rules are evaluated in order from the top down. By default, twice NAT rules are added to the end of the list in section 1; we'll see how to add to section 3 very soon. So why are there two sections for twice NAT? This enables us to control the order of NAT rules and create policies. That's what makes the ASA style of NAT much more advanced than a regular IOS router. To see this in action, we're going to move our general internet access rule from section 1 to section 3. The first part is to remove the rule. The second part is to add the rule back in with the after-auto keyword. This way it's only applied after other rules have had a chance to be evaluated. If we run show nat detail again, we can see the rule in section 3.

One of our goals is to translate workstation two's web server from port 80 to the non-standard port 8080. I just want to say that I don't recommend exposing an internal device directly to the Internet; that's what the DMZ network's for. I also recommend using HTTPS instead of HTTP, so we're doing this just to show you how it's done. This is a form of static NAT, and it will be bi-directional. As we're changing ports, this is called static NAT with port translation. This is best done with an object NAT. As usual, we start by creating the network object for the mapped IP; then we create the object for the real IP. Just as we've done before, we add the NAT rule into the object. This time we use the service keyword, which is the ASA's fancy way of saying that we're dealing with ports. We need to include the real port used on the inside first, then the mapped port that we're translating to on the outside. Remember, it's always inside then outside. Finally, we need an ACL to make this work. In the ACL we need to use the object with the real IP; remember to always use the real IP and not the mapped one. In addition, we need to use the real port. This may seem backward, but the key is to remember to always use the real IP and the real port. And just to confirm that this works, we can try accessing the web page on port 8080.

We have an odd requirement where workstation one needs to be able to administer the ISP router with SSH. Let's say that this router is ours and it's used to connect to the ISP. So our requirement is that we access the router using the workstation's real IP. This allows the router to permit or deny traffic based on a unique IP address if we want to. If we didn't do this, all traffic coming out of the internal network would use the IPs from the dynamic pool, which makes router security more difficult. So we need to bypass NAT for this traffic. We don't want to bypass NAT for any other traffic, just SSH between the workstation and the router. The solution is identity NAT. This is where a NAT rule uses the real IP address as the mapped IP. This is also known as NAT exclusion or NAT bypass. Old documentation might call this NAT 0, but ignore that, as that's for ASAs that come before version 8.3, which did NAT very differently. Another common use for this is when you have a VPN: you generally don't want NAT to apply when sending traffic through the VPN tunnel, so you would use an identity NAT to keep the IPs the same. This is actually some very simple configuration; we'll just use an object NAT for this one. Start by defining the object for the real IP. There's no need to configure an object for any mapped IP in this case. For the NAT configuration, just make it static and use the real IP as the mapped IP, and that's all there is to it. This rule will go into section 2, so we can be sure that it will be evaluated before our general internet access rule that we previously moved to section 3. You see how those sections are working out for us now? A bit of thought ahead of time can make all the difference. We'll quickly throw in an ACL entry to allow access to the router on SSH, and we'll do a quick test. I should also quickly mention that the router has a host route for workstation one pointing to the ASA; I'm not showing that part, because we're just focusing on the ASA in this video. And if we SSH to the router, it works right away.

One last goal to go. We need to think about DNS. Our intranet server is a DNS server, but what happens when a server on the internet does a lookup? Let's have a look at this on the web server. I'm going to quickly change the DNS settings to point to the intranet server. Hmm, something's going wrong here; the contents of the file are not showing up in my terminal session correctly. If I scroll up I can see it. I'm not really sure what's going on with this, but with a bit of fiddling it looks like I've got it. Let's use the dig command to retrieve the DNS record for the intranet server. See how the IP address is the internal IP? From the outside we really need this to be the public IP, but the Linux server doesn't know that there's a NAT in place. One solution is to build a second DNS server that is just for public use. It would contain all the same DNS records, but it would have public IP addresses, not private ones. This is called split DNS, and it is absolutely a valid solution, but this video is on the ASA, so we're going to look at option number two, and that is DNS rewriting. We can configure the ASA to look at the contents of the DNS response; when it sees the IP address 172.16.0.1, it can then rewrite this to the public IP 201 1 1. Now this might sound really complicated, but it's probably the easiest thing we've done so far. We're going to edit the intranet server's network object. While we're in there, we'll enter the NAT configuration again, but this time we add the dns keyword to the end of the line, and that is it. It really is that simple. So now to confirm that it works: over to the internet web server to run dig again, and look at that, it's returning the public IP now.

Don't forget that you can use packet-tracer to simulate traffic going through the ASA; if you want a refresher, take a look at the ACL video. And that brings us to the end of ACLs and NAT on the ASA. Hopefully I've covered what you wanted to see. Let me know what you thought in the comments, and if you do some of these things differently, tell me about it; I'd like to hear about the alternatives. Subscribe to the channel if you haven't already so you can see new content when it's available, and I hope to see you in another video.
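The video never shows the command lines on screen, so the following is an added, complete ASA 8.3+ configuration that implements the seven lab goals as described in the captions. It is not the video's own configuration or the channel's lab files: the interface names (inside, dmz, outside), object names, and every address (10.0.0.0/24 inside, 172.16.0.0/24 DMZ, 203.0.113.0/24 standing in for the public block, 198.51.100.1 for the ISP router, 192.0.2.50 for an internet client) are assumptions chosen from documentation ranges. Goal 1 (no NAT between inside and DMZ) needs no rule at all; it is achieved by naming the outside interface in each rule rather than "any", so nothing matches the inside-to-DMZ path.

```cisco
! Added example, not the video's configuration. All names and addresses are
! assumptions. Requires the post-8.3 NAT syntax discussed in the video.

! Goal 2 (plus goal 7): static object NAT for the DMZ intranet/DNS server.
! (dmz,outside) instead of (dmz,any) is what keeps NAT off the DMZ<->inside path.
! The trailing "dns" keyword makes the ASA rewrite 172.16.0.1 in DNS replies
! crossing to the outside into 203.0.113.10.
object network INTRANET_SERVER_PUBLIC
 host 203.0.113.10
object network INTRANET_SERVER_OUTSIDE
 host 172.16.0.1
 description Intranet and DNS server real IP on the DMZ
 nat (dmz,outside) static INTRANET_SERVER_PUBLIC dns

! Goals 3 and 4: general internet access for the inside subnet (twice NAT,
! unidirectional). A pool of two consecutive public IPs replaces the single
! mapped IP; for a single IP, drop "pat-pool" and use an object with one host.
! "after-auto" places the rule in section 3, so every object NAT rule in
! section 2 is evaluated before it.
object network INSIDE_NET
 subnet 10.0.0.0 255.255.255.0
object network INTERNET_PAT_POOL
 range 203.0.113.20 203.0.113.21
nat (inside,outside) after-auto source dynamic INSIDE_NET pat-pool INTERNET_PAT_POOL

! Goal 5: static NAT with port translation, workstation two's web server on
! public port 8080 (object NAT, bi-directional). Real port first, mapped port second.
object network WS2_PUBLIC
 host 203.0.113.11
object network WS2_OUTSIDE
 host 10.0.0.12
 description Workstation two real IP
 nat (inside,outside) static WS2_PUBLIC service tcp 80 8080

! Goal 6: identity NAT for workstation one. The mapped address equals the real
! address. As a static object NAT rule it lands in section 2, ahead of the
! section 3 PAT rule. Caveat: object NAT cannot match destination or service,
! so this exempts all of workstation one's traffic to the outside, not just
! SSH to the ISP router; scoping it to SSH only requires a twice NAT rule with
! destination and service terms.
object network WS1_OUTSIDE
 host 10.0.0.11
 description Workstation one real IP, administers the ISP router
 nat (inside,outside) static 10.0.0.11

! ACLs: always reference the real IP and the real port, never the mapped ones.
access-list OUTSIDE_IN extended permit tcp any object INTRANET_SERVER_OUTSIDE eq 80
access-list OUTSIDE_IN extended permit udp any object INTRANET_SERVER_OUTSIDE eq 53
access-list OUTSIDE_IN extended permit tcp any object WS2_OUTSIDE eq 80
access-group OUTSIDE_IN in interface outside
access-list INSIDE_OUT extended permit tcp object WS1_OUTSIDE host 198.51.100.1 eq 22
access-list INSIDE_OUT extended permit ip object INSIDE_NET any
access-group INSIDE_OUT in interface inside

! Verification: rule sections and hit counters, active translations, and
! simulated flows for the identity NAT and the port-translated service.
show nat detail
show xlate
packet-tracer input inside tcp 10.0.0.11 40000 198.51.100.1 22
packet-tracer input outside tcp 192.0.2.50 40000 203.0.113.11 8080
```

In show nat detail, expect the two static object rules (intranet server, workstation two) and the identity rule in section 2, listed before the after-auto PAT rule in section 3; the first packet-tracer should report the identity rule as the NAT match and leave 10.0.0.11 untranslated, while the second should untranslate 203.0.113.11:8080 to 10.0.0.12:80 before the OUTSIDE_IN ACL is checked against the real address and port.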
Info
Channel: Network Direction
Views: 27,135
Keywords: Cisco, Firewall, Asa, Network direction, Nat, Acl, Network address translation, Object nat, Twice nat, Section, Public IP, Internet access, Lab, Virl, Pat-pool, Pat, Dmz, Inside, Outside, Real address, Mapped address, Bidirectional, Unidirectional, Translated, Original, Source nat, Destination nat, Static nat, Dynamic nat, Network object, Port address translation, Show xlate, Show nat detail, Untranslate, After-auto, Identity nat, Dns rewrite
Id: R-aupnzOwTQ
Length: 23min 55sec (1435 seconds)
Published: Tue May 14 2019