
Version 4.1 - 5.1.d NAT Part 2

One of the things I found important while implementing NAT is the order in which the ASA applies NAT rules.

Version 8.2

1. NAT exemption
2. Static NAT and Static PAT
3. Policy dynamic NAT
4. Regular dynamic NAT

Version 8.4 onward

Network object NAT rules and twice NAT rules are stored in a single table that is divided into three sections. Section 1 rules are applied first, then section 2, and finally section 3, until a match is found.

Section 1: Twice NAT
Section 2: Network object NAT
  a. Static rules
  b. Dynamic rules
Section 3: Twice NAT (after-auto)

For those more familiar with 8.2 NAT, this may seem a bit confusing. But here's a config example that helps clear up the difference between Section 1 and Section 3:

asa(config)# object network private_ip_2
asa(config-network-object)# host 10.1.1.4
asa(config-network-object)# object network public_ip_2
asa(config-network-object)# host 1.1.1.4
asa(config-network-object)# exit
asa(config)# nat (dmz,outside) after-auto source static private_ip_2 public_ip_2

[Notice the "after-auto" keyword: it places this twice NAT rule in Section 3, after the network object NAT rules, instead of Section 1.]

NAT control is another favorite topic of question writers. Note that this exists only in 8.2 and disappears with the new NAT.

"NAT control requires that packets traversing from an inside interface to an outside interface match a NAT rule; for any host on the inside network to access a host on the outside network, you must configure NAT to translate the inside host address."

NAT exemption means an address is not translated at all. Identity NAT means an address is translated to itself.
With either, the address after firewall processing is the same as the address before it.
However, the configuration and the way the firewall processes the packet differ.

Identity NAT (8.2 syntax)
nat (inside) 0 10.1.1.3

Identity NAT (object NAT syntax, translating the host to its own address)

hostname(config)# object network my-host-obj1
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static 10.1.1.1

hostname(config)# object network my-host-obj1-identity
hostname(config-network-object)# host 10.1.1.1

hostname(config-network-object)# object network my-host-obj1
hostname(config-network-object)# host 10.1.1.1
hostname(config-network-object)# nat (inside,outside) static my-host-obj1-identity


NAT Exemption (8.2 syntax)
access-list NO_NAT extended permit ip 192.168.0.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NO_NAT

Identity NAT:
– works only one way (in the direction specified)
– appears in the xlate table
NAT exemption:
– works bidirectionally
– does not appear in the xlate table

And that reminds me of another thing that pops up: the directionality of NAT. Rather than go example by example (which would cover a lot), just think about what your NAT statement says and whether a connection could be initiated bidirectionally or only in one direction. Think of a static NAT statement: a connection could be initiated from either side. Then consider a dynamic PAT translation: a connection can only be initiated in the outbound direction. From that you can extrapolate to your particular scenario.
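To make the section ordering above and the directionality point concrete, here is a small Python model of the 8.4 NAT table walk. It is an added example, not Cisco code or part of the original post: rule names, the DMZ subnet 10.1.1.0/24, the ftp_server host 10.1.1.7 and the outside addresses are constructed, twice NAT destination matching is left out, and Section 2 is auto-ordered the way the ASA does it (static before dynamic, then fewer real addresses first).

```python
# Toy model of the ASA 8.4+ NAT table walk (constructed example, not Cisco code).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class NatRule:
    name: str
    section: int          # 1 = twice NAT, 2 = network object NAT, 3 = twice NAT "after-auto"
    real_ifc: str         # interface where the real (untranslated) address lives
    mapped_ifc: str       # interface where the mapped (translated) address lives
    real: str             # real source network, e.g. "10.1.1.4/32"
    mapped: str           # mapped network, or "interface" for PAT behind the interface address
    kind: str = "static"  # "static" (initiated from either side) or "dynamic" (outbound only)
    seq: int = 0          # configuration order; the tiebreak in sections 1 and 3

def _order(r):
    # Sections 1 and 3 are walked in configuration order. Section 2 is auto-ordered by the ASA:
    # static before dynamic, then fewer real addresses first, then lowest address, then name.
    if r.section == 2:
        net = ip_network(r.real)
        return (2, 0 if r.kind == "static" else 1, net.num_addresses, int(net.network_address), r.name)
    return (r.section, r.seq)

def lookup(rules, src, dst, ingress):
    """Name of the first rule matching a new connection src -> dst arriving on `ingress`."""
    src, dst = ip_address(src), ip_address(dst)
    for r in sorted(rules, key=_order):
        if r.real_ifc == ingress and src in ip_network(r.real):
            return r.name  # outbound: translate the real source to the mapped address
        if (r.kind == "static" and r.mapped_ifc == ingress and r.mapped != "interface"
                and dst in ip_network(r.mapped)):
            return r.name  # inbound: only static rules also match on the mapped destination
    return None  # no rule matched: 8.4+ forwards untranslated (NAT control is gone)

def demo():
    """Rules from the post: dynamic PAT hiding the DMZ subnet, a static host, private_ip_2."""
    hide = NatRule("hide_dmz", 2, "dmz", "outside", "10.1.1.0/24", "interface", "dynamic")
    ftp = NatRule("ftp_server", 2, "dmz", "outside", "10.1.1.7/32", "209.165.201.10/32")
    after_auto = NatRule("private_ip_2", 3, "dmz", "outside", "10.1.1.4/32", "1.1.1.4/32", seq=1)
    no_after_auto = NatRule("private_ip_2", 1, "dmz", "outside", "10.1.1.4/32", "1.1.1.4/32", seq=1)
    outside_host = "198.51.100.10"  # constructed Internet host; 203.0.113.1 below is the outside interface
    return {
        "after_auto": lookup([hide, ftp, after_auto], "10.1.1.4", outside_host, "dmz"),     # hide_dmz
        "section1": lookup([hide, ftp, no_after_auto], "10.1.1.4", outside_host, "dmz"),     # private_ip_2
        "static_host": lookup([hide, ftp, after_auto], "10.1.1.7", outside_host, "dmz"),    # ftp_server
        "inbound_static": lookup([hide, ftp], outside_host, "209.165.201.10", "outside"),  # ftp_server
        "inbound_dynamic": lookup([hide, ftp], outside_host, "203.0.113.1", "outside"),    # None
    }
```

With after-auto, the static rule for 10.1.1.4 sits in Section 3 and is never reached because the Section 2 dynamic PAT already hides the whole subnet; drop the keyword and the same rule lands in Section 1 and wins. The inbound cases show the directionality point: a static rule can be matched from the outside on its mapped address, a dynamic PAT cannot.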

Twice NAT lets you identify both the source and destination address in a single rule. Cisco has a good PDF on this.

Another item you may run across is "hide" NAT. The name seems to come from Checkpoint circles, since a simple Google search pops up mainly Checkpoint sites. In the Cisco documentation, you will see this referred to as a dynamic PAT (hide) rule.

The following example configures dynamic PAT that hides the 192.168.2.0 network behind address 10.2.2.2:
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic 10.2.2.2

The following example configures dynamic PAT that hides the 192.168.2.0 network behind the outside interface address:
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic interface

Don't forget Static PAT for port translation.

hostname(config)# static (inside,outside) tcp 209.165.201.3 ftp 10.1.2.27 ftp netmask 255.255.255.255
hostname(config)# static (inside,outside) tcp 209.165.201.3 http 10.1.2.28 http netmask 255.255.255.255
hostname(config)# static (inside,outside) tcp 209.165.201.3 smtp 10.1.2.29 smtp netmask 255.255.255.255

And also Port Forwarding with NAT. [Note - this page also shows the ASDM screens for configuring NAT.]

Static NAT with DNS modification

hostname(config)# object network FTP_SERVER
hostname(config-network-object)# host 10.1.3.14
hostname(config-network-object)# nat (inside,outside) static 209.165.201.10 dns

You will also want to take a look at NAT Examples and Reference. Towards the bottom, it talks about "Translating IPv6 Networks." You might want to at least have heard about NAT64, NAT46 and NAT66.

And with this, I am ending the section on NAT. You are going to want to look through this stuff and get familiar with anything you haven't seen before. Remember that you're not going to have to actually configure this for the written exam (but might on the lab). These questions are ones you're going to want to slow down for and look at closely. I would think that these questions would present configurations and you would need to identify which one is correct or which one corresponds to a certain concept. I would expect that incorrect configurations would have the inside and outside addresses reversed or something like that.
