Saturday, October 5, 2013

New NAT Options in IOS Versions 8.3 and Later

* One significant change in NAT with software versions 8.3 and higher is that NAT control (enforcing the use of NAT) is no longer supported.

* NAT is implemented through the use of network objects (hence, "object-oriented" NAT).

* There is now an "any" option that can be used when defining ingress and egress interfaces in the NAT configuration.

* You can configure translations as part of network object definitions, which are then added to the configuration. This is known as "Auto NAT," and it reduces configuration complexity when only one translation policy is required for a host.

* You can configure a single NAT rule that translates both the source and destination addresses in a packet. This is known as "Manual NAT" or "Twice NAT," because NAT can be performed twice - once on the source IP and once on the destination IP.

* NAT rules can be defined as unidirectional, meaning only traffic sourced from a defined object can use the translation. Connections toward the object must match a different NAT rule, or they will not be translated.

In this scenario, we have two application servers on the DMZ interface that require access from the Internet: a web server with native (local) IP address 172.16.0.5 and an FTP server with native IP address 172.16.0.10. The web server will use translated (global) IP address 209.165.200.228 when communicating through the outside interface (the Internet), and the FTP server will use translated IP address 209.165.200.229.

ciscoasa(config)# object ?

configure mode commands/options:
  network  Specifies a host, subnet or range IP addresses
  service  Specifies a protocol/port
ciscoasa(config)# object network ?

configure mode commands/options:
  WORD < 65 char  Specifies object ID (1-64 characters)
ciscoasa(config)# object network DMZ-FTP-PUB
ciscoasa(config-network-object)# ?

  description  Specify description text
  fqdn         Enter this keyword to specify an FQDN
  help         Help for network object configuration commands
  host         Enter this keyword to specify a single host object
  nat          Enable NAT on a singleton object
  no           Remove an object or description from object
  range        Enter this keyword to specify a range
  subnet       Enter this keyword to specify a subnet
ciscoasa(config-network-object)# host ?

network-object mode commands/options:
  A.B.C.D     Enter a host IP address
  X:X:X:X::X  Enter a host IPV6 address
ciscoasa(config-network-object)# host 209.165.200.229
ciscoasa(config-network-object)# exit
ciscoasa(config)# object network DMZ-FTP-PRIV
ciscoasa(config-network-object)# host 172.16.0.10
ciscoasa(config-network-object)# nat ?

network-object mode commands/options:
  (        Open parenthesis for (<real_if_name>,<mapped_if_name>) pair where
           <real_if_name> is the prenat interface and <mapped_if_name> is the
           postnat interface
  dynamic  Specify NAT type as dynamic
  static   Specify NAT type as static

configure mode commands/options:
  (               Open parenthesis for (<internal_if_name>,<external_if_name>)
                  pair where <internal_if_name> is the Internal or prenat
                  interface and <external_if_name> is the External or postnat
                  interface
  <1-2147483647>  Position of NAT rule within before auto section
  after-auto      Insert NAT rule after auto section
  source          Source NAT parameters
ciscoasa(config-network-object)# nat (?

network-object mode commands/options:
Current available interface(s):

  DMZ      Name of interface GigabitEthernet1
  any      Global address space
  inside   Name of interface GigabitEthernet0
  outside  Name of interface GigabitEthernet2

configure mode commands/options:
Current available interface(s):

  DMZ      Name of interface GigabitEthernet1
  any      Global address space
  inside   Name of interface GigabitEthernet0
  outside  Name of interface GigabitEthernet2
ciscoasa(config-network-object)# nat (DMZ,outside) ?

network-object mode commands/options:
  dynamic  Specify NAT type as dynamic
  static   Specify NAT type as static

configure mode commands/options:
  <1-2147483647>  Position of NAT rule within before auto section
  after-auto      Insert NAT rule after auto section
  source          Source NAT parameters
ciscoasa(config-network-object)# nat (DMZ,outside) static ?

network-object mode commands/options:
  A.B.C.D    Mapped IP address
  WORD       Mapped network object/object-group name
  interface  Use interface address as mapped IP
ciscoasa(config-network-object)# nat (DMZ,outside) static DMZ-FTP-PUB
ciscoasa(config-network-object)# exit
ciscoasa(config)# object network DMZ-WEB-PUB
ciscoasa(config-network-object)# host 209.165.200.228
ciscoasa(config-network-object)# exit
ciscoasa(config)# object network DMZ-WEB-PRIV
ciscoasa(config-network-object)# host 172.16.0.5
ciscoasa(config-network-object)# nat (DMZ,outside) static DMZ-WEB-PUB
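To check what the Auto NAT rules entered above actually do before trusting them, here is an added example (not from the original post and not Cisco code) that parses the running-config form of those network objects, resolves each static rule to a real/mapped address pair, refuses a mapped object that is undefined or a public address claimed by two objects, and shows the bidirectional translation for a packet in each direction. The sample config, the packet addresses and the function names are constructed for this example.

```python
# Constructed sample: the running-config form of the objects entered in the transcript above.
SAMPLE_CONFIG = """
object network DMZ-FTP-PUB
 host 209.165.200.229
object network DMZ-FTP-PRIV
 host 172.16.0.10
 nat (DMZ,outside) static DMZ-FTP-PUB
object network DMZ-WEB-PUB
 host 209.165.200.228
object network DMZ-WEB-PRIV
 host 172.16.0.5
 nat (DMZ,outside) static DMZ-WEB-PUB
"""

def parse_objects(config):
    """Map each object name to its host address and its (real_if, mapped_if, mapped) static Auto NAT rule."""
    objects, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("object network "):
            current = line.split()[2]
            objects.setdefault(current, {"host": None, "nat": None})  # header may repeat in a running-config
        elif current and line.startswith("host "):
            objects[current]["host"] = line.split()[1]
        elif current and line.startswith("nat (") and " static " in line:
            ifpair, _, target = line.split()[1:4]  # "(real,mapped)", "static", mapped object or A.B.C.D
            objects[current]["nat"] = (*ifpair.strip("()").split(","), target)
    return objects

def build_static_table(objects):
    """Resolve rules to (real_if, mapped_if, real_ip, mapped_ip); reject undefined or reused mapped addresses."""
    table, used = [], {}
    for name, obj in [(n, o) for n, o in objects.items() if o["nat"]]:
        real_if, mapped_if, target = obj["nat"]
        mapped_ip = target if target[:1].isdigit() else objects.get(target, {}).get("host")
        if mapped_ip is None:
            raise ValueError(f"{name}: mapped object {target} has no host address")
        if mapped_ip in used:
            raise ValueError(f"{name}: {mapped_ip} is already mapped by {used[mapped_ip]}")
        used[mapped_ip] = name
        table.append((real_if, mapped_if, obj["host"], mapped_ip))
    return table

def translate(table, ingress, egress, src, dst):
    """Static Auto NAT is bidirectional: translate the source outbound, un-translate the destination inbound."""
    for real_if, mapped_if, real_ip, mapped_ip in table:
        if (ingress, egress) == (real_if, mapped_if) and src == real_ip:
            return mapped_ip, dst
        if (ingress, egress) == (mapped_if, real_if) and dst == mapped_ip:
            return src, real_ip
    return src, dst
```

A packet from the FTP server leaving DMZ toward outside gets source 209.165.200.229, while an Internet client connecting to 209.165.200.228 on outside is delivered to 172.16.0.5 on DMZ; a packet on any other interface pair is left untouched.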
