Monday, July 1, 2013

NAT order of operation on Cisco ASA firewall

There are many types of NAT you can configure on the ASA FW. This is a short summary with examples for ASA 8.2/8.3 software.
  • Dynamic NAT
! The pool-number parameter (2, in this case) binds the 'global' and 'nat' commands
nat (dmz) 2
global (out) 2 netmask

  • Dynamic PAT
! Configuring PAT using the global address
ASA2(config)# nat (dmz) 1
ASA2(config)# global (out) 1

  • Identity NAT
! Configuring Identity NAT
ASA2(config)# nat (dmz) 0

  • Static NAT
! Static translation for an individual host (/32 is the default netmask)
ASA2(config)# static (dmz,out)

  • Static Policy NAT
ASA2(config)# access-list STATIC-POLICY1 extended permit ip host host
ASA2(config)# static (dmz,out) access-list STATIC-POLICY1

! For other destinations the source address is translated to
ASA2(config)# static (dmz,out) netmask

  • Dynamic Policy NAT
! Packets from travelling to host undergo Policy NAT
access-list DYN-POLICY1 extended permit ip host
nat (dmz) 4 access-list DYN-POLICY1
global (out) 4 netmask

  • Dynamic Policy PAT
! Policy PAT for source subnet going to host
access-list DYN-POLICY2 extended permit ip host
ASA2(config)# nat (dmz) 3 access-list DYN-POLICY2
ASA2(config)# global (out) 3

  • NAT Exemption
! Connections between and are exempted from NAT
access-list NONAT extended permit ip
nat (dmz) 0 access-list NONAT

In what order, and with what precedence, does the ASA firewall process the various NAT configurations?

NAT precedence rules

Step 1.
NAT Exemption: This is always the first to be checked and has precedence over any other type of NAT rule that eventually conflicts with it.

Step 2.
Static Policy NAT: The motivation for this type of rule is to allow the selection of distinct global addresses for a given laddr, depending on the destination address (faddr) being contacted. This can be thought of as an exception to a generic static statement and, as such, needs to be configured before regular statics.

Step 3.
Static NAT: This is checked before all the Dynamic, Dynamic Policy, and Identity NAT rules. If some hosts that fall within a NAT Exemption range require static translation, the pertinent exceptions in the nat 0 access-list command need to be created, as previously illustrated in Example 8-14.

Step 4.
Dynamic Policy NAT/PAT: These rules are checked before the Dynamic and Identity NAT rules. If two rules of this category exist, precedence is given by the order in which they were configured (it does not matter whether each one is a Policy PAT or a Policy NAT).

Step 5.
Identity NAT: This unidirectional translation bypass method is evaluated before any Dynamic NAT or Dynamic PAT rule.

Step 6.
Dynamic NAT: This category has precedence over Dynamic PAT only.

Step 7.
Dynamic PAT: If, after running through all the previous NAT types, the ASA does not find a match, it still searches for a Dynamic PAT. If no matching rule is located, the implicit deny rule that characterizes the NAT-control model is enforced.
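The seven steps above are easiest to verify with a small model that applies them to a rule set. The following Python is an added example written for this post; it is not Cisco code and does not talk to an ASA. It encodes the precedence order of Steps 1 to 7, the configuration-order tie-break within the Dynamic Policy bucket (Step 4), the deny-ACE exception in the nat 0 access-list that Step 3 describes, and the implicit deny of the NAT-control model (Step 7). All rule names, subnets and mapped addresses are constructed for the example and correspond to the eight rule types listed at the top of the post.

```python
"""Model of the ASA (8.2-style nat/global) NAT precedence order from the post.

Constructed example: the rule set and addresses below are made up for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Steps 1-7 from the post: lower number is checked first.
PRECEDENCE = {
    "nat_exemption": 1,   # nat (ifc) 0 access-list NONAT
    "static_policy": 2,   # static (in,out) <mapped> access-list STATIC-POLICY
    "static": 3,          # static (in,out) <mapped> <real>
    "dynamic_policy": 4,  # nat (ifc) <id> access-list ... + global (Policy NAT or Policy PAT)
    "identity": 5,        # nat (ifc) 0 <subnet>
    "dynamic": 6,         # nat (ifc) <id> <subnet> + global pool
    "dynamic_pat": 7,     # nat (ifc) <id> <subnet> + global single address/interface
}


@dataclass
class NatRule:
    kind: str                    # one of the PRECEDENCE keys
    real: str                    # local address/subnet (laddr) in CIDR form
    dst: Optional[str] = None    # foreign address (faddr) the rule is conditioned on; None = any
    mapped: str = ""             # mapped/global address or pool, for display only
    acl: Optional[str] = None    # name of the access-list this entry belongs to, if any
    deny: bool = False           # a deny ACE: matching traffic is NOT handled by this ACL

    def matches(self, laddr: str, faddr: str) -> bool:
        if ipaddress.ip_address(laddr) not in ipaddress.ip_network(self.real):
            return False
        return self.dst is None or ipaddress.ip_address(faddr) in ipaddress.ip_network(self.dst)


def lookup(rules: List[NatRule], laddr: str, faddr: str) -> Optional[NatRule]:
    """Return the rule the ASA would apply to laddr -> faddr, or None.

    None means no rule matched at all: with nat-control enabled the connection
    is dropped (the implicit deny the post mentions under Step 7).
    """
    # Stable sort: precedence bucket first, then configuration order within the
    # bucket (the post's Step 4 rule for two Dynamic Policy entries).
    ordered = sorted(enumerate(rules), key=lambda ir: (PRECEDENCE[ir[1].kind], ir[0]))
    skipped_acls = set()
    for _, rule in ordered:
        if rule.acl in skipped_acls or not rule.matches(laddr, faddr):
            continue
        if rule.deny:
            # Top-down ACL semantics: a matching deny ACE ends that ACL's
            # evaluation, so later permit ACEs of the same ACL cannot apply.
            skipped_acls.add(rule.acl)
            continue
        return rule
    return None


# Constructed rule set, entered in a deliberately unhelpful order to show that
# precedence, not configuration order, decides (except within one bucket).
RULES = [
    NatRule("dynamic_pat", "10.10.0.0/16", mapped="interface"),
    NatRule("dynamic", "10.10.1.0/24", mapped="203.0.113.10-203.0.113.20"),
    NatRule("static", "10.10.1.5/32", mapped="203.0.113.5"),
    # nat (dmz) 0 access-list NONAT: deny ACE first, so 10.10.1.5 keeps its static
    # translation even toward the exempted partner subnet (post, Step 3).
    NatRule("nat_exemption", "10.10.1.5/32", dst="192.168.50.0/24", acl="NONAT", deny=True),
    NatRule("nat_exemption", "10.10.1.0/24", dst="192.168.50.0/24", acl="NONAT"),
    NatRule("static_policy", "10.10.1.5/32", dst="198.51.100.0/24", mapped="203.0.113.55",
            acl="STATIC-POLICY1"),
    NatRule("dynamic_policy", "10.10.2.0/24", dst="198.51.100.7/32", mapped="203.0.113.77",
            acl="DYN-POLICY1"),
    NatRule("identity", "10.10.3.0/24"),
]


def describe(laddr: str, faddr: str) -> str:
    """One-line explanation of which step and rule type wins for a flow."""
    rule = lookup(RULES, laddr, faddr)
    if rule is None:
        return f"{laddr} -> {faddr}: no NAT rule, dropped under nat-control"
    return f"{laddr} -> {faddr}: step {PRECEDENCE[rule.kind]} {rule.kind} (mapped {rule.mapped or laddr})"


if __name__ == "__main__":
    for pair in [("10.10.1.6", "192.168.50.9"), ("10.10.1.5", "192.168.50.9"),
                 ("10.10.1.5", "198.51.100.3"), ("10.10.1.5", "192.0.2.1"),
                 ("10.10.2.20", "198.51.100.7"), ("10.10.2.20", "192.0.2.1"),
                 ("10.10.3.1", "192.0.2.1"), ("10.10.1.100", "192.0.2.1"),
                 ("172.16.0.1", "192.0.2.1")]:
        print(describe(*pair))
```

Running the script walks one flow per step: 10.10.1.6 toward the partner subnet is exempted (Step 1), while 10.10.1.5 toward the same subnet hits the deny ACE in NONAT and falls through to its static (Step 3); the same host toward 198.51.100.0/24 gets the policy static instead (Step 2); 10.10.2.20 is policy-translated only for 198.51.100.7 and otherwise lands on the interface PAT (Steps 4 and 7); 10.10.3.0/24 passes untranslated through identity NAT before the PAT is considered (Step 5); and 172.16.0.1 matches nothing and is dropped. The model intentionally ignores interface direction and connection state, which the real ASA also takes into account.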
