Policy NAT with ASA Firewalls

The below information was taken from here: http://www.rsivanandan.com/2009/09/25/policy-nat-with-cisco-asa-firewalls/

One of the most common things in every ASA/PIX firewalls is the nat configuration for outgoing connections; something like this;

hostname(config)# nat(inside) 1 0.0.0.0 0.0.0.0
hostname(config)# global (outside) 1 interface

This tells the firewall that all traffic coming from inside (local lan) interface should be PAT’ed and route before it goes out through the outside (like internet). Now you can also define this with an access-list for much filtered Natting. Say; you have 2 networks in your local lan and want only one of them to be Pat’ed like above;

We call it, 10.0.0.0/8 and 192.168.1.0/24 and only the second one should be natted; This is achieved through the following statements;

hostname(config)# nat (inside) 1 192.168.1.0 255.255.255.0
hostname(config)# global (outside) 1 interface

Similarly, you can use an access-list for much controlled Natting like below;

hostname(config)# nat (inside) 1 access-list 10
hostname(config)# global (outside) 1 interface
access-list 10 permit ip 192.168.1.0 255.255.255.0

The beauty is, you can even control this Natting using specific protocols/ports combination. Say, if you want to allow only internet browsing (http & https) to be allowed, then;

hostname(config)# nat (inside) 1 access-list 100
hostname(config)# global (outside) 1 interface
access-list 100 permit tcp 192.168.1.0 255.255.255.0 any eq 80
access-list 100 permit tcp 192.168.1.0 255.255.255.0 any eq 443

See an advantage here? You can avoid having a separate access-list to be inserted for this purpose on the outside interface. Now, there is another way where you don’t want to nat, achieved through nat(inside)0. Typically this is used for VPN connections. When you have VPN terminated onto ASA/PIX, You won’t be Natting the traffic going through that and you achieve it by adding;

nat(inside)0 access-list 10
access-list 10 permit 10.0.0.0 255.0.0.0

OR

nat(inside)0 10.0.0.0 255.0.0.0

However there is a difference with nat (inside) 0 statements, you cannot control the NAT functionality based on protocols/ports, it is only IP. For example;

nat (inside) 0 access-list 100
access-list 100 permit tcp 192.168.1.0 255.255.255.0 any eq 80

The above will not work. This is the limitation and you’d have to go for regular access-lists on your interfaces if you want to stop these traffic.

In Cisco’s own words;

On ASA, the policy nat cannot be applied on nat(0) statements and is not supported;

Identifies the local addresses and destination addresses using an extended access list, also known as policy NAT. Create the access list using the access-list command. You can optionally specify the local and destination ports in the access list using the eq operator. If the NAT ID is 0, then the access list specifies addresses that are exempt from NAT. NAT exemption is not the same as policy NAT; you cannot specify the port addresses, for example.
Note      Access list hit counts, as shown by the show access-list command, do not increment for NAT exemption access lists.

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s