I was not one of those RS CCIEs that did a lot of security work on the old PIX and the ASA when I was coming up the ranks of the routing and switching track. I mainly stuck to learning routing and switching really well, and usually there was a dedicated team of guys doing the "security stuff". I have to admit that NAT and PAT on the ASA have been an intimidating topic for me for a long time. I have spent a lot of time this week trying to straighten things out. Some of the more advanced things and weird rule restrictions are a bit "fuzzy" to me, but I am confident they will come with time, experience and practice like anything. My goal in this post is to cover every basic type of NAT or PAT I can think of on the ASA and configure each of them individually.

We will start our labbing by configuring NAT exemption. We will simply configure an access-list that defines traffic moving from the inside to the outside and then apply the NAT exemption on the ASA:

```
access-list NAT-EXEMPTION-INSIDE extended permit ip 10.10.10.0 255.255.255.0 123.123.123.0 255.255.255.0
access-list NAT-EXEMPTION-INSIDE extended permit ip 10.10.10.0 255.255.255.0 host 2.2.2.2
access-list NAT-EXEMPTION-INSIDE extended permit ip 10.10.10.0 255.255.255.0 host 3.3.3.3
nat (inside) 0 access-list NAT-EXEMPTION-INSIDE
```

```
Sending 5, 100-byte ICMP Echos to 123.123.123.2, timeout is 2 seconds:
Sending 5, 100-byte ICMP Echos to 123.123.123.3, timeout is 2 seconds:
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:
Packet sent with a source address of 1.1.1.1
```

As expected, everything worked fine except the last ping. Why? We sourced it from 1.1.1.1, and that source was not included in the NAT exemption. The ASA tells us very clearly:

```
%ASA-3-305005: No translation group found for icmp src inside:1.1.1.1 dst outside:123.123.123.2 (type 8, code 0)
```

Does it work the other way (low to high)?

```
R2# ping 10.10.10.1
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
```

Good!

Moving on to static identity NAT then…

- Purpose: Bypass NAT by translating a real IP address to the same IP address.
- Direction: Communication can be initiated from either the higher or lower security level interface.
- Syntax: static (inside,outside) real_IP real_IP netmask

On the surface the point of this looks very similar to our NAT exemption. One key difference is that with NAT exemption we only specify the inbound interface, then let the ACL decide where the traffic is going. That means we can bypass NAT for a certain source going to multiple different places like the outside or a DMZ. With static identity NAT we specifically tie things to an inbound and outbound interface. It is basically a special version of a static NAT, and the static NAT stays in the translation table indefinitely.

I have removed the previous NAT configuration. We apply the following to the ASA:

```
ciscoasa(config)# static (inside,outside) 10.10.10.1 10.10.10.1
```

This has the same effect as what we just did with NAT exemption in this specific scenario. Notice, the static translation is always present in the ASA:

```
ciscoasa# sh xlate detail | b NAT
NAT from inside:10.10.10.1 to outside:10.10.10.1 flags s
```

Static policy identity NAT

- Purpose: Conditionally bypass NAT by translating a real IP address to the same IP address based on an ACL.
- Syntax: static (inside,outside) real_IP access-list

This can be used to bypass NAT in certain situations but NAT as usual in other situations. For example, if we want R1 to bypass NAT when accessing R2 but NAT as usual when accessing R3, we can do something like this:

```
access-list STATIC-IDENTITY-NONAT extended permit ip host 10.10.10.1 host 123.123.123.2
access-list STATIC-IDENTITY-NAT extended permit ip host 10.10.10.1 host 123.123.123.3
static (inside,outside) 10.10.10.1 access-list STATIC-IDENTITY-NONAT
static (inside,outside) 123.123.123.13 access-list STATIC-IDENTITY-NAT
```

When pinging from R1 to R2 the ASA shows us the following.
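As an added example (my own code, not from the post), here is a small Python model of the three rule types configured above: it parses the post's access-list lines and reports which source address a packet entering the inside interface would leave with, or None when no rule covers it, which reproduces the 305005 drop for 1.1.1.1 and the R1-to-R2 bypass versus R1-to-R3 translation. It models only the inside-to-outside lookup, assumes the caller lists rules in the order the ASA evaluates them (exemption before static), and the class and function names are my own.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Ace:
    """One 'permit ip <src> <dst>' entry; each side is text that ipaddress.ip_network accepts."""
    src: str
    dst: str
    def matches(self, s, d):
        return (ipaddress.ip_address(s) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(d) in ipaddress.ip_network(self.dst))

def parse_ace(line):
    """'access-list NAME extended permit ip <src> <dst>' -> (NAME, Ace); a side is host X, X MASK or any."""
    tok = line.split(); rest, sides = tok[5:], []
    while rest:
        if rest[0] == "host":  sides.append(rest[1] + "/32"); rest = rest[2:]
        elif rest[0] == "any": sides.append("0.0.0.0/0"); rest = rest[1:]
        else:                  sides.append(rest[0] + "/" + rest[1]); rest = rest[2:]
    return tok[1], Ace(*sides)

@dataclass
class NatRule:
    kind: str        # "exemption" = nat (ifc) 0 access-list, "static" = static (ifc,ifc) ...
    real_ifc: str    # interface the real (untranslated) host sits behind
    mapped_ifc: str  # None for exemption: the ACL alone decides where traffic may go
    mapped_ip: str   # None for exemption (the real address is kept)
    aces: list       # ACEs selecting the traffic; a plain static is host -> any

def translate(rules, ingress, egress, src, dst):
    """Source address a packet leaves with, or None when no rule covers it
    (the '%ASA-3-305005: No translation group found' case seen in the post)."""
    for r in rules:  # caller lists rules in the order the ASA checks them
        if r.real_ifc != ingress or (r.mapped_ifc and r.mapped_ifc != egress):
            continue
        if any(a.matches(src, dst) for a in r.aces):
            return src if r.kind == "exemption" else r.mapped_ip
    return None

# The three lab configurations from the post, rebuilt as rule lists
NAT_EXEMPTION = [NatRule("exemption", "inside", None, None, [parse_ace(l)[1] for l in (
    "access-list NAT-EXEMPTION-INSIDE extended permit ip 10.10.10.0 255.255.255.0 123.123.123.0 255.255.255.0",
    "access-list NAT-EXEMPTION-INSIDE extended permit ip 10.10.10.0 255.255.255.0 host 2.2.2.2",
    "access-list NAT-EXEMPTION-INSIDE extended permit ip 10.10.10.0 255.255.255.0 host 3.3.3.3")])]
STATIC_IDENTITY = [NatRule("static", "inside", "outside", "10.10.10.1", [Ace("10.10.10.1/32", "0.0.0.0/0")])]
POLICY_IDENTITY = [  # static (inside,outside) <mapped_ip> access-list <acl>: one rule per ACL
    NatRule("static", "inside", "outside", "10.10.10.1", [parse_ace(
        "access-list STATIC-IDENTITY-NONAT extended permit ip host 10.10.10.1 host 123.123.123.2")[1]]),
    NatRule("static", "inside", "outside", "123.123.123.13", [parse_ace(
        "access-list STATIC-IDENTITY-NAT extended permit ip host 10.10.10.1 host 123.123.123.3")[1]])]
```

Calling translate(NAT_EXEMPTION, "inside", "outside", "1.1.1.1", "123.123.123.2") returns None, which is exactly the ping the ASA logged as having no translation group.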