February 7, 2010 at 23:36ASA: network address translation troubles. Part 1. Dynamic broadcasts
Network Address Translation (NAT) is a spoofing of an address or port in a packet. It is usually required at the border between the company’s network and the Internet service provider. However, this is far from the only task. Let's look at some common tasks and solutions using the ASA firewall.
First, let's define the terms. As you already know, on the ASA, by comparing the security levels of the source interface and the destination interface, the direction “outside” and “inside” of the firewall is easily determined (we will consider the situation with the same security levels separately).
Usually separate the inside (inside) and the outside(outside) broadcasts. Internal broadcasting replaces the source address when the firewall exits “outside”, and external broadcasting replaces the source address when passing through the ME.
As a rule, it is enough to use internal translation to replace private, non-routable Internet addresses (RFC1918) with global ones issued by the provider.
Also, they divide address-to-address translation (NAT, runs at OSI model level 3, one address is replaced by another), and translation based on port(Port Address Translation, PAT, runs on the 4th level of the OSI model and replaces not only the address, but also the port). It is clear that PAT broadcasting can be performed only for protocols that have ports (TCP, UDP). But using PAT, you can translate several local addresses into one global: in the translation cache, the correspondence of the source address and port and the address and port received as a result of translation is recorded.
Example: let 2 local users with the addresses 10.1.1.100 and 10.1.1.200 decide to visit the same site www.anticisco.ru . If we use NAT, in this case we need to give each internal user at the global address from the ISPPool () provider pool:
If we use PAT, we can map one global address to different private addresses, but we also write down the source ports:
And when the response comes from the server, the ASA will select from the translation cache the one on whose port the answer will come.
To finally finish you off, dear readers, I’ll also say that broadcasts are divided into static and dynamic . Static ones strictly bind one address to another (in the case of NAT) or a pair of address and port (in the case of PAT). And dynamic ones are created by necessity if the incoming packet meets the selection criteria for translation rules.
From words to customization.
To understand how the broadcast will be carried out, it must be recalled that the first thing that came to the interface is the packet is checked by the routing table. After that, the outgoing interface is determined or the packet is destroyed if the route to the destination network is not found. If the destination network is located “outside” of the ME (behind an interface with a lower security level compared to the incoming interface), then the rules for internal broadcasts are checked, and if “inside” - then external (outside)
Unlike cisco routers, on the ASA broadcast rules are inextricably linked with the interfaces involved in receiving and transmitting a packet. This makes writing rules easy.
Another difference from routers: on the ASA, you can strictly prohibit the passage of packets for which there are no translation rules. Regulated by the team
By default, this command is disabled, i.e. if there are no translation rules, packets are simply routed, and if there are rules, then translation will be performed. If you enable this command, then packages that clearly did not fall under the translation rules will be brutally destroyed.
Dynamic translations
Let me remind you that dynamic translations are created by necessity when an “interesting” package arrives at the receiver interface. The rule that describes which package needs to be translated is described by the nat command, with which the source addresses of the package are set:
interface - the name of the interface from which the packet came
# is the broadcast number. It is necessary to search for an appropriate indication of what to translate the address into.
Example:
As you can see, there can be many rules with the same number.
It is clear that one indication of what to broadcast is not enough. It is also necessary to describe what to broadcast. This is done using the global command.
interface - the name of the interface through which the packet will go outside
# - the broadcast number. It should be the same as the nat
pool conditions of interest to us - explicitly specifying the range of addresses in the ip_start-ip_end format to which we will broadcast. In this case, you will get dynamic NAT translation.
address - if you specify not a pool of addresses, but one address, then all translations will be performed in it, which means that the PAT will be broadcast.
Example:
If you want to translate to the address of the outgoing interface, then you must explicitly specify this using the keyword interface
If you have several global rules with the same number, then NAT will be translated first (to the address pool), then PAT to a separate address and only then PAT to the interface address. A reasonable question may arise: when does this “later” come? About the address pool, I hope it’s clear: when will the addresses in the pool run out, and between the addresses in the RAT broadcasts? What, really, such a question did not arise? Well, think
again :) Repeat all together: when there is a switch between the addresses used in the PAT broadcast and in general, can there be a lot of them?
There is only one answer to both of these questions: only about 4,000 translations to the same address for RAT are reserved on the ASA. After this, new broadcasts will not be created. So what to do? Use multiple addresses for PAT. Those. multiple lines of global with the same number.
Standing alone is the nat rule with number 0. This rule describes what you don’t need to broadcast when you go outside. This rule is especially necessary when strict nat-control mode is enabled. This rule does not require the word global to work. In fact, we can imagine that for these packets the rule of translating the address into itself applies.
So, we have described the rules of internal dynamic translation (NAT and PAT). Those. when the packet goes “outside”, the presence of nat rules on the incoming interface is checked, and if there are rules there and the packet fell under them, then on the outgoing interface we look for the corresponding global rule. At the same time, the outgoing interface has a security level lower than that of the incoming interface
If we need to dynamically change the source addresses of packets that go "inside" the ASA, then we must explicitly indicate that global rules must be sought on interfaces with a high level of security. This is done using the outside keyword in the nat command (also applicable to nat 0 rules):
Example: let us want to “hide” all real addresses of the source of calls from the Internet, replacing them with the address of the internal interface
As you can see, the command format is very similar. By the way, the type of translation shown in the example, unfortunately, is not supported by cisco routers (outside PAT).
An additional possibility of address translation is the ability to limit the maximum number of open TCP sessions, the maximum number of UDP sessions, as well as the number of half-open TCP sessions (embryonic), after which it turns on SYN Flood DoS protection technology (a huge number of requests to open a session). The technology is called SYN Cookie.
If you specify 0, it will mean "do not track this parameter."
And now the backfill question: how do we translate into one pool, if we go to one network and to another pool - if to another network? We have not seen anywhere so far that the destination network may come in as a criterion.
To solve this problem, the above commands are not enough. To do this, use policy NAT (the “regular” NAT described earlier is called regular).
But do not be scared ahead of time: there is nothing complicated in policy NAT, you just need to specify the source network and the access list in which we specify the word permit was not just what we were going to broadcast, but also when.
For example, we want to translate our LAN to the IPSPool (1) address when we go to the PARTNER network.
There is a restriction on the access lists used in policy NAT: you cannot use deny lines in it. Those. everything you want to translate must be explicitly described by permit lines. An exception is made only for the access list for nat 0. It may contain deny lines. And these lines will mean that you need to look at other translation rules - suddenly the address requires a substitution.
Policy NAT is more privileged than regular NAT.
The order of processing NAT rules is a complicated thing, but you need to know. Therefore, without waiting for the part about static broadcasts, we will try to arrange these rules.
The very first rule is always policy NAT 0
Next comes the block of static broadcasts, which we will deal with later. The main thing to remember is that static translations are more privileged than dynamic ones.
Policy NAT translations follow it
In doing so, the ASA makes sure that these access lists do not overlap.
Next are the regular NAT rules for which the longest match rule applies. Moreover, for nat 0 rules it is also true.
For example, you can translate the address 10.1.1.1, not broadcast the network 10.1.1.0/24 and translate everything else into something else.
To fix this piece, 2 small exercises:
1. You have access from outside to the ASA, behind which a computer with an incorrectly configured (missing) default gateway is connected behind the internal interface. It is necessary to get to it (for example, RDP is included there)
2. Arrange the translation rules in the order in which they will be executed
Static broadcasts (do not blame me: it should be continued)
PS Friends, when reprinting, translating, using in working with employees, please refer to me and www.anticisco.ru ! Thank you in advance for your understanding :)
Sergey Fedorov, instructor
First, let's define the terms. As you already know, on the ASA, by comparing the security levels of the source interface and the destination interface, the direction “outside” and “inside” of the firewall is easily determined (we will consider the situation with the same security levels separately).
Usually separate the inside (inside) and the outside(outside) broadcasts. Internal broadcasting replaces the source address when the firewall exits “outside”, and external broadcasting replaces the source address when passing through the ME.
As a rule, it is enough to use internal translation to replace private, non-routable Internet addresses (RFC1918) with global ones issued by the provider.
Also, they divide address-to-address translation (NAT, runs at OSI model level 3, one address is replaced by another), and translation based on port(Port Address Translation, PAT, runs on the 4th level of the OSI model and replaces not only the address, but also the port). It is clear that PAT broadcasting can be performed only for protocols that have ports (TCP, UDP). But using PAT, you can translate several local addresses into one global: in the translation cache, the correspondence of the source address and port and the address and port received as a result of translation is recorded.
Example: let 2 local users with the addresses 10.1.1.100 and 10.1.1.200 decide to visit the same site www.anticisco.ru . If we use NAT, in this case we need to give each internal user at the global address from the ISPPool () provider pool:
10.1.1.100 -> ISPPool (1) 10.1.1.200-> ISPPool (2)
If we use PAT, we can map one global address to different private addresses, but we also write down the source ports:
10.1.1.100:29010 -> ISPPool (1): 1024 10.1.1.200:18932 -> ISPPool (1): 1025
And when the response comes from the server, the ASA will select from the translation cache the one on whose port the answer will come.
To finally finish you off, dear readers, I’ll also say that broadcasts are divided into static and dynamic . Static ones strictly bind one address to another (in the case of NAT) or a pair of address and port (in the case of PAT). And dynamic ones are created by necessity if the incoming packet meets the selection criteria for translation rules.
From words to customization.
To understand how the broadcast will be carried out, it must be recalled that the first thing that came to the interface is the packet is checked by the routing table. After that, the outgoing interface is determined or the packet is destroyed if the route to the destination network is not found. If the destination network is located “outside” of the ME (behind an interface with a lower security level compared to the incoming interface), then the rules for internal broadcasts are checked, and if “inside” - then external (outside)
Unlike cisco routers, on the ASA broadcast rules are inextricably linked with the interfaces involved in receiving and transmitting a packet. This makes writing rules easy.
Another difference from routers: on the ASA, you can strictly prohibit the passage of packets for which there are no translation rules. Regulated by the team
nat-control
By default, this command is disabled, i.e. if there are no translation rules, packets are simply routed, and if there are rules, then translation will be performed. If you enable this command, then packages that clearly did not fall under the translation rules will be brutally destroyed.
Dynamic translations
Let me remind you that dynamic translations are created by necessity when an “interesting” package arrives at the receiver interface. The rule that describes which package needs to be translated is described by the nat command, with which the source addresses of the package are set:
nat ({interface}) # {network} {mask}
interface - the name of the interface from which the packet came
# is the broadcast number. It is necessary to search for an appropriate indication of what to translate the address into.
Example:
nat (ins) 1 10.1.1.0 255.255.255.0 nat (ins) 1 10.2.2.2 255.255.255.255
As you can see, there can be many rules with the same number.
It is clear that one indication of what to broadcast is not enough. It is also necessary to describe what to broadcast. This is done using the global command.
global ({interface}) # {pool | address}
interface - the name of the interface through which the packet will go outside
# - the broadcast number. It should be the same as the nat
pool conditions of interest to us - explicitly specifying the range of addresses in the ip_start-ip_end format to which we will broadcast. In this case, you will get dynamic NAT translation.
address - if you specify not a pool of addresses, but one address, then all translations will be performed in it, which means that the PAT will be broadcast.
Example:
global (out) 1 81.1.1.10-81.1.1.20 global (out) 1 81.1.1.21
If you want to translate to the address of the outgoing interface, then you must explicitly specify this using the keyword interface
global (out) 1 interface
If you have several global rules with the same number, then NAT will be translated first (to the address pool), then PAT to a separate address and only then PAT to the interface address. A reasonable question may arise: when does this “later” come? About the address pool, I hope it’s clear: when will the addresses in the pool run out, and between the addresses in the RAT broadcasts? What, really, such a question did not arise? Well, think
again :) Repeat all together: when there is a switch between the addresses used in the PAT broadcast and in general, can there be a lot of them?
There is only one answer to both of these questions: only about 4,000 translations to the same address for RAT are reserved on the ASA. After this, new broadcasts will not be created. So what to do? Use multiple addresses for PAT. Those. multiple lines of global with the same number.
Standing alone is the nat rule with number 0. This rule describes what you don’t need to broadcast when you go outside. This rule is especially necessary when strict nat-control mode is enabled. This rule does not require the word global to work. In fact, we can imagine that for these packets the rule of translating the address into itself applies.
So, we have described the rules of internal dynamic translation (NAT and PAT). Those. when the packet goes “outside”, the presence of nat rules on the incoming interface is checked, and if there are rules there and the packet fell under them, then on the outgoing interface we look for the corresponding global rule. At the same time, the outgoing interface has a security level lower than that of the incoming interface
If we need to dynamically change the source addresses of packets that go "inside" the ASA, then we must explicitly indicate that global rules must be sought on interfaces with a high level of security. This is done using the outside keyword in the nat command (also applicable to nat 0 rules):
nat ({interface}) # {network} {mask} outside
Example: let us want to “hide” all real addresses of the source of calls from the Internet, replacing them with the address of the internal interface
nat (out) 10 0 0 outside global (ins) 10 interface
As you can see, the command format is very similar. By the way, the type of translation shown in the example, unfortunately, is not supported by cisco routers (outside PAT).
An additional possibility of address translation is the ability to limit the maximum number of open TCP sessions, the maximum number of UDP sessions, as well as the number of half-open TCP sessions (embryonic), after which it turns on SYN Flood DoS protection technology (a huge number of requests to open a session). The technology is called SYN Cookie.
nat ({interface}) # {network} {mask} tcp {max} {embryonic} udp {max}
If you specify 0, it will mean "do not track this parameter."
And now the backfill question: how do we translate into one pool, if we go to one network and to another pool - if to another network? We have not seen anywhere so far that the destination network may come in as a criterion.
To solve this problem, the above commands are not enough. To do this, use policy NAT (the “regular” NAT described earlier is called regular).
But do not be scared ahead of time: there is nothing complicated in policy NAT, you just need to specify the source network and the access list in which we specify the word permit was not just what we were going to broadcast, but also when.
For example, we want to translate our LAN to the IPSPool (1) address when we go to the PARTNER network.
access-list NAT permit ip LAN PARTNER nat (ins) 1 access-list NAT global (out) 1 ISPPool (1)
There is a restriction on the access lists used in policy NAT: you cannot use deny lines in it. Those. everything you want to translate must be explicitly described by permit lines. An exception is made only for the access list for nat 0. It may contain deny lines. And these lines will mean that you need to look at other translation rules - suddenly the address requires a substitution.
Policy NAT is more privileged than regular NAT.
The order of processing NAT rules is a complicated thing, but you need to know. Therefore, without waiting for the part about static broadcasts, we will try to arrange these rules.
The very first rule is always policy NAT 0
nat ({interface}) 0 access-list {NONAT}
Next comes the block of static broadcasts, which we will deal with later. The main thing to remember is that static translations are more privileged than dynamic ones.
Policy NAT translations follow it
nat ({interface}) # access-list {ACL}
In doing so, the ASA makes sure that these access lists do not overlap.
Next are the regular NAT rules for which the longest match rule applies. Moreover, for nat 0 rules it is also true.
For example, you can translate the address 10.1.1.1, not broadcast the network 10.1.1.0/24 and translate everything else into something else.
nat (ins) 0 10.1.1.0 255.255.255.0 nat (ins) 1 10.1.1.1 255.255.255.255 nat (ins) 2 0 0
To fix this piece, 2 small exercises:
1. You have access from outside to the ASA, behind which a computer with an incorrectly configured (missing) default gateway is connected behind the internal interface. It is necessary to get to it (for example, RDP is included there)
2. Arrange the translation rules in the order in which they will be executed
access-list NAT1 permit ip any host 198.133.219.25 access-list NAT1 deny ip any host 216.255.83.40 global (out) 2 int global (out) 2 1.1.1.1-1.1.1.100 nat (ins) 0 10.1.1.1 255.255.255.255 nat (ins) 2 10.1.1.0 255.255.255.0 global (out) 1 1.1.1.254 global (out) 1 1.1.1.101-1.1.1.110 nat (ins) 1 access-list NAT1
Static broadcasts (do not blame me: it should be continued)
PS Friends, when reprinting, translating, using in working with employees, please refer to me and www.anticisco.ru ! Thank you in advance for your understanding :)
Sergey Fedorov, instructor