CCIE Security Notes: NAT Notes & Labbing

NAT Sections designate the processing order of a NAT rule. There are three different sections in which a NAT rule may reside. 

  • Section 1 - Manual NAT or Twice NAT
  • Section 2 - Auto NAT or Object NAT
  • Section 3 - Manual NAT using the after-auto keyword in your NAT rule

 

NAT is processed by the rule order and section. In Section 1 and Section 3, you can manually configure the line order. In Section 2, you cannot. The line order in Section 2 is determined by the following:

  • Type - Static first, then dynamic
  • Then the amount of IPs contained in the object network
  • Then object network containing the same amount of IPs will then address the lowest IP address number first
  • If there is a tie breaker needed if the rule is equal, it's decided by the alphabetical order of the names

 

Source NAT Syntax:

object network name
[host | subnet | range] ... 
nat (real-interface,mapped-interface) ...

 

Destination NAT Syntax:

object network name
[host | subnet | range] ...
nat (mapped-interface,real-interface) ...

If traffic is coming from an interface with a higher security level, make sure to add an ACL to allow a port, protocol, and/or IP address/subnet through. Use real IP in the access list. 

 

NAT lab I working with while doing all these configurations. I'm using VIRL in this case. 

NAT lab I working with while doing all these configurations. I'm using VIRL in this case. 

Download: VIRL Topology

 

Object NAT

Object NAT always consists of an object configuration which holds a configuration for the host address/subnet/range and binds that to a NAT rule which is also inside the same object. That gives you the ability to have the NAT configuration under a single object. 

Parameters you can use: 

  • object-group network name - Used for multiple networks, host addresses, or combination of both
  • object network name - Used to define single subnet, range, or host address 

PAT:

object network LAN
subnet 10.1.100.0 255.255.255.0
nat (inside,outside) dynamic interface

 

PAT Pool:

object network PATPOOL
range 100.0.0.15 100.0.0.20

object network LAN
subnet 10.1.100.0 255.255.255.0
nat (inside,outside) dynamic pat-pool PATPOOL {block-allocation | extended | flat | interface | round-robin}

Extended commands mentioned above for PAT:

  • block-allocation - Enables port block allocation
  • extended - Extends PAT uniqueness to per destination instead of per interface. It'll show an extended NAT entry on the NAT table where it'll not only show the sourced translated ports but also look at the destination ports.
  • flat - Translate TCP and UDP ports into flat range 1024-65535
  • interface - Use interface address as mapped IP. Can be used as teh backup IPs if you want for the interface. 
  • round-robin - Specify to use PAT IP addresses in round robin order when it fetches an IP from the pool

 

Destination NAT:

object network DMZ_Host
host 100.0.0.100
nat (outside,dmz) static 200.0.0.10

 

Dynamic NAT:

object network WAN-POOL
range 100.0.0.11 100.0.0.l4

object network DMZ-POOL
range 200.0.0.11 200.0.0.14
nat (dmz,outside) dynamic WAN-POOL

 

Static NAT: 

object network SRV
host 200.0.0.10
nat (dmz,outside) static 100.0.0.5 {dns | no-proxy-arp | route-lookup}

Extended commands mentioned above for static NAT: 

  • dns - Uses the created xlate to rewrite DNS records
  • no-proxy-arp - Disables proxy ARP on the egress interfaces
  • route-lookup - Perform route lookup for this rule

 

Static PAT (Port Redirection):

object network SRV-GLOBAL
host 100.0.0.5

object network SRV
host 200.0.0.10
nat (dmz,outside) static SRV-GLOBAL service tcp telnet 23 2323

 

Identity NAT: Per the Cisco Configuration guide: “You might have a NAT configuration in which you need to translate an IP address to itself. For example, if you create a broad rule that applies NAT to every network, but want to exclude one network from NAT, you can create a static NAT rule to translate an address to itself. Identity NAT is necessary for remote access VPN, where you need to exempt the client traffic from NAT.”

 

Identity NAT Configuration (Basic):

object-group network DMZ-INTERNAL
network-object 200.0.0.0 255.255.255.0

object network DMZ
subnet 200.0.0.0 255.255.255.0
nat (dmz,outside) static DMZ-INTERNAL

 

    Identity NAT with objects:

    object network DMZ
    subnet 200.0.0.0 255.255.255.0
    nat (dmz,outside) static DMZ

     

    NAT Control:

    Basically says that anything not explicitly allowed should be dropped like a catch-all/blackhole for NAT. 

    object network ZERO
    host 0.0.0.0
    nat (inside,outside) after-auto source dynamic any ZERO

     

    Manual NAT

    Manual NAT gives you the ability to add NAT entries on the top or bottom of NAT processing and gives many more options you might not otherwise find in Object NAT. With Manual NAT, you'll see the static entry built into the xlate and see the hits against the NAT table. Show conn will give you the connection table that shows that translations. You can also debug nat but if you want to see more details without turning on debugging, make sure logging is enabled at 7 and check the show log to troubleshoot the recent NAT connections. 

    You always want to put the most specific NAT rules on top so they get matched first.

    Parameters you can use:

    • object-group network name Used for multiple networks or host addresses
    • object network name - Used for single subnet, range or host address
    • object service name - Used for source or destination services

    Static NAT: 

    object network DMZ-SRV
    host 200.0.0.10

    object network MAP-SRV
    host 100.0.0.5

    Global config mode:

    (config)# nat (dmz,outside) source static DMZ-SRV MAP-SRV

     

    Network Static NAT: 

    object network LAN
    subnet 10.1.100.0 255.255.255.0

    object network MAP-OUTSIDE
    subnet 100.0.0.128 255.255.255.128

    (config)# nat (inside,outside) source static LAN MAP-OUTSIDE

     

    Dynamic NAT:

    object network LAN
    subnet 10.1.100.0 255.255.255.0

    object network NATPOOL
    range 100.0.0.15 100.0.0.20

    (config)# nat (inside,outside) source dynamic LAN NATPOOL

     

    PAT: 

    object network OUTSIDE
    host 100.0.0.5

    object network LAN
    subnet 10.1.100.0 255.255.255.0

    (config)# nat (inside,outside) [after-auto] source dynamic LAN OUTSIDE

     

    PAT Pool: 

    object network PATPOOL
    range 100.0.0.15 100.0.0.20

    object network LAN
    subnet 10.1.100.0 255.255.255.0

    (config)# nat (inside,outside) [after-auto] source dynamic LAN pat-pool PATPOOL

     

    Destination NAT:

    object network MAP-PARTNER1
    host 10.1.100.15

    object network PARTNER1
    host 100.11.11.22

    (config)# nat (inside,outside) [after-auto] source dynamic any interface destination static MAP-PARTNER1 PARTNER1

     

    Identity NAT with source and destination specified:

    object network DMZ
    subnet 200.0.0.0 255.255.255.0

    object network PARTNER2-NETWORK
    subnet 100.22.22.0 255.255.255.0

    (config)# nat (dmz,outside) 1 source static DMZ DMZ destination static PARTNER2-NETWORK PARTNER2-NETWORK {description | inactive | net-to-net | no-proxy-arp | route-lookup | service | unidirectional} 

    Extended options mentioned above:

    • description - Specify NAT rule description
    • inactive - Disable a NAT rule
    • net-to-net - Net to net mapping of IPv4 and IPv6
    • no-proxy-arp - Disable proxy ARP on egress interface
    • route-lookup - Perform route lookup for this rule
    • service - NAT service parameters
    • unidirectional - Enable per-session NAT

     

    Identity NAT with just source:

    object network LOOPBACK2
    host 10.1.100.37

    nat (inside,outside) source static LOOPBACK2 LOOPBACK2

     

    Show commands that are useful:

    • show run nat
    • show run object
    • show conn [detail]
    • show nat [detail]
    • show xlate
    • packet-tracer
    • show log