The Cisco Adaptive Security Appliance (ASA) is one of the most important appliances in Cisco’s security product range. It is Cisco’s firewall implementation, and one of the features it supports is Network Address Translation (NAT). In this article, we will look at some of the NAT types that the ASA supports, when to use each type, and how they are implemented.
Note that from version 8.3 of the ASA image, the NAT configuration changed considerably. In this article, we will be using version 8.4, which is based on the new configuration, so keep that in mind in case you have not yet upgraded your ASA image. Perhaps in another article, we will compare the pre-8.3 and post-8.3 configurations.
Cisco ASA NAT Overview
The aim of this article is to look at the different implementations of NAT; however, it is necessary to lay a foundation of NAT in general and then NAT on the Cisco ASA.
One of the main reasons for using NAT is to enable internal users with private IP addresses to connect to the Internet. Because of the limited IPv4 address space, it is not possible for every computer and device to have a routable IP address. It is also not feasible because of cost, as public IP addresses come at a price.
Another reason we use NAT is security, because NAT is able to “hide” the real source of traffic. You will commonly hear the terms “real address” and “mapped address” when dealing with NAT. These terms are pretty much self-explanatory, but for clarity’s sake, let’s define them: the real address of a host is its untranslated address; the mapped address of a host is the address it is seen as after translation. Let’s use an example to explain this.
In the diagram below, a host with IP address 10.0.0.10 on the inside is being translated to 126.96.36.199 on the outside. This means that the real address of the host is 10.0.0.10; however, any device on the outside network will “see” this host as having an IP address of 188.8.131.52 (mapped address). This is how NAT hides IP addresses.
It is good to note at this point that NAT does not have to be about hiding IP addresses. There is a form of NAT called Identity NAT in which the real address and the mapped address are the same. We will consider this in another article.
Now that we have a basic understanding of NAT, let’s discuss NAT on the Cisco ASA for a moment. Starting with version 8.3, NAT can be implemented in two ways on the ASA: Network Object NAT and Twice NAT. If, like some of us, you were familiar with the ASA before this version, you may find the new configuration a bit weird at first, but as long as you understand the basics of NAT, you will be fine after a couple of configurations. (The change hit me so hard that I once downgraded an ASA from version 8.3 to version 8.2.)
The difference between these two NAT implementations can be summarized as follows. Network Object NAT is the recommended implementation method for most NAT requirements: it is easier to configure and it supports most of the NAT types. Twice NAT, on the other hand, allows more flexibility, and if you have to do policy NAT, you will have to use this implementation method.
In this article, we will keep things simple and focus on Network Object NAT. We will use this NAT implementation method to configure three types of NAT: Dynamic NAT, Dynamic PAT, and Static NAT.
Dynamic NAT
When dynamic NAT is used, a group of real addresses is translated to a usually smaller pool of mapped addresses. Real addresses are assigned mapped addresses from the pool on a first-come, first-served basis. As mentioned, it is usually the case that the pool of mapped addresses is smaller than the set of real addresses; however, this is not a requirement.
What makes this type of NAT dynamic is that no real address has a fixed mapped address; a real address is mapped to whichever address is available in the pool of mapped addresses.
Now, let’s look at the configuration for Dynamic NAT. We will be using the following network diagram:
The green arrow represents what we want to achieve. Let’s assume we want LAN users to be able to connect to the DMZ but we want their real IP addresses to be hidden. We can configure a Dynamic NAT rule in this situation.
In the above configuration, we defined two network objects: LAN-MAPPED defines the pool of mapped addresses as 172.16.0.51-60, and LAN-REAL defines the LAN subnet. Finally, we add the NAT rule under the network object of the real addresses, which we can read as: if the IP addresses defined under the LAN-REAL network object on the inside open a connection to a host in the DMZ, they should be dynamically translated to IP addresses in the pool defined by LAN-MAPPED.
Let’s look at the running configuration.
You will notice that even though we configured NAT under the network object, the running configuration splits the NAT configuration and the network object configuration into two. That’s because you can use the network object for other configurations apart from NAT.
Let’s test this. The server in the diagram above is simulated using a router, so we can check what IP address is being used when the host connects. I open a Telnet connection to the server and run the “who” command on it.
Let’s look at the connection entry on the ASA.
So we see that 192.168.0.3 is being translated to 172.16.0.58, which is what the ‘server’ sees. If another host on the LAN opens a connection, it will be assigned another free mapped address from the pool. These addresses are dynamically assigned and automatically released when the connections are closed.
If you look at our configuration, you will notice that we configured a pool of only 10 mapped addresses. So what happens when the pool is exhausted? Users will not be able to connect. This is one of the disadvantages of Dynamic NAT: the pool may get used up. You may then wonder why not use a pool that matches the number of real addresses. Well, you may not have that many routable IP addresses (mapped addresses) on the destination network. This brings us to the next type of NAT.
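The Dynamic NAT procedure above, written out as an added example in ASA 8.3+ syntax (not the article’s own configuration listing, which is not reproduced here). The object names, the 172.16.0.51-60 pool and the interface names inside/dmz/outside are the article’s; the LAN subnet 192.168.0.0/24 is an assumption based on the host 192.168.0.3.

```cisco
! Pool of mapped addresses in the DMZ subnet (172.16.0.51-60)
object network LAN-MAPPED
 range 172.16.0.51 172.16.0.60
!
! Real LAN addresses. The /24 is assumed; the article only shows host 192.168.0.3.
object network LAN-REAL
 subnet 192.168.0.0 255.255.255.0
 ! Dynamic NAT rule: inside -> dmz, pick a free address from LAN-MAPPED
 nat (inside,dmz) dynamic LAN-MAPPED
!
! Verification. The running configuration shows the object definitions and
! the NAT rule as two separate sections:
show running-config object
show running-config nat
!
! Per-rule translate_hits / untranslate_hits counters for the rule above:
show nat detail
!
! Active translations (expect e.g. 192.168.0.3 -> 172.16.0.58 while the
! Telnet session to the DMZ server is open) and the matching connection:
show xlate
show conn
```

When all ten pool addresses are in use, new inside-to-DMZ connections fail until an existing translation times out, which is the pool-exhaustion case the text describes.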
Dynamic PAT
This is probably the most widely implemented NAT type because it allows a group of real addresses to be translated to a single mapped address. So if you have only one public IP address from your ISP, PAT is what you’d use to allow your Intranet (or LAN) to connect to the Internet.
How does it work? The answer is in its name: Port Address Translation. It translates the real address and source port to the mapped address and a unique port. Theoretically, you can have approximately 64000 connections using only one mapped address. Notice that I said “connections”; this is because traffic from a real address 10.0.0.1 on source port 10004 (written 10.0.0.1:10004) requires a separate translation entry from traffic from 10.0.0.1 on source port 10005.
We will use the same network diagram as above, but this time we will configure a single public IP address for all LAN users going to the Internet.
Notice in the configuration above that I have used the same network object. This configuration overrides the previous one, because an object can carry only one NAT rule. If you needed both rules, you would have to create two network objects with different names (even though they match the same subnet/network/host).
So what I have done in the configuration above is add a PAT rule that maps all the real addresses to one ‘outside’ IP address. Notice that we have not specified an IP address here; instead we used the keyword “interface”, which tells the ASA to use the IP address of the outside interface as the mapped address. Let’s see this work.
As you can see, the IP address being used is 184.108.40.206, which is the IP address of the outside interface of the ASA, as shown below.
We can see that Dynamic NAT and Dynamic PAT are quite similar, except that Dynamic NAT uses more than one mapped address. So when do we use each? Well, some protocols and applications may not work with PAT, so for those you will have to use Dynamic NAT. However, when you are short of IP addresses, PAT is well suited because it is more cost effective.
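The Dynamic PAT configuration described above, as an added example in ASA 8.3+ syntax (not the article’s own listing). It shows both the override the article performs and the two-object alternative it mentions; the 192.168.0.0/24 subnet and the name LAN-REAL-INET are assumptions.

```cisco
! Option A (what the article does): re-entering "nat" under LAN-REAL
! replaces the earlier inside->dmz dynamic NAT rule, because a network
! object can hold only one NAT rule.
object network LAN-REAL
 subnet 192.168.0.0 255.255.255.0
 ! PAT to whatever address the outside interface currently has
 nat (inside,outside) dynamic interface
!
! Option B: keep the DMZ rule on LAN-REAL and add a second object that
! matches the same subnet just to carry the Internet PAT rule.
object network LAN-REAL
 subnet 192.168.0.0 255.255.255.0
 nat (inside,dmz) dynamic LAN-MAPPED
object network LAN-REAL-INET
 subnet 192.168.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Verification: the outside interface address is the mapped address
show interface ip brief
! PAT entries list a translated port, one entry per connection
show xlate
show nat detail
```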
Static NAT
You will have noticed that the first two NAT types we have discussed are ideal for unidirectional initiation of traffic, i.e. users on the source network can initiate traffic to the destination network; however, users on the destination network cannot initiate a connection to the source network on the mapped address. (It is possible for the destination network to initiate a connection to the mapped address while the NAT entry is still in the table; however, this is very unlikely because the mapped address should not be predictable. In any case, the ASA security rule should not allow this.)
This is where static NAT comes in. It allows bidirectional initiation of traffic. Static NAT finds its main use in establishing a public presence for an internal host, for example, making a web server in your DMZ accessible from the Internet.
In our network diagram, we want our server to be accessible on 220.127.116.11 from the Internet. Using our security rules, we will permit connections only on ports 80 (HTTP) and 443 (HTTPS).
Now, if a user on the Internet opens an HTTP connection to 18.104.22.168, they are presented with the web page of the ‘server’ as shown below.
This is the security rule (access list) applied on the outside interface of the ASA.
Notice that I have matched both the mapped address and the real address. This is because, depending on the ASA version you have, the ASA requires you to specify either the mapped address or the real address in the access list. We can confirm which one is being matched.
From the output above, we can see that in this version of the ASA image the ACL should specify the real address, so we can remove the ACEs that specify the mapped address. Just in case you ever run into a situation where you are not sure, you can confirm it using this method.
Naturally, static NAT is used for one-to-one mapping, but there are other options such as one-to-many, many-to-few, few-to-many and many-to-one. Cisco recommends sticking to one-to-one or one-to-many, as the other options may produce “funny” results.
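The Static NAT and access-list configuration discussed above, as an added example in ASA 8.3+ syntax (not the article’s own listing). The mapped address 220.127.116.11 and ports 80/443 are the article’s; the object name DMZ-SERVER and the server’s real address 172.16.0.10 are assumptions.

```cisco
! DMZ web server: real address is assumed, mapped address is the article's
object network DMZ-SERVER
 host 172.16.0.10
 ! One-to-one static NAT, bidirectional: inbound connections to
 ! 220.127.116.11 on outside are untranslated to 172.16.0.10 in the dmz
 nat (dmz,outside) static 220.127.116.11
!
! Security rule on the outside interface. On ASA 8.3 and later, the ACL is
! evaluated against the real (untranslated) address, so the object holding
! the real address is referenced, and only HTTP and HTTPS are permitted.
access-list OUTSIDE-IN extended permit tcp any object DMZ-SERVER eq www
access-list OUTSIDE-IN extended permit tcp any object DMZ-SERVER eq https
access-group OUTSIDE-IN in interface outside
!
! Verification. If you are unsure which address your image matches, add a
! second ACE for the mapped address temporarily and compare hit counts:
show access-list OUTSIDE-IN
! untranslate_hits increments for each inbound connection to the server
show nat detail
! The static entry is present even when no connection is open
show xlate
```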
This brings us to the end of this article where we have looked at some NAT types on the Cisco ASA including Dynamic NAT, Dynamic PAT and Static NAT. We have seen the scenarios in which each of them should be used and we have also looked at how to configure them. There are still some really cool NAT types that the ASA supports and we will look at some of them in our next article. I hope you have found this article insightful. I wish you success in your careers and studies.