One of these changes was that NAT exemptions (NAT 0) no longer exist; instead you are required to configure an Identity NAT, which, depending on the scenario, can be done using either Auto NAT or Manual NAT. For example, if we wanted to ensure that traffic between two networks is exempted from being NAT'd, we could define a policy-based Identity NAT, e.g.:
object network internal_network
subnet 10.0.0.0 255.255.255.0
object network vpn_network
subnet 172.30.20.0 255.255.255.0
exit
nat (dmz,outside) source static internal_network internal_network destination static vpn_network vpn_network no-proxy-arp route-lookup
The NAT rule above translates the source to itself only when the destination matches vpn_network; if the destination is different, the rule simply isn't used.
The way in which ACLs are applied to interfaces has also changed with 8.3. Pre-8.3, when allowing traffic that was to be NAT'd on an interface, you would define an explicit rule permitting the packet inbound as it arrived, before it was untranslated. For example:
If a packet was destined for your outside interface, which was assigned the public IP 88.77.66.55, and a NAT rule then forwarded this packet by translation to an IP (192.168.10.10) in your DMZ, you would add an ACL permitting traffic to 88.77.66.55. In 8.3, however, the packet is untranslated before the interface ACLs are checked, so we would instead add a rule allowing access to the DMZ IP (192.168.10.10).
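To make the before/after concrete, here is an added example (not from the original post) of the DMZ scenario above: the pre-8.3 static NAT with its ACL written against the mapped public address, alongside the 8.3 object NAT with the ACL written against the real DMZ address. The object and ACL names (dmz_server, outside_in) and the choice of TCP/443 are assumed.

```cisco
! Pre-8.3 (added example, not the post's own config): the interface ACL
! permits the MAPPED public address, because the ACL is evaluated before
! the packet is untranslated.
static (dmz,outside) 88.77.66.55 192.168.10.10 netmask 255.255.255.255
access-list outside_in extended permit tcp any host 88.77.66.55 eq 443
access-group outside_in in interface outside

! 8.3 and later: the same server published the same way, but the ACL now
! permits the REAL DMZ address, because the packet is untranslated before
! the interface ACL is checked. An ACL still permitting 88.77.66.55 here
! silently drops the traffic.
object network dmz_server
 host 192.168.10.10
 nat (dmz,outside) static 88.77.66.55
access-list outside_in extended permit tcp any object dmz_server eq 443
access-group outside_in in interface outside
```

After a migration this is the first thing to check when a previously working inbound flow starts failing: running packet-tracer against the outside interface (for example `packet-tracer input outside tcp 198.51.100.5 40000 88.77.66.55 443`, with a constructed source address) walks the packet through the phases and shows the UN-NAT step ahead of the ACCESS-LIST check, so you can see which address the ACL is actually being evaluated against.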
Auto NAT is configured within a network object. An advantage of Auto NAT is that it automatically orders the NAT rules, preventing any collisions. This comes at the price of granularity, as you are unable to make a translation decision based on the destination, unlike Manual NAT.
An example of Auto NAT that provides dynamic PAT for inside clients out to the internet:
object network inside-subnet
subnet 10.0.0.0 255.255.255.0
nat (inside,outside) dynamic interface
Manual NAT (twice NAT)
An example of manual NAT:
object network inner_ip
host 10.0.0.100
object network outside_ip
host 44.55.66.77
exit
nat (inside,outside) source static inner_ip outside_ip
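The Manual NAT example above translates inner_ip to outside_ip unconditionally. As an added example (not from the original post), the same objects extended with a destination condition, which is the granularity Auto NAT cannot express. The partner_net object and its 203.0.113.0/24 range are constructed for illustration.

```cisco
! Added example, not the post's own config. Extends the Manual NAT example
! with a destination condition.
object network inner_ip
 host 10.0.0.100
object network outside_ip
 host 44.55.66.77
! Constructed partner range (documentation prefix), not a real peer.
object network partner_net
 subnet 203.0.113.0 255.255.255.0
! 10.0.0.100 is presented as 44.55.66.77 only when it talks to partner_net.
! Any other destination does not match this rule and falls through to the
! remaining NAT rules (for example the Auto NAT dynamic PAT shown earlier).
nat (inside,outside) source static inner_ip outside_ip destination static partner_net partner_net
```

Two things to check before relying on a rule like this: Manual NAT rules without the after-auto keyword sit in section 1 of the NAT table and are evaluated in the order they were entered, ahead of every Auto NAT rule, so an earlier and broader manual rule can shadow this one. `show nat detail` lists the table in evaluation order with hit counts, and `packet-tracer input inside tcp 10.0.0.100 40000 203.0.113.10 443` confirms which rule a specific flow actually matches.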