Network Address Translation (NAT) is the substitution of an address or port in a packet. It is most often needed at the boundary between the company network and the Internet provider, but that is not its only job. Let us look at a few typical tasks and their solutions on the ASA firewall.
To begin with, some terms. As you already know, on the ASA the direction of a packet through the firewall, "outward" or "inward", is determined simply by comparing the security levels of the source and destination interfaces (the case of equal security levels will be considered separately).
Translations are usually divided into
inside and
outside translations. An inside translation replaces the source address of packets leaving the firewall "outward"; an outside translation replaces the source address of packets entering the firewall "inward".
As a rule, an inside translation is all you need: it replaces private RFC 1918 addresses, which are not routable on the Internet, with the global addresses issued by the provider.
Translations are also divided into
address-to-address translation (NAT, performed at layer 3 of the OSI model: one address is replaced by another), and
port-based translation (Port Address Translation, PAT, performed at layer 4: not only the address but also the port is replaced). Obviously, PAT can be performed only for protocols that have ports (TCP, UDP). In return, PAT lets you squeeze several local addresses into one global address: the translation table (xlate) remembers the correspondence between the original source address and port and the address and port obtained after translation.
Example: two local users with addresses 10.1.1.100 and 10.1.1.200 decide to visit the same site www.anticisco.ru. With NAT we have to give each internal user its own global address from the provider pool (ISPPool):
10.1.1.100 -> ISPPool(1)
10.1.1.200 -> ISPPool(2)
With PAT we can map different private addresses to one global address, because we also record the source ports:
10.1.1.100:29010 -> ISPPool(1):1024
10.1.1.200:18932 -> ISPPool(1):1025
When a reply comes back from the server, the ASA picks from the translation table the entry whose port the reply is addressed to.
To finish you off, dear readers, I will add that translations are also divided into
static and
dynamic. A static translation strictly binds one address to another (NAT) or one address-and-port pair to another (PAT). Dynamic translations are created on demand, when an arriving packet matches the selection criteria of a translation rule.
From words to configuration. To understand how translation is performed, recall that the first thing that happens to a packet arriving on an interface is a routing-table lookup. It determines the egress interface, or the packet is dropped if there is no route to the destination network. If the destination network is "outside" the firewall (behind an interface with a lower security level than the ingress interface), the inside translation rules are checked; if it is "inside", the outside rules are.
Unlike Cisco routers, on the ASA translation rules are inextricably tied to the interfaces on which the packet is received and sent. This makes the rules easy to write.
Another difference from routers: the ASA can be told to strictly forbid packets for which there is no translation rule. This is controlled by the command
nat-control
By default it is disabled: if there are no translation rules, packets are simply routed, and if there are rules, translation is performed. With nat-control enabled, packets that do not fall under any translation rule are mercilessly dropped.
Dynamic translation
Let me remind you that dynamic translations are created on demand, when an "interesting" packet arrives on the ingress interface. The rule describing which packets are to be translated is the nat command, which specifies the source addresses of the packet:
nat ({interface}) # {network} {mask}
interface - the name of the interface on which the packet arrived
# - the translation (NAT ID) number. It is needed to find the matching global statement that says what to translate the address into.
Example:
nat (ins) 1 10.1.1.0 255.255.255.0
nat (ins) 1 10.2.2.2 255.255.255.255
As you can see, there can be many rules with the same number.
Obviously, stating what to translate is not enough; we must also say what to translate it into. This is done with the global command.
global ({interface}) # {pool | address}
interface - the name of the interface through which the packet will leave
# - the translation number. It must match the number of the nat rule we are interested in.
pool - an explicit range of addresses in the form ip_start-ip_end that we translate into. This gives dynamic NAT.
address - if a single address is given instead of a pool, all translations go into it, which means PAT.
Example:
global (out) 1 81.1.1.10-81.1.1.20
global (out) 1 81.1.1.21
If you want to translate to the address of the egress interface itself, say so explicitly with the interface keyword:
global (out) 1 interface
If there are several global statements with the same number, NAT into the address pool is used first, then PAT into the separate address, and only then PAT into the interface address. A reasonable question: when does the next one come into play? For the pool it is clear, I hope: when the addresses in the pool run out. But what about switching between PAT addresses? Did that question not occur to you? Think again :)
Once more, all together: when does the ASA move from one PAT address to the next, and can there be many of them at all?
Both questions have the same answer: the ASA creates only about 4,000 translations per PAT address, and after that no new translations are created on it. What to do? Use several addresses for PAT, i.e. several global lines with the same number.
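As an added illustration of two points made above (the translation table that maps a reply back to the right internal host, and the move to the next PAT address once one is exhausted), here is a small Python model. It is not part of the original article and not ASA code; the sequential port allocation starting at 1024, the order in which global addresses are tried, and the per-address limit (the page's figure of roughly 4,000, made tiny in the sample so the switch is visible) are assumptions of the model.

```python
"""Model of the ASA dynamic PAT translation table (xlate).

Added example, not ASA code. Assumptions of the model: translated ports are
handed out sequentially from 1024 per global address, global addresses are
tried in the order of the "global" lines, and each address holds at most
per_addr_limit translations (the page puts the real figure at roughly 4,000).
"""


class PatTable:
    def __init__(self, global_addrs, per_addr_limit=4000, first_port=1024):
        self.global_addrs = list(global_addrs)
        self.per_addr_limit = per_addr_limit
        self.first_port = first_port
        self.used = {g: 0 for g in self.global_addrs}  # translations created per global address
        self.outbound = {}  # (local_ip, local_port) -> (global_ip, global_port)
        self.inbound = {}   # (global_ip, global_port) -> (local_ip, local_port)

    def translate_out(self, local_ip, local_port):
        """Outbound packet: reuse the existing xlate or create a new one.

        Returns (global_ip, global_port), or None when every PAT address is
        exhausted, which is when the ASA would drop the packet."""
        key = (local_ip, local_port)
        if key in self.outbound:
            return self.outbound[key]
        for gip in self.global_addrs:          # first global line first
            if self.used[gip] < self.per_addr_limit:
                gport = self.first_port + self.used[gip]
                self.used[gip] += 1
                self.outbound[key] = (gip, gport)
                self.inbound[(gip, gport)] = key
                return (gip, gport)
        return None

    def translate_in(self, global_ip, global_port):
        """Reply from the server: find the host by the port the reply is addressed to.

        Returns (local_ip, local_port), or None when no xlate exists (dropped)."""
        return self.inbound.get((global_ip, global_port))


if __name__ == "__main__":
    # constructed sample: two PAT addresses, each artificially limited to two translations
    t = PatTable(["81.1.1.21", "81.1.1.10"], per_addr_limit=2)
    for host, port in [("10.1.1.100", 29010), ("10.1.1.200", 18932),
                       ("10.1.1.150", 40000), ("10.1.1.160", 40001), ("10.1.1.170", 40002)]:
        print(f"{host}:{port} -> {t.translate_out(host, port)}")
    print("reply to 81.1.1.21:1025 goes to", t.translate_in("81.1.1.21", 1025))
```

A reply that hits no entry returns None, the model's equivalent of the ASA dropping an inbound packet for which no xlate exists; the same None from translate_out shows why a single PAT address is not enough once its translation slots are used up.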
The nat rule with number 0 stands apart. It describes what should not be translated on the way out, and it is especially necessary when strict nat-control is enabled. It needs no global statement to work; you can think of it as a rule that translates the address into itself.
So, we have described the rules of inside dynamic translation (NAT and PAT): when a packet goes "outward", the ingress interface is checked for nat rules, and if there are rules and the packet matches one, the corresponding global statement is looked for on the egress interface. The egress interface has a lower security level than the ingress one.
If we need to dynamically change the source addresses of packets going "inward" through the ASA, we must explicitly say that the global statements are to be searched for on interfaces with a higher security level. This is done with the outside keyword of the nat command (it also applies to nat 0 rules):
nat ({interface}) # {network} {mask} outside
Example: suppose we want to "hide" all real source addresses of connections coming from the Internet, replacing them with the address of the inside interface:
nat (out) 10 0 0 outside
global (ins) 10 interface
As you can see, the command format is very similar. By the way, the kind of translation shown in this example (outside PAT) is unfortunately not supported by Cisco routers.
An additional capability of translation rules is limiting the maximum number of open TCP connections, the maximum number of UDP connections, and the number of half-open (embryonic) TCP connections beyond which the protection against the SYN flood DoS attack (a huge number of requests to open a connection) is activated; the technique is called SYN cookies.
nat ({interface}) # {network} {mask} tcp {max} {embryonic} udp {max}
A value of 0 means "do not limit this parameter".
And now a trick question: how do we translate into one pool when going to one network and into another pool when going to another? Nowhere so far have we seen the destination network appear as a criterion.
The commands above are not enough to solve this. It is done with policy NAT (the "ordinary" NAT described so far is called regular NAT).
But do not be frightened in advance: there is nothing complicated about policy NAT. The criterion is simply not a source network but an access list, in which we indicate with permit lines not only what we are going to translate but also when.
For example, we want to translate our LAN into ISPPool(1) when going to the PARTNER network:
access-list NAT permit ip LAN PARTNER
nat (ins) 1 access-list NAT
global (out) 1 ISPPool(1)
There is a restriction on access lists used in policy NAT: deny lines are not allowed. Everything you want to translate must be described explicitly in permit lines. The only exception is the access list for nat 0: it may contain deny lines, and they mean "look at the other translation rules; perhaps this address does need to be translated".
Policy NAT takes precedence over regular NAT.
The order in which NAT rules are processed is confusing, but you need to know it. So, without waiting for the part about static translations, let us put these rules in order.
The very first rule is always policy NAT 0 (NAT exemption):
nat ({interface}) 0 access-list {NONAT}
Next comes the block of static translations, which we will deal with later. The main thing to remember is that static translations take precedence over dynamic ones.
They are followed by policy NAT translations:
nat ({interface}) # access-list {ACL}
The ASA itself makes sure that these access lists do not overlap.
Next come the regular NAT rules, for which the longest-match rule applies to the mask. This also holds for nat 0 rules.
For example, you can translate the address 10.1.1.1, not translate the network 10.1.1.0/24, and translate everything else into something else:
nat (ins) 0 10.1.1.0 255.255.255.0
nat (ins) 1 10.1.1.1 255.255.255.255
nat (ins) 2 0 0
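To make the lookup order concrete, here is an added Python model (not part of the original article and not ASA code) that walks a packet through the four stages in the order just described: nat 0 access-list, static, policy NAT, then regular NAT with longest match. The three regular rules are the page's own example; the nat 0 access-list, the static mapping and the policy rule in page_example() are constructed for illustration, and the model ignores interfaces and ports.

```python
"""Model of the pre-8.3 ASA NAT lookup order described above.

Added example, not ASA code. A packet is matched against:
  1. the nat 0 access-list (NAT exemption; a deny line only falls through)
  2. static translations
  3. policy NAT (nat # access-list), permit lines only
  4. regular NAT, longest match on the source mask (nat 0 here = identity)
Interfaces and ports are ignored; only source/destination addresses are matched.
"""
from ipaddress import ip_address, ip_network


def _matches(addr, net):
    """True if addr falls inside the network given in CIDR notation."""
    return ip_address(addr) in ip_network(net)


class NatOrder:
    def __init__(self):
        self.nonat_acl = []   # [(action, src_net, dst_net)]: the nat 0 access-list, first match wins
        self.static = []      # [(real_net, mapped_addr)]
        self.policy = []      # [(nat_id, [(src_net, dst_net), ...])]
        self.regular = []     # [(nat_id, src_net)]

    def lookup(self, src, dst):
        """Return (kind, detail) for the rule that wins for a packet src -> dst."""
        # 1. NAT exemption: the first matching ACL line decides; deny means "keep looking"
        for action, s, d in self.nonat_acl:
            if _matches(src, s) and _matches(dst, d):
                if action == "permit":
                    return ("exempt", 0)
                break
        # 2. static translations beat every dynamic rule
        for real, mapped in self.static:
            if _matches(src, real):
                return ("static", mapped)
        # 3. policy NAT: the ACLs are guaranteed not to overlap, so their order is irrelevant
        for nat_id, lines in self.policy:
            if any(_matches(src, s) and _matches(dst, d) for s, d in lines):
                return ("policy", nat_id)
        # 4. regular NAT: the most specific source mask wins, nat 0 included
        best = None
        for nat_id, s in self.regular:
            if _matches(src, s):
                plen = ip_network(s).prefixlen
                if best is None or plen > best[0]:
                    best = (plen, nat_id)
        if best is None:
            return ("none", None)   # with nat-control enabled, such a packet is dropped
        return ("identity" if best[1] == 0 else "regular", best[1])


def page_example():
    """The page's three regular rules plus constructed exemption/static/policy rules."""
    n = NatOrder()
    # constructed for illustration (not on the page)
    n.nonat_acl = [("deny", "10.1.1.1/32", "192.168.60.0/24"),
                   ("permit", "10.1.1.0/24", "192.168.60.0/24")]
    n.static = [("10.1.1.9/32", "81.1.1.9")]
    n.policy = [(1, [("10.1.1.0/24", "192.168.50.0/24")])]
    # the page's regular rules: nat (ins) 0 10.1.1.0/24, nat (ins) 1 10.1.1.1/32, nat (ins) 2 0 0
    n.regular = [(0, "10.1.1.0/24"), (1, "10.1.1.1/32"), (2, "0.0.0.0/0")]
    return n


if __name__ == "__main__":
    n = page_example()
    for src, dst in [("10.1.1.1", "8.8.8.8"), ("10.1.1.5", "8.8.8.8"), ("10.2.2.2", "8.8.8.8"),
                     ("10.1.1.5", "192.168.60.1"), ("10.1.1.1", "192.168.60.1"),
                     ("10.1.1.9", "192.168.50.1"), ("10.1.1.1", "192.168.50.1")]:
        print(src, "->", dst, n.lookup(src, dst))
```

Note what the sample shows: 10.1.1.1 going to the Internet is translated by nat 1 even though nat 0 covers its /24 (longest match), a deny line in the nat 0 list makes 10.1.1.1 fall through to the other rules instead of being exempted, and the static entry for 10.1.1.9 wins even where the policy ACL would also match.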
To cement this piece, two small exercises:
1. You have access from the outside to an ASA, behind whose inside interface there is a computer with a misconfigured (missing) default gateway. You need to reach it (for example, RDP is enabled on it).
2. Arrange the translation rules in the order in which they will be evaluated.
access-list NAT1 permit ip any host 198.133.219.25
access-list NAT1 deny ip any host 216.255.83.40
global (out) 2 int
global (out) 2 1.1.1.1-1.1.1.100
nat (ins) 0 10.1.1.1 255.255.255.255
nat (ins) 2 10.1.1.0 255.255.255.0
global (out) 1 1.1.1.254
global (out) 1 1.1.1.101-1.1.1.110
nat (ins) 1 access-list NAT1
Static translations (don't hold it against me: to be continued)
Friends, when reprinting, translating, or using this material to train employees, please credit me and www.anticisco.ru! Thanks in advance for your understanding :)
Sergey Fedorov, instructor