
ASA: network address translation troubles. Part 2. Static translation

Static translation

Static translations, in contrast to dynamic ones, rigidly bind addresses (or address-and-port pairs) to each other. It is this property that allows sessions to be initiated from both the inside and the outside of the firewall. But so that you never again get confused when writing static translations, I will teach you to "read" them correctly. The command format is quite simple:

static ({source_int},{dest_int}) {translated_address} {real_address}

Where
source_int - the interface on which the packet arrives
dest_int - the interface through which the packet leaves
real_address - the real address of the host
translated_address - the translated address of the host
And the translation is read like this:
When a packet travels from the source_int interface to the dest_int interface, its source address real_address is replaced with translated_address.
When the packet travels in the opposite direction, i.e. arrives on the dest_int interface and leaves through the source_int interface, its destination address translated_address is replaced with real_address.



Because the addresses are rigidly bound, a session can be initiated from the inside, from the source address real_address, or from the outside, to the destination address translated_address. This is the property I mean when I say that a static translation works in both directions.
In fact, the whole difficulty is to memorize the "hidden" words (source_int, dest_int, real_address, translated_address) and never confuse their roles.

Static PAT is no more difficult. You just need to add the transport protocol and a pair of ports.

static ({source_int},{dest_int}) {tcp|udp} {translated_address} {translated_port} {real_address} {real_port}


The ports can be the same or different, i.e. the translation can also hide the real port on which the application is listening.

Sometimes there is a need to statically bind one network to another of the same size. The command for this is

static ({source_int},{dest_int}) {translated_address} {real_address} netmask {mask}


Such a translation replaces the network prefix but leaves the "suffix", i.e. the host part of the address within that network, unchanged.

Example: bind the internal address 10.1.1.100 to the external 192.168.1.100, the internal address and port of the web server 10.1.1.101 to the external address 192.168.1.101 and port 8080, and also map the network 10.1.1.128/25 to 192.168.1.128/25

static (ins,out) 192.168.1.100 10.1.1.100
static (ins,out) tcp 192.168.1.101 8080 10.1.1.101 80
static (ins,out) 192.168.1.128 10.1.1.128 netmask 255.255.255.128


Just as dynamic translations come in regular ones and conditional ones (policy NAT), static ones can also be made conditional (policy static).

For this, an access list is used again; it describes at once what we translate (the source address) and when we translate it (the destination address).
The command format is:

static ({source_int},{dest_int}) {translated_address} access-list {ACLNAME}

Let us consider an example problem: we need to translate the address 10.1.1.100 to 192.168.1.100 only when the server communicates with the network 2.0.0.0/8

access-list STATIC permit ip host 10.1.1.100 2.0.0.0 255.0.0.0
static (ins,out) 192.168.1.100 access-list STATIC


Thus, the access list and the translation entry are inseparable parts of the design. Deny lines are not allowed in the access list, and if there are several such translations, the destination addresses in their access lists must not overlap (otherwise it would be impossible to decide unambiguously which translation to apply).

This static translation also works in both directions, but the condition is preserved: the destination address 192.168.1.100 is changed to 10.1.1.100 only if the connection comes from the network 2.0.0.0/8

Important: the source in the access list for policy static is either a single address if we are doing NAT, or an address with a port and protocol if we are doing static PAT, or the subnet that we want to translate to another subnet.

Examples:
access-list STATICPAT permit tcp host 10.1.1.100 eq 80 2.0.0.0 255.0.0.0
static (ins,out) tcp 192.168.1.101 8080 access-list STATICPAT
!
access-list STATICNET permit ip 10.1.1.128 255.255.255.128 2.0.0.0 255.0.0.0
static (ins,out) 192.168.1.128 access-list STATICNET


_______________
UPD 7:50 16/02

For static translations, as for dynamic ones, you can limit the maximum number of open TCP and UDP sessions, as well as the number of half-open (embryonic) sessions, after which SYN cookies are enabled.

static ({source_int},{dest_int}) {...} tcp {max} {embryonic} udp {max}
_______________

And now let's look at the most insidious thing: the order of static translations:
- Policy static translations (with access lists) go first. Here the ASA itself checks that the access lists do not conflict with each other.
- Next come the regular static translations. And this is where the trap lies: translations are matched in the order in which they appear in the configuration!

An example of the trap:
! The web server 10.1.1.101 is published on 192.168.1.100 port 8080,
! while everything else arriving at 192.168.1.100 goes to 10.1.1.100
!
static (ins,out) tcp 192.168.1.100 8080 10.1.1.101 80
static (ins,out) 192.168.1.100 10.1.1.100
!
! And this way is wrong: the general entry is matched first, so port 8080 also ends up at 10.1.1.100
!
static (ins,out) 192.168.1.100 10.1.1.100
static (ins,out) tcp 192.168.1.100 8080 10.1.1.101 80
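To make the reading rule and the ordering trap concrete, here is a small model, added for this article and not part of the original post or of any Cisco code, of how pre-8.3 `static` entries are matched in configuration order. The parser, the dict layout and the first-match walk are assumptions of the model; the two orderings are the ones from the example above.

```python
import ipaddress

def parse_static(line):
    """Parse 'static (ins,out) [tcp|udp] mapped [mport] real [rport] [netmask m]'
    into a dict; without a netmask the entry covers a single host."""
    t = line.split()[2:]                          # drop 'static' and the interface pair
    mask = "255.255.255.255"
    if "netmask" in t:
        mask, t = t[t.index("netmask") + 1], t[:t.index("netmask")]
    proto = t[0] if t[0] in ("tcp", "udp") else None
    if proto:
        mapped, mport, real, rport = t[1], int(t[2]), t[3], int(t[4])
    else:
        mapped, mport, real, rport = t[0], None, t[1], None
    net = lambda a: ipaddress.IPv4Network(f"{a}/{mask}", strict=False)
    return {"proto": proto, "mapped": net(mapped), "mport": mport,
            "real": net(real), "rport": rport}

def _lookup(statics, ip, proto, port, side, other, sport, oport):
    """First-match walk in configuration order (the rule from the text).
    side/other name the column that is matched and the column substituted."""
    ip = ipaddress.IPv4Address(ip)
    for s in statics:
        if ip not in s[side]:
            continue                              # address not covered by this entry
        if s["proto"] and (s["proto"] != proto or s[sport] != port):
            continue                              # static PAT: protocol and port must match
        new_ip = s[other][int(ip) - int(s[side][0])]   # keep the host "suffix"
        return str(new_ip), (s[oport] if s["proto"] else port)
    return None                                   # no static entry applies

def outbound(statics, src_ip, proto=None, src_port=None):
    """source_int -> dest_int: source real_address becomes translated_address."""
    return _lookup(statics, src_ip, proto, src_port, "real", "mapped", "rport", "mport")

def inbound(statics, dst_ip, proto=None, dst_port=None):
    """dest_int -> source_int: destination translated_address becomes real_address."""
    return _lookup(statics, dst_ip, proto, dst_port, "mapped", "real", "mport", "rport")

# Constructed config: the two orderings from the "trap" example in the article.
GOOD_ORDER = [parse_static(l) for l in (
    "static (ins,out) tcp 192.168.1.100 8080 10.1.1.101 80",
    "static (ins,out) 192.168.1.100 10.1.1.100",
)]
BAD_ORDER = list(reversed(GOOD_ORDER))

if __name__ == "__main__":
    print(inbound(GOOD_ORDER, "192.168.1.100", "tcp", 8080))  # ('10.1.1.101', 80)
    print(inbound(BAD_ORDER, "192.168.1.100", "tcp", 8080))   # ('10.1.1.100', 8080): the general static wins
```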


So, let's summarize the order of the rules:

nat (ins) 0 access-list
static (ins,out) Glob_ip access-list ACL
static (ins,out) Glob_ip Loc_ip
nat (ins) 1 access-list ACL (policy NAT)
nat (ins) # NETWORK (regular NAT)


# is a number greater than or equal to zero
If a NAT address pool is available for dynamic translations, it is used until it is exhausted; then PAT to addresses not assigned to the interface is used, and PAT to the interface address is used last.

global (out) 1 {start_ip}-{end_ip}
global (out) 1 {ip_address}
global (out) 1 interface


Here I will also give you a small problem: how to translate the address 10.1.1.100 to 192.168.1.100 when going to all networks except 192.168.100.0/24, while when going to 192.168.100.0/24, 10.1.1.100 must be translated to 192.168.100.100 instead.

Source: https://habr.com/ru/post/84377/

