Static NAT defines a one-to-one mapping from one IP subnet
to another IP subnet. The mapping includes destination IP address translation
in one direction and source IP address translation in the reverse direction.
From the NAT device, the original destination address is the virtual host IP
address while the mapped-to address is the real host IP address.
Static NAT allows connections to be originated from either
side of the network, but translation is limited to one-to-one or between blocks
of addresses of the same size. For each private address, a public address must
be allocated. No address pools are necessary.
Lets look at this example, an outside host on the Internet wants to reach a
server in DMZ. But we cant do this with dynamic NAT or PAT. To make a successful connection to the right server following need to be done:
- Configure static NAT so that the internal server is reachable through an outside public IP address.
- Configure an access-list so that the traffic is allowed.
To demonstrate static NAT I will use the following topology:
ASA firewall : two interfaces; 1) DMZ 2) outside world.
R1 webserver
on the DMZ
R2 is some host on the Internet that wants to reach our
webserver.
STATIC NAT CONFIGURATION
First we will create a network object that defines our
“webserver” in the DMZ and also configure to what IP address it should be
translated. This configuration is for ASA version 8.3 and later:
ASA1(config)# object network
WEB_SERVER
ASA1(config-network-object)# host
192.168.1.1
ASA1(config-network-object)# nat
(DMZ,OUTSIDE) static 192.168.2.200
The configuration above tells the ASA that whenever an
outside device connects to IP address 192.168.2.200 that it should be
translated to IP address 192.168.1.1. This takes care of NAT but we still have
to create an access-list or traffic will be dropped:
ASA1(config)# access-list
OUTSIDE_TO_DMZ extended permit tcp any host 192.168.1.1
The access-list above allows any source IP address to
connect to IP address 192.168.1.1. When using ASA version 8.3 or later you need
to specify the “real” IP address, not the “NAT translated” address. Let’s
activate this access-list:
ASA1(config)# access-group
OUTSIDE_TO_DMZ in interface OUTSIDE
This enables the access-list on the outside
interface. Let’s telnet from R2 to R1 on TCP port 80 to see if it works:
R2#telnet 192.168.2.200
Trying 192.168.2.200 ... Open
Great, we are able to connect from R2
to R1, let’s take a look at the ASA to verify some things:
ASA1# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I -
identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from DMZ:192.168.1.1 to
OUTSIDE:192.168.2.200
flags s idle 0:08:44 timeout 0:00:00
ASA1# show access-list
access-list cached ACL log flows: total
0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list OUTSIDE_TO_DMZ; 1 elements;
name hash: 0xe96c1ef3
access-list OUTSIDE_TO_DMZ line 1
extended permit tcp any host 192.168.1.1 eq www (hitcnt=6) 0x408b914e
Above you can see the static NAT entry
and also the hit on the access-list. Everything is working as it is supposed to
be.
Static NAT for
entire subnet
The previous example was fine if you
have only a few servers since you can create a couple of static NAT
translations and be done with it. There is another option though, it’s also
possible to translate an entire subnet to an entire pool of IP addresses. Let
me give you an example of what I’m talking about:
The topology above is
the exact same as the previous example but I have added R3 to the DMZ. Now
imagine that our ISP gave us a pool of IP addresses, let’s say 10.10.10.0 /24.
We can use this pool to translate all the servers in the DMZ, let me show you
how:
ASA1(config)# object network PUBLIC_POOL
ASA1(config-network-object)# subnet
10.10.10.0 255.255.255.0
First we configure the pool with IP
addresses. Our next step is to create a network object for the DMZ subnet and
to enable NAT:
ASA1(config)# object network DMZ
ASA1(config-network-object)# subnet
192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat
(DMZ,OUTSIDE) static PUBLIC_POOL
The configuration above tells the ASA
to translate any IP address from the subnet DMZ (192.168.1.0 /24) to an IP
address in the PUBLIC_POOL (10.10.10.0 /24). Last but not least, let’s make the
access-list:
ASA1(config)# access-list
OUTSIDE_TO_DMZ permit tcp any 192.168.1.0 255.255.255.0
and activate it on the outside:
ASA1(config)# access-group
OUTSIDE_TO_DMZ in interface OUTSIDE
That’s all we have to configure, let’s
verify our work:
ASA1# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I -
identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from DMZ:192.168.1.0/24 to
OUTSIDE:10.10.10.0/24
flags s idle 0:02:00 timeout 0:00:00
You can see that the entire DMZ subnet
192.168.1.0 /24 will be translated to our 10.10.10.0 /24 pool. Let’s enable a
debug so we can see what addresses are used when we translate:
ASA1# debug nat 255
debug nat enabled at level 255
Now I’ll connect from R2 to the first
IP address in the pool:
R2#telnet 10.10.10.1
Trying 10.10.10.1 ... Open
You can see that it connects and the
ASA will show the following output:
ASA1# nat: untranslation - OUTSIDE:10.10.10.1/23 to
DMZ:192.168.1.1/23 (xp:0xab2b3980, policy:0xad2632a0)
Whenever we connect to 10.10.10.1 it
corresponds with the first IP address of the DMZ so we are connected to R1.
Let’s see how we can connect to R3:
R2#telnet 10.10.10.3
Trying 10.10.10.3 ... Open
It’s connected and this is what the ASA
thinks of it:
ASA1# nat: untranslation - OUTSIDE:10.10.10.3/23 to
DMZ:192.168.1.3/23 (xp:0xab2b3980, policy:0xad2632a0)
The third IP address in the pool is
translated to the third IP address of the DMZ which is R3.
This demonstrates that each IP address
in the pool is translated to the “same” IP address in the DMZ. For example:
·
10.10.10.1 > 192.168.1.1
·
10.10.10.3 > 192.168.1.3
·
10.10.10.200 > 192.168.1.200
·
etc.
That’s all I have about static NAT on
the Cisco ASA firewall for now. Hopefully this lesson has been useful, if you
have any questions feel free to leave a comment!