Configuring NAT on Cisco ASA

http://hocmang.net/2014/09/07/cau-hinh-nat-tren-cisco-asa/
Starting with software version 8.3, NAT was completely redesigned to make it simpler and easier to create translation rules, including rules that translate both the source and the destination IP address at the same time. The ability to customize the order in which NAT statements are processed is another notable feature of the new NAT model. There are two NAT modes:

Network Object NAT: The translation rule is defined inside a network object. This mode can only translate the source IP address. It is also called Auto NAT, because the ASA automatically orders its entries according to a predefined set of rules.

Twice NAT: This mode is suited to cases where both the source and the destination IP address must be translated. Twice NAT is usually called Manual NAT, because we can control the order in which the ASA processes the NAT statements.

From software version 8.3 onward, the ASA uses a single unified NAT table. This table is divided into three sections, and translation rules are processed from top to bottom: the first rule a packet matches is the one used to translate it. Network Object NAT is always placed in section 2, while Twice NAT is placed in section 1 by default.

Consider the following topology:

In the topology above, to let the hosts on the inside network (192.168.2.0/24) reach the Internet, we configure the following:

ASA1(config)# object network INSIDE_NETWORK
ASA1(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA1(config-network-object)# nat (inside,outside2) dynamic interface
The configuration above is Network Object NAT, because the nat command is placed inside a network object. The command nat (inside,outside2) dynamic interface means that when a packet with a source IP in 192.168.2.0/24 goes from the inside interface out through outside2, its source IP is translated to the IP address of the outside2 interface. The translation mechanism here is PAT (Port Address Translation).

Check the NAT configuration with show nat detail. We can see that the Network Object NAT rule is placed in section 2 (Auto NAT Policies):

After letting PC1 browse a few websites (this traffic is permitted by the implicit rules by default, because it goes from the inside interface with security level 100 to the outside2 interface with security level 0), we check the ASA's translation table with show xlate:

PC1's address 192.168.2.5 is translated to 192.168.0.250, the address of the outside2 interface, and the flags r (portmap) and i (dynamic) are set, which means the ASA is performing dynamic PAT. If needed, PAT can also be configured with a range of IP addresses by using the pat-pool keyword in the nat command.

Next, to let PC2 (a host on the Internet) reach SERVER1 in the dmz, we must publish SERVER1 to the outside with static NAT. We do this as follows:

ASA1(config)# object network DMZ_SERVER1
ASA1(config-network-object)# host 192.168.3.5
ASA1(config-network-object)# nat (dmz,outside1) static 50.0.0.6
In the configuration above, the real IP address of SERVER1 (192.168.3.5) is translated to the public address 50.0.0.6. Hosts on the Internet will reach SERVER1 through this public address. However, static NAT alone is not enough: the traffic will be dropped by the implicit rules, because it goes from the outside1 interface (security level 0) to the dmz interface (security level 50). We also need an ACL applied inbound on the outside1 interface to permit this traffic. Note that the ACL must reference the real IP address of SERVER1:

ASA1(config)# access-list OUTSIDE1_INBOUND extended permit ip any object DMZ_SERVER1
ASA1(config)# access-list OUTSIDE1_INBOUND extended deny ip any any
ASA1(config)# access-group OUTSIDE1_INBOUND in interface outside1
Checking the NAT configuration again, we see that the static NAT rule is placed above the dynamic NAT rule in the NAT table:

Network Object NAT automatically puts its translation rules into section 2 of the NAT table. The ASA orders these rules according to the following criteria:
1) Static rules always take precedence over dynamic rules.
2) Within each type (static or dynamic), the order is determined as follows:

The number of real IP addresses in the network object: from fewest to most (that is, from the longest prefix to the shortest).

For two network objects with the same number of addresses, the IP addresses are compared (from lowest to highest). For example, 10.10.10.0/24 is placed before 10.10.20.0/24.

If two network objects have both the same number of addresses and the same IP address, alphabetical order of the object name is used (from lowest to highest). For example, if the two network objects A-HOST and B-HOST both contain the address 10.10.10.10, the translation rule of A-HOST is placed first.

This is why the static NAT rule, although configured later, is placed above the dynamic NAT rule. In addition, static NAT entries always exist in the translation table, even when there is no traffic or after the table is cleared with clear xlate:
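To make the section 2 ordering concrete, here is an added Python model (written for this page, not code from the original article or from Cisco) that sorts Auto NAT rules by the four criteria just listed and then performs the top-down first-match lookup described earlier for the unified NAT table. The objects beyond INSIDE_NETWORK and DMZ_SERVER1 are constructed to exercise the tie-break rules.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class AutoNatRule:
    """One 'nat' statement inside a network object (Auto NAT, section 2)."""
    obj_name: str    # network object name
    real: str        # real address(es) as CIDR: 'host' -> /32, 'subnet' -> its prefix
    mapped: str      # mapped address, or "interface" for dynamic PAT on the egress interface
    static: bool     # True for static NAT, False for dynamic NAT/PAT
    real_if: str     # real (ingress) interface, e.g. inside
    mapped_if: str   # mapped (egress) interface, e.g. outside2

def auto_nat_sort_key(rule):
    """Key reproducing the order in which the ASA places Auto NAT rules in section 2."""
    net = ipaddress.ip_network(rule.real, strict=False)
    return (
        0 if rule.static else 1,      # 1) static rules before dynamic rules
        net.num_addresses,            # 2) fewer real addresses first (longest prefix first)
        int(net.network_address),     # 3) lower real IP first
        rule.obj_name,                # 4) alphabetical object name as the last tie-break
    )

def order_section2(rules):
    """Return the rules in the order 'show nat detail' lists them under Auto NAT Policies."""
    return sorted(rules, key=auto_nat_sort_key)

def first_match(rules, src_ip, ingress, egress):
    """Top-down first match: Auto NAT keys only on the real (source) address and interface pair."""
    ip = ipaddress.ip_address(src_ip)
    for r in order_section2(rules):
        if (r.real_if, r.mapped_if) == (ingress, egress) and ip in ipaddress.ip_network(r.real, strict=False):
            return r.obj_name
    return None  # no rule matched: the packet leaves untranslated

# Constructed sample (not 'show nat' output from a real ASA): the two objects from this
# page plus extra objects that exercise the tie-break rules.
RULES = [
    AutoNatRule("INSIDE_NETWORK", "192.168.2.0/24", "interface", False, "inside", "outside2"),
    AutoNatRule("DMZ_SERVER1", "192.168.3.5/32", "50.0.0.6", True, "dmz", "outside1"),
    AutoNatRule("NET_B", "10.10.20.0/24", "interface", False, "inside", "outside2"),
    AutoNatRule("NET_A", "10.10.10.0/24", "interface", False, "inside", "outside2"),
    AutoNatRule("B-HOST", "10.10.10.10/32", "50.0.0.8", True, "inside", "outside2"),
    AutoNatRule("A-HOST", "10.10.10.10/32", "50.0.0.7", True, "inside", "outside2"),
]

if __name__ == "__main__":
    for r in order_section2(RULES):
        print("static " if r.static else "dynamic", r.obj_name, r.real, "->", r.mapped)
    print(first_match(RULES, "10.10.10.10", "inside", "outside2"))  # A-HOST
```

Note that 10.10.10.10 matches three objects (A-HOST, B-HOST and NET_A), and the first-match walk returns A-HOST because the /32 static rules sort above the /24 dynamic rule.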

If we only want to publish SERVER1's HTTP service to the outside, we configure the following:

ASA1(config)# object network DMZ_SERVER1
ASA1(config-network-object)# host 192.168.3.5
ASA1(config-network-object)# nat (dmz,outside1) static 50.0.0.6 service tcp 80 80

In the configuration above, the first 80 is the port SERVER1 listens on, and the second 80 is the port that outside hosts will use to reach SERVER1's HTTP service.

Unlike Auto NAT, Manual NAT is used to translate both the source and the destination IP of a packet (although Manual NAT can also be used to translate only the source IP). Suppose the requirement is that when host 192.168.2.5 (on the inside interface) connects to host 192.168.4.99 (on the outside2 interface), the ASA translates the source IP to 192.168.0.250 and the destination IP to 8.8.8.8. We configure the following:

ASA1(config)# object network REAL_OUTSIDE2
ASA1(config-network-object)# host 8.8.8.8
ASA1(config)# object network MAPPED_OUTSIDE2
ASA1(config-network-object)# host 192.168.4.99
ASA1(config)# nat (inside,outside2) source dynamic INSIDE_NETWORK interface destination static MAPPED_OUTSIDE2 REAL_OUTSIDE2
Checking the NAT configuration, we see that Manual NAT is placed in section 1 by default and therefore takes precedence over Auto NAT. Also, Manual NAT does not automatically order its translation rules the way Auto NAT does: whichever rule is configured first comes first in the NAT table. This order can be changed by inserting a sequence number in the nat command.

If we want a Manual NAT rule to come after Auto NAT in the NAT table, we add the after-auto keyword to the nat command:

ASA1(config)# nat (inside,outside2) after-auto source dynamic INSIDE_NETWORK interface destination static MAPPED_OUTSIDE2 REAL_OUTSIDE2
Checking again, we see that the translation rule just configured is placed in section 3 and therefore has lower precedence than Auto NAT:

In addition, when configuring Manual NAT we can append the unidirectional keyword to the end of the nat command. Its purpose is to prevent the destination address from initiating traffic to the source address.

Note:
When the ASA receives traffic whose destination is a mapped address, it untranslates the address according to the NAT rule and forwards the packet to the real address. The ASA determines the egress interface for the packet as follows:
1) In transparent mode, the ASA determines the egress interface for the real address by using the NAT rule, so both the source and the destination interface must be specified in the NAT rule.
2) In routed mode, the ASA determines the egress interface as follows:

If the interfaces are specified explicitly in the NAT rule, the ASA uses the NAT rule to determine the egress interface. For Identity NAT, the ASA uses the NAT rule by default, but the route-lookup keyword can be added to the end of the nat command to force the ASA to use the routing table instead.

If no interface is specified explicitly in the NAT rule (that is, any is used), the ASA uses the routing table to determine the egress interface.

See also:
Cisco ASA All-in-One Next-Generation Firewall, IPS, and VPN Services by Jazib Frahim, Omar Santos & Andrew Ossipov
Cisco Firewalls by Alexandre de Moraes
Understanding When A Cisco ASA NAT Rule Can Override The ASA Routing Table
Configuring Twice NAT
