Hello!

Welcome to part 2 of this series of blog posts covering Network Address Translation on the ASA and Firepower threat Defense.  In this installment, we’re going to cover some terminology.

Notes on (confusing) terminology

Something that has always made NAT somewhat confusing to work with is overlapping terminology.  And it’s not just between vendors, or even vendor platforms, but also within the product documentation and the implementation of the same product.

Here’s the most relevant example.  The first screenshot is from the ASA 9.6 documentation. CLI book 2, NAT section.  The second screenshot is show output from an ASA that has the items referenced in the documentation snippet configured.

If you are brand new to the ASA, you’d never know from looking at these images that they are referencing the exact same thing.  When you’re trying to learn and discern what’s important, this terminology discrepancy presents an impediment.  This section is intended to help with that as best as I can.

Overall there are two categories where the terminology can be a bit confusing.  The first is items referred to with one term in the documentation, and a different one in the device .  We’ll call these synonymous terms:

The second is terms for what I would call use cases in the documentation, that don’t have an analog in the device configuration.  It’s just a term for specific use.  We’ll call these use case terms

When discussing configuring the technology where terms are synonymous, I’ll do my best to always use the term that’s referenced in the device configuration as it’s the most relevant.

When discussing use cases, I’ll point out where there’s a specific term defined for that use, but it’s not used anywhere in the device itself.

Synonymous terms

Auto NAT = Object NAT

They are the same thing,  the documentation calls it Object NAT, the command line interface calls it Auto NAT.  It’s called Object NAT in the documentation because the translation is always the property of an object.

!——-auto nat example—–!
object network foo
host 1.1.1.1
nat (i,o) static 2.2.2.2

Manual NAT = Twice NAT

They are exactly the same thing.  It’s called Twice NAT in the documentation to signify that both source and destination fields in the packet can be matched and altered.  NOTE: This can also be done with object NAT on a limited basis by using multiple statements, one in each direction.

!——-manual nat example—–!
object network foo
host 1.1.1.1
!
object network MAP-foo
host 2.2.2.2
!
object puppy
host 3.3.3.3
!
object MAP-puppy 1.1.1.2
!
nat (i,o) source static foo MAP-foo destination static puppy MAP-puppy

Use Case Terms

Identity NAT

Identity NAT is a use of Manual NAT.  The firewall is instructed  not to translate any of the fields in the flow.  This is used in situations where you would be performing NAT for most traffic flows, but you want to exempt speicifc destinations from translations.

The most common case for Identity NAT is VPN traffic..  As NAT is performed prior to encryption, most of the time you’ll want to make sure that the firewall doesn’t translate the source IP of the return packets, which prevent it from being sent over the tunnel as it would no longer match the crypto ACL.  Even if for the sake of argument the packet did get sent over the tunnel, because it’s source address has been altered, the receiving host would not recognize the packet as part of a flow and it would be dropped.

Here’s an illustrated example:

Policy NAT

Policy NAT is a use of manual NAT.  The term policy means setting the condition based on a specific destination.  Identity NAT does the same thing, but the difference is in the case of policy NAT a translation will be performed.

A common use for Policy NAT is Extranets and Software as a Service (SaaS) providers.  These types of connectivity typically call for the customer server to be seen as coming from a specific Mapped address.

For example, let’s say Server-web runs a web app that’s accessed from the Internet with Mapped address of 203.0.113.121.  A  SaaS provider needs to get information from this server, but the server-web must appear to be at the IP address 198.51.100.111, which has been designated by the SaaS provider.

Here’s a graphical representation:

 

Destination NAT

A strict definition of Destination NAT is Manual Nat where destination address and/or port number is being translated.  On the surface this implies the use of manual NAT, as it’s the only form of NAT that allows us to map the destination address or port to a different value.

Considered this for a moment:

Object network Server-A-In
host 10.11.11.11
nat (i,o) static 203.1.113.111
!
Object network Server-A-Out
host host 203.1.113.111
nat (o,i) 10.11.11.11

These two statements produce the exact same end result.  The distinction being with the second object, we’re making the public facing address the real address and the internal address the mapped address.   So the term destination NAT is really a matter of perspective.

Access Control Rule Processing and NAT

Access control rules in ASA NAT are always applied to the real address.  This is really very straightforward, but it can be a bit counter-intuitive at first.  Let’s illustrate with a simple example:

Let’s say we have a web server in a DMZ, and we want to allow access to it from the internet.

Object network server-web
host 172.16.1.11
nat (d,o) static 203.1.113.121
!
access-list outside-in permit tcp any host 172.16.1.11 eq www
access-group outside-in in interface outside
!

The intuitive thing would be to consider that an internet user would use the address 203.1.113.121 to access the web server, therefore that would be the destination IP you would use in the access control list.  so this is very confusing.  A good way to think of this is that we’re really applying the ACL to the object.  Since the object can only have one real address, but potentially many mapped addresses, it makes sense for the ACL logic work this way.

In fact, using objects and object groups in Access-control lists instead of bare ip addresses is quite handy.  If you get in the mindset of working with objects instead of addresses (which are the properties of an object), the operational logic of the ASA then becomes more intuitive.

Let’s re-write our ACL to use the object instead:

Object network server-web
host 172.16.1.11
nat (d,o) static 203.1.113.121
!
access-list outside-in permit tcp any host object server-web eq www
access-group outside-in in interface outside
!

Makes more sense now right?

 

Wrap up

My goodness, where does the time go.  In our next installment we’ll we’ll talk about static and dynamic NAT and PAT, services, objects and object groups.

Hello!

In this series of posts, I’m going to discuss NAT on Firepower and the ASA in the way that I comprehend it. For this post I don’t plan on to getting too far into the configuration and verification aspects, we’ll dive into that later.

It’s not as complex as it looks.  Really.

In my opinion this is one of those topics where the difficulty level can be measured by the quality of your foundation knowledge. Put plainly – if you can clearly visualize what the traffic flow should look like, then it’s easy.   The actual configuration syntax is easy to learn and work with.  And although the configuration interface may look different, there is in actuality zero difference between FTD and ASA NAT.  So you only have to learn it once for both platforms, nice right?!?

Armed with these insights, let’s do a level set on traffic flows.  This baseline will give NAT syntax and semantics their context, so please at least skim it.  You can always come back to it as needed.

The 5 tuple flow (and stateful firewalls).

A unique IP traffic flow is defined by 5 fields.

• Source IP address
• Destination IP address
• Transport protocol (Ex: TCP/UDP)
• Source port
• Destination port

For the purpose of working with NAT, I find it helpful to visualize this in a left to right fashion like this:

[203.0.113.111| 10.10.10.10 | TCP | 50922 | 80]

In this example a device at 203.0.113.111 is communicating with a web server at 10.10.10.10

A conversation between two hosts can be seen as two unidirectional Flows were the IP addresses and Ports are a mirror image in the reverse direction.

Taking our above example, that is what the two flows in the conversation look like:

[203.0.113.111 | 10.10.10.10 | TCP | 50922 | 80]
[10.10.10.10 | 203.0.113.111 | TCP | 80 | 50922]

And that’s pretty much what it looks like in a packet capture:

firewall# capture example int inside
firewall# sh capture example

5 packets captured

1: 00:39:03.453925 203.0.113.111.50922 > 10.10.10.10.80: […] 1520352048:1520352048(0) win 4128 <mss 536>
2: 00:39:03.459921 10.10.10.10.80 > 203.0.113.111.50922: […]

 

A stateful firewall recognizes these mirror image flows and identifies them as related.  This simplifies usage – we only have to define our traffic rules in one direction, and the firewall can imply how the return traffic should be processed.

This logic also applies to NAT.  If you define the flow in one direction, the NAT engine in the firewall processes the mirror image packets to look for a match.

Note how the firewall sees the two flows as a single connection:

firewall# sh conn
1 in use, 1 most used

TCP outside 203.0.113.111:50922 inside 10.10.10.10:80, idle 0:00:07, bytes 0, flags UB

Nat rule types

FTD and the ASA have two types of NAT rules:  Auto and Manual.

Auto Nat

Auto NAT is the simplest and easiest form of NAT to configure.  I think of it as the microwave popcorn button of NAT.    We define a network object, then attach a NAT statement to the object that tells that firewall what translation we want to perform based on the source and destination interface.

Here is a basic example:

Object network Server-A
host 10.10.10.10
nat (inside,outside) static 203.0.113.10

This is how the fields relate to the flow:

Original packet:
[10.10.10.10 | 198.51.100.100 | TCP | 80 | 50922]
Translated packet:
[203.0.113.10 | 198.51.100.100 | TCP | 80 | 50922]

The individual components:.

Host 10.10.10.10 – The firewall will evaluate this against the first interface in the NAT statement.  With object NAT this is always going to be the source IP address

Nat (inside,outside) – The source ip address is coming from the inside interface of the router, and the destination ip address is on the outside interface of the router.  the destination interface is determined by the routing table.

Static – The source and destination address will be linked together in a fixed 1:1 relationship.  This is most commonly used for servers that require a fixed public (mapped) ip address.  Examples would be a web or email server.

203.0.113.10  – The mapped (public) ip address.  If source address, source interface, and destination interfaces all match, then the firewall will perform the translation.

Here’s what our NAT table looks like with the Auto Nat Rule Configured:

firewall# sh nat

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static Server-A 203.0.113.10
translate_hits = 0, untranslate_hits = 0

Manual NAT

Manual NAT is useful for more advanced requirements, such as translating multiple fields in both directions, and conditional translation.

Happily, the way the NAT configuration syntax is structured makes it very easy to work with  once one can relate the fields in the flow to how that NAT statements are laid out.

In Manual Nat, the full five tuple flow can be matched and transformed. Be aware that unlike object Nat where the mapped address can be given directly, Manual Nat requires that all addresses/ranges/subnets in the statement be predefined as objects.

Manual NAT basic example:

Object network Server-A
host 10.10.10.10
!
Object network MAP-Server-A
host 203.0.113.10
!
nat (inside,outside) source static Server-A MAP-Server-A

As you can see, when you’re doing simple source translation Manual NAT requires more lines of configuration to accomplish the same result as auto nat.

Here’s what our NAT rule looks like for the above manual NAT example:

firewall# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static Server-A MAP-Server-A
translate_hits = 0, untranslate_hits = 0

Let’s look at common use for Manual NAT.  We’ll dive deeper in a subsequent post, This is just to give you a starting example.

Let’s say you’ve configured the Auto NAT translation shown earlier.  You are then asked to create a site to site VPN with a branch office.  In that case, when users from the branch office attempt to connect to Server-A, the auto NAT rule will kick in, translating the source address of the server on the return leg, and traffic will not return over the VPN tunnel.

10.10.11.11——————————————————————–>10.10.10.10
(Branch-PC)———-(Firewall)——–Internet——–(Firewall)——–(Server-A)
10.10.11.11<————————————————-*203.0.113.10—–10.10.10.10
*source IP in return traffic is translated, breaking the flow

So how do we fix this problem?  We use manual NAT to tell the firewall not to translate the address of Server-A when the destination is Branch-PC.  Like This:

Object network Srv-A
host 10.10.10.10
!
Object network Br-PC
host 10.10.11.11
!
exit
!
nat (inside,outside)  source static Srv-A Srv-A destination static Br-PC Br-PC

Here is the generalized form is what this statement is doing:
(incoming, exit) static source real mapped destination static real mapped

The important thing to grasp is that for both source and destination, we’re setting a condition.  Match this . If all conditions match, then change to this.

We’re telling the firewall, if you have this source and destination pair, Don’t change anything.  This overrides the Auto NAT and allows it and our VPN connection to co-exist.  This a use called Identity NAT.

 

Nat rule table structure

The Nat rule Table has Three sections.

1. Manual before auto

2. Auto

3. Manual After Auto

The user can set the order of the Manual NAT rules.  The Auto Nat rule order is set by the firewall automatically from most to least specific traffic match.  i.e. a host object would be ordered before a subnet object.

NAT table with Auto NAT rule, plus the identity nat override

firewall# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static Srv-A Srv-A destination static Br-PC Br-PC
translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static Server-A 203.0.113.10
translate_hits = 0, untranslate_hits = 0

Now a reason to order Manual NAT ahead of Auto NAT makes some sense right?

Wrap up

Well that’s quite a few words for an introduction, so let’s stop here.  In our next post we’ll go deeper into the terminology and usage examples .