Search in book...
Toggle Font Controls
Create new playlist

Name your new playlist

Playlist description (optional)
Sign In

Email address

Password

Forgot Password?

or

Continue with Facebook

Continue with Google
Sign Up

Full Name

Email address

Confirm Email Address

Password

or

Continue with Facebook

Continue with Google

Chapter 14
Configuring NAT and Zone-Based Firewalls

CISCO CCNA SECURITY EXAM OBJECTIVES COVERED IN THIS CHAPTER:

5.3 Implement NAT on Cisco ASA 9.x
- Static
- Dynamic
- PAT
- Policy NAT
- Verify NAT operations
5.4 Implement zone-based firewall
- Zone to zone
- Self-zone

images Network Address Translation (NAT) is a feature found in firewalls and many router platforms that allows for the translation of private IP addresses to public IP addresses at the network edge. While one of the driving forces behind the development of NAT was the conservation of public IPv4 address space, NAT also has a security component in that the process helps to hide the interior addressing scheme. Zone-based firewalling is an approach that makes traffic filtering decisions between zones rather than by specific IP addresses. In this chapter, you will learn how to implement several types of NAT and configure zone-based firewalling.

In this chapter, you will learn the following:

How to implement NAT on Cisco ASA 9.x platforms
How to implement zone-based firewalls

Implementing NAT on ASA 9.x

There are three types of NAT that can be implemented. This section discusses how these three types operate, and you’ll learn how to implement each type on the Adaptive Security Appliance (ASA).

In static NAT, each private IP address is mapped to a public IP address. While this does not save any of the public IPv4 address space, it does have the benefit of hiding your internal network address scheme from the outside world.

In dynamic NAT, a pool of public IP addresses is obtained that is at least equal to the number of private IP addresses that require translation. However, rather than mapping the private IP addresses to the public IP addresses, the NAT device maps the public IP addresses from the pool on a dynamic basis much like a DHCP server does when assigning IP addresses.

Finally, Port Address Translation (PAT) is a form of NAT in which all private IP addresses are mapped to a single public IP address. This provides both benefits of saving the IPv4 address space and hiding the network address scheme. This system is called PAT because the ephemeral port numbers that devices choose as the source port for a connection (which are chosen randomly from the upper ranges of the port numbers) are used to identify each source computer in the network. This is required since all devices are mapped to the same public IP address.

When configuring NAT on the ASA, you need to understand that it uses an object-oriented approach. In other words, an object is created for each host, for each translated address, and for each service that is used in the translation process. Translations are configured as network objects. A network object is defined as a single address or as a network ID.

The resulting host or network defined in a network object is used to represent the private IP address prior to translation. When ACLs are used to define traffic allowed from a lower-security interface to a higher-security interface, these pretranslation objects are referenced.

The ASA uses a NAT table to hold the translations. This table has three sections. When an outgoing packet arrives at the ASA, the sections are read from top to bottom, and the first translation match is applied. The three sections are as follows:

Manual NAT This contains translations that have been defined to be applied by the appliance before the other sections are consulted. These translations are typically very specific and may indicate a translation on both the source and destination IP addresses.

Auto NAT In this section, also called object NAT, translations that are defined on the object itself are contained. These translations, one for each object, are typically either static translations for servers that must be reached from the outside world (and require the same public IP address always) or dynamic translations for clients trying to reach the Internet.

Manual NAT after Auto NAT This contains more general translations not handled by the first two sections. These are used only when no translation matches in the first two sections.

If a packet doesn’t match any of the mappings found in any of the three tables, the packets are sent untranslated.

Static

To configure a static NAT translation, follow the steps in the next procedure.

Configuring Static NAT

In this procedure, you will create a static NAT mapping for a device.

Connect to the ASA using the Adaptive Security Device Manager (ASDM).
Navigate to Configuration ➢ Firewall ➢ Network Objects ➢ Groups. Select Add Network Object. Define the parameters of this object. Enter the type and the IP address of the device to be translated with the static mapping. Ensure that this is the pretranslation IP address.
In the NAT section of the Add Network Object dialog box, select the Add Automatic Address Translation Rules check box and select Static as the type in the drop-down box just below the Add Automatic Address Translation Rules check box.
Just below the drop-down box where you select Static is the Translated Addr field. In the Translated Addr field, click the Browse button. You can browse for objects that have been created here, but you will be creating a new object, so click the Add button at the top of the page.
When the Add Network Object dialog box appears, enter a name for the translated object and the address type and public IP address to which the device should be translated. Then click OK.
Back on the Add Network Object page where you defined the pretranslation information, click the Advanced button in the NAT section. In the Advanced NAT Settings dialog box, select the source interface for the translation and the destination interface. These will be network objects that would need to have been created previously to represent the internal and external interfaces on the ASA. You will choose these from a drop-down box.
Click OK and then Apply. The configuration is now complete.

Dynamic

To configure dynamic NAT translation, follow the steps in the next procedure.

Configuring Dynamic NAT

Connect to the ASA using the ASDM.
Navigate to Configuration ➢ Firewall ➢ Network Objects ➢ Groups. Select Add Network Object. Define the parameters of this object. Enter the type and the IP address of the device to be translated with the static mapping. Ensure that this is the pretranslation IP address.
In the NAT section of the Add Network Object dialog box, select the Add Automatic Address Translation Rules check box and select Dynamic as the type in the drop-down box just below the Add Automatic Address Translation Rules check box.
Just below the drop-down box where you select Static is the Translated Addr field. In the Translated Addr field, click the Browse button. You can browse for objects that have been created here, but you will be creating a new object, so click the Add button at the top of the page.
In this case, the object you will be creating will be a range of public IP addresses, which you will name Translated Pool. Enter a range of addresses using the Start Address and End Address fields. While you are creating only one mapping to the pool in this exercise, in the real world ensure that you have enough public IP addresses in the pool for the private address to be translated.
Back on the Add Network Object page where you defined the pretranslation information, choose the new network object by double-clicking it and then click the Advanced button in the NAT section. In the Advanced NAT Settings dialog box, select the source interface for the translation and the destination interface. These will be network objects that would need to have been created previously to represent the internal and external interfaces on the ASA. You will choose these from a drop-down box.
Click OK and then Apply. The configuration is now complete.

PAT

To configure PAT translation, follow the steps in the next procedure.

Configuring PAT

Connect to the ASA using the ASDM.
Navigate to Configuration ➢ Firewall ➢ Network Objects ➢ Groups. Select Add Network Object. Define the parameters of this object. Enter the type and the IP address of the device to be translated with the static mapping. Ensure that this is the pretranslation IP address.
In the NAT section of the Add Network Object dialog box, select the Add Automatic Address Translation Rules check box and select Dynamic PAT (Hide) as the type in the drop-down box just below the Add Automatic Address Translation Rules check box.
In this case, you are not mapping to an individual IP address or to a pool of IP addresses; you will be mapping to the Internet-facing interface of the ASA. When you do this with PAT (Hide) selected, all mappings will use the public address configured on that Internet interface. Use the Browse button to browse to the Internet-facing interface on the ASA. If an object has not been created for the interface, do so now by specifying its public IP address.
Back on the Add Network Object page where you defined the pretranslation information, choose the new network object by double-clicking it and then clicking the Advanced button in the NAT section. In the Advanced NAT Settings dialog box, select the source interface for the translation and the destination interface. These will be network objects that would need to have been created previously to represent the internal and external interfaces of the ASA. You will choose these from a drop- down box.
Click OK and then Apply. The configuration is now complete.

Policy NAT

In some scenarios, you may need more options than are available with Auto NAT (as you will see in the next procedure), or you may need to specify exceptions to the Auto NAT rules. By using the Manual NAT section, these options will be available to you. This section also has the advantage of being checked for a translation match before the other two sections. When you do this, it is also called Policy NAT. It is also sometimes called Twice NAT because the same rule can perform translation in both directions (translating not only the address in the device inside the network outgoing but also the IP address of the exterior device incoming).

In the scenario you will use in the next procedure, you will use Policy NAT to create a mapping for an internal device that is effective only when the internal device is communicating with one specific exterior device and not effective otherwise.

To configure Policy NAT to support this scenario, follow the steps in the next procedure.

Configuring Policy NAT

Connect to the ASA using the ASDM.
Navigate to Configuration ➢ Firewall ➢ Objects ➢ Network Objects/Groups. Select Add Network Object.
Create three network objects: one for the private IP address of the internal device, one for the public IP address to which the internal device will be mapped, and one for the private IP address to which the external device will be mapped incoming. Define the parameters of each object. When you are finished, click Apply.
Now you will define the manual translation that will apply only between these two systems. Navigate to Configuration ➢ Firewall ➢ NAT Rules.
The NAT Rules table appears. When you configure manual NAT entries, they can be applied either before or after Network Object NAT rules such as those you configured in the earlier procedures. In this case, you want this rule to apply before those rules do, so click Add and then Add NAT Rule before “Network Object” NAT Rules. The Add NAT Rule box appears.
The top section of the Add NAT Rule dialog box is where you configure how the packet will be identified for transition using this rule. In the Source Interface field, select Any from the drop-down box, and in the Source Address field use the drop-down box to select the object you created in step 3 representing the private IP address of the internal device.
In the Destination Interface field, select Any from the drop-down box, and in the Destination Address field use the drop-down box to select the object you created in step 3 representing the public IP address of the external device.
Now that you have defined the match parameters for the translation, you need to configure the translation. In the Action: Translation Packet section in the Source NAT Type drop-down box, select Static. In the Source Address drop-down box, select the object you created in step 3 representing the public IP address to which the internal device should be translated. In the Destination Address field, select Original from the drop-down box.
Select OK and then Apply. The configuration is now complete.

Verifying NAT Operations

There are several ways to verify that NAT is operating correctly. They include viewing the NAT translations in the translation table using the show xlate command, and in cases where you are not getting any NAT translations, you can view the configuration and check for errors using the show nat command.

Viewing Translations

Using the show xlate command on an ASA on which PAT has been configured, you can see in the following output that three translations have occurred. As PAT is in use, all three have received the same public IP address.

hostname# show xlate
 
3 in use, 3 most used
PAT Global 103.61.3.9(0) Local 10.1.1.15 ICMP id 340
PAT Global 103.61.3.9(1024) Local 10.1.1.15(1028)
PAT Global 103.61.3.9(1024) Local 10.1.1.15(516)

The following is sample output from the show xlate detail command. It shows the translation type and interface information with three active PATs.

The r flag indicates that the translation is PAT. The i flag indicates that the translation applies to the inside address port.

hostname# show xlate detail
 
3 in use, 3 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       r - portmap, s - static
TCP PAT from inside:10.1.1.15/1026 to outside:103.61.3.9/1024 flags ri
UDP PAT from inside:10.1.1.15/1028 to outside:103.61.3.9/1024 flags ri
ICMP PAT from inside:10.1.1.15/21505 to outside:103.61.3.9/0 flags ri

Viewing the Configuration

Using the show nat command, you can view the configuration. In the following output, there is a single static translation configured in the inside interface that translates the host at 192.168.5.6 to 128.10.6.2. You can also see that there have been no translations (hits) in either direction using this configuration.

hostname(config)# show nat
 
NAT policies on Interface inside:
  match ip inside host 192.168.5.6 outside any
    static translation to 128.10.6.2
    translate_hits = 0, untranslate_hits = 0

Configuring Zone-Based Firewalls

Zones are collections of networks reachable over a router interface. Zone pairs are used to define a unidirectional firewall policy. The direction is indicated by specifying the source and destination zones. There is one special type of zone that will be covered in the next section.

When zone-based firewalling is used, each interface (including both physical and virtual interfaces) is assigned to a zone, and a policy is applied to traffic moving between zones. These configurations use a syntax known as the Cisco Common Classification Policy Language. When using the Cisco Common Classification Policy Language, class maps are used to define traffic classes, and policy maps are used to apply policies (actions) to these traffic classes. Finally, service policies are used to activate policy maps on zone pairs.

While only a single service policy can be used on a zone pair, the policy maps within can include multiple class maps. These class maps will be checked for a traffic match in the order in which they are configured. If a match is not found in the first map, the second will be consulted. When there are no matches, the default policy will be applied to the traffic. Figure 14.1 shows this logic.

Flow chart shows zone 1 leads to service policy: apply policy map to traffic flowing between zones in zone pair, which leads to if traffic matches class… and zone 2, where if traffic matches class… leads to …then perform action and …else, if traffic matches class…, et cetera. — **FIGURE 14.1** Multiple class maps

Moreover, these class maps can be used in more than one service policy. In Figure 14.2 , two class maps have been created, and they have both been used in two different service polices.

Diagram shows boxes for policy 1 where class 1 leads to drop and class 2, which leads to drop, and policy 2 where class 1 leads to log and class 2, which leads to log, and diagram shows labels for DMZ1 zone, outside zone, inside zone, and DMZ2 zone, and markings for policy 1 and policy 2. — **FIGURE 14.2** Reuse of class maps

Class Maps

Class maps have two parts; the first identifies the traffic, and the second specifies an action. A match statement is used to specify the traffic and can match traffic based on the following:

An ACL
A protocol
Another class map

The actions that can be defined using action statements. The actions can be as follows:

Inspect: Triggers stateful packet inspection
Drop: Denies traffic
Pass: Permits traffic

Default Policies

When no class map matches the traffic type, the default policy is invoked. This policy’s actions depend on whether the interface has been assigned to a zone and, if so, what policy is currently in effect for that zone pair if it exists. Sound complicated? It can be. Figure 14.3 shows the rules.

Figure 14.3 applies to traffic that is not coming from or destined to the router (self-zone). When that is the case, the rules are as shown in Figure 14.4 .

**FIGURE 14.4** Default policies (self-zone)

Understanding the Self-Zone

The self-zone is a special zone that has no interface members. It applies to any traffic destined for the router rather than traffic that the router is routing. An example of this type of traffic would be traffic to manage the device using SSH. It also applies to traffic generated by the router. The traffic going from the router back to the device making the SSH connection to manage the device would be an example of such router-generated traffic.

Configuring Zone-to-Zone Access

The firewall you will use in the following procedure has three interfaces: one connected to the Internet, one connected to the LAN, and another connected to the DMZ. To configure zone-based policies to support this scenario, follow the steps in the next procedure.

Configuring Zone-Based Firewall

In this procedure, you will configure a policy that performs stateful inspection of HTTP and FTP traffic coming to the DMZ from the Internet.

Define three security zones: Inside, Outside, and DMZ. Use the following commands to do so:

RTR64(config)#zone security inside
RTR64(config)#zone security outside
RTR64(config)#zone security dmz

Assign each interface to its proper zone.

RTR64(config)#int gi0/1
RTR64(config-if)#zone-member inside
RTR64(config)#int gi0/2
RTR64(config-if)#zone-member outside
RTR64(config)#int gi0/3
RTR64(config-if)#zone-member dmz

Create a class map that defines the traffic. In this case, that traffic will be HTTP or FTP. The map will be named HTTP_FTP_filter and will perform stateful inspection of the HTTP traffic.
```
RTR64(config)#class-map type inspect match-any HTTP_FTP_filter
RTR64(config-cmap)#match protocol http
RTR64(config-cmap)#match protocol ftp
```

Define a policy map named DMZ_inspect that specifies traffic that matches the HTTP_FTP_filter class map.

RTR64(config)#policy-map type inspect DMZ_inspect
RTR64(config-pmap)#class type inspect HTTP_FTP_filter
RTR64(config-pmap-c)#inspect

Define a zone pair called outside_to_DMZ with the outside zone being the source and the DMZ zone being the destination.
```
RTR64(config)#zone-pair security outside_to_DMZ source outside destination dmz
```

Apply the DMZ_inspect policy to the zone pair called outside_to_DMZ.

RTR64(config-sec-zone-pair)#service-policy type inspect DMZ_inspect

The configuration is now complete.

Summary

In this chapter, you learned about the three forms of NAT: static NAT, dynamic NAT, and PAT. You also learned about the NAT options available in the ASA. You learned about the benefits of NAT and how to configure it and verify its operation. Class maps, policy maps, and service policies and their respective functions in a zone-based firewall were covered as well. Finally, the steps to configure and verify a zone-based firewall ended the chapter.

Exam Essentials

Identify the forms of Network Address Translation (NAT). These include static NAT, dynamic NAT, and Port Address Translation (PAT).

Describe the three sections of the NAT table in the ASA. The Manual NAT section represents translations that have been defined to be applied by the appliance before the other sections are consulted. The Auto NAT section represents translations that are defined on the object itself. The Manual NAT After Auto NAT section contains more general translations not handled by the first two sections.

Identify benefits of policy NAT. In some scenarios, you may need more options than are available with Auto NAT, or you may need to specify exceptions to the Auto NAT rules. By using the Manual NAT section, these options will be available to you. This section also has the advantage of being checked for a translation match before the other two sections.

Verify NAT operations. There are several ways to verify that NAT is operating correctly. They include viewing the NAT translations in the translation table using the show xlate command, and in cases where you are not getting any NAT translations, you can view the configuration and check for errors using the show nat command.

Describe the components of a zone-based firewall configuration. Class maps are used to define traffic classes, and policy maps are used to apply policies (actions) to these traffic classes. Finally, service policies are used to activate policy maps on zone pairs.

List the steps to configure zone-to-zone access. From a high level, to configure zone-to-zone access, the following steps must be performed: 1) define zones, 2) define zone pairs, 3) define class maps that define traffic, 4) define policy maps that apply actions to the class maps, 5) apply policy maps to zone pairs, and 6) assign interfaces to zones.

Review Questions

In which type of NAT is each private IP address manually mapped to a public IP address?
1. Dynamic
2. Static
3. PAT
4. SAT
Which section of the NAT table in the ASA is read last?
1. Auto NAT
2. Manual NAT
3. Dynamic NAT
4. Manual NAT After Auto NAT
You need to create a mapping for an internal device that is effective only when the internal device is communicating with one specific exterior device and not effective otherwise. What type of NAT must you use?
1. Auto NAT
2. Static NAT
3. Dynamic NAT
4. Policy NAT

What command generated the following output?

3 in use, 3 most used
PAT Global 103.61.3.9(0) Local 10.1.1.15 ICMP id 340
PAT Global 103.61.3.9(1024) Local 10.1.1.15(1028)
PAT Global 103.61.3.9(1024) Local 10.1.1.15(516)

show nat
show nat detail
show xlate
show pat

In the following command output, what does the r stand for?

TCP PAT from inside:10.1.1.15/1026 to outside:103.61.3.9/1024 flags ri
UDP PAT from inside:10.1.1.15/1028 to outside:103.61.3.9/1024 flags ri
ICMP PAT from inside:10.1.1.15/21505 to outside:103.61.3.9/0 flags ri

Routed
Remote
Port Address Translation
Reverse

Which of the following are collections of networks?
1. Zone pairs
2. Zones
3. Policy maps
4. Class maps
A match statement can be based on all of the following except which one?
1. An ACL
2. Protocol
3. Another class map
4. Device name
Which of the following actions triggers stateful inspection of the traffic?
1. Drop
2. Permit
3. Inspect
4. Pass
Which zone has no interface members?
1. DMZ
2. Self
3. Inside
4. Outside
In which type of NAT are all private IP addresses mapped to a single public IP address?
1. Dynamic
2. Static
3. PAT
4. SAT

In the following command output, what does the value 21505 represent?

TCP PAT from inside:10.1.1.15/1026 to outside:103.61.3.9/1024 flags ri
UDP PAT from inside:10.1.1.15/1028 to outside:103.61.3.9/1024 flags ri
ICMP PAT from inside:10.1.1.15/21505 to outside:103.61.3.9/0 flags ri

Destination port number
Sequence number
Source port number
Acknowledgment number

Which of the following is used to define traffic classes?
1. Service policy
2. Zones
3. Policy maps
4. Class maps
What command defines a security zone?
1. Zone member
2. Zone security
3. Set zone
4. Zone
Traffic to manage the device using SSH would belong to what zone?
1. Inside
2. DMZ
3. Self
4. Outside
What command assigns an interface to a zone?
1. zone-member
2. zone-security
3. set zone
4. zone
Which of the following is used to apply actions to traffic classes?
1. Service policy
2. Zones
3. Policy maps
4. Class maps
Which of the following is used to define a unidirectional firewall policy?
1. Zone pairs
2. Zones
3. Policy maps
4. Class maps

In the following command output, what does the i stand for?

TCP PAT from inside:10.1.1.15/1026 to outside:103.61.3.9/1024 flags ri
UDP PAT from inside:10.1.1.15/1028 to outside:103.61.3.9/1024 flags ri
ICMP PAT from inside:10.1.1.15/21505 to outside:103.61.3.9/0 flags ri

Inside address port
Interior
IGP
Static NAT

In which sections of the NAT table in the ASA are translations defined on the object itself?
1. Auto NAT
2. Manual NAT
3. Dynamic NAT
4. Manual NAT After Auto NAT
In which type of NAT is a pool of public IP addresses obtained that is at least equal to the number of private IP addresses that require translation?
1. Dynamic
2. Static
3. PAT
4. SAT

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.

Table of Contents for Chapter 14 Configuring NAT and Zone-Based Firewalls

Create new playlist

Sign In

Sign Up