\n(Basically the difference is that with Identity NAT the connections can only be established by hosts within the subnet specified in the NAT statement, whereas in NAT Exemption either direction may initiate the connection)<\/p>\n
Identity NAT:<\/strong> nat (inside) 0 10.1.0.0 255.255.0.0\u00a0 <== (This example disables NAT for anything sourced from the 10.1.0.0\/16 network which is received on the inside interface). nat (inside) 0 10.1.1.0 255.255.255.0 This statement bypasses NAT for the 10.10.1.0\/24, 10.1.2.0\/24, 10.1.3.0\/24 and 172.16.5.0\/24 networks. NAT Exemption<\/strong>: NAT Exemption Configuration Example (NAT Exemption references an ACL to match the traffic):<\/span><\/p>\n access-list NAT-EXEMPT permit ip 10.1.1.0 255.255.255.0 10.50.0.0 255.255.255.0 <== (match any traffic sourced from 10.1.1.0\/24 to 10.50.0.0\/24).nat (inside) 0 access-list NAT-EXEMPT <== (apply the ACL to the inside interface with nat 0 to disable NAT). NOTE:<\/strong> If you remove a NAT exemption configuration, existing connections that use NAT exemption are not affected. To remove these connections, enter the “clear local-host” command.<\/p>\n CISCO ASA 8.3+<\/strong><\/span> Enabling NAT from inside to outside:<\/strong> object network INTERNAL-NET PAT for port-forwarding to a service such as https (TCP\/443):<\/strong><\/p>\n object network EMAIL-SERVER One-to-One NAT (with example for PPTP passthrough):<\/strong><\/p>\n object network PPTP-SERVER Unidirectional Identity NAT:<\/strong><\/p>\n (mitigates the potential security risk in the configuration of NAT Exemption, where connections can be established in either direction): Create objects for the internal and remote networks:<\/p>\n object network THE-CORP-NETWORK In the example above, the connection may only be established from the direction of the THE-CORP-NETWORK to the REMOTE-NETWORK<\/p>\n NOTES:<\/strong><\/span> No-NAT Statements (for disabling NAT when connecting into the network via a VPN such as Cisco AnyConnect): Proxy-ARP:<\/strong> no sysopt noproxyarp management Why is it important to understand Proxy ARP?\u00a0 In the NAT Object statement above, the Object that is referenced is “THE-CORP-NETWORK”, which covers the entire internal network.\u00a0 What this means is that any ARP broadcasts seen on the LAN segment where the ASA resides will proxied by the firewall.\u00a0 So, if say, two servers on the same segment sent an ARP request for the MAC address of the other machine, the ASA would say “send it to my MAC address” instead.<\/p>\n If you wish to avoid this behaviour, you can either disable proxy ARP “globally” by removing the negation of “noproxyarp” in sysopt OR you can choose to do this on a per-NAT statement basis, by adding the “no-proxy-arp” keyword at the end, as in the No-NAT example shown above.<\/p>\n There is considerable debate and confusion about the use of Proxy ARP and whether to enable it or not. Proxy ARP is a useful tool to protect your Access-Server from list of Attacks like \u201cARP Spoofing Attacks\u201d or \u201cMan-in-the-Middle Attacks\u201d(MITM).\u00a0 Proxy ARP can also hide misconfiguration such incorrect subnet masks (imagine two networks, 192.168.1.0\/24 and 192.168.2.0\/24 separated by a router. If say, one host on the 192.168.1.0 network incorrectly sets a \/16 mask, it will assume that the hosts on the 192.168.2.0\/24 network are within it’s own subnet and so will ARP for the IP address of the host rather than the default gateway.\u00a0 Proxy ARP would “intercept” this ARP request and may route the packet, thereby hiding the incorrect mask setting.<\/p>\n Route-lookup<\/strong>: Note TROUBLESHOOTING:<\/strong><\/p>\n Useful CLI show commands:<\/span> show conn address [ip address] Testing authentication<\/span>:\u00a0 Example SDI (Authentication): test aaa authentication AAA_GROUP_NAME host [ip address of auth. server] username\u00a0 [username] password [password or pin\/token]<\/p>\n show current VPN sessions:\u00a0<\/span> show vpn-sessiondb svc This aide-memoir describes and compares NAT configuration (Identity NAT, NAT Exemption\/Identity NAT and also compares the syntax between ASA version 8.4.2 and below.\u00a0 There are some considerable differences to the syntax and some of the better-known commands have been deprecated.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[83,27,13],"tags":[34,36,44],"_links":{"self":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1868"}],"collection":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1868"}],"version-history":[{"count":9,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1868\/revisions"}],"predecessor-version":[{"id":2189,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1868\/revisions\/2189"}],"wp:attachment":[{"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1868"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1868"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/darenmatthews.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1868"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nThis allows connections to connect from the inside interface to through the outside interface without changing the address. This would be suitable for a private MPLS network where the address space does not overlap.\u00a0 Identity NAT is enabled by using the NAT id of zero:<\/p>\n
\nnat (inside) 0 0.0.0.0 0.0.0.0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <== (This example disables NAT for any IP received on the inside interface).<\/p>\n
\nnat (inside) 0 10.1.2.0\u00a0 255.255.255.0
\nnat (inside) 0 10.1.3.0\u00a0 255.255.255.0
\nnat (inside) 0 172.16.5.0 255.255.255.0<\/p>\n
\nIt is possible to configure more than one “nat 0” statements.<\/p>\n
\nThis is typically used for VPN connections. You should exercise careful consideration before configuring NAT Exemption because unlike Identity NAT above, NAT Exemption allows the remote network to establish connections inbound to your internal network.\u00a0 In later versions of ASA software it is possible to configure Uni-directional NAT statements to avoid this potential security hole.\u00a0 Unidirectional NAT is described further below in this post.<\/p>\n
\nThis “Policy-Based NAT” is the preferred way to support VPN access.<\/p>\n
\nNOTE:\u00a0 In ASA version\u00a0 8.3 and above, the “nat 0” command has been deprecated. The new syntax is ironically named “Simplified” NAT. In 8.2 and below NAT exemptions (nat 0) were used to exempt traffic from being translated through the VPN. In ASA version 8.3+ there is no such term as “NAT Exemption” – the new term is “Identity NAT”.<\/p>\n
\nSteps:\u00a0 Create a network object for the subnet that you wish to be translated, then add the NAT statement to the object:<\/p>\n
\nsubnet 192.168.1.0 255.255.255.0
\nobject network INTERNAL-NET
\nnat (inside,outside) dynamic interface\u00a0 <=== (or use IP address of ISP-assigned address)<\/p>\n
\nhost 192.168.5.200
\nobject network EMAIL-SERVER
\nnat (inside,outside) static interface service tcp https https
\naccess-list ANY-INBOUND extended permit tcp any object EMAIL-SERVER eq https
\naccess-group ANY-INBOUND in interface outside<\/p>\n
\nhost 192.168.23.10
\nobject network PPTP-SERVER
\nnat (inside,outside) static 192.168.10.50
\naccess-list ANY-INBOUND extended permit tcp any object PPTP-SERVER eq pptp
\naccess-list ANY-INBOUND extended permit gre any object PPTP-SERVER
\naccess-group ANY-INBOUND in interface outside<\/p>\n
\n(Unidirectional NAT Configuration is available from ASA version 8.4.2 or above).<\/p>\n
\nsubnet 192.168.23.0 255.255.255.0
\nobject network REMOTE-NETWORK
\nsubnet 172.16.50.0 255.255.255.0
\nnat (inside,OUTSIDE) 1 source static THE-CORP-NETWORK THE-CORP-NETWORK destination static REMOTE-NETWORK REMOTE-NETWORK unidirectional<\/p>\n
\n– Unidirectional NAT Configuration is available from ASA version 8.4.2 or above
\n– The identity NAT in version 8.4.2 was extended with the addition of new keywords “route-lookup” and “no-proxy-arp” (which is explained below)
\n– If you enable either “route-lookup” or “no-proxy-arp” then you are no longer able to apply Unidirectional NAT.<\/p>\n
\nobject network THE-CORP-NETWORK
\nsubnet 192.168.23.0 255.255.255.0
\nobject network VPN-USERS
\nsubnet 192.168.80.0 255.255.255.0
\nnat (inside,any) source static THE-CORP-NETWORK THE-CORP-NETWORK destination static VPN-USERS VPN-USERS no-proxy-arp route-lookup<\/p>\n
\nBy default, Proxy ARP is enabled on ALL interfaces globally in sysopt, so the use of the no-proxy-arp keyword at the end of the NAT Object statement (and understanding what it does) is very important.\u00a0 You can see the sysopt setting in the output of the CLI command “show run all sysopt”, where “noproxyarp” is actually negated (thereby turning ON proxy ARP):<\/p>\n
\nno sysopt noproxyarp outside
\nno sysopt noproxyarp inside<\/p>\n
\nThe item \u201croute-lookup\u201d describes how the ASA determines the egress interface for each packet:
\n–\u00a0 When a packet is received the ASA checks the\u00a0 XLATE table in order to determine the egress interface.
\n–\u00a0 If there is no XLATE entry the ASA then checks the NAT table for the presence of a static NAT entry.
\n–\u00a0 If there is no static NAT entry, the ASA will then examine it’s routing tables. (In ASA version 8.4.1 and below, a routing table lookup was always performed.\u00a0 The current (ASA version 8.4.2+) behaviour is NOT to check the routing tables by default – you have to explicitly enable this using the “route-lookup” keyword.<\/p>\n![\"\"](\"http:\/\/www.cisco.com\/c\/dam\/en\/us\/td\/i\/templates\/blank.gif\"){kind=spacer}
<\/strong>The no-proxy-arp<\/b>, route-lookup<\/b>, pat-pool<\/b>, and round-robin <\/b>keywords were added in 8.4(2).<\/p>\n
\n
\nshow run all sysopt\u00a0 (to check for noproxyarp setting)
\nshow run object
\nshow run nat (to see nat statements configured)
\nshow nat (to see hit counts on nat statements)<\/p>\n
\nshow nat translated interface outside detail (reveal all current dynamic and static NAT entries)<\/p>\n
\n(example):
\nSession Type: AnyConnect
\nUsername\u00a0\u00a0\u00a0\u00a0 : darenm\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Index\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : 154
\nAssigned IP\u00a0 : 10.10.5.2\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Public IP\u00a0\u00a0\u00a0 : 76.44.127.39
\nProtocol\u00a0\u00a0\u00a0\u00a0 : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
\nLicense\u00a0\u00a0\u00a0\u00a0\u00a0 : AnyConnect Essentials
\nEncryption\u00a0\u00a0 : AnyConnect-Parent: (1)none\u00a0 SSL-Tunnel: (1)RC4\u00a0 DTLS-Tunnel: (1)AES128
\nHashing\u00a0\u00a0\u00a0\u00a0\u00a0 : AnyConnect-Parent: (1)none\u00a0 SSL-Tunnel: (1)SHA1\u00a0 DTLS-Tunnel: (1)SHA1
\nBytes Tx\u00a0\u00a0\u00a0\u00a0 : 10344\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Bytes Rx\u00a0\u00a0\u00a0\u00a0 : 3680
\nGroup Policy : My_RSA_Group
\nTunnel Group : My_RSA_Group
\nLogin Time\u00a0\u00a0 : 11:39:24 UTC Thu Nov 21 2013
\nDuration\u00a0\u00a0\u00a0\u00a0 : 0h:00m:15s
\nInactivity\u00a0\u00a0 : 0h:00m:00s
\nNAC Result\u00a0\u00a0 : Unknown
\nVLAN Mapping : N\/A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 VLAN\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 : none
\nCisco-ASA-5525x#<\/p>\n","protected":false},"excerpt":{"rendered":"