Example NAT Rules (Important)

(Note: the NAT rulebase is evaluated first, because the security policy lookup needs the post-NAT destination zone, but the translation itself is only applied after the security policy has allowed the session. Security rules therefore match on post-NAT zones and pre-NAT addresses.)

PAT (Inside to Outside): Many-to-One, Hide NAT, Source NAT:
NAT Rule:
Sourcezone: Inside | SourceIP: PrivateIP/InsideSubnet | DestinationZone: Outside | DestinationIP: Any | DestinationInterface: OutsideInterface |
SourceAddressTranslation:(TranslateType: DynamicIP&Port | AddressType: Interface | Interface: OutsideInterface | IP: PublicIP)
Security Policy: 
Sourcezone: Inside | SourceIP: PrivateIP/InsideSubnet | DestinationZone: Outside | DestinationIP: Any | Service: http

Many-to-Many NAT

A variation on the simple hide NAT policy is to add more source addresses if more are available. If, for example, your ISP provided a public subnet of /29 or larger, you have additional IP addresses that can be used for all sorts of things. If your internal network is quite large, these additional addresses may be needed to prevent oversubscription of the NAT pool (port exhaustion on a single translated address).

For this configuration the Address Type is changed from ‘Interface’ to ‘Translated Address’. Then the available IP addresses are added either as an IP range or as an IP subnet:

[Screenshot 2016-09-28_16-15-33.png: source translation with Address Type set to Translated Address]

The firewall selects an IP from the available pool based on a hash of the source IP address, so every session from a given source IP uses the same translated address. The source port is still randomized.

If the source ports need to remain the same (some applications require a specific source port), the Translation Type can be set to Dynamic IP, which preserves the client’s source port per session. Translated addresses are then assigned ‘next available’, which brings some caveats:

  • No more than 32,000 consecutive IP addresses are supported
  • The translated address pool needs to be the same size as or larger than the number of internal hosts, as each internal host is assigned its own translated address

If the above criteria are usually met but could occasionally be broken, a fallback can be configured so that the rule falls back to Dynamic IP and Port once the pool is exhausted. Both the Translated Address and the Interface Address options are available; the default is None:

[Screenshot 2016-09-28_16-46-49.png: Dynamic IP rule with the Dynamic IP and Port fallback options]
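To make the difference between the two translation types concrete, here is a small Python model of the allocation behaviour described above: Dynamic IP and Port picking the translated address from a hash of the source IP and randomizing the port, versus Dynamic IP handing each internal host its own address ‘next available’ with the source port preserved, dropping sessions on pool exhaustion unless a fallback is configured. This is an added example written for this post, not code from the original article or from Palo Alto Networks; the /29 pool (203.0.113.8/29), the interface address 203.0.113.2 and the use of SHA-256 as the hash are assumptions (PAN-OS does not document its hash function).

```python
import hashlib
import ipaddress
import random

# Constructed example (not from the original post): the six usable addresses of an assumed
# ISP /29, 203.0.113.8/29, form the translated-address pool; 203.0.113.2 is the assumed
# outside interface address used for the fallback.
POOL = [str(h) for h in ipaddress.ip_network("203.0.113.8/29").hosts()]
INTERFACE_IP = "203.0.113.2"
MAX_DYNAMIC_IP_POOL = 32000   # the post's stated limit on consecutive addresses for Dynamic IP


def dipp_pick_address(src_ip, pool):
    """Dynamic IP and Port with a translated-address pool: the translated address is chosen
    from a hash of the source IP, so every session from one source lands on the same public
    address. PAN-OS does not document its hash; SHA-256 mod pool size is an assumed stand-in."""
    digest = hashlib.sha256(ipaddress.ip_address(src_ip).packed).digest()
    return pool[int.from_bytes(digest, "big") % len(pool)]


class DippTranslator:
    """Dynamic IP and Port (hide NAT): translated address by hash, source port rewritten to a
    random free port on that address. Many internal hosts can share one translated address."""

    def __init__(self, pool, seed=0):
        self.pool = list(pool)
        self.rng = random.Random(seed)                 # seeded only so the example is reproducible
        self.in_use = {ip: set() for ip in self.pool}  # ports held by open sessions, per address

    def translate(self, src_ip, src_port):
        xlate_ip = dipp_pick_address(src_ip, self.pool)
        used = self.in_use[xlate_ip]
        if len(used) >= 65535 - 1024:
            return None                                # port exhaustion on this address: session dropped
        while True:
            port = self.rng.randint(1024, 65535)
            if port not in used:
                used.add(port)
                return xlate_ip, port


class DynamicIpTranslator:
    """Dynamic IP: each internal host gets its own translated address, assigned 'next available',
    and keeps its original source port. When the pool is exhausted the session is dropped unless
    a fallback to Dynamic IP and Port has been configured (here: on the interface address)."""

    def __init__(self, pool, fallback_ip=None):
        if len(pool) > MAX_DYNAMIC_IP_POOL:
            raise ValueError("Dynamic IP pools are limited to 32,000 consecutive addresses")
        self.free = list(pool)
        self.assigned = {}                             # internal host -> translated address
        self.fallback = DippTranslator([fallback_ip]) if fallback_ip else None

    def translate(self, src_ip, src_port):
        if src_ip not in self.assigned:
            if self.free:
                self.assigned[src_ip] = self.free.pop(0)
            elif self.fallback:
                ip, port = self.fallback.translate(src_ip, src_port)
                return ip, port, "fallback-dynamic-ip-and-port"
            else:
                return None                            # pool exhausted, no fallback: session dropped
        return self.assigned[src_ip], src_port, "dynamic-ip"
```

Run `DynamicIpTranslator(POOL[:2]).translate(...)` for three different internal hosts to see the third one dropped, and construct it with `fallback_ip=INTERFACE_IP` to see the third host translated to the interface address with a new port instead.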

Static Source NAT (DMZ server) (Perspective of the Server): (Bi-directional)
NAT Rule:
Sourcezone: DMZ | SourceIP: PrivateIP | DestinationZone: Outside | DestinationIP: Any | DestinationInterface: OutsideInterface |
SourceAddressTranslation:(TranslateType: Static | TranslatedAddress: PublicIP (Bi-directional))
Security Policy:
(Remains the same, i.e. post-NAT zones and pre-NAT addresses)
Sourcezone: Outside | SourceIP: Any | DestinationZone: DMZ | DestinationIP: PublicIP | Service: http

Destination NAT (DMZ Server) (Perspective of the Client): Destination NAT Example—One-to-One Mapping:(Uni-Directional: Allows PAT)
NAT Rule:
Sourcezone: Outside | SourceIP: Any | DestinationZone: Outside | DestinationIP: PublicIP | DestinationInterface: OutsideInterface |
DestinationAddressTranslation:(TranslatedAddress: PrivateIP)
Security Policy:
(Remains the same, i.e. post-NAT zones and pre-NAT addresses)
Sourcezone: Outside | SourceIP: Any | DestinationZone: DMZ | DestinationIP: PublicIP | Service: http
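The three rule examples above all hinge on the same order of operations: NAT lookup on pre-NAT zones and addresses, post-NAT destination zone derived from a route lookup of the translated destination, security policy matched on pre-NAT addresses but post-NAT zones, and translation applied only once the session is allowed. The Python model below walks packets through that sequence for the hide PAT rule, the bi-directional static rule and the resulting destination NAT. It is an added example written for this post, not code from the original article or from Palo Alto Networks; the zone names follow the post, while the subnets (10.1.1.0/24 Inside, 10.2.2.0/24 DMZ), the public address 203.0.113.10, the server address 10.2.2.15, the outside interface address 203.0.113.1 and the assumption that the implied reverse rule matches any source zone are all constructed for the example.

```python
import ipaddress

# Constructed example topology (not from the original post). The firewall derives an
# address's zone from a longest-prefix route lookup: the zone of the egress interface.
# Zone names follow the post; the addresses and interface names are assumptions.
ROUTES = [
    (ipaddress.ip_network("10.1.1.0/24"), "Inside"),
    (ipaddress.ip_network("10.2.2.0/24"), "DMZ"),
    (ipaddress.ip_network("0.0.0.0/0"), "Outside"),   # default route via OutsideInterface
]
PUBLIC_IP = "203.0.113.10"     # assumed public address published for the DMZ server
DMZ_SERVER = "10.2.2.15"       # assumed private address of the DMZ server
OUTSIDE_IF_IP = "203.0.113.1"  # assumed address of OutsideInterface (hide NAT address)


def zone_of(ip):
    """Pre- or post-NAT zone of an address: the longest matching route wins."""
    addr = ipaddress.ip_address(ip)
    _net, zone = max((r for r in ROUTES if addr in r[0]), key=lambda r: r[0].prefixlen)
    return zone


def matches(ip, spec):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


# NAT rulebase, evaluated top-down against PRE-NAT zones and addresses.
NAT_RULES = [
    {"name": "dmz-static", "from": "DMZ", "to": "Outside", "src": DMZ_SERVER, "dst": "any",
     "snat": ("static", PUBLIC_IP), "bidirectional": True},
    {"name": "inside-hide", "from": "Inside", "to": "Outside", "src": "10.1.1.0/24", "dst": "any",
     "snat": ("dynamic-ip-and-port", OUTSIDE_IF_IP)},
]

# Security rulebase: POST-NAT zones, PRE-NAT addresses.
SECURITY_RULES = [
    {"name": "inside-out-web", "from": "Inside", "to": "Outside", "src": "10.1.1.0/24",
     "dst": "any", "dport": 80},
    {"name": "inbound-dmz-web", "from": "Outside", "to": "DMZ", "src": "any",
     "dst": PUBLIC_IP, "dport": 80},
]


def expand_bidirectional(rules):
    """A static source NAT marked bi-directional implies the reverse destination NAT: packets
    arriving for the public address (pre-NAT zone Outside) are translated back to the private
    address. The implied rule is assumed here to match any source zone."""
    out = []
    for r in rules:
        out.append(r)
        if r.get("bidirectional"):
            public = r["snat"][1]
            out.append({"name": r["name"] + "-reverse", "from": "any", "to": zone_of(public),
                        "src": "any", "dst": public, "dnat": r["src"]})
    return out


def process(src, dst, dport, security_rules=SECURITY_RULES):
    """Order of operations: NAT lookup -> post-NAT destination zone -> security policy
    (pre-NAT addresses, post-NAT zones) -> translation applied only if allowed."""
    pre_src_zone, pre_dst_zone = zone_of(src), zone_of(dst)
    nat = next((r for r in expand_bidirectional(NAT_RULES)
                if r["from"] in ("any", pre_src_zone) and r["to"] == pre_dst_zone
                and matches(src, r["src"]) and matches(dst, r["dst"])), None)
    post_dst = nat["dnat"] if nat and "dnat" in nat else dst
    post_dst_zone = zone_of(post_dst)
    sec = next((r for r in security_rules
                if r["from"] == pre_src_zone and r["to"] == post_dst_zone
                and matches(src, r["src"]) and matches(dst, r["dst"]) and r["dport"] == dport), None)
    result = {"nat_rule": nat["name"] if nat else None, "post_dst_zone": post_dst_zone,
              "security_rule": sec["name"] if sec else None}
    if sec is None:
        result["action"] = "deny"          # NAT was looked up but is never applied
        return result
    post_src = nat["snat"][1] if nat and "snat" in nat else src
    result.update(action="allow", translated=(post_src, post_dst))
    return result
```

Calling `process("198.51.100.7", PUBLIC_IP, 80)` shows an inbound connection hitting the implied reverse rule, landing in post-NAT zone DMZ and being allowed by a security rule that names the public address; swapping that rule’s destination for the private address (the classic mistake) makes the same packet fall through to deny.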

Destination NAT with Port Translation Example:

Destination NAT Example—One-to-Many Mapping:

Source and Destination NAT Example:

In some scenarios it may be required to perform source and destination NAT at the same time. One common example is a U-turn situation, where internal hosts need to connect to an internal server that is on the same network as the client, using the server’s public IP address.

To be able to reach internal resources on a public IP, a new NAT policy needs to be created to accommodate the trust-to-untrust translation.

If source translation is not included in this policy, the server receives packets carrying the client’s original source address. Because the client is on the same network, the server sends its reply packets directly to the client rather than back through the firewall.

This creates an asymmetric path, client-firewall-server-client: the firewall never sees the server’s half of the handshake, so the session is terminated when it fails the TCP state (sanity) checks.

The solution is to add source translation to the rule, for example to the firewall’s own interface IP, so the server’s reply packets are addressed to the firewall and the session stays ‘stateful’.

[Screenshot 2016-09-29_17-13-56.png: U-turn NAT policy with source and destination translation]
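The asymmetric-path problem is easier to see by following the packets. The Python model below traces one TCP SYN from the client to the server’s public address and the SYN/ACK back, once with only destination NAT and once with source NAT to the firewall’s inside interface added. It is an added example written for this post, not code from the original article or from Palo Alto Networks; the inside subnet 192.168.1.0/24, the firewall inside address 192.168.1.1, the client 192.168.1.11:51000, the server’s private address 192.168.1.20 and the translated port 20000 are constructed, and only the public address 80.80.80.80 comes from the post.

```python
import ipaddress

# Constructed U-turn topology (not from the original post): the client and the server share
# one inside subnet, the firewall's inside interface is their default gateway, and the server
# is published on the post's public address 80.80.80.80. All other values are assumptions.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
FW_INSIDE_IP = "192.168.1.1"      # firewall inside interface, also used as the source NAT address
CLIENT = ("192.168.1.11", 51000)  # client address and ephemeral port
SERVER_PRIVATE = "192.168.1.20"
SERVER_PUBLIC = "80.80.80.80"
SERVICE_PORT = 80
FW_SNAT_PORT = 20000              # port the firewall is assumed to pick for the hide translation


def server_next_hop(dst_ip):
    """The server's routing decision for its reply: on-link destinations are delivered
    directly on the subnet, everything else goes to the default gateway (the firewall)."""
    return "direct" if ipaddress.ip_address(dst_ip) in INSIDE_NET else "gateway"


def u_turn(source_nat):
    """Follow one TCP SYN from the client to the server's public IP and the SYN/ACK back,
    with or without source translation on the U-turn NAT rule."""
    # Client opens a connection to the public address; this is the 4-tuple its socket expects.
    c2s = {"src": CLIENT, "dst": (SERVER_PUBLIC, SERVICE_PORT)}
    # Firewall: destination NAT to the private address, optional source NAT to its own interface.
    fw_src = (FW_INSIDE_IP, FW_SNAT_PORT) if source_nat else CLIENT
    forwarded = {"src": fw_src, "dst": (SERVER_PRIVATE, SERVICE_PORT)}
    # Server answers whatever source address it saw in the SYN.
    reply = {"src": forwarded["dst"], "dst": forwarded["src"]}
    path = ["client", "firewall", "server"]
    reply_dst_ip = reply["dst"][0]
    if reply_dst_ip == FW_INSIDE_IP or server_next_hop(reply_dst_ip) == "gateway":
        # Reply reaches the firewall: it matches the session's server-to-client flow and both
        # translations are reversed before delivery to the client.
        path.append("firewall")
        seen_by_fw = True
        delivered = {"src": c2s["dst"], "dst": c2s["src"]}
    else:
        # Reply is on-link for the client, so it bypasses the firewall untranslated.
        seen_by_fw = False
        delivered = reply
    path.append("client")
    # The client's socket only accepts a SYN/ACK from the tuple it connected to (80.80.80.80:80);
    # anything else has no matching connection and is answered with a RST.
    accepted = delivered["src"] == c2s["dst"] and delivered["dst"] == c2s["src"]
    return {"path": path, "reply_seen_by_firewall": seen_by_fw,
            "syn_ack_source": delivered["src"], "client_response": "ACK" if accepted else "RST"}
```

`u_turn(source_nat=False)` returns the client-firewall-server-client path with a SYN/ACK sourced from 192.168.1.20:80 that the client resets, while `u_turn(source_nat=True)` routes the reply back through the firewall so the client sees 80.80.80.80:80 and completes the handshake.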

In this example, NAT rules translate both the source and destination IP address of packets between the clients and the server.

Source NAT—The source addresses in the packets from the clients in the Trust-L3 zone to the server in the Untrust-L3 zone are translated from the private addresses in the network 192.168.1.0/24 to the IP address of the egress interface on the firewall (10.16.1.103). Because the rule uses Dynamic IP and Port translation, the source port numbers are translated as well.

Destination NAT—The destination addresses in the packets from the clients to the server are translated from the server’s public address (80.80.80.80) to the server’s private address (10.2.133.15).

[Diagram source_dest_nat_example.png: source and destination NAT example]

The following address objects are created for destination NAT.
  • Server-Pre-NAT: 80.80.80.80
  • Server-post-NAT: 10.2.133.15
The following screenshots illustrate how to configure the source and destination NAT policies for the example.
[Screenshots source_dest_nat_ss_original.png and source_dest_nat_ss_translated.png: the Original Packet and Translated Packet tabs of the NAT policy]
To verify the translations, use the CLI command ‘show session all filter destination 80.80.80.80’. The client address 192.168.1.11 and its port number are translated to 10.16.1.103 and a new port number, and the destination address 80.80.80.80 is translated to 10.2.133.15.
