Skip to main content

Static Identity NAT question

More
14 years 4 months ago #35286 by Redpix
Hi All,

Hope you all are doing great :)

I have been working on ASA and was stuck on how Static NAT really works and how to use it while communicating from lower security interface to higher security interface and vice-versa.

Please refer below and give your valuable thoughts:

It's like this:

for example:

I have few sub interfaces on the inside named as:

mgmt: security level 100 10.10.17.1/24
lab: security level 90 10.10.18.1/24
server: 80 10.10.20.1/24
app server:70 10.10.19.1/24
database:60 10.10.21.1/24
internet: 0 XX.XX.35.35/28

So I would like to know the meaning of and how it works -
static (app server, database) 10.10.19.0 10.10.19.0 netmask 255.255.255.0

Also,
Can i also apply
static (database,server) 10.10.20.0 10.10.20.0 netmask 255.255.255.0

Is the above one valid, if yes what does it mean or is the traffic permitted by default from lower sec int to higher sec int.

One more please: what does it mean:
static (app server,internet) xx.xx.122.51 172.20.19.25 netmask 255.255.255.255

Please explain me detail so that i can master this concept of Natting between interfaces, when to do it and how to do it.

Also, Can i do a static nat for allowing a single inside host to access internet instead of a PAT. If yes can anyone please post an example. If not what is the alternate way.

Please can someone spare some time and explain me the above things and if possible give me a link so that i can review.

Thanks in advance and appreciate your inputs.
Redpix



8)
More
14 years 4 months ago #35287 by S0lo

So I would like to know the meaning of and how it works -
static (app server, database) 10.10.19.0 10.10.19.0 netmask 255.255.255.0


You can do this but I'd rather explain a more general case so it would be easier to understand, have a look at the following:

static (app server, database) 10.10.21.0 10.10.19.0 netmask 255.255.255.0

This means: "Map every address from the database interface (having an address in the range 10.10.21.0/24) to it's corresponding address in the app server interface (having an address in the range 10.10.19.0/24). In other words, once a packet arrives at the database interface (and passes the ACL's if any), then if the packet has a destination address of the form 10.10.21.0/24 (say 10.10.21.50), this address will be translated to an address in the range 10.10.19.0/24 (so 10.10.19.50). Like wise, 10.10.21.60 will be translated to 10.10.19.60. 10.10.21.76 to 10.10.19.76 and so on. Then the packet gets sent normally using the routing table rules.

Now back to your example:

static (app server, database) 10.10.19.0 10.10.19.0 netmask 255.255.255.0

This would map 10.10.19.x to (the same range) 10.10.19.x. Now this might sound not useful, But it can be useful if you don't want to translate the IPs and just allow normal routing. In other words, the database network can address the app server network by their real IPs.

Also,
Can i also apply
static (database,server) 10.10.20.0 10.10.20.0 netmask 255.255.255.0


Hmm, even if the ASA accepts this, it (as far as I know) will not do any thing. because the 10.10.20.0/24 range does not exist in the database, so when packets (having a destination address of say 10.10.20.80) gets sent their, no one will respond. On the other hand, you can do this:

static (database,server) 10.10.21.0 10.10.21.0 netmask 255.255.255.0

or is the traffic permitted by default from lower sec int to higher sec int.


Traffic is permitted by default from higher sec to lower sec. The reverse needs a permitting access list placed on the lower sec interface. Note that static and nat / global commands don't permit or deny. They only do translation. But the ASA ALWAYS needs a translation to move packets (lower to higher sec or vise versa), even if the translation does NOT really translate IPs (as we saw above).

One more please: what does it mean:
static (app server,internet) xx.xx.122.51 172.20.19.25 netmask 255.255.255.255


It means: translate packets coming from the internet (having the destination IP xx.xx.122.51) and replace that IP with 172.20.19.25.

But this statement will probably NOT work because the IP 172.20.19.25 does not exist in app server interface (range 10.10.19.1/24)

Also, Can i do a static nat for allowing a single inside host to access internet instead of a PAT. If yes can anyone please post an example. If not what is the alternate way.


Yes you can, because static works both ways. But that single inside host will also be reachable by inbound traffic. In other words, it's acting like a sever, although it might not have any type of server installed on it.

Hope this helps.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
More
14 years 3 months ago #35383 by Redpix
Hello SOlo,

Thank you very much for your response and my sincere apologies for not getting back to you soon.

I once again need your great help in understanding the below answers, could you please shed more light with examples SOlo.

So in your answer below, per my understanding every person from database (10.10.21.0/24) would be
able to access appserver by getting translated from 10.10.21.0 to 10.10.19.0 IP's, am I correct?
I would appreciate your answer here.
Also, if appserver person wants to access database is it possible, if so i feel appserver person will be translated from 10.10.19.0 to 10.10.21.0 IP's? Forgive my ignorance SOlo if am wrong? Can you explain please. Or do I need to put another static like (databse, app server) ?

static (app server, database) 10.10.21.0 10.10.19.0 netmask 255.255.255.0

This means: "Map every address from the database interface (having an address in the range 10.10.21.0/24) to it's corresponding address in the app server interface (having an address in the range 10.10.19.0/24). In other words, once a packet arrives at the database interface (and passes the ACL's if any), then if the packet has a destination address of the form 10.10.21.0/24 (say 10.10.21.50), this address will be translated to an address in the range 10.10.19.0/24 (so 10.10.19.50)

Next one: In you answer below, I think this will help database persons to access appserver without getting translated, am I correct? If yes then why we are doing like the above translation? Please clarify SOlo.
Can you please post the Static NAT syntax here.
(app server, database) & (database, app server), is there a difference between the two things? Please shed more light on this.

static (app server, database) 10.10.19.0 10.10.19.0 netmask 255.255.255.0

This would map 10.10.19.x to (the same range) 10.10.19.x. Now this might sound not useful, But it can be useful if you don't want to translate the IPs and just allow normal routing. In other words, the database network can address the app server network by their real IPs.

Many thanks in advance for any help guys.

Regards,
Redpix
More
14 years 3 months ago #35400 by S0lo

So in your answer below, per my understanding every person from database (10.10.21.0/24) would be
able to access appserver by getting translated from 10.10.21.0 to 10.10.19.0 IP's, am I correct?


Yes, but not exactly. We don't usually map the whole database (or any network) to another. What we usually do is we map a small portion of the address range to the servers, something like this:

static (app server, database) 10.10.21.0 10.10.19.0 netmask 255.255.255.248

Notice I changed the subnet mask. This will map the range 10.10.21.1 - 10.10.21.6 to the range 10.10.19.1 - 10.10.19.6. So you can have 6 server PCs with real IPs 10.10.19.1 - 10.10.19.6 and be able to access them from the database network using the range 10.10.21.1 - 10.10.21.6

Also, if appserver person wants to access database is it possible, if so i feel appserver person will be translated from 10.10.19.0 to 10.10.21.0 IP's? Forgive my ignorance SOlo if am wrong? Can you explain please. Or do I need to put another static like (databse, app server) ?


Yes, static maps work both ways. You are right, so if an appserver person pings an IP say 10.10.19.4 (and this IP is not used in appserver network) it will be translated to 10.10.21.4 and sent to database. When the database PC with IP 10.10.21.4 replies, the IP will be untranslated back to 10.10.19.4 and sent to the pinger at appserver.

So you DON'T need to put another static like (databse, app server).

Next one: In you answer below, I think this will help database persons to access appserver without getting translated, am I correct? If yes then why we are doing like the above translation? Please clarify SOlo.


May be the above answers this.

Can you please post the Static NAT syntax here.
(app server, database) & (database, app server), is there a difference between the two things? Please shed more light on this.

static (app server, database) 10.10.19.0 10.10.19.0 netmask 255.255.255.0


The simple syntax form for the static command is:

static (real_interface,mapped_interface) mapped_ip real_ip netmask mask

There is a big deference between (app server, database) & (database, app server). To understand this deference, I better give a brief overview of the purpose of dynamic and static nat.

Dynamic NAT (using nat, global commands) is mainly used to allow PCs on a higher security interface to access (initiate a connection) to PCs on a lower security interface. The translation hides the initiators real IP.

Static NAT (using static command) is mainly used to allow PCs on a lower security interface to access (initiate a connection) to PCs (usually servers) on a higher security interface. The translation hides the receivers (servers) real IP.

Now surely you can use both types of NATs for other purposes. But this is the main "meant to be" use.

Back to (app server, database) & (database, app server). If you use the later, your telling the ASA that you have server PCs at the database network that you want to be accessible from the app server network. Which is probably NOT what you want to do, or is it?

Hope this helps and doesn't confuse.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
More
14 years 3 months ago #35402 by Redpix
Replied by Redpix on topic Static Identity Nat
Hello SOlo,

Great clarification indeed!!
Much appreciated for this.

Whether I would want to have the other Nat or not now i understood the difference so I think i can go ahead and use if i want to :D

Thank you,

Back to you soon :D

Redpix
More
14 years 3 months ago #35407 by S0lo
Glad to help. Good luck :)

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
Time to create page: 0.139 seconds