Cisco ASA 8.4.2 unidirectional static NAT Configuration

April 13, 2013 — 2 Comments

Since version 8.3, the Cisco ASA supports unidirectional NAT. With unidirectional NAT you can determine which side is permitted to initiate the connection.
Unidirectional NAT can be part of your security policy to make sure that untrusted networks cannot initiate connections into your internal network.
I created a scenario in which you can see the use and usefulness of this feature.

In this example we have two networks:

My internal network on the inside interface of the ASA:

obj-192.168.17.0 (192.168.17.0 255.255.255.0)

And the remote peer network, which is reached through the outside interface:

obj-10.10.10.0 (10.10.10.0 255.255.255.0)

The NAT should allow connections between these networks, but only my internal network (obj-192.168.17.0) should be able to initiate the connection.

Unidirectional NAT Configuration on ASA 8.3

On ASA 8.3 you can use the keyword “unidirectional” at the end of the NAT configuration; pay attention to choosing the right direction:

nat (inside,OUTSIDE) 3 source static obj-192.168.17.0 obj-192.168.17.0 destination static obj-10.10.10.0 obj-10.10.10.0 unidirectional

As you see, we just configure an identity NAT from the inside interface to the outside interface: it pairs my inside network object 192.168.17.0/24 with the remote network object 10.10.10.0/24 without changing either address, and at the end we specify that the connection may only be initiated from the inside network.

Unidirectional NAT Configuration on ASA 8.4.2 or higher

The identity NAT in version 8.4.2 has been extended with two new keywords: “route-lookup” and “no-proxy-arp”.
If you enable either of these keywords, you can no longer apply a unidirectional NAT, so we have to know exactly what these two keywords do; that will help us decide whether to enable or disable them for our scenario.

Route-lookup

The keyword “route-lookup” controls how the ASA determines the egress interface for each IP packet. When the ASA receives a packet it always looks in its XLATE table first to determine the outgoing interface; if there is no entry for the packet’s destination, the ASA looks in its NAT table for a static NAT entry. If there is no entry there either, the ASA looks in its routing table. In version 8.4.1 and earlier the ASA always looked in the routing table, but since 8.4.2 the ASA does not look up the routing table by default; if the ASA should explicitly look up the routing table, you have to use the keyword “route-lookup” in the NAT configuration.

In this scenario we know that there is no entry for the destination network 10.10.10.0/24 in our routing table; you can check your routing table with the command:

show route

So it is not necessary for the ASA to do a route lookup, and that is why we can leave the keyword “route-lookup” disabled.
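The two behaviours described so far, the initiation-direction check of the unidirectional identity NAT and the XLATE-then-NAT-then-routing-table egress lookup that “route-lookup” controls, modelled in Python as an added example. This is not the author’s configuration or Cisco code; the rule class, the table shapes (lists of CIDR/interface pairs), the `route_lookup` flag and the constructed default route are my own assumptions that mirror the description in the text.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class NatRule:
    """One manual (twice) NAT rule, modelled on
    'nat (inside,OUTSIDE) source static A A destination static B B unidirectional'.
    Networks are CIDR strings; this is an assumed model, not the ASA data structure."""
    real_ifc: str
    mapped_ifc: str
    real_src: str
    mapped_src: str
    real_dst: str
    mapped_dst: str
    unidirectional: bool = False
    route_lookup: bool = False
    no_proxy_arp: bool = False

    def __post_init__(self):
        # As described in the text: route-lookup or no-proxy-arp cannot be
        # combined with unidirectional on the same rule.
        if self.unidirectional and (self.route_lookup or self.no_proxy_arp):
            raise ValueError("unidirectional cannot be combined with "
                             "route-lookup or no-proxy-arp")


def keywords_conflict(**keywords):
    """True if NatRule refuses the given keyword combination."""
    try:
        NatRule("inside", "OUTSIDE", "192.168.17.0/24", "192.168.17.0/24",
                "10.10.10.0/24", "10.10.10.0/24", **keywords)
    except ValueError:
        return True
    return False


def may_initiate(rule, ingress_ifc, src_ip, dst_ip):
    """Return True if a NEW connection arriving on ingress_ifc from src_ip to
    dst_ip matches the rule in a direction that is allowed to initiate."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    # Real side -> mapped side: always allowed.
    if (ingress_ifc == rule.real_ifc
            and src in ip_network(rule.real_src)
            and dst in ip_network(rule.mapped_dst)):
        return True
    # Mapped side -> real side: only a bidirectional rule lets this side start.
    if (ingress_ifc == rule.mapped_ifc
            and src in ip_network(rule.mapped_dst)
            and dst in ip_network(rule.mapped_src)):
        return not rule.unidirectional
    return False


def egress_interface(dst_ip, xlate, nat_rules, routes, route_lookup):
    """Egress lookup in the order the text describes: XLATE table first, then
    the static NAT table, then the routing table, which (8.4.2+) is consulted
    only when route_lookup is True. Returns None when nothing matches.
    xlate and routes are lists of (cidr, interface) tuples."""
    dst = ip_address(dst_ip)
    for net, ifc in xlate:                      # 1. existing translations
        if dst in ip_network(net):
            return ifc
    for rule in nat_rules:                      # 2. static NAT entries
        if dst in ip_network(rule.mapped_dst):
            return rule.mapped_ifc
        if dst in ip_network(rule.mapped_src):
            return rule.real_ifc
    if not route_lookup:                        # 3. routing table, if allowed
        return None
    best = None
    for net, ifc in routes:                     # longest-prefix match
        n = ip_network(net)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, ifc)
    return best[1] if best else None


# The rule from the post, as an identity twice-NAT that only "inside" may start.
RULE = NatRule("inside", "OUTSIDE",
               "192.168.17.0/24", "192.168.17.0/24",
               "10.10.10.0/24", "10.10.10.0/24",
               unidirectional=True)

# Constructed routing table for the demonstration: only a default route.
ROUTES = [("0.0.0.0/0", "OUTSIDE")]


def scenario():
    """Reproduces the connection tests from the post plus the route-lookup cases."""
    return {
        # SSH from 10.10.10.5 to 192.168.17.100: refused, wrong direction.
        "outside_initiates": may_initiate(RULE, "OUTSIDE", "10.10.10.5", "192.168.17.100"),
        # From 192.168.17.100 to 10.10.10.5: allowed.
        "inside_initiates": may_initiate(RULE, "inside", "192.168.17.100", "10.10.10.5"),
        # 10.10.10.0/24 is not in the routing table, but the NAT table resolves it.
        "egress_via_nat": egress_interface("10.10.10.5", [], [RULE], ROUTES, route_lookup=False),
        # A destination covered by neither XLATE nor NAT needs route-lookup.
        "egress_no_lookup": egress_interface("172.16.0.1", [], [RULE], ROUTES, route_lookup=False),
        "egress_with_lookup": egress_interface("172.16.0.1", [], [RULE], ROUTES, route_lookup=True),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Running the block prints the outcome of each case; the point to take from it is that the destination 10.10.10.0/24 is resolved by the NAT table even though the routing table has no entry for it, which is why the post can leave “route-lookup” off and keep the rule unidirectional.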

No-proxy-arp

As the name suggests, the ASA acts as a proxy for your server behind the ASA.

If someone outside your network sends your server a packet, the first request will be an ARP request for your server. If you have enabled the proxy-ARP feature for this connection, the ASA answers all ARP requests from outside your network. Additionally, your server and the ASA deliver their MAC addresses to the origin of the request, that is, to any host that wants to contact your server.

Proxy ARP is a useful tool to protect your access server from a list of attacks such as “ARP spoofing” or “man-in-the-middle” (MITM) attacks, and you should keep in mind that this command should be executed:

no-proxy-arp

If you are using ASDM (I prefer not to use ASDM for NAT configurations), you have to know that “route-lookup” and “no-proxy-arp” are enabled by default (see screenshot).


Finally, our NAT command on ASA 8.4.2 looks pretty much like the ASA 8.4.1 configuration:

nat (inside,OUTSIDE) 3 source static obj-192.168.17.0 obj-192.168.17.0 destination static obj-10.10.10.0 obj-10.10.10.0 unidirectional

Checking the setting

If you apply the unidirectional NAT correctly, you should be able to initiate the connection only from the correct direction; in our scenario you can start the connection from 192.168.17.0/24 to 10.10.10.0/24.

To test the setting I just try to initiate an SSH connection from 10.10.10.5 to 192.168.17.100:

As you see, the connection is not established because it was initiated from the wrong direction.
Now I test the NAT in the correct direction and try to connect from 192.168.17.100 to 10.10.10.5; as you will see, it works.

PING Problem

Please keep in mind that ping is not a good indicator for testing the NAT configuration, because ping carries no transport protocol and no real payload; for instance, as you see, I am not able to ping the peer 10.10.10.5 from the host 192.168.17.


But I do get an answer from 10.10.10.5 if I telnet to port 3389 (RDP), and I can also reach 10.10.10.5 with an RDP client; don’t get mad if the ping does not respond, and try to establish a real IP connection instead.

Debugging

You can find any established connection in the XLATE table; use the command:

show xlate [select your host or your translated interface]

You can also see the connection by using:

show conn address [select your host or the remote host IP address]

With

sho run nat

you can see your NAT configuration; I prefer to use:

1
sho nat translated interface outside detail

As a result the ASA prints out all your static and dynamic NAT configurations:

Manual NAT Policies (Section 1)
1 (development) to (OUTSIDE) source static obj-192.168.17.0 obj-192.168.17.0   destination static obj-10.10.10.0 obj-10.10.10.0 unidirectional
    translate_hits = 15, untranslate_hits = 0
    Source - Origin: 192.168.17.0/24, Translated: 192.168.17.0/24
    Destination - Origin: 10.10.10.0/24, Translated: 10.10.10.0/24
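A small parser for the “show nat … detail” output shown above, added here as an example; it is not part of the post and not a Cisco tool. It pulls the direction keyword and the hit counters out of each rule so that a configuration audit can flag identity rules that are still bidirectional, which is exactly the case the post’s security policy wants to avoid. The sample input is the output printed above; the field names, the regular expressions and the audit rule are my own assumptions.

```python
import re

# Output of 'show nat translated interface outside detail' as printed in the post
# (used here as the sample input for this example).
SAMPLE = """\
Manual NAT Policies (Section 1)
1 (development) to (OUTSIDE) source static obj-192.168.17.0 obj-192.168.17.0   destination static obj-10.10.10.0 obj-10.10.10.0 unidirectional
    translate_hits = 15, untranslate_hits = 0
    Source - Origin: 192.168.17.0/24, Translated: 192.168.17.0/24
    Destination - Origin: 10.10.10.0/24, Translated: 10.10.10.0/24
"""

SECTION_RE = re.compile(r"^(.+?) \(Section (\d+)\)$")
RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) (.+)$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")
SIDE_RE = re.compile(r"^(Source|Destination) - Origin: (\S+), Translated: (\S+)$")


def parse_show_nat(text):
    """Parse the textual output into one dict per rule (field names are my own)."""
    rules, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = int(m.group(2))
            continue
        m = RULE_RE.match(line)
        if m:
            policy = m.group(4).split()
            rules.append({
                "id": int(m.group(1)),
                "section": section,
                "real_ifc": m.group(2),
                "mapped_ifc": m.group(3),
                "policy": " ".join(policy),
                "unidirectional": "unidirectional" in policy,
                "route_lookup": "route-lookup" in policy,
                "no_proxy_arp": "no-proxy-arp" in policy,
                "translate_hits": 0,
                "untranslate_hits": 0,
            })
            continue
        if not rules:
            continue                      # detail line before any rule header
        m = HITS_RE.search(line)
        if m:
            rules[-1]["translate_hits"] = int(m.group(1))
            rules[-1]["untranslate_hits"] = int(m.group(2))
            continue
        m = SIDE_RE.match(line)
        if m:
            rules[-1][m.group(1).lower()] = {"origin": m.group(2),
                                            "translated": m.group(3)}
    return rules


def is_identity(rule):
    """Identity NAT: every side present translates to itself."""
    sides = [rule.get(k) for k in ("source", "destination") if rule.get(k)]
    return bool(sides) and all(s["origin"] == s["translated"] for s in sides)


def audit(rules):
    """Audit rule (my own): an identity twice-NAT that is not unidirectional lets
    the mapped-side network initiate into the real side; report it."""
    findings = []
    for r in rules:
        if is_identity(r) and not r["unidirectional"]:
            findings.append(
                f"rule {r['id']}: identity NAT {r['real_ifc']}->{r['mapped_ifc']} "
                f"is bidirectional, {r['mapped_ifc']} may initiate "
                f"(translate_hits={r['translate_hits']}, "
                f"untranslate_hits={r['untranslate_hits']})")
    return findings


if __name__ == "__main__":
    parsed = parse_show_nat(SAMPLE)
    for r in parsed:
        print(r["id"], r["real_ifc"], "->", r["mapped_ifc"],
              "unidirectional" if r["unidirectional"] else "bidirectional",
              r["translate_hits"], r["untranslate_hits"])
    print(audit(parsed) or "no findings")
```

Feed it the output of the command from an ASA and the audit list is empty for rules written as in the post; drop the “unidirectional” keyword from a rule and the same identity rule is reported, because the outside interface may then start connections into the inside network.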

Take Care

2 responses to Cisco ASA 8.4.2 unidirectional static NAT Configuration

  1. Excellent !!!!

  2. good !!!
