Cisco IP Solution Center Security User Guide, 3.0
NAT Services

Table Of Contents

NAT Services

ISC NAT Features

NAT Provisioning Setup

Marking Interfaces for NAT

Adding IP Address Ranges for NAT

Creating NAT Service Requests

Primary Address Translations

Alternate Address Translations

Device Peer IP Address Ranges

Adding Templates To Service Requests (Optional)


NAT Services


This chapter contains the following sections:

ISC NAT Features

NAT Provisioning Setup

Creating NAT Service Requests

Adding Templates To Service Requests (Optional)


Note Before creating an ISC security policy or service request, it is necessary to populate the ISC repository with the target devices in your network, collect the initial device configuration files, designate customers and customer sites, and define each target device as a CPE device.

CPE devices are the devices at each end of the VPN tunnel. Creating CPE devices includes assigning each target device to a specific customer and customer site and marking the device interfaces. Specifically for security management, you must define at least one outside and one inside interface on each device.

For how-to information on populating your ISC repository and setting up CPE devices, refer to the Cisco IP Solution Center Infrastructure Guide, 3.0.


ISC NAT Features

The NAT features supported by ISC deliver static and dynamic address translation on Cisco IOS and Cisco PIX Firewall devices. The following features are supported:

Host-based, port-based, and network-based static translations.

Dynamic translations based on either an address pool or an interface name for Internet-bound traffic.

No-NAT for site-to-site traffic. (No-NAT designates traffic to which NAT is not applied.)

NAT for both Internet-bound and site-to-site traffic. This enables you to manage sites with overlapping IP addresses by using NAT to shield the overlapping addresses from each other.

For Cisco IOS devices with overlapping IP addresses, ISC also supports alternative IP address pools for site-to-site traffic, so that the Internet-bound traffic and site-to-site traffic can use different address pools.

NAT Provisioning Setup

Before you can begin NAT provisioning, your ISC device inventory must be populated. Please refer to the Cisco IP Solution Center: Infrastructure Reference, 3.0 for how to populate your device inventory and use ISC Inventory Manager.

Marking Interfaces for NAT

CPE device interfaces are assigned their roles and attributes either through the ISC Inventory Manager or when you assign the CPE device to a customer in CPE Devices. Mark each interface Inside or Outside according to how the NAT service is to be deployed. For a Cisco IOS device, the NAT interfaces must be marked when the CPE is created. There is no need to mark NAT interfaces on a PIX Firewall, because the PIX Firewall interface is selected when the translation itself is configured.


Step 1 To mark CPE interfaces for Cisco IOS devices, click Service Inventory > Inventory and Connection Manager. Click CPE Devices in the TOC column on the left of the page. The CPE Devices page appears as shown in Figure 5-1.

Figure 5-1 CPE Devices Page

Step 2 Check the box next to a CPE device that you want to use in your NAT service request and click Edit. The Edit CPE Device page appears as shown in Figure 5-2. (To create a new CPE device, refer to the Cisco IP Solution Center: Infrastructure Reference, 3.0.)

Figure 5-2 The Edit CPE Device Page

Step 3 Mark each device interface in the NAT column as either Inside, Outside, or None. Select Inside for the inward-facing NAT interface, Outside for the outward-facing NAT interface, and None for interfaces on the device that are not being used for NAT.


Adding IP Address Ranges for NAT

NAT services require that you define IP address ranges for all CPE devices used for NAT.


Step 1 Open the Edit CPE Device page for the device, as described in Step 1 and Step 2 of the "Marking Interfaces for NAT" section. The Edit CPE Device page appears as shown in Figure 5-3.

Figure 5-3 The Edit CPE Device Page with CPE Selected

Step 2 To check or define the IP Address Ranges, click Edit next to IP Address Ranges. The Edit CPE IP Address Ranges page appears as shown in Figure 5-4.

Figure 5-4 The Edit CPE IP Address Ranges Page

Step 3 Check that all IP address ranges for the device are defined.

Step 4 If you need to add an IP address range, click Create. The Address Range dialog box appears as shown in Figure 5-5.

Figure 5-5 Address Range Dialog Box

Step 5 Enter the summarized IP address and subnet mask in the Summarized IP and Subnet Address text box.

Step 6 Check Inclusion to include the range in No-NAT (traffic between this range and the peer IP address ranges is not translated), or check Exclusion to exclude the range from No-NAT (traffic to and from this range is translated like any other traffic).

Step 7 Click OK when done to return to the Edit CPE IP Address Ranges page.

Step 8 Click OK to return to the Edit CPE Device page.


Creating NAT Service Requests

Unlike the other ISC security services, NAT does not require you to create a policy. NAT services are defined and deployed entirely through service requests.

To create a NAT service request, you add CPE devices to the NAT service request and edit the NAT parameters for each device individually.


Note By default, if you add multiple devices into one service request, it is assumed that traffic between the IP address ranges defined among the devices is to be designated as No-NAT. You can change the default behavior for individual devices within the NAT service request.


To create a NAT service request perform the following steps:


Step 1 Click Home > Service Inventory > Inventory and Connection Manager > Service Requests. The Service Requests page appears.

Figure 5-6 The Service Requests Page

Step 2 Click Create > NAT. The NAT Service Editor page appears as shown in Figure 5-7.

Figure 5-7 The NAT Service Editor Page

Step 3 Click Select next to Customer field. The Customer for NAT SR dialog box appears as shown in Figure 5-8.

Figure 5-8 Customer for NAT SR Dialog Box

Step 4 Click the button next to the customer to which the NAT service belongs and click Select. This returns you to the NAT Service Editor page.

Figure 5-9 The NAT Service Editor Page with Customer Added

Step 5 Click Select on the lower right of the NAT Service Editor page (directly above the Edit and Remove buttons). The CPEs Associated with NAT SR dialog box appears, as shown in Figure 5-10.

Figure 5-10 CPEs Associated with NAT SR Dialog Box

Step 6 Check the box next to the CPE device you want to use for NAT and click Select. The NAT Service Editor page appears as shown in Figure 5-11.

Figure 5-11 The NAT Service Editor Page with CPE Device Added

Step 7 Next, locate Peer IP Address Ranges. This option lets you share one set of peer IP address ranges among multiple devices in the same service request. For example, in a hub-and-spoke topology many spoke devices share the same peer IP address ranges; you can define the range once and point all the spoke devices to it with the Peer IP Address Ranges option.

Step 8 Click Edit in the Peer IP Address Ranges row to add or modify peer IP addresses. The Peer IP Address Ranges dialog box appears as shown in Figure 5-12.

Figure 5-12 Peer IP Address Ranges Dialog Box

Step 9 Enter the IP Address Ranges of the CPE device peers. Check Is Exclusion to exclude the host or network from No NAT.

Step 10 Click OK to return to the NAT Service Editor page. The NAT Service Editor page appears as shown in Figure 5-13.

Figure 5-13 The NAT Service Editor Page with Peer IP Addresses Added

Step 11 Enter a description of the NAT service in the Description text box. The NAT Service Editor page appears as shown in Figure 5-14.

Figure 5-14 The NAT Service Editor Page with Description Added

Step 12 Next, fill in the fields in the lower portion of the NAT Service Editor page, as shown in Figure 5-15.

Figure 5-15 The Lower Portion of the NAT Service Editor Page

Step 13 Follow the instructions in Table 5-1 for the fields in the lower portion of NAT Service Editor page.

Table 5-1 NAT Service Editor Fields

Device Name (non-editable field): The name of the CPE device(s) you selected for NAT.

Device Type (non-editable field): Displays the CPE device type.

Addr Overlapping (checkbox): Check this box if the device has overlapping IP addresses with any other networks. When checked, all the IP address ranges behind this device are translated.

Note Traffic between your IP address ranges and the peer IP address ranges is not NATed unless the Addr Overlapping option is used.

If a Cisco IOS device has Addr Overlapping checked, when you edit the device you have the option to define alternative IP address pools for the traffic to the peer IP address ranges.

In this way, traffic can be translated with primary translations using the primary IP address pool or with alternative translations using an alternate IP address pool. For example, traffic going to the Internet can be translated using the primary IP address pool (primary translations) while traffic going to the peer IP address ranges can be translated using another IP address pool (alternative translations).

To configure alternative IP address pools, go to the Alternate section in the NAT Configuration Details page as shown in Figure 5-16.

If a PIX Firewall device is marked Addr Overlapping, traffic to any destination is translated using only the primary IP address pool, because the PIX Firewall does not support alternative translations.

Auto Translation (checkbox): Check if you want to translate all IP address ranges behind the device to one IP address on the outside interface using port address translation (PAT). (This is commonly used for a SOHO router.)

Note You can still define additional static translations in the NAT Configuration Details page.

IP Addr Range Option (drop-down list): This option creates the access control list (ACL) that determines which traffic should or should not undergo NAT. Traffic that matches the No-NAT entries of the ACL is exempt from translation; all other traffic from the device's IP address ranges is translated.

Select one of the following options to define the IP address ranges to use as the peer IP address range:

Computed - Generates the peer IP address range from the sum of all device IP address ranges in the service request. This is the easiest approach, but depending on the number of devices in the service request it may result in a large No-NAT ACL.

Service Request Peer IP Address Range - Uses the IP address range previously defined in the Service Request Editor page.

Device Peer IP Address Range - Uses the device peer IP address range to define the peer IP address range for the current device. For example, the peer IP address ranges for a hub device can be summarized and defined using the Device Peer IP Address Range option, because this IP address range is only used by the hub device.

If you select this option, refer to the "Device Peer IP Address Ranges" section to define the device peer IP address range.

Note Each CPE device must have its IP address ranges defined in the ISC repository.

Add Templates (link): Refer to the "Adding Templates To Service Requests (Optional)" section for information on how to use templates.
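The following is an added example, not ISC's code and not the configlet format ISC actually emits (this page does not show it). It models how the IP Addr Range Option, the Inclusion/Exclusion flags from "Adding IP Address Ranges for NAT" and the Addr Overlapping option decide which traffic is No-NAT, by generating the Cisco IOS numbered ACL that a dynamic translation would reference. The data model, the ACL numbers 101 and 102, the device names and every address range are constructed assumptions; the access-list syntax is standard Cisco IOS.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network


@dataclass(frozen=True)
class AddrRange:
    """One entry from the CPE or Peer IP Address Ranges dialogs."""
    network: IPv4Network
    exclusion: bool = False           # Exclusion / Is Exclusion checked: never No-NAT


@dataclass
class CpeDevice:
    name: str
    local_ranges: list                # IP address ranges defined on the CPE device
    addr_overlapping: bool = False    # Addr Overlapping checkbox
    use_alternate_pool: bool = False  # alternate pool defined for peer traffic (IOS only)
    device_peer_ranges: list = field(default_factory=list)  # Device Peer IP Address Range


def rng(cidr, exclusion=False):
    return AddrRange(IPv4Network(cidr), exclusion)


def peer_ranges_for(device, sr_devices, sr_peer_ranges, option):
    """Resolve one device's peer ranges according to its IP Addr Range Option."""
    if option == "computed":
        # Sum of every other device's ranges in the same service request.
        return [r for d in sr_devices if d.name != device.name for r in d.local_ranges]
    if option == "sr_peer":
        return list(sr_peer_ranges)
    if option == "device_peer":
        return list(device.device_peer_ranges)
    raise ValueError(f"unknown IP Addr Range Option: {option}")


def nat_acls(device, peers, primary=101, alternate=102):
    """Return (primary_acl_lines, alternate_acl_lines) in IOS syntax.

    primary deny     -> No-NAT: site-to-site traffic that is never translated
    primary permit   -> translated with the primary pool
    alternate permit -> translated with the alternate pool; the same pairs are
                        denied in the primary ACL so only one rule matches them
    """
    p_lines, a_lines = [], []
    for local in device.local_ranges:
        for peer in peers:
            if local.exclusion or peer.exclusion:
                continue              # excluded ranges fall through to the permit below
            pair = (f"{local.network.network_address} {local.network.hostmask} "
                    f"{peer.network.network_address} {peer.network.hostmask}")
            if not device.addr_overlapping:
                p_lines.append(f"access-list {primary} deny ip {pair}")
            elif device.use_alternate_pool:
                p_lines.append(f"access-list {primary} deny ip {pair}")
                a_lines.append(f"access-list {alternate} permit ip {pair}")
            # Addr Overlapping without an alternate pool: everything is translated
            # with the primary pool, so no deny entry is generated.
        p_lines.append(f"access-list {primary} permit ip "
                       f"{local.network.network_address} {local.network.hostmask} any")
    return p_lines, a_lines


# Constructed sample service request: one hub and three spokes (all assumed).
HUB = CpeDevice("hub-rtr", [rng("10.0.0.0/24"), rng("10.0.1.0/24")],
                device_peer_ranges=[rng("10.1.0.0/16"), rng("10.2.0.0/16"), rng("10.3.0.0/16")])
SPOKE1 = CpeDevice("spoke-1", [rng("10.1.0.0/24"), rng("10.1.1.0/24")])
SPOKE2 = CpeDevice("spoke-2", [rng("10.2.0.0/24")])
SPOKE3 = CpeDevice("spoke-3", [rng("10.3.0.0/24"), rng("10.3.5.0/24")])
SR_DEVICES = [HUB, SPOKE1, SPOKE2, SPOKE3]
# Shared peer list for the spokes: the hub, plus a partner network that must be
# reached through NAT (Is Exclusion checked).
SR_PEER_RANGES = [rng("10.0.0.0/16"), rng("198.51.100.0/24", exclusion=True)]
# A site whose 10.1.0.0/24 collides with spoke-1: Addr Overlapping plus alternate pool.
OVERLAP_SITE = CpeDevice("spoke-4", [rng("10.1.0.0/24")],
                         addr_overlapping=True, use_alternate_pool=True)

if __name__ == "__main__":
    for option in ("computed", "device_peer"):
        acl, _ = nat_acls(HUB, peer_ranges_for(HUB, SR_DEVICES, SR_PEER_RANGES, option))
        print(f"! hub, {option}: {len(acl)} ACL entries")
        print("\n".join(acl))
```

Running it for the hub shows the trade-off Table 5-1 describes: Computed produces one deny entry per (local range, peer range) pair, 12 entries for this hub, while a summarized Device Peer IP Address Range cuts that to 8. The excluded 198.51.100.0/24 never appears in a deny entry, so traffic to it is translated. Review the generated deny entries before deployment: each one is a bypass of NAT, and an over-broad summary silently exempts traffic you meant to translate.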


Step 14 After you have selected the NAT service options, check the box next to the Device Name on which you want to set up NAT and click Edit. You can only select one device at a time, otherwise Edit will be disabled.

The NAT Configuration Details page appears as shown in Figure 5-16.


Note If you checked Addr Overlapping for this device, the Primary and Alternate IP address sections display on the NAT Configuration Details page. If Addr Overlapping is off, or the device is not a Cisco IOS device, the Alternate section does not display.


Figure 5-16 The NAT Configuration Details Page

Step 15 Look at the TOC on the left of the page, as shown in Figure 5-17.

Figure 5-17 TOC for NAT Configurations Details Page

Step 16 The TOC entries listed under Primary are for translations using the primary IP address pools, and the TOC entries listed under Alternate are for translations using alternate IP Address pools. Continue to "Primary Address Translations" section for Cisco IOS and PIX Firewall Devices.


Primary Address Translations

In this section, you define the primary NAT address pool, dynamic translations, and static translations.


Step 1 Click NAT Address Pool under the Primary section of the NAT Configuration Details page TOC as shown in Figure 5-18.

Figure 5-18 The NAT Configuration Details Page TOC with Primary NAT Address Pools Highlighted

Step 2 The Primary NAT Address Pools page appears as shown in Figure 5-19.

Figure 5-19 The NAT Address Pools Page

Step 3 Click Add. The Address Pools dialog box appears as shown in Figure 5-20.

Figure 5-20 Address Pools Dialog Box

Step 4 Click Add in the Address Pools dialog box.

Figure 5-21 Address Pools Dialog Box After Clicking Add

Table 5-2 Address Pool Fields

Pool Name (text box): Type in a name for the address pool.

Allow Overloading (checkbox): Check Allow Overloading if you want to do Port Address Translation (PAT), that is, map many inside addresses to one pool address by giving each session a different source port.

Network Mask (text box): Enter the network mask.

Entry Type (drop-down list): Select one of the following options:

IP Address - Select IP Address from the Entry Type drop-down list. The dialog updates and displays the Start IP Address and Stop IP Address text boxes as shown in Figure 5-21.

Interface - Select Interface from the Entry Type drop-down list to use the IP address of the interface for PAT. The dialog updates and displays as shown in Figure 5-22. Click the ... box and the Interfaces for Device Pool Entry Interface Selection dialog box appears as shown in Figure 5-23. Click the button next to the interface you want to use and click Select. This returns you to the main Address Pools dialog box, as shown in Figure 5-24.


Figure 5-22 Address Pools Dialog Box with Interface Selected

Figure 5-23 Interfaces for Device Pool Entry Interface Selection Dialog Box

Figure 5-24 Address Pools Dialog Box with Interface Name Displayed

Step 5 Click OK to return to the NAT Configuration Details page.

Step 6 Click Dynamic Translation in TOC section of NAT Configuration Details page as shown in Figure 5-25.

Figure 5-25 The NAT Configuration Details Page TOC with Primary Dynamic Translation Highlighted

Step 7 The Primary Dynamic Translation page appears as shown in Figure 5-26. To add a translation, click Add.

Figure 5-26 The Primary Dynamic Translations Page

Table 5-3 Dynamic Translation Fields

From IP Address Ranges (combo box): Click the ... box to enter the IP address ranges that need to be translated. The IP Address dialog box appears as shown in Figure 5-27. Enter the IP address and netmask. Click Add to add multiple entries. Click OK when done.

From Interface (combo box): (Not shown.) Displays for PIX Firewall devices only. Select the From interface name.

To Interface (combo box): (Not shown.) For PIX Firewall only. Select the To interface name.

To Pool (drop-down list): Select one of the pools defined in the previous steps.


Figure 5-27 IP Addresses Dialog Box

Step 8 Click OK to return to the NAT Configuration Details page.

Step 9 Click Static Translation in TOC section of NAT Configuration Details page as shown in Figure 5-28.

Figure 5-28 The NAT Configuration Details Page TOC with Primary Static Translation Highlighted

Step 10 The Primary Static Translations page appears as shown in Figure 5-29.

Figure 5-29 The Primary Static Translations Page With a Host-Based Translation

Step 11 Click Add to create a new static translation. The Static Translations dialog box appears as shown in Figure 5-30. Follow the instructions in Table 5-4 to enter values in the static translation fields.

Figure 5-30 Static Translations Dialog Box

Table 5-4 Static Translation Fields

Translation Type (drop-down list): Select one of the following as shown in Figure 5-30:

Host Based - Select for host-based static translations. (The network mask field does not appear for this selection.) This option translates the host IP address to another IP address.

Port Based - Select for port-based static translations. This option translates traffic destined to one port on a host to another port on another host. Choose the protocol (TCP/UDP) and input the port number to be translated.

Network Based - Select to enter network-based static translations. This option translates IP addresses for an entire network of hosts to IP addresses on another network. Add the network mask and the prefixes to be translated.

From (section heading, non-editable):

IP Address (text box): Enter the IP address for the static translation.

Interface (combo box): (Not shown.) Displays for PIX Firewall devices only. Select the From interface name.

Port (drop-down list): (Not shown.) For port-based static translations only. Select or enter the From port number.

To (section heading, non-editable):

Dest Addr Type (drop-down list): Select one of the following options: IP Address or Interface.

IP or Interface (text box): Enter the IP address or interface name.

Interface (combo box): (Not shown.) For PIX Firewall only. Select the To interface name.

Port (drop-down list): (Not shown.) For port-based static translations only. Select or enter the To port number.


Step 12 Click OK when done to return to the Primary Static Translations page.

Step 13 Click OK when done with the static translations to return to the NAT Configuration Details page.

Step 14 Continue to "Alternate Address Translations" section for Cisco IOS devices using the Addr Overlapping option, or click Add Template and continue to the "Adding Templates To Service Requests (Optional)" section.

Step 15 Click Done on the NAT Configuration Details page when you finish all the NAT configuration for a device. The NAT Service Editor appears as shown in Figure 5-31.

Figure 5-31 The NAT Service Editor Page with Configuration Details Added

Step 16 Click Save. The Service Request page appears with the status of the service request displayed in the lower left corner of the page as shown in Figure 5-32.

Figure 5-32 The Service Request Page with Status Message Displayed

Step 17 To deploy the service request, refer to the "Deploying Service Requests" section.


Alternate Address Translations

This section is only for Cisco IOS devices using the Addr Overlapping option. If you selected Addr Overlapping for a device, you must define the Alternate section options.

In the Alternate section of the NAT Configuration Details page TOC, you define the alternate NAT address pool, alternate dynamic translations, and alternate static translations using the same general steps as the Primary section.


Step 1 Locate the Alternate section of the NAT Configuration Details page TOC as shown in Figure 5-33.

Figure 5-33 The Alternate Section of the NAT Configuration Details Page TOC

Step 2 Follow the same instructions as in the "Primary Address Translations" section, except be sure to always select from the Alternate section of the TOC.

Step 3 Click Done on the NAT Configuration Details page when you finish all the NAT configuration for a device.
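As an added example covering the "Primary Address Translations" and "Alternate Address Translations" sections above and the interface marking in "Marking Interfaces for NAT" (this is not ISC's code and not its configlet format, which the page does not show), the following renders the fields of Tables 5-2 and 5-4 into standard Cisco IOS NAT commands, selects the alternate pool through a route-map, and includes a sanity check that no static global address falls inside the dynamic pool. The data model, pool names, the RM-<pool> route-map naming, the ACL numbers and all addresses are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass
class AddressPool:
    """One row of the Address Pools dialog (Table 5-2)."""
    name: str
    overload: bool = False           # Allow Overloading = PAT
    start: Optional[str] = None      # Entry Type = IP Address
    stop: Optional[str] = None
    netmask: Optional[str] = None
    interface: Optional[str] = None  # Entry Type = Interface (PAT on its address)


@dataclass
class StaticTranslation:
    """One row of the Static Translations dialog (Table 5-4)."""
    kind: str                        # "host", "port" or "network"
    local: str                       # From IP address or network
    global_: str                     # To IP address or network
    protocol: Optional[str] = None   # port-based only: "tcp" or "udp"
    local_port: Optional[int] = None
    global_port: Optional[int] = None
    netmask: Optional[str] = None    # network-based only


def render_pool(pool: AddressPool) -> List[str]:
    if pool.interface:
        return []                    # interface PAT needs no pool declaration
    return [f"ip nat pool {pool.name} {pool.start} {pool.stop} netmask {pool.netmask}"]


def render_dynamic(acl: int, pool: AddressPool, route_map: Optional[str] = None) -> List[str]:
    """Bind an ACL, directly or through a route-map, to a pool or an interface."""
    source = f"route-map {route_map}" if route_map else f"list {acl}"
    target = f"interface {pool.interface}" if pool.interface else f"pool {pool.name}"
    overload = " overload" if (pool.overload or pool.interface) else ""
    lines = [f"ip nat inside source {source} {target}{overload}"]
    if route_map:
        lines += [f"route-map {route_map} permit 10", f" match ip address {acl}"]
    return lines


def render_static(st: StaticTranslation) -> List[str]:
    if st.kind == "host":
        return [f"ip nat inside source static {st.local} {st.global_}"]
    if st.kind == "port":
        return [f"ip nat inside source static {st.protocol} {st.local} {st.local_port} "
                f"{st.global_} {st.global_port}"]
    if st.kind == "network":
        return [f"ip nat inside source static network {st.local} {st.global_} {st.netmask}"]
    raise ValueError(f"unknown translation type: {st.kind}")


def statics_inside_pool(statics, pool: AddressPool) -> List[str]:
    """Sanity check: a static global address that also lies inside a dynamic
    pool can be handed out to a second inside host. Returns the offenders."""
    if pool.interface:
        return []
    lo, hi = IPv4Address(pool.start), IPv4Address(pool.stop)
    return [st.global_ for st in statics
            if st.kind != "network" and lo <= IPv4Address(st.global_) <= hi]


def render_configlet(inside, outside, primary_acl, primary_pool, statics,
                     alternate_acl=None, alternate_pool=None) -> List[str]:
    lines = []
    for name in inside:
        lines += [f"interface {name}", " ip nat inside"]
    for name in outside:
        lines += [f"interface {name}", " ip nat outside"]
    lines += render_pool(primary_pool)
    lines += render_dynamic(primary_acl, primary_pool)
    for st in statics:
        lines += render_static(st)
    if alternate_pool is not None:       # IOS device with Addr Overlapping
        lines += render_pool(alternate_pool)
        lines += render_dynamic(alternate_acl, alternate_pool,
                                route_map=f"RM-{alternate_pool.name}")
    return lines


# Constructed sample values (all assumed).
PRIMARY = AddressPool("PRI", overload=True, start="203.0.113.10", stop="203.0.113.20",
                      netmask="255.255.255.0")
ALTERNATE = AddressPool("ALT", overload=True, start="172.16.5.1", stop="172.16.5.14",
                        netmask="255.255.255.240")
SOHO_PAT = AddressPool("PAT", interface="Serial0/0")   # Auto Translation style
STATICS = [
    StaticTranslation("host", "10.1.1.5", "203.0.113.5"),
    StaticTranslation("port", "10.1.1.6", "203.0.113.6", "tcp", 22, 2222),
    StaticTranslation("network", "10.1.2.0", "203.0.113.128", netmask="255.255.255.128"),
]

if __name__ == "__main__":
    print("\n".join(render_configlet(["FastEthernet0/0"], ["Serial0/0"],
                                     101, PRIMARY, STATICS, 102, ALTERNATE)))
    print("statics inside pool:", statics_inside_pool(STATICS, PRIMARY))
```

The route-map is the IOS mechanism for choosing a pool by destination; keep the peer destinations out of the primary ACL's permit entries (deny them there) so that only the route-map rule can match that traffic. The static-versus-pool check matters because a global address that is both statically mapped and inside a dynamic pool can be handed to a second inside host, which breaks the static mapping in a way that looks like intermittent reachability rather than a misconfiguration.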


Device Peer IP Address Ranges

Use this section only if you selected the Device Peer IP Address Range option.


Step 1 If you selected the Device Peer IP Address Range option, you need to define the peer IP address range. To do this, click Peer IP Address Range in the TOC of the NAT Configuration Details page as shown in Figure 5-34.

Figure 5-34 The NAT Configuration Details Page for Device Peer IP Address Range Option

Step 2 The Peer IP Address Ranges page appears as shown in Figure 5-35.

Figure 5-35 The CPE Peer IP Address Ranges Page

Step 3 Click Add. The page updates as shown in Figure 5-36.

Figure 5-36 The CPE Peer IP Address Ranges Page Ready to Add Address Range

Step 4 Enter the IP address and mask in the IP Address/Mask text box.

Step 5 Check Is Exclusion to exclude the host or network from No NAT.

Step 6 Click OK to return to NAT Configuration Details page.

Step 7 Click Done to return to NAT Service Editor page.

Step 8 Click Add Template and continue to the "Adding Templates To Service Requests (Optional)" section, or click Save in the NAT Service Editor page to save the service request.

Step 9 To deploy the service request, refer to the "Deploying Service Requests" section.


Adding Templates To Service Requests (Optional)

You can add configuration commands to a service request from a template by performing the following steps:


Step 1 In the NAT Service Editor page, click Add Template for the device for which you want to add templates. The Add/Remove Templates dialog box appears as shown in Figure 5-37.


Tip If you are not on the NAT Service Editor page and want to modify an existing NAT service request, click Service Inventory > Service Requests. Check the box next to the NAT service request you want to modify and click Edit.


Figure 5-37 Add/Remove Templates Dialog Box

Step 2 Click Add. The Template DataFile Chooser page appears as shown in Figure 5-38.

Figure 5-38 The Template DataFile Chooser Page

Step 3 Look at the folders on the left side of the page. These contain the templates.

Step 4 Click on a folder to expand it.

Step 5 Click on the template you want to use (when selected it appears highlighted). If there are options for that template, the Template DataFile Chooser dialog box updates and displays them. An example is shown in Figure 5-39.

Figure 5-39 The Template Datafile Chooser Page with Template Selected

Step 6 Select options as appropriate and click Accept to add the template. The Add/Remove Template dialog box appears with the selected Template as shown in Figure 5-40.

Figure 5-40 Add/Remove Templates Dialog Box with Template

Step 7 For each template, choose the appropriate fields as described in Table 5-5.

Table 5-5 Add/Remove Template Fields

Action (drop-down list): Select one of the following options:

APPEND - Appends the template to the configlet generated by the service request (adds it after the other service request configlets).

PREPEND - Prepends the template to the configlet generated by the service request (adds it before the other service request configlets).

Active (checkbox): Unless you check Active, the template is not instantiated. This lets you temporarily disable the template for this device.


Step 8 Click OK to return to the NAT Service Request Editor page.

Step 9 Click Save to update the service request and return to the

Step 10 Repeat, starting from Step 1, to add templates to other service requests.

Step 11 Click Save in the NAT Service Editor page to save the service request. Notice the service request state is now REQUESTED as shown in Figure 5-41.

Figure 5-41 The Deployed NAT Service Request Page

Step 12 Refer to "Provisioning Services," for instructions on how to deploy the NAT service request.