Cisco ASA 5500 Series Configuration Guide using the CLI, 8.2
Table of Contents

Bypassing NAT
    Configuring Identity NAT
        Information About Identity NAT
        Licensing Requirements for Identity NAT
        Guidelines and Limitations for Identity NAT
        Default Settings for Identity NAT
        Configuring Identity NAT
        Monitoring Identity NAT
        Feature History for Identity NAT
    Configuring Static Identity NAT
        Information About Static Identity NAT
        Licensing Requirements for Static Identity NAT
        Guidelines and Limitations for Static Identity NAT
        Default Settings for Static Identity NAT
        Configuring Static Identity NAT
            Configuring Policy Static Identity NAT
            Configuring Regular Static Identity NAT
        Monitoring Static Identity NAT
        Feature History for Static Identity NAT
    Configuring NAT Exemption
        Information About NAT Exemption
        Licensing Requirements for NAT Exemption
        Guidelines and Limitations for NAT Exemption
        Configuring NAT Exemption
        Monitoring NAT Exemption
        Configuration Examples for NAT Exemption
        Feature History for NAT Exemption


Bypassing NAT


If you enable NAT control, then inside hosts must match a NAT rule when accessing outside hosts. You might want to bypass NAT when you enable NAT control so that local IP addresses appear untranslated. You also might want to bypass NAT if you are using an application that does not support NAT. See the "When to Use Application Protocol Inspection" section for information about inspection engines that do not support NAT.

You can bypass NAT using identity NAT, static identity NAT, or NAT exemption.

This chapter describes how to bypass NAT, and it includes the following topics:

Configuring Identity NAT

Configuring Static Identity NAT

Configuring NAT Exemption

Configuring Identity NAT

This section includes the following topics:

Information About Identity NAT

Licensing Requirements for Identity NAT

Guidelines and Limitations for Identity NAT

Default Settings for Identity NAT

Configuring Identity NAT

Monitoring Identity NAT

Feature History for Identity NAT

Information About Identity NAT

Identity NAT translates the real IP address to the same IP address. Only "translated" hosts can create NAT translations, and responding traffic is allowed back.

When you configure identity NAT (which is similar to dynamic NAT), you do not limit translation for a host on specific interfaces; you must use identity NAT for connections through all interfaces. For example, you cannot choose to perform normal translation on real addresses when you access interface A and then use identity NAT when accessing interface B. Because you use identity NAT for all connections through all interfaces, make sure that the real addresses for which you use identity NAT are routable on all networks that are available according to your access list.


Note If you need to specify a particular interface on which to translate the addresses, use regular dynamic NAT.


Figure 31-1 shows a typical identity NAT scenario.

Figure 31-1 Identity NAT

Licensing Requirements for Identity NAT

The following table shows the licensing requirements for this feature:

Model         License Requirement
All models    Base License.


Guidelines and Limitations for Identity NAT

This section includes the guidelines and limitations for this feature:

Context Mode Guidelines

Supported in single and multiple context mode.

Firewall Mode Guidelines

Supported in routed and transparent firewall modes.

Additional Guidelines and Limitations

If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT information is used, you can clear the translation table using the clear xlate command. However, clearing the translation table disconnects all current connections that use translations.

The real addresses for which you use identity NAT must be routable on all networks that are available according to your access lists.

For identity NAT, even though the mapped address is the same as the real address, you cannot initiate a connection from the outside to the inside (even if the interface access list allows it). Use static identity NAT or NAT exemption for this functionality.

Default Settings for Identity NAT

Table 31-1 lists the default settings for identity NAT parameters.

Table 31-1 Default Identity NAT Parameters

Parameter            Default
emb_limit            0, which means unlimited embryonic connections
tcp tcp_max_conns    0, which means unlimited connections
udp udp_max_conns    0, which means unlimited connections


Configuring Identity NAT

To configure identity NAT, enter the following command:

Command:

nat (real_interface) 0 real_ip [mask [dns] [outside] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]]

Example:

hostname(config)# nat (inside) 0 10.1.1.0 255.255.255.0

Purpose:

Configures identity NAT for the inside 10.1.1.0/24 network.

The real_interface argument specifies the name of the interface connected to the real IP address network.

For identity NAT, use the NAT ID of 0. This ID is referenced by the global command to associate a global pool with the real_ip.

The real_ip argument specifies the real address that you want to translate. You can use 0.0.0.0 (or the abbreviation 0) to specify all addresses.

The optional mask argument specifies the subnet mask for the real addresses. If you do not enter a mask, then the default mask for the IP address class is used.

The optional dns keyword rewrites the A record, or address record, in DNS replies that match this command. For DNS replies traversing from a mapped interface to any other interface, the A record is rewritten from the mapped value to the real value. Inversely, for DNS replies traversing from any interface to a mapped interface, the A record is rewritten from the real value to the mapped value.

You must enter outside if this interface is on a lower security level than the interface you identify by the matching global statement.

The optional norandomseq keyword disables TCP ISN randomization protection.

The optional tcp tcp_max_conns keyword and argument specify the maximum number of simultaneous TCP connections allowed to the local host. The default is 0, which means unlimited connections.

The optional emb_limit argument specifies the maximum number of embryonic connections per host. The default is 0, which means unlimited embryonic connections.

The optional udp udp_max_conns keyword and argument specify the maximum number of simultaneous UDP connections allowed to the local host. The default is 0, which means unlimited connections.

(For additional information about command options, see the nat command in the Cisco Security Appliance Command Reference.)


Monitoring Identity NAT

To monitor NAT bypass, enter the following command:

Command                    Purpose
show running-config nat    Displays a pool of global IP addresses that are associated with the network.


Feature History for Identity NAT

Table 31-2 lists the release history for this feature.

Table 31-2 Feature History for Identity NAT

Feature Name                Releases    Feature Information
Identity NAT                7.0         Identity NAT translates the real IP address to the same IP address. You use identity NAT for connections through all interfaces. The following command was introduced: nat.
NAT for transparent mode    8.0(2)      NAT began support in transparent firewall mode.


Configuring Static Identity NAT

This section includes the following topics:

Information About Static Identity NAT

Licensing Requirements for Static Identity NAT

Guidelines and Limitations for Static Identity NAT

Default Settings for Static Identity NAT

Configuring Static Identity NAT

Monitoring Static Identity NAT

Feature History for Static Identity NAT

Information About Static Identity NAT

Static identity NAT translates the real IP address to the same IP address. Static identity NAT enables you to specify the interface on which you want to allow the real addresses to appear, so you can use identity NAT when you access interface A, and use regular translation when you access interface B. Static identity NAT also enables you to use policy NAT, which identifies the real and destination addresses when determining the real addresses to translate. (See the "Policy NAT" section for more information about policy NAT.) For example, you can use static identity NAT for an inside address when it accesses the outside interface and the destination is server A, but you can use a normal translation when accessing the outside server B. The translation is always active, and both "translated" and remote hosts can originate connections.

Figure 31-2 shows a typical static identity NAT scenario.

Figure 31-2 Static Identity NAT

Licensing Requirements for Static Identity NAT

The following table shows the licensing requirements for this feature:

Model         License Requirement
All models    Base License.


Guidelines and Limitations for Static Identity NAT

This section includes the guidelines and limitations for this feature:

Context Mode Guidelines

Supported in single and multiple context mode.

Firewall Mode Guidelines

Supported in routed and transparent firewall modes.

Additional Guidelines and Limitations

The following guidelines and limitations apply to static identity NAT:

You cannot clear static translations from the translation table with the clear xlate command; you must remove the static command instead. Only dynamic translations created by the nat and global commands can be removed with the clear xlate command.

If you remove a static command, existing connections that use the translation are not affected. To remove these connections, enter the clear local-host command.

Policy static identity NAT does not consider the inactive or time-range keywords; all ACEs are considered to be active for policy NAT configurations. (See the "Policy NAT" section for more information.)

For static policy NAT, in undoing the translation, the ACL in the static command is not used. If the destination address in the packet matches the mapped address in the static rule, the static rule is used to untranslate the address.

Default Settings for Static Identity NAT

Table 31-3 lists the default settings for static identity NAT parameters.

Table 31-3 Default Static Identity NAT Parameters

Parameter            Default
emb_limit            0, which means unlimited embryonic connections
tcp tcp_max_conns    0, which means unlimited connections
udp udp_max_conns    0, which means unlimited connections


Configuring Static Identity NAT

This section describes how to configure policy static identity NAT and regular static identity NAT, and it includes the following topics:

Configuring Policy Static Identity NAT

Configuring Regular Static Identity NAT

Configuring Policy Static Identity NAT

To configure policy static identity NAT, enter the following command:

Command:

static (real_interface,mapped_interface) real_ip access-list acl_id [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

Example:

hostname(config)# static (inside,outside) 209.165.202.129 access-list NET1

Purpose:

Configures policy static NAT.

The real_interface,mapped_interface arguments specify the name of the interface connected to the real IP address network and the name of the interface connected to the mapped IP address network.

The real_ip argument specifies the real address that you want to translate.

The access-list keyword and acl_id argument identify the real addresses and destination/source addresses using an extended access list. Create the extended access list using the access-list extended command. (See Chapter 11 "Adding an Extended Access List.") This access list should include only permit ACEs. Make sure that the source address in the access list matches the real_ip in this command.

The optional dns keyword rewrites the A record, or address record, in DNS replies that match this static command. For DNS replies traversing from a mapped interface to any other interface, the A record is rewritten from the mapped value to the real value. Inversely, for DNS replies traversing from any interface to a mapped interface, the A record is rewritten from the real value to the mapped value. DNS inspection must be enabled to support this functionality.

The optional norandomseq keyword disables TCP ISN randomization protection.

The optional tcp tcp_max_conns keyword and argument specify the maximum number of simultaneous TCP connections allowed to the local host. The default is 0, which means unlimited connections.

The optional emb_limit argument specifies the maximum number of embryonic connections per host. The default is 0, which means unlimited embryonic connections.

The optional udp udp_max_conns keyword and argument specify the maximum number of simultaneous UDP connections allowed to the local host. The default is 0, which means unlimited connections.

(For additional information about command options, see the static command in the Cisco Security Appliance Command Reference.)


Example of Policy Static Identity NAT

The following policy static identity NAT example shows a single real address that uses identity NAT when accessing one destination address and a translation when accessing another:

hostname(config)# access-list NET1 permit ip host 10.1.2.27 209.165.201.0 255.255.255.224
hostname(config)# access-list NET2 permit ip host 10.1.2.27 209.165.200.224 255.255.255.224
hostname(config)# static (inside,outside) 209.165.202.129 access-list NET1
hostname(config)# static (inside,outside) 209.165.202.130 access-list NET2
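The two static commands above behave asymmetrically: in the forward direction the ACL decides which static applies, while in the reverse direction (a packet arriving on the mapped interface) the ACL is not consulted and only the address in the static command is compared, as the guidelines section states. The following Python model is an added example, not Cisco's code; the ACL and rule representation is constructed, and it assumes each ACE names a single real host.

```python
import ipaddress
from dataclasses import dataclass

# Constructed ACLs mirroring the example above: (source, destination) per ACE.
# Hypothetical in-memory form; the ASA's own tables are not modelled.
ACLS = {
    "NET1": [("10.1.2.27/32", "209.165.201.0/27")],
    "NET2": [("10.1.2.27/32", "209.165.200.224/27")],
}

@dataclass(frozen=True)
class PolicyStatic:
    real_if: str
    mapped_if: str
    static_ip: str   # the address given in the static command
    acl: str         # extended ACL whose source must match the real host

# The two static commands from the example, in configuration order.
STATICS = [
    PolicyStatic("inside", "outside", "209.165.202.129", "NET1"),
    PolicyStatic("inside", "outside", "209.165.202.130", "NET2"),
]

def _ace_matches(ace, src, dst):
    src_net, dst_net = (ipaddress.ip_network(n) for n in ace)
    return (ipaddress.ip_address(src) in src_net
            and ipaddress.ip_address(dst) in dst_net)

def translate(src, dst, real_if="inside", mapped_if="outside"):
    """Forward direction (real_if -> mapped_if): the ACL decides which static
    applies. Returns the address src appears as on mapped_if, or None."""
    for rule in STATICS:
        if (rule.real_if, rule.mapped_if) != (real_if, mapped_if):
            continue
        if any(_ace_matches(ace, src, dst) for ace in ACLS[rule.acl]):
            return rule.static_ip
    return None

def untranslate(dst, mapped_if="outside"):
    """Reverse direction (packet arriving on mapped_if for dst): the ACL is not
    consulted; only the static address is compared, as the guideline states.
    Returns the real address, or None if no static matches."""
    for rule in STATICS:
        if rule.mapped_if == mapped_if and rule.static_ip == dst:
            # Real host = the ACL's source; host (/32) ACEs are assumed here.
            return ACLS[rule.acl][0][0].split("/")[0]
    return None

if __name__ == "__main__":
    print(translate("10.1.2.27", "209.165.201.10"))   # 209.165.202.129
    print(translate("10.1.2.27", "198.51.100.5"))     # None: no policy match
    print(untranslate("209.165.202.130"))             # 10.1.2.27
```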

Configuring Regular Static Identity NAT

To configure regular static identity NAT, enter the following command:

Command:

static (real_interface,mapped_interface) real_ip real_ip [netmask mask] [dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

Example:

hostname(config)# static (inside,outside) 10.1.1.3 10.1.1.3 netmask 255.255.255.255

Purpose:

Configures static identity NAT.

The real_interface,mapped_interface arguments specify the name of the interface connected to the real IP address network and the name of the interface connected to the mapped IP address network.

The real_ip argument specifies the real address that you want to translate. Specify the same IP address for both real_ip arguments.

The netmask mask options specify the subnet mask for the real and mapped addresses.

The dns option rewrites the A record, or address record, in DNS replies that match this static. For DNS replies traversing from a mapped interface to any other interface, the A record is rewritten from the mapped value to the real value. Inversely, for DNS replies traversing from any interface to a mapped interface, the A record is rewritten from the real value to the mapped value.


Note DNS inspection must be enabled to support this functionality.


The norandomseq option disables TCP ISN randomization protection. Each TCP connection has two ISNs: one generated by the client and one generated by the server. The security appliance randomizes the ISN of the TCP SYN passing in both the inbound and outbound directions.

For static PAT, the tcp option specifies the protocol as TCP.

The tcp_max_conns argument specifies the maximum number of simultaneous TCP connections allowed to the local-host. (See the local-host command.) The default is 0, which means unlimited connections.

The optional emb_limit argument specifies the maximum number of embryonic connections per host. The default is 0, which means unlimited embryonic connections.

The udp udp_max_conns option specifies the maximum number of simultaneous UDP connections allowed to the local-host. (See the local-host command.) The default is 0, which means unlimited connections.

The example shown uses static identity NAT for an inside IP address (10.1.1.3) when accessed by the outside.


Examples of Regular Static Identity NAT

The following command uses static identity NAT for an inside IP address (10.1.1.3) when accessed by the outside:

hostname(config)# static (inside,outside) 10.1.1.3 10.1.1.3 netmask 255.255.255.255

The following command uses static identity NAT for an outside address (209.165.201.15) when accessed by the inside:

hostname(config)# static (outside,inside) 209.165.201.15 209.165.201.15 netmask 255.255.255.255

The following command statically maps an entire subnet:

hostname(config)# static (inside,dmz) 10.1.2.0 10.1.2.0 netmask 255.255.255.0


Monitoring Static Identity NAT

To monitor static identity NAT, enter the following command:

Command                       Purpose
show running-config static    Displays all static commands in the configuration.


Feature History for Static Identity NAT

Table 31-4 lists the release history for this feature.

Table 31-4 Feature History for Static Identity NAT

Feature Name                Releases    Feature Information
Static identity NAT         7.0         Static identity NAT translates the real IP address to the same IP address. The following command was introduced: static.
NAT for transparent mode    8.0(2)      NAT began support in transparent firewall mode.


Configuring NAT Exemption

This section includes the following topics:

Information About NAT Exemption

Licensing Requirements for NAT Exemption

Guidelines and Limitations for NAT Exemption

Configuring NAT Exemption

Monitoring NAT Exemption

Configuration Examples for NAT Exemption

Feature History for NAT Exemption

Information About NAT Exemption

NAT exemption exempts addresses from translation and allows both translated and remote hosts to initiate connections. Like identity NAT, you do not limit translation for a host on specific interfaces; you must use NAT exemption for connections through all interfaces. However, NAT exemption does enable you to specify the real and destination addresses when determining the real addresses to translate (similar to policy NAT), so you have greater control using NAT exemption than identity NAT. However, unlike policy NAT, NAT exemption does not consider the ports in the access list. Use static identity NAT to consider ports in the access list.

Figure 31-3 shows a typical NAT exemption scenario.

Figure 31-3 NAT Exemption

Licensing Requirements for NAT Exemption

The following table shows the licensing requirements for this feature:

Model         License Requirement
All models    Base License.


Guidelines and Limitations for NAT Exemption

This section includes the guidelines and limitations for this feature:

Context Mode Guidelines

Supported in single and multiple context mode.

Firewall Mode Guidelines

Supported in routed and transparent firewall modes.

Additional Guidelines and Limitations

If you remove a NAT exemption configuration, existing connections that use NAT exemption are not affected. To remove these connections, enter the clear local-host command.

NAT exemption does not support connection settings, such as maximum TCP connections.

By default, the nat command exempts traffic from inside to outside. If you want traffic from outside to inside to bypass NAT, then add an additional nat command and enter outside to identify the NAT instance as outside NAT. You might want to use outside NAT exemption if you configure dynamic NAT for the outside interface and want to exempt other traffic.

Access list hit counts, as shown by the show access-list command, do not increment for NAT exemption access lists.

You can only apply one NAT exemption rule per interface. If you enter another rule for the same interface, the old rule is overwritten.

Configuring NAT Exemption

To configure NAT exemption, enter the following command:

Command:

nat (real_interface) 0 access-list acl_name [outside]

Example:

hostname(config)# nat (inside) 0 access-list EXEMPT

Purpose:

Configures NAT exemption.

The real_interface argument specifies the name of the interface connected to the real IP address network.

For NAT exemption, use the NAT ID of 0.

The access-list keyword identifies local addresses and destination addresses using an extended access list. Create the extended access list using the access-list extended command. (See Chapter 11 "Adding an Extended Access List.") This access list can include both permit ACEs and deny ACEs. Do not specify the real and destination ports in the access list; NAT exemption does not consider the ports. NAT exemption considers the inactive and time-range keywords, but it does not support an access list in which every ACE is inactive or time-range bound.

By default, this command exempts traffic from inside to outside. If you want traffic from outside to inside to bypass NAT, then add an additional nat command and enter outside to identify the NAT instance as outside NAT. You might want to use outside NAT exemption if you configure dynamic NAT for the outside interface and want to exempt other traffic.

Enter outside if this interface is on a lower security level than the interface you identify by the matching global statement.

(For additional information about command options, see the nat command in the Command Reference.)


Monitoring NAT Exemption

To monitor NAT bypass, enter the following command:

Command                    Purpose
show running-config nat    Displays a pool of global IP addresses that are associated with the network.


Configuration Examples for NAT Exemption

The following examples show how to configure NAT exemption.

To exempt an inside network when accessing any destination address, enter the following command:

hostname(config)# access-list EXEMPT permit ip 10.1.2.0 255.255.255.0 any
hostname(config)# nat (inside) 0 access-list EXEMPT

To use dynamic outside NAT for a DMZ network, and exempt another DMZ network, enter the following commands:

hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dns
hostname(config)# global (inside) 1 10.1.1.45
hostname(config)# access-list EXEMPT permit ip 10.1.3.0 255.255.255.0 any
hostname(config)# nat (dmz) 0 access-list EXEMPT

To exempt an inside address when accessing two different destination addresses, enter the following commands:

hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 255.255.255.224
hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 255.255.255.224
hostname(config)# nat (inside) 0 access-list NET1
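The guidelines and command description above name three ways a NAT exemption configuration silently does less than intended: ports in the exemption access list are ignored, a second nat 0 access-list rule on the same interface overwrites the first, and an access list whose ACEs are all inactive or time-range bound is not supported. The following Python auditor is an added example, not Cisco's tooling, for checking a configuration before it is applied; the sample fragment it scans is constructed, and treating the outside instance as a separate rule per interface is an assumption drawn from the text.

```python
import re
from collections import defaultdict

# Port operators an ACE may carry; NAT exemption ignores ports entirely.
PORT_OPS = {"eq", "neq", "gt", "lt", "range"}
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)( outside)?$")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?(?:permit|deny) (.+)$")

def audit_nat_exemption(config_text):
    """Return [(severity, message), ...] for the nat 0 access-list rules found."""
    acls = defaultdict(list)   # ACL name -> [(config line, ACE tokens)]
    exemptions = {}            # (interface, outside?) -> (config line, ACL); last wins
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        m = ACL_RE.match(line)
        if m:
            acls[m.group(1)].append((lineno, m.group(2).split()))
            continue
        m = NAT0_RE.match(line)
        if m:
            # The outside instance is tracked separately (assumption, per the text).
            key = (m.group(1), m.group(3) is not None)
            if key in exemptions:
                old_line, old_acl = exemptions[key]
                findings.append(("error", f"line {lineno}: nat ({key[0]}) 0 access-list "
                                 f"{m.group(2)} overwrites line {old_line} (ACL {old_acl})"))
            exemptions[key] = (lineno, m.group(2))
    for (iface, _outside), (nat_line, acl) in exemptions.items():
        aces = acls.get(acl)
        if not aces:
            findings.append(("error", f"line {nat_line}: nat ({iface}) 0 references "
                             f"undefined ACL {acl}"))
            continue
        if all("inactive" in t or "time-range" in t for _, t in aces):
            findings.append(("error", f"ACL {acl}: every ACE is inactive or time-range "
                             "bound; not supported for NAT exemption"))
        for ace_line, tokens in aces:
            if PORT_OPS & set(tokens):
                findings.append(("warning", f"line {ace_line}: ACL {acl} ACE specifies "
                                 "ports, which NAT exemption ignores"))
    return findings

# Constructed sample running-config fragment (not from a real device).
SAMPLE_CONFIG = """\
access-list EXEMPT permit ip 10.1.2.0 255.255.255.0 any
access-list EXEMPT permit tcp host 10.1.2.5 any eq 443
access-list OLD permit ip 10.1.9.0 255.255.255.0 any
access-list DEAD permit ip 10.1.4.0 255.255.255.0 any inactive
nat (inside) 0 access-list OLD
nat (inside) 0 access-list EXEMPT
nat (dmz) 0 access-list DEAD
nat (dmz) 0 access-list MISSING outside
"""

if __name__ == "__main__":
    for severity, message in audit_nat_exemption(SAMPLE_CONFIG):
        print(f"{severity}: {message}")
```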

Feature History for NAT Exemption

Table 31-5 lists the release history for this feature.

Table 31-5 Feature History for NAT Exemption

Feature Name                Releases    Feature Information
NAT exemption               7.0         NAT exemption exempts addresses from translation and allows both translated and remote hosts to initiate connections. The following command was introduced: nat.
NAT for transparent mode    8.0(2)      NAT began support in transparent firewall mode.