Table Of Contents
NAT Services
ISC NAT Features
NAT Provisioning Setup
Marking Interfaces for NAT
Adding IP Address Ranges for NAT
Creating NAT Service Requests
Primary Address Translations
Alternate Address Translations
Device Peer IP Address Ranges
Adding Templates To Service Requests (Optional)
NAT Services
This chapter contains the following sections:
• ISC NAT Features
• NAT Provisioning Setup
• Creating NAT Service Requests
• Adding Templates To Service Requests (Optional)
Note
Before creating an ISC security policy or service request, it is necessary to populate the ISC repository with the target devices in your network, collect the initial device configuration files, designate customers and customer sites, and define each target device as a CPE device.
CPE devices are the devices at each end of the VPN tunnel. Creating CPE devices includes assigning each target device to a specific customer and customer site and marking the device interfaces. Specifically for security management, you must define at least one outside and one inside interface on each device.
For how-to information on populating your ISC repository and setting up CPE devices, refer to the Cisco IP Solution Center Infrastructure Guide, 3.0.
ISC NAT Features
The NAT features supported by ISC deliver static and dynamic address translation on Cisco IOS and Cisco PIX Firewall devices. The following features are supported:
• Host-based, port-based, and network-based static translations.
• Dynamic translations based on either an address pool or an interface name for Internet-bound traffic.
• No-NAT for site-to-site traffic. (No-NAT designates traffic to which NAT is not applied.)
• NAT for both Internet-bound and site-to-site traffic. This enables you to manage sites with overlapping IP addresses by using NAT to shield the overlapping addresses from each other.
• For Cisco IOS devices with overlapping IP addresses, ISC also supports alternative IP address pools for site-to-site traffic, so that the Internet-bound traffic and site-to-site traffic can use different address pools.
NAT Provisioning Setup
Before you can begin NAT provisioning, your ISC device inventory must be populated. Please refer to the Cisco IP Solution Center: Infrastructure Reference, 3.0 for how to populate your device inventory and use ISC Inventory Manager.
Marking Interfaces for NAT
Either through the ISC Inventory Manager, or when assigning the CPE device to a customer in CPE Devices, CPE device interfaces need to be assigned their roles and attributes. As appropriate, interfaces are marked Inside or Outside based on how the NAT service should be deployed. NAT interfaces must be marked during CPE creation for a Cisco IOS device. There is no need to mark NAT interfaces for the PIX Firewall, because the PIX Firewall interface is selected at configuration time.
Step 1
To mark CPE interfaces for Cisco IOS devices, click Service Inventory > Inventory and Connection Manager. Click CPE Devices in the TOC column on the left of the page. The CPE Devices page appears as shown in Figure 5-1.
Figure 5-1 CPE Devices Page
Step 2
Check the box next to a CPE device that you want to use in your NAT service request and click Edit. The Edit CPE Device page appears as shown in Figure 5-2. (To create a new CPE device, refer to the Cisco IP Solution Center: Infrastructure Reference, 3.0.)
Figure 5-2 The Edit CPE Device Page
Step 3
Mark each device interface in the NAT column as either Inside, Outside, or None. Select Inside for the inward-facing NAT interface, Outside for the outward-facing NAT interface, and None for interfaces on the device that are not being used for NAT.
Adding IP Address Ranges for NAT
NAT services require that you define IP address ranges for all CPE devices used for NAT.
Step 1
Click Service Design > Service and Inventory Manager > CPE Device > Edit. The Edit CPE Device page appears as shown in Figure 5-3.
Figure 5-3 The Edit CPE Device Page with CPE Selected
Step 2
To check or define the IP Address Ranges, click Edit next to IP Address Ranges. The Edit CPE IP Address Ranges page appears as shown in Figure 5-4.
Figure 5-4 The Edit CPE IP Address Ranges Page
Step 3
Check that all IP address ranges for the device are defined.
Step 4
If you need to add an IP address range, click Create. The Address Range dialog box appears as shown in Figure 5-5.
Figure 5-5 Address Range Dialog Box
Step 5
Enter the summarized IP address and subnet mask in the Summarized IP and Subnet Address text box.
Step 6
Check Inclusion to include the device in No NAT, or check Exclusion to exclude the device from No NAT.
Step 7
Click OK when done to return to the Edit CPE IP Address Ranges page.
Step 8
Click OK to return to the Edit CPE Device page.
Creating NAT Service Requests
Unlike the other ISC security services, NAT does not require you to create a policy. NAT services are defined and deployed using service requests.
To create a NAT service request, you add CPE devices to the NAT service request and edit the NAT parameters for each device individually.
Note
By default, if you add multiple devices into one service request, it is assumed that traffic between the IP address ranges defined among the devices is to be designated as No-NAT. You can change the default behavior for individual devices within the NAT service request.
To create a NAT service request perform the following steps:
Step 1
Click Home > Service Inventory > Inventory and Connection Manager > Service Requests. The Service Requests page appears.
Figure 5-6 The Service Requests Page
Step 2
Click Create > NAT. The NAT Service Editor page appears as shown in Figure 5-7.
Figure 5-7 The NAT Service Editor Page
Step 3
Click Select next to Customer field. The Customer for NAT SR dialog box appears as shown in Figure 5-8.
Figure 5-8 Customer for NAT SR Dialog Box
Step 4
Click the button next to the customer to which the NAT service belongs and click Select. This returns you to the NAT Service Editor page.
Figure 5-9 The NAT Service Editor Page with Customer Added
Step 5
Click Select on the lower right of the NAT Service Editor page (directly above the Edit and Remove buttons). The CPEs Associated with NAT SR dialog box appears, as shown in Figure 5-10.
Figure 5-10 CPEs Associated with NAT SR Dialog Box
Step 6
Check the box next to the CPE device you want to use for NAT and click Select. The NAT Service Editor page appears as shown in Figure 5-11.
Figure 5-11 The NAT Service Editor Page with CPE Device Added
Step 7
Next, locate Peer IP Address Ranges. This option lets you share the IP address ranges among multiple devices in the same service request. For example, in a hub-and-spoke topology, many of the spoke devices share the same peer IP address ranges; you can define the peer IP address range once and point all the spoke devices to it by using the Peer IP Address Ranges option.
Step 8
Click Edit in the Peer IP Address Ranges row to add or modify peer IP addresses. The Peer IP Address Ranges dialog box appears as shown in Figure 5-12.
Figure 5-12 Peer IP Address Ranges Dialog Box
Step 9
Enter the IP Address Ranges of the CPE device peers. Check Is Exclusion to exclude the host or network from No NAT.
Step 10
Click OK to return to the NAT Service Editor page. The NAT Service Editor page appears as shown in Figure 5-13.
Figure 5-13 The NAT Service Editor Page with Peer IP Addresses Added
Step 11
Enter a description of the NAT service in the Description text box. The NAT Service Editor page appears as shown in Figure 5-14.
Figure 5-14 The NAT Service Editor Page with Description Added
Step 12
Next, fill in the fields in the lower portion of the NAT Service Editor page, as shown in Figure 5-15.
Figure 5-15 The Lower Portion of the NAT Service Editor Page
Step 13
Follow the instructions in Table 5-1 for the fields in the lower portion of the NAT Service Editor page.
Table 5-1 NAT Service Editor Fields
Field Name | Type | Instructions
Device Name | non-editable field | The name of the CPE device(s) you selected for NAT.
Device Type | non-editable field | Displays the CPE device type.
Addr Overlapping | checkbox | Check this box if the device has overlapping IP addresses with any other networks. When checked, all the IP address ranges behind this device are translated.
    Note: Traffic between your IP address ranges and the peer IP address ranges is not NATed unless the Addr Overlapping option is used.
    • If a Cisco IOS device has Addr Overlapping checked, when you edit the device you have the option to define alternative IP address pools for the traffic to the peer IP address ranges. In this way, traffic can be translated with primary translations using the primary IP address pool or with alternative translations using an alternate IP address pool. For example, traffic going to the Internet can be translated using the primary IP address pool (primary translations) while traffic going to the peer IP address ranges can be translated using another IP address pool (alternative translations). To configure alternative IP address pools, go to the Alternate section in the NAT Configuration Details page as shown in Figure 5-16.
    • If a PIX Firewall device is marked Addr Overlapping, traffic to any destination is translated using only the primary IP address pool, because the PIX Firewall does not support alternative translations.
Auto Translation | checkbox | Check if you want to translate all IP address ranges behind the device to one IP address on the outside interface using port address translation (PAT). (This is commonly used for a SOHO router.)
    Note: You can still define additional static translations in the NAT Configuration Details page.
IP Addr Range Option | drop-down list | This option creates the access control list (ACL) that determines which traffic should or should not undergo NAT. The defined translation takes effect unless the traffic is matched by a No-NAT entry in this ACL.
    Select one of the following options to define the IP address ranges to use as the peer IP address range:
    • Computed - This option generates the peer IP address range from the sum of all device IP address ranges in the service request. This is the easiest approach, but depending on the number of devices in the service request, it may result in a large No-NAT ACL.
    • Service Request Peer IP Address Range - This option uses the IP address range previously defined in the Service Request Editor page.
    • Device Peer IP Address Range - This option uses the device peer IP address range to define the peer IP address range for the current device. For example, the peer IP address ranges for a hub device can be summarized and defined using the Device Peer IP Address Range option, since this IP address range is only used by the hub device. If you select this option, refer to the "Device Peer IP Address Ranges" section to define the device peer IP address range.
    Note: Each CPE device must have its IP address ranges defined in the ISC repository.
Add Templates | link | Refer to the "Adding Templates To Service Requests (Optional)" section for information on how to use templates.
Step 14
After you have selected the NAT service options, check the box next to the Device Name on which you want to set up NAT and click Edit. You can select only one device at a time; otherwise, Edit is disabled.
The NAT Configuration Details page appears as shown in Figure 5-16.
Note
If you checked Addr Overlapping for this device, the Primary and Alternate IP address sections display on the NAT Configuration Details page. If Addr Overlapping is off, or the device is not a Cisco IOS device, the Alternate section does not display.
Figure 5-16 The NAT Configuration Details Page
Step 15
Look at the TOC on the left of the page, as shown in Figure 5-17.
Figure 5-17 TOC for NAT Configurations Details Page
Step 16
The TOC entries listed under Primary are for translations using the primary IP address pools, and the TOC entries listed under Alternate are for translations using alternate IP address pools. Continue to the "Primary Address Translations" section for Cisco IOS and PIX Firewall devices.
Primary Address Translations
In this section, you define the primary NAT address pool, dynamic translations, and static translations.
Step 1
Click NAT Address Pool under the Primary section of the NAT Configuration Details page TOC as shown in Figure 5-17.
Figure 5-18 The NAT Configuration Details Page TOC with Primary NAT Address Pools Highlighted
Step 2
The Primary NAT Address Pools page appears as shown in Figure 5-19.
Figure 5-19 The NAT Address Pools Page
Step 3
Click Add. The Address Pools dialog box appears as shown in Figure 5-20.
Figure 5-20 Address Pools Dialog Box
Step 4
Click Add in the Address Pools dialog box.
Figure 5-21 Address Pools Dialog Box After Clicking Add

Table 5-2 Address Pool Fields
Field Name | Type | Instructions
Pool Name | text box | Type in a name for the address pool.
Allow Overloading | checkbox | Check Allow Overloading if you want to do Port Address Translation (PAT).
Network Mask | text box | Enter the network mask.
Entry Type | drop-down list | Select one of the following options:
    • IP Address - Select IP Address from the Entry Type drop-down list. The dialog updates and displays the Start IP Address and Stop IP Address text boxes as shown in Figure 5-21.
    • Interface - Select Interface from the Entry Type drop-down list to use the IP address of the interface for PAT. The dialog updates and displays as shown in Figure 5-22. Click the ... box and the Interfaces for Device Pool Entry Interface Selection dialog box appears as shown in Figure 5-23. Click the button next to the interface you want to use and click Select. This returns you to the main Address Pools dialog box, as shown in Figure 5-24.
Figure 5-22 Address Pools Dialog Box with Interface Selected
Figure 5-23 Interfaces for Device Pool Entry Interface Selection Dialog Box
Figure 5-24 Address Pools Dialog Box with Interface Name Displayed
Step 5
Click OK to return to the NAT Configuration Details page.
Step 6
Click Dynamic Translation in the TOC section of the NAT Configuration Details page as shown in Figure 5-25.
Figure 5-25 The NAT Configuration Details Page TOC with Primary Dynamic Translation Highlighted
Step 7
The Primary Dynamic Translation page appears as shown in Figure 5-26. To add a translation, click Add.
Figure 5-26 The Primary Dynamic Translations Page
Table 5-3 Dynamic Translation Fields
Field Name | Type | Instructions
From IP Address Ranges | combo box | Click the ... box to enter the IP address ranges that need to be translated. The IP Address dialog box appears as shown in Figure 5-27. Enter the IP address and netmask. Click Add to add multiple entries. Click OK when done.
From Interface | combo box | (Not shown.) Displays for PIX Firewall devices only. Select the From interface name.
To Interface | combo box | (Not shown.) For PIX Firewall only. Select the To interface name.
To Pool | drop-down list | Select one of the pools defined in the previous steps.
Figure 5-27 IP Addresses Dialog Box
Step 8
Click OK to return to the NAT Configuration Details page.
Step 9
Click Static Translation in the TOC section of the NAT Configuration Details page as shown in Figure 5-28.
Figure 5-28 The NAT Configuration Details Page TOC with Primary Static Translation Highlighted
Step 10
The Primary Static Translations page appears as shown in Figure 5-29.
Figure 5-29 The Primary Static Translations Page With a Host-Based Translation
Step 11
Click Add to create a new static translation. The Static Translations dialog box appears as shown in Figure 5-30. Follow the instructions in Table 5-4 to enter values in the static translation fields.
Figure 5-30 Static Translations Dialog Box

Table 5-4 Static Translation Fields
Field Name | Type | Instructions
Translation Type | drop-down list | Select one of the following as shown in Figure 5-30:
    • Host Based - Select for host-based static translations. (The network mask field does not appear for this selection.) This option translates the host IP address to another IP address.
    • Port Based - Select for port-based static translations. This option translates traffic destined to one port on a host to another port on another host. Choose the protocol (TCP/UDP) and input the port number to be translated.
    • Network Based - Select to enter network-based static translations. This option translates IP addresses for an entire network of hosts to IP addresses on another network. Add the network mask and the prefixes to be translated.
From | section heading | Non-editable.
IP Address | text box | Enter the IP address for the static translation.
Interface | combo box | (Not shown.) Displays for PIX Firewall devices only. Select the From interface name.
Port | drop-down list | (Not shown.) For port-based static translations only. Enter the From port number.
To | section heading | Non-editable.
Dest Addr Type | drop-down list | Select one of the following options:
    • IP Address
    • Interface
IP or Interface | text box | Enter the IP address or interface name.
Interface | combo box | (Not shown.) For PIX Firewall only. Select the To interface name.
Port | drop-down list | (Not shown.) For port-based static translations only. Enter the To port number.
Step 12
Click OK when done to return to the Primary Static Translations page.
Step 13
Click OK when done with the static translations to return to the NAT Configuration Details page.
Step 14
Continue to "Alternate Address Translations" section for Cisco IOS devices using the Addr Overlapping option, or click Add Template and continue to the "Adding Templates To Service Requests (Optional)" section.
Step 15
Click Done on the NAT Configuration Details page when you finish all the NAT configuration for a device. The NAT Service Editor appears as shown in Figure 5-31.
Figure 5-31 The NAT Service Editor Page with Configuration Details Added
Step 16
Click Save. The Service Request page appears with the status of the service request displayed in the lower left corner of the page as shown in Figure 5-32.
Figure 5-32 The Service Request Page with Status Message Displayed
Step 17
To deploy the service request, refer to the "Deploying Service Requests" section.
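To make the settings in Table 5-1 (the No-NAT ACL built under the Computed peer option, Exclusion ranges, Addr Overlapping) and the primary pool, dynamic and static translations from the steps above concrete, here is an added Python model; it is not ISC code and this guide does not show what ISC actually generates. It emits standard Cisco IOS NAT command forms, and the choice to leave a device's own ranges out of its computed peer ranges is an assumption.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class AddrRange:
    cidr: str
    is_exclusion: bool = False   # Exclusion: leave this range out of No-NAT

@dataclass
class CpeDevice:
    name: str
    ranges: list                 # AddrRange entries held in the ISC repository
    addr_overlapping: bool = False

def inclusion_networks(device):
    """Inside ranges of a device that take part in No-NAT."""
    return [ipaddress.ip_network(r.cidr) for r in device.ranges if not r.is_exclusion]

def peer_ranges_computed(device, devices):
    """'Computed' option: peer ranges are the sum of the other devices' ranges in the
    service request (leaving out the device's own ranges is an assumption here)."""
    peers = []
    for other in devices:
        if other.name != device.name:
            peers.extend(inclusion_networks(other))
    return peers

def no_nat_acl(device, devices, acl_id=101):
    """ACL deciding what is translated: deny = No-NAT to a peer, permit = NAT.
    One deny per (inside range, peer range) pair is why many devices in one service
    request give a large No-NAT ACL. Addr Overlapping translates peer traffic too."""
    inside = inclusion_networks(device)
    lines = []
    if not device.addr_overlapping:
        for src in inside:
            for dst in peer_ranges_computed(device, devices):
                lines.append(f"access-list {acl_id} deny ip {src.network_address} "
                             f"{src.hostmask} {dst.network_address} {dst.hostmask}")
    for src in inside:
        lines.append(f"access-list {acl_id} permit ip {src.network_address} {src.hostmask} any")
    return lines

def dynamic_translation(pool_name, start_ip, stop_ip, netmask, acl_id=101, overload=False):
    """Primary NAT address pool plus the dynamic translation that uses it;
    overload is the Allow Overloading (PAT) checkbox."""
    pool = f"ip nat pool {pool_name} {start_ip} {stop_ip} netmask {netmask}"
    rule = f"ip nat inside source list {acl_id} pool {pool_name}"
    return [pool, rule + (" overload" if overload else "")]

def static_translation(kind, from_addr, to_addr, proto="tcp", from_port=0, to_port=0, mask=""):
    """Host-, port- or network-based static translation (the Table 5-4 types)."""
    if kind == "host":
        return f"ip nat inside source static {from_addr} {to_addr}"
    if kind == "port":
        return f"ip nat inside source static {proto} {from_addr} {from_port} {to_addr} {to_port}"
    if kind == "network":
        return f"ip nat inside source static network {from_addr} {to_addr} {mask}"
    raise ValueError(f"unknown translation type: {kind}")

# Constructed sample: a hub and two spokes; one spoke range is marked Exclusion.
DEVICES = [
    CpeDevice("hub", [AddrRange("10.0.0.0/16")]),
    CpeDevice("spoke-a", [AddrRange("10.1.0.0/24"), AddrRange("192.168.9.0/24", True)]),
    CpeDevice("spoke-b", [AddrRange("10.2.0.0/24")]),
]

if __name__ == "__main__":
    for dev in DEVICES:
        print("\n".join(no_nat_acl(dev, DEVICES)))
```

Running it shows the hub getting one deny line per spoke range while the spoke's Exclusion range never appears in any No-NAT entry.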
Alternate Address Translations
This section is only for Cisco IOS devices using the Addr Overlapping option. If you selected Addr Overlapping for a device, you must define the Alternate section options.
In the Alternate section of the NAT Configuration Details page TOC, you define the alternate NAT address pool, alternate dynamic translations, and alternate static translations using the same general steps as the Primary section.
Step 1
Locate the Alternate section of the NAT Configuration Details page TOC as shown in Figure 5-33.
Figure 5-33 The Alternate Section of the NAT Configuration Details Page TOC
Step 2
Follow the same instructions as in the "Primary Address Translations" section, except be sure to always select from the Alternate section of the TOC.
Step 3
Click Done on the NAT Configuration Details page when you finish all the NAT configuration for a device.
Device Peer IP Address Ranges
Use this section only if you selected the Device Peer IP Address Range option.
Step 1
If you selected the Device Peer IP Address Range option, you need to define the peer IP address range. To do this, click Peer IP Address Range in the TOC of the NAT Configuration Details page as shown in Figure 5-34.
Figure 5-34 The NAT Configuration Details Page for Device Peer IP Address Range Option
Step 2
The Peer IP Address Ranges page appears as shown in Figure 5-35.
Figure 5-35 The CPE Peer IP Address Ranges Page
Step 3
Click Add. The page updates as shown in Figure 5-36.
Figure 5-36 The CPE Peer IP Address Ranges Page Ready to Add Address Range
Step 4
Enter the IP address and mask in the IP Address/Mask text box.
Step 5
Check Is Exclusion to exclude the host or network from No NAT.
Step 6
Click OK to return to NAT Configuration Details page.
Step 7
Click Done to return to NAT Service Editor page.
Step 8
Click Add Template and continue to the "Adding Templates To Service Requests (Optional)" section, or click Save in the NAT Service Editor page to save the service request.
Step 9
To deploy the service request, refer to the "Deploying Service Requests" section.
Adding Templates To Service Requests (Optional)
You can add configuration commands to a service request from a template by performing the following steps:
Step 1
In the NAT Service Editor page, click Add Template for the device for which you want to add templates. The Add/Remove Templates dialog box appears as shown in Figure 5-37.
Tip
If you are not on the NAT Service Editor page and want to modify an existing NAT service request, click Service Inventory > Service Requests. Check the box next to the NAT service request you want to modify and click Edit.
Figure 5-37 Add/Remove Templates Dialog Box
Step 2
Click Add. The Template DataFile Chooser page appears as shown in Figure 5-38.
Figure 5-38 The Template DataFile Chooser Page
Step 3
Look at the folders on the left side of the page. These contain the templates.
Step 4
Click on a folder to expand it.
Step 5
Click on the template you want to use (when selected it appears highlighted). If there are options for that template, the Template DataFile Chooser dialog box updates and displays them. An example is shown in Figure 5-39.
Figure 5-39 The Template Datafile Chooser Page with Template Selected
Step 6
Select options as appropriate and click Accept to add the template. The Add/Remove Template dialog box appears with the selected Template as shown in Figure 5-40.
Figure 5-40 Add/Remove Templates Dialog Box with Template
Step 7
For each template, choose the appropriate fields as described in Table 5-5.
Table 5-5 Add/Remove Template Fields
Field Name | Type | Instructions
Action | drop-down list | Select one of the following options:
    • APPEND - Appends the template to the configlet generated by the service request (adds it after the other service request configlets).
    • PREPEND - Prepends the template to the configlet generated by the service request (adds it before the other service request configlets).
Active | checkbox | Unless you check Active for the template, the template is not instantiated. This lets you temporarily disable the template for this device.
Step 8
Click OK to return to the NAT Service Request Editor page.
Step 9
Click Save to update the service request and return to the
Step 10
Repeat, starting from Step 1, to add templates to other service requests.
Step 11
Click Save in the NAT Service Editor page to save the service request. Notice the service request state is now REQUESTED as shown in Figure 5-41.
Figure 5-41 The Deployed NAT Service Request Page
Step 12
Refer to "Provisioning Services," for instructions on how to deploy the NAT service request.