CCIE Security Advanced Technologies Class v3.5 - ASA Network Address Translation (NAT) Part 2

Transcript

1	Introduction	0h 37m
2	CCIE Security Preparation Resources	0h 50m
3	ASA Overview	0h 37m
4	Basic ASA Initialization	1h 02m
5	ASA Routing	0h 37m
6	ASA Reliable Static Routing	0h 20m
7	ASA Access Control Lists (ACLs)	0h 41m
8	ASA Modular Policy Framework (MPF) Overview	0h 53m
9	ASA Modular Policy Framework (MPF) Configuration	0h 51m
10	ASA Advanced TCP Inspection with MPF	0h 40m
11	ASA Advanced Application Inspection with MPF	0h 36m
12	ASA Quality of Service (QoS)	0h 30m
13	ASA Network Address Translation (NAT) Part 1	0h 50m
14	ASA Network Address Translation (NAT) Part 2	0h 30m
15	ASA Transparent Firewall Overview	0h 25m
16	ASA Transparent Firewall Configuration	0h 43m
17	ASA ARP Inspection with Transparent Firewall	0h 21m
18	ASA Multiple Context Mode Overview	0h 42m
19	ASA Multiple Context Mode Configuration	0h 59m
20	ASA Redundant Interfaces	0h 22m
21	ASA Failover Overview	0h 19m
22	ASA Active/Standby Failover Routed Firewall Configuration	0h 29m
23	ASA Active/Standby Failover Transparent Firewall Configuration	0h 17m
24	ASA Active/Active Failover Routed Firewall Configuration	0h 37m
25	ASA Multiple Context Transparent Firewall Configuration	0h 29m
26	ASA Active/Active Failover Transparent Firewall Configuration	0h 29m
27	IOS Access Control Lists (ACLs)	0h 23m
28	IOS Time Based ACLs	0h 13m
29	IOS Lock & Key Security with Dynamic ACLs	0h 24m
30	IOS Reflexive ACLs	0h 44m
31	IOS TCP Intercept and Content Based Access Control (CBAC)	0h 39m
32	Zone Based Policy Firewall Overview	0h 26m
33	Zone Based Policy Firewall Configuration	0h 44m
34	ZBPF Self Zone & ZBPF Exceptions	0h 48m
35	Port to Application Mapping (PAM)	0h 32m
36	ZBPF Parameter Tuning	0h 32m
37	ZBPF Application Inspection	0h 27m
38	IOS Transparent Firewall	0h 28m
39	IPsec Overview	0h 37m
40	IOS IPsec LAN-to-LAN Configuration	0h 58m
41	IPsec Troubleshooting	0h 42m
42	GRE over IPsec, IPsec Profiles, & VTIs	0h 51m
43	ASA IPsec Overview	0h 24m
44	ASA IPsec LAN-to-LAN Configuration	0h 20m
45	Certificate Authority (CA) Overview	0h 16m
46	IOS & ASA LAN-to-LAN IPsec with Certificates	0h 57m
47	Easy VPN Overview	0h 12m
48	IOS Easy VPN Server	1h 10m
49	IOS Easy VPN Client	0h 30m
50	IOS Easy VPN with Dynamic VTIs, ISAKMP Profiles	0h 49m
51	ASA Easy VPN Server	0h 51m
52	ASA Easy VPN Server & IOS Easy VPN Client	0h 17m
53	ASA Clientless & AnyConnect SSL VPN	1h 04m
54	DMVPN	1h 05m
55	IPS Overview, Promiscuous Mode & SPAN	0h 43m
56	IPS Promiscuous Mode & RSPAN	0h 28m
57	IPS Blocking Devices & Custom Signatures	0h 50m
58	IPS Inline Mode, VLAN Pairing	0h 15m
59	IPS Virtual Sensors and Signature Engines	0h 16m
60	AAA Overview, Local AAA, & Role Based CLI	0h 51m
61	RADIUS, TACACS+, & Cisco Secure ACS Configuration	0h 51m
62	RADIUS & TACACS+ Exec Authorization & Accounting	0h 39m
63	TACACS+ Command Accounting	0h 30m
64	RADIUS & TACACS+ Enable Authentication	0h 14m
65	IOS Authentication Proxy	0h 33m
Total Duration		39h 19m

Base Configs

Diagrams

Slides - Introduction

Slides - ASA

Slides - IOS Firewall

Slides - VPN

Slides - IPS

Slides - Identity Management

0:00:13	So continuing on here with our NAT example
0:00:17	again what I have configured is that
0:00:20	the ASA is doing an inside
0:00:22	to outside translation
0:00:24	for anything that comes in on this interface is being translated to the pool
0:00:29	200.0.100.0/24
0:00:35	Now we saw with that dynamic translation
0:00:38	that the traffic is allowed to move from the inside to out
0:00:41	but it cannot move from the outside in
0:00:44	unless the translation is arbitarily initiated from the inside
0:00:47	and thats the main difference between the static and the dynamic translation
0:00:51	but the static translation can be
0:00:53	having the traffic originated from the outside and then go in
0:00:58	Now there is a problem in this syntax that I have
0:01:01	on the ASA, where I was saying
0:01:04	NAT inside
0:01:07	rule number 1 says that
0:01:09	any traffic regardless of what the source is
0:01:13	is going to go to the NAT rule
0:01:15	this is means that when the traffic is moving from the inside to the DMZ
0:01:20	that it would also have to be translated
0:01:23	that either I would have to define a global pool that is being translated to
0:01:28	or run, whats known as a NAT exemption
0:01:31	to remove it from the NAT process
0:01:34	Now we will come back to this problem in
0:01:36	a minute when we talk about the identity map then the NAT exemptions
0:01:41	but first lets look at this static port forwarding
0:01:43	from the outside to the inside
0:01:46	so what I want to do is have host on the outside
0:01:49	hit the address that is
0:01:51	200.0.122.100
0:01:56	and want this to forward inside to the Windows Server
0:01:59	but specifically just at TCP port 80
0:02:02	this has with the running the
0:02:04	the web server process
0:02:08	So on the ASA
0:02:11	I need to create a static mapping
0:02:14	that is going to be from the DMZ interface to the outside
0:02:19	So we will say static
0:02:21	the traffic is coming from the DMZ, its going to the outside
0:02:26	and we are going to do this based on a port translation
0:02:30	or so a specific TCP port
0:02:32	the global address that we are translating to
0:02:36	is 200.0.122.100
0:02:41	using port number 80
0:02:44	when a traffic is going to the real
0:02:46	DMZ host 10.0.0.100 at that same port 80
0:02:53	So in this case we are doing essentially both the NAT statement and the global statement at the same time
0:02:59	where the source address thats been used
0:03:03	which is here the
0:03:05	10.0.0.100 at port 80
0:03:07	is going to be listen for on the outside interface
0:03:11	as 200.0.122.100 at port 80
0:03:16	so what this is means as an outside to DMZ flow
0:03:22	I would need to allow the traffic
0:03:24	that is coming in towards this address
0:03:28	as an access list exception
0:03:32	so if we were to go to the outside, lets go to router2
0:03:35	and from router2 I am going to telnet 200.0.122.100 at port 80
0:03:44	on the ASA if we turn logging on
0:03:48	and we will log to the console at level 7
0:03:52	what we should see
0:03:54	is that when
0:03:56	this traffic is send in to the ASA
0:03:59	it says its been denied
0:04:01	its being denied by the access-list we have applied outside in
0:04:05	which is normally what we would expect because we are moving from the low security interface to high
0:04:11	we are trying to move from 0 to 50
0:04:13	so I need to apply an exception in bound to this
0:04:17	but the key here is that it says the traffic that is getting dropped
0:04:21	is the traffic going to the 200.0.122.100 address
0:04:29	so when the ACL is classifying the traffic back in
0:04:33	we need to use the host NAT address
0:04:37	not the pre NAT address
0:04:39	so now when I say show run access-list
0:04:43	for access list outside in
0:04:47	I need to say permit TPC
0:04:50	any host
0:04:52	200.0.122.100
0:04:55	equal to port 80
0:04:57	so this would be that individual flow
0:05:01	Now when router2 tries to connect to that port
0:05:05	it should be forwarded towards them
0:05:08	Now you will see there are some examples in the
0:05:12	the volume or workbook on how to do this
0:05:14	if you knew the actual syntax for the http get
0:05:18	you can actually download the pages
0:05:21	so it would be the same as using like just a ??
0:05:24	a TCP session to the server
0:05:26	but at least we can tell based on this
0:05:28	the connection is occuring
0:05:31	and the translation has happened
0:05:33	on the ASA if we look at the show xlate
0:05:38	and specifically the show xlate detail
0:05:44	we will see that this translation
0:05:47	is a static TCP port address translation
0:05:52	which is our for port map
0:05:56	that if traffic goes on the outside to 200.0.122.100 at port 80
0:06:02	its actually being redirected to the DMZ at
0:06:05	10.0.0.100 at port 80
0:06:11	now from the inside network though
0:06:15	when we look at
0:06:16	router5 or router6 now trying to reach
0:06:20	the server on the DMZ
0:06:22	there is a problem with NAT classifier as the traffic comes in this interface
0:06:29	it has to do the fact that when I created the NAT rule
0:06:33	I was not specific
0:06:34	as to what exact traffic I want to be matched by the classifier
0:06:39	I said essentially for show run nat
0:06:42	I said any thing on the inside interface
0:06:46	So regardless of whether its going to the outside
0:06:48	regardless of whether its going to the DMZ
0:06:51	there should now be a corresponding global statement
0:06:55	then its matching the NAT rule for all of the outbound links
0:07:00	now from router5's perspective
0:07:03	if we were to do the same thing
0:07:07	we could see the connection is refused
0:07:09	but the reason why
0:07:11	is that there is a failure in the translation
0:07:15	which is going to lead us to the next type of NAT
0:07:19	which is
0:07:21	the identity NAT
0:07:23	and the NAT exemptions
0:07:26	and these two are used specifically for this type of scenario
0:07:30	where identity NAT
0:07:33	is used to translate an address to itself
0:07:37	or essentially its the same on the inside and the outside
0:07:42	Now typically you would only need identity NAT when NAT control is on
0:07:48	because otherwise there is no reason to do a translation
0:07:53	so if I wanted the host on the inside network here
0:07:57	which is the
0:07:58	10.0.125.0
0:08:01	If I want them to send the traffic out and it not be translated
0:08:05	the only thing I need to do is just not configure translation
0:08:08	because NAT control is off in this version by default
0:08:12	but the problem is now I did configure a NAT rule
0:08:16	so now its intercepting
0:08:18	all of the traffic that is going in that interface
0:08:24	so I could fix this with an identity NAT
0:08:27	but its actually more appropriate to fix this with whats known as a NAT exception
0:08:32	now a NAT exemption is similar to an identity NAT
0:08:36	but it allows
0:08:38	the traffic from the outside
0:08:40	to be initiated to the inside
0:08:43	so an indentity NAT would be considered a dynamic translation
0:08:47	or a NAT exemption would be considered a static translation
0:08:52	Now the reason that we would typically do this
0:08:55	is to remove
0:08:57	or exempt a particular traffic flow from the NAT process
0:09:02	and thats exactly what need to do in this case
0:09:04	I need to say that when traffic is moving from the inside interface to the DMZ
0:09:09	it should be exempt from the NAT process, I don't wanted to hit the classifier
0:09:15	Now typically you would normally use this with your IPSec configuration
0:09:19	where lets say that I had a tunnel
0:09:22	that was from ASA to
0:09:25	router3
0:09:27	and this is an IPSec
0:09:30	on IPSec LAN-to-LAN tunnel
0:09:33	and I am trying to encrypt traffic
0:09:35	between the 172.16.34.0 network
0:09:39	and the 10.0.125.0/24 network
0:09:45	So here I have the traffic routing over the tunnel
0:09:49	but additionally on the inside interface
0:09:53	I created a NAT process that says when I am going to the outside
0:09:57	I want to be translated to 200.0.100.0/24
0:10:03	because for public internet access I am going to need to have
0:10:07	the public addresses
0:10:09	but inside my VPN tunnel I don't need to do that
0:10:12	because its under my administration, I can route my own private addresses between my own internal sites
0:10:18	and this is exactly what the exemption is used for
0:10:21	Now typically the way you see this implemented
0:10:24	is that an access list is used
0:10:27	so we can match not only where the traffic is coming from
0:10:30	but where the traffic is going to
0:10:34	So with this example I would say
0:10:36	on the ASA2
0:10:38	I want to match
0:10:40	I will say, access-list 1
0:10:43	permit ip
0:10:46	from 10.0.125.0/24
0:10:50	to 172.16.34.0./24
0:10:56	so I have an access list matching traffic from VLAN 125
0:10:59	going to VLAN 34
0:11:02	then I am going to reference this from a NAT statement
0:11:05	but this is going to be the NAT 0
0:11:08	So NAT 0 was the NAT exemption
0:11:12	now in
0:11:13	outside of the IPSec design
0:11:15	whats going on specifically here
0:11:17	I need to exempt these packets
0:11:21	that are coming from the VLAN 125
0:11:24	I need to exempt them when they are moving to the DMZ
0:11:28	So, I will create an access-list
0:11:31	access-list that says - I don't really care about the sources
0:11:34	but I want to know is the destination
0:11:37	10.0.0.0/24
0:11:40	if that is true
0:11:41	do not go through the NAT classifier
0:11:44	So you are not going to change your addresses, you can just route the traffic directly between them
0:11:49	and thats why I am getting an error here that it says
0:11:52	that we don't know how to do the translation
0:11:55	because the
0:11:57	inside NAT's statement here
0:12:00	this says that the traffic should be translated
0:12:03	but there is no corressponding global that says, what you are actually going to translate it to
0:12:11	Now to do this again, first thing I am going to do is
0:12:15	configure an access-list
0:12:17	so we will say access-list
0:12:19	NAT exemption
0:12:21	is going to permit traffic, thats coming from anywhere, I don't care where it came from
0:12:26	but as long as it is going through 10.0.0.0/24
0:12:32	thats really what I care about
0:12:34	So I know its going towards the DMZ
0:12:37	Now we will have a NAT statement for the packets coming in the inside
0:12:42	they are going to be exempt from that
0:12:44	so NAT 0
0:12:46	if they match this access-list
0:12:49	NAT exemption
0:12:53	So now I should be able to see that from router5
0:12:57	if I were to ping this address
0:13:01	that the traffic is not going to be translated between them
0:13:04	and if we looked at the ASA, and looked at the show connections
0:13:09	we see there is a connection from router5
0:13:12	thats going through the AAA server at port 80
0:13:16	but if we look at the show xlate
0:13:19	there is not a translation between them
0:13:22	so there is a translation from the outside in
0:13:27	this is our static path translation
0:13:30	but there is not a translation when we are going from inside to the DMZ
0:13:36	So, it can be kind of a confusing here when you have more than two interfaces that is part of a NAT process
0:13:42	because if I only have inside and outside its obvious where the traffic flows are going
0:13:46	its coming from inside and its going to outside
0:13:48	whats coming from outside and going to inside
0:13:51	but anytime you have three or more
0:13:54	you essentially need to think about what are all the possible traffic flows
0:13:58	that I could go inside out, outside in
0:14:01	inside DMZ, DMZ in, outside DMZ, DMZ out
0:14:06	So from the NAT process perspective
0:14:08	there are six potential classifiers that I will need to do with
0:14:12	and whether we are doing a dynamic versus a static translation
0:14:17	is then going to control
0:14:18	which links can you move between
0:14:21	now I am doing here
0:14:24	a dynamic
0:14:27	translation from inside to out
0:14:30	this implicitly then means
0:14:33	I cannot move the traffic
0:14:35	from outside to in
0:14:38	becuase its required that the inside hosts first initiates the session
0:14:43	before the dynamic entry can be used
0:14:46	however for the outside to DMZ static translation
0:14:54	since this entry is always in the table
0:14:56	I can initiate the traffic from the outside in

Now Viewing

CCIE Security Advanced Technologies Class v3.5
Title:	CCIE Security Advanced Technologies Class v3.5
Duration:	39h 19m
The CCIE Security Advanced Technologies Class is the first step in understanding CCIE level technologies and is a companion to the Advanced Technologies Lab Workbook. Each technology you need to know for the CCIE Security lab will be described in detail using an instructor led hands on demonstration. The class consists of over 40 hours of in depth explanations and examples.
Get instant access to our entire library!
	Sign Up
Download this Course
$299.00	Add to Cart

ASA Network Address Translation (NAT) Part 2

Create Bookmark