Wednesday, April 25, 2012

Policy NAT



In the previous post I gave a brief description of NAT and PAT, which are basically ways of mapping different IP's, both public and private, in a multitude of ways.  Think of it as being somewhat similar to DNS, but on a different level.  Where I work, we have more recently began using what is known as policy NAT, which has proven to be beneficial for several different reasons.

Policy NAT is a method by which you can control when and how you will NAT your subnets.  The basic concept is that you specify certain conditions that tell your router/firewall when and how to translate specific IP address and/or subnets.

For example, if user A wants to access their corporate email account, which is hosted internally, you can tell the NATing device to let them use their private IP address, since a public one is not necessary.  At the same time, user B wants to access www.google.com.  This time we will tell the NATing device to translate their private IP to a randomly chosen public IP in the specified address pool.  When user B closes their connection to www.google.com, the NATing device will remove that entry from the NATing table, and return the public IP address to the pool.

What this does for us is let us see the individual users when they are accessing internal resources.  This can help us identify problems with individual PC's, instead of having to go inside of the network to troubleshoot.  This also gives us some anonymity for the user when they go to the internet, since the public IP is only used temporarily and helps to prevent devices on the internet from being able to connect to a user's PC from the outside.

From there, we can continue to get even more granular, based on the rules you set on the NATing device that tell it when and how to NAT, or even PAT.  You can say that a certain host, or hosts, be mapped to a specific IP, while the rest are dynamic, i.e. use a temporary, random public IP from the address pool.  You can also say that some people can not use public addresses, or even specify that some hosts use a specific PAT address.

Here is an example config from a Cisco ASA firewall running 8.4(3) code:


object-group network INSIDE-NETWORK
 network-object 192.168.0.0 255.255.255.0
!
object-group network LOCAL-NETWORKS
 network-object 192.168.0.0 255.255.0.0
 network-object 10.0.0.0 255.0.0.0
!
object-group network NAT-REQUIRED-NETWORKS
 network-object host 10.10.10.1
 network-object host 10.10.10.2
!
object network NAT-POOL
 range 1.1.1.3 1.1.1.243
!
nat (inside,outside) source static INSIDE-NETWORK NAT-POOL destination static NAT-REQUIRED-NETWORKS NAT-REQUIRED-NETWORKS
nat (inside,outside) source static INSIDE-NETWORK INSIDE-NETWORK destination static LOCAL-NETWORKS LOCAL-NETWORKS
nat (inside,outside) source dynamic INSIDE-NETWORK NAT-POOL

This may look complicated (which at first it is, especially if no examples are available on the internet!), but if you break it down it's quite simple.

First, keep in mind that the (inside,outside) part is simply saying that these rules apply to someone coming from the inside interface, go to a destination outside of the firewall through the outside interface.

The object groups should be straight forward.  The inside network are the private network inside of the firewall.  The local networks are the corporate intranet networks, the NAT required networks are devices that can't or won't accept connections from a private IP address, and the NAT pool is the range of public IP address that the firewall can use for translating.

So, in this setup, if someone on the inside wants to go to a host within the corporate network, they'll keep their private address.  If they want to go to 10.10.10.1 or 10.10.10.2, they will use a random public IP address.  If they want to go anywhere else, i.e. something on the internet, they will use a
random public IP address.

So there's the gist of it.  Once you can familiarize yourself with this method of address mapping, it ends up providing you with so many benefits, as compared to traditional PATing.  I hope someone finds this helpful.  I had to learn this myself, since this specific type of NATing hadn't been done much when I first started, and there were no examples of how to do it, like the example I have provided above.

Good luck, and have fun!

(Image courtesy of den4b.com)

No comments:

Post a Comment