Mukesh Chanderia

PA NAT

Updated: Feb 20, 2022

IP Address


1. Private IPs --> RFC 1918 (Request for Comments)

Not routable over the Internet; only locally unique, and free for anyone to use.


Class A = 10.x.x.x (10.0.0.0/8)

Class B = From 172.16.x.x to 172.31.x.x (172.16.0.0/12; note that 172.32.x.x onwards is public)

Class C = 192.168.x.x (192.168.0.0/16; only this /16 of 192.x.x.x is private)

2. Public IPs --> Globally unique addresses, routable over the Internet


NAT


NAT is an address-rewriting mechanism: it translates IP addresses [Layer 3] and, where required, port numbers [Layer 4].


Overlapping NAT


Used when two companies with the same private range, say 10.10.10.x/24, need to communicate with each other.


So Company A tells its users that the hosts in Company B are on subnet 10.10.11.x/24.


Similarly, Company B tells its users that the hosts in Company A are on subnet 10.10.12.x/24, even though the users in both companies are really on the same subnet, 10.10.10.x/24. Each firewall translates both the source and the destination address of every packet, so neither side ever sees the overlapping range.


On a Cisco ASA this is configured with Manual (twice) NAT.


Lab Setup


Have a look at the PA network adapters.


Network Adapter 1 is the Management interface: it can be set to NAT (or Bridged).

By doing this it takes its IP from DHCP.


You won't see the management interface in the GUI under Network --> Interfaces; it is configured under Device --> Setup.


Now


Network Adapter 2 (VMnet 9): let it be the Internal interface.

Network Adapter 3 (VMnet 10): let it be the DMZ interface.

Network Adapter 4 (Bridged network): let it be the External interface.


Why has the External interface been made Bridged?


My laptop is connected through Wi-Fi and I want the PA's external interface to sit virtually on the same Wi-Fi network.




Now the PA (external interface) also has an IP in the same range as the laptop.


The PA external interface also received DNS servers from the ISP, but these are of no use here.


Let's now make it a static IP (even though for lab purposes we don't strictly need to).


Let's configure a default route in the virtual router pointing towards the gateway (learned from DHCP).



Note: A zone can contain multiple interfaces, but an interface cannot belong to multiple zones, i.e. it can be in only one zone.


So here is our Network Configuration





Let's put our XP1 box in the internal network.




Since for now we are focusing on NAT, create a simple security policy that allows all traffic from the internal zone to the external zone (lab only; in production the rule should be restricted to the applications needed).





Types of NAT


1) Destination NAT (Incoming Traffic)


- Applied to incoming packets

- Translates the destination address and, if required, the destination port as well (port forwarding)

- Static mapping, optionally with port translation (static PAT)


Practical:


Step 1: Let's take our XP2 and configure it as a web server.




Step 2: Create a security rule to allow traffic coming from Outside to DMZ. Use the post-NAT zone (DMZ) as the destination zone but the pre-NAT (public) address as the destination address.



Step 3: Create a NAT rule. In the Original Packet, the source and destination zones are both Outside (the public address routes out of the outside interface) and the destination address is the public IP; in the Translated Packet, set the destination address to the web server's private IP.




Step 4: Bring up any system in the external network (I used my own laptop) and browse to the public IP.







2) Source NAT [Hide NAT]


A) Dynamic IP and Port (Outgoing Traffic), i.e. PAT


Translates the source IP address and the source port.

Outbound direction.

Many-to-one translation [PAT/overloading]: one public IP, a unique port per session.

Conserves public IPs [translates many private IPs to one public IP].






B) Many-to-Many NAT (Outgoing Traffic), called Dynamic IP in PAN-OS


Many-to-many translation.

A pool of public IPs is used dynamically to translate the private IPs [pool of IPs]. Only the IP is translated; the source port is kept.

No fixed one-to-one mapping: a host holds a pool address only while it has sessions, and the address goes back to the pool afterwards.


e.g., Public IPs --> 6

Private IPs --> 254


Only six hosts can be translated at a time, so it is combined with PAT: when all public IPs in the pool are in use, the firewall falls back to Dynamic IP and Port (the Dynamic IP/Port Fallback option in the NAT rule's Translated Packet tab).
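Added example (not from the post, and not PAN-OS code): a small Python model of the two source NAT modes above. The address plan is constructed: 254 hosts on 10.10.10.0/24, a pool of six public addresses from 203.0.113.0/29, and an outside interface address 203.0.113.9 that the rule falls back to for PAT once the pool is used up. It shows that Dynamic IP keeps the source port and changes only the IP, that a host's pool address is returned when its last session closes and can then be handed to another host, and that Dynamic IP and Port keeps one IP and hands out a unique port per session.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan for this example (assumptions, not the lab in the post):
# 254 inside hosts, a pool of six public addresses and the outside interface
# address used for Dynamic IP/Port fallback (kept outside the pool on purpose).
PRIVATE_HOSTS = [str(h) for h in ipaddress.ip_network("10.10.10.0/24").hosts()]
PUBLIC_POOL = [str(h) for h in ipaddress.ip_network("203.0.113.0/29").hosts()]
OUTSIDE_IF_IP = "203.0.113.9"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class DynamicIpAndPort:
    """Many-to-one (PAT/overloading): every session is rewritten to one public
    IP and a unique source port, so the returning packet can be matched to its
    session by (public_ip, port) alone."""

    def __init__(self, public_ip, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        self.bindings = {}  # Flow -> (public_ip, translated_port)

    def translate(self, flow):
        if flow in self.bindings:  # an existing session keeps its binding
            return self.bindings[flow]
        if self.next_port > self.last_port:
            raise RuntimeError("PAT port range exhausted on " + self.public_ip)
        binding = (self.public_ip, self.next_port)
        self.next_port += 1
        self.bindings[flow] = binding
        return binding

    def close(self, flow):
        self.bindings.pop(flow, None)


class DynamicIpWithFallback:
    """Dynamic IP (many-to-many): a host borrows one pool address for as long
    as it has sessions; only the IP changes, the source port is kept. When the
    pool is empty the rule falls back to Dynamic IP and Port on a separate
    address, which is what the PAN-OS Dynamic IP/Port Fallback option does."""

    def __init__(self, pool, fallback_ip):
        self.free = list(pool)  # addresses nobody is using right now
        self.leases = {}        # private ip -> public ip currently borrowed
        self.sessions = {}      # private ip -> number of open sessions
        self.table = {}         # Flow -> binding, for every session this rule made
        self.fallback = DynamicIpAndPort(fallback_ip)

    def translate(self, flow):
        if flow in self.table:  # existing session keeps its binding
            return self.table[flow]
        if flow.src_ip not in self.leases and self.free:
            self.leases[flow.src_ip] = self.free.pop(0)
        if flow.src_ip in self.leases:
            self.sessions[flow.src_ip] = self.sessions.get(flow.src_ip, 0) + 1
            binding = (self.leases[flow.src_ip], flow.src_port)  # only the IP changes
        else:
            binding = self.fallback.translate(flow)  # pool exhausted: PAT instead
        self.table[flow] = binding
        return binding

    def close(self, flow):
        """Session end: give the pool address back once the host has no sessions."""
        binding = self.table.pop(flow, None)
        if binding is None:
            return
        if binding[0] == self.fallback.public_ip:
            self.fallback.close(flow)
            return
        self.sessions[flow.src_ip] -= 1
        if self.sessions[flow.src_ip] == 0:
            del self.sessions[flow.src_ip]
            self.free.append(self.leases.pop(flow.src_ip))


def demo():
    """Every inside host opens one HTTPS session to the same (constructed) server."""
    nat = DynamicIpWithFallback(PUBLIC_POOL, OUTSIDE_IF_IP)
    flows = [Flow(ip, 40000 + i, "198.51.100.10", 443) for i, ip in enumerate(PRIVATE_HOSTS)]
    results = [nat.translate(f) for f in flows]
    return nat, flows, results


if __name__ == "__main__":
    nat, flows, results = demo()
    for f, r in list(zip(flows, results))[:8]:  # hosts 1-6 get pool IPs, 7 and 8 get PAT
        print(f"{f.src_ip}:{f.src_port} -> {r[0]}:{r[1]}")
```

The first six hosts come out with distinct pool addresses and their original ports; host seven onwards shares 203.0.113.9 with a per-session port. Closing host one's session frees 203.0.113.1, and the next new session from host seven takes it, which is the "no fixed one-to-one mapping" property in action.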


Let's open Facebook on XP1













3) Static NAT [Incoming traffic to provide a service, and outgoing (bi-directional) for updates]


In the GUI you configure the rule in the outgoing direction, i.e. from DMZ to Outside, with the DMZ server [10.10.11.10] as the original source address.


In the NAT policy the "PRE-NAT ZONE" is used.



Now define the IP for the static NAT, i.e. a one-to-one mapping for the DMZ server:


10.10.11.10 --> 192.168.29.85


Also tick "Bi-directional" so that the reverse traffic is translated too:


192.168.29.85 --> 10.10.11.10


192.168.29.85 --> 10.10.11.10





One-to-one static mapping

Only the IP address is translated; ports are unchanged

One-to-one translation

Bi-directional (the DMZ server can be NATed to download updates, and hosts on the Internet can reach the server)





So the PA creates one additional, implicit NAT rule for the reverse direction (Outside to DMZ); together with the configured rule, the DMZ server can reach the Internet and Internet hosts can reach the server.


Out2DMZ


Here the destination zone is DMZ, but because the user hits the Outside interface of the firewall, the destination address used is 192.168.29.85.


In both the Security Policy and the NAT Policy the "PRE-NAT ADDRESS" is used.

In the Security Policy the "POST-NAT ZONE" is used.


DMZ2OUT


The outbound security policy for the server: from DMZ to Outside, source 10.10.11.10.


To verify the NAT rules from the CLI (the screenshot's "show run Nat"), the command is: show running nat-policy. To check which rule a given packet would hit, use test nat-policy-match with the pre-NAT zones and addresses, e.g.: test nat-policy-match from OUTSIDE to OUTSIDE source 203.0.113.50 destination 192.168.29.85 protocol 6 destination-port 80 (203.0.113.50 is just an example client address).


Destination NAT (incoming traffic) takes place before routing, whereas source NAT (outgoing traffic) takes place after routing. On the PA this means the firewall first does a route lookup on the original destination to find the pre-NAT zone for the NAT policy lookup; if the destination is translated, it does a second route lookup on the translated address to find the egress interface and the post-NAT zone; the source address is rewritten only as the packet leaves.


The public IP address used for NAT does not have to be configured on a firewall interface. It can even be in a different subnet from the interface's; in that case the upstream router must route that subnet to the firewall.


If the NAT IP is in the outside interface's subnet, the proxy ARP feature answers ARP requests for all NAT IPs with the MAC address of the outside interface.


4) NAT on a VWire


Interfaces in a VWire do not have an IP address assigned, hence the translated source address must come from an address pool (the interface-address option is not available).

All NAT types are allowed: source NAT (Dynamic IP; Dynamic IP and Port; Static IP) and destination NAT.



As the ISP has a static route for the NAT range pointing towards the CE router and advertises it in BGP, all traffic for the NAT IPs reaches the firewall.


Sometimes an issue is noticed on a Check Point firewall, and to resolve it we need to configure static ARP entries mapping every NAT IP to the outside MAC.




In the Security Policy the "POST-NAT ZONE" is used, whereas in the NAT Policy the "PRE-NAT ZONE" is used.

In both the Security Policy and the NAT Policy the "PRE-NAT ADDRESS" is used.


Security Policy


Name: Outside_2_DMZ


Source Zone - OUTSIDE

Source Address - ANY


Destination: Dest Zone - DMZ (post-NAT zone)

: Dest Address - 114.30.77.52 (pre-NAT address)

Application: web-browsing

Action: Allow


NAT Policy


Name: Outside to Inside DNAT


Original Packet

: Source Zone --> OUTSIDE

: Source Address --> ANY

: Destination Zone --> OUTSIDE (pre-NAT zone: the public address routes out of the outside interface)

: Destination Address --> 114.30.77.52


Translated Packet

: Source Address Translation --> None (Dynamic IP and Port, Dynamic IP and Static IP are all left unset)

: Destination Address Translation --> 192.168.1.1
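Added example (not from the post, and not PAN-OS code): a Python model of the evaluation order described above, written so the pre-NAT/post-NAT rule can be checked rather than remembered. The interface names, the route table and the outside interface address 192.168.29.2 are assumptions; the DMZ server 10.10.11.10, its public address 192.168.29.85 and the rule names Out2DMZ and DMZ2OUT come from the lab above. The NAT lookup uses the pre-NAT zone (a route lookup on the original destination) and pre-NAT addresses; the security lookup uses the post-NAT zone (a second route lookup on the translated destination) and still the pre-NAT addresses. A bi-directional static rule expands into an implicit reverse rule, and the two deliberately wrong security rules at the end show how a rule written with the pre-NAT zone or with the post-NAT address fails to match.

```python
import ipaddress

ANY = "any"

# Constructed lab topology. Interface names, the route table and the outside
# interface address 192.168.29.2 are assumptions; 10.10.11.10 <-> 192.168.29.85
# is the DMZ server mapping from the post.
INTERFACE_ZONE = {"ethernet1/1": "OUTSIDE", "ethernet1/2": "INSIDE", "ethernet1/3": "DMZ"}
ROUTES = [  # (prefix, egress interface); longest prefix wins
    ("10.10.10.0/24", "ethernet1/2"),
    ("10.10.11.0/24", "ethernet1/3"),
    ("192.168.29.0/24", "ethernet1/1"),
    ("0.0.0.0/0", "ethernet1/1"),
]

NAT_RULES = [  # evaluated top down, first match wins; zones and addresses are PRE-NAT
    {"name": "DMZ2OUT", "from": "DMZ", "to": "OUTSIDE", "src": "10.10.11.10", "dst": ANY,
     "tsrc": "192.168.29.85", "tdst": None, "bidir": True},   # static, bi-directional
    {"name": "IN2OUT-DIPP", "from": "INSIDE", "to": "OUTSIDE", "src": "10.10.10.0/24", "dst": ANY,
     "tsrc": "192.168.29.2", "tdst": None, "bidir": False},   # hide behind the outside interface
]

SECURITY_RULES = [  # zones are POST-NAT, addresses are PRE-NAT
    {"name": "Out2DMZ", "from": "OUTSIDE", "to": "DMZ", "src": ANY, "dst": "192.168.29.85", "action": "allow"},
    {"name": "DMZ2OUT", "from": "DMZ", "to": "OUTSIDE", "src": "10.10.11.10", "dst": ANY, "action": "allow"},
    {"name": "IN2OUT", "from": "INSIDE", "to": "OUTSIDE", "src": ANY, "dst": ANY, "action": "allow"},
]

# Two common mistakes, kept only for the demonstration: pre-NAT zone, or post-NAT address.
WRONG_SECURITY_RULES = [
    {"name": "Out2DMZ-prenat-zone", "from": "OUTSIDE", "to": "OUTSIDE", "src": ANY, "dst": "192.168.29.85", "action": "allow"},
    {"name": "Out2DMZ-postnat-addr", "from": "OUTSIDE", "to": "DMZ", "src": ANY, "dst": "10.10.11.10", "action": "allow"},
]


def addr_match(ip, spec):
    return spec == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def zone_match(zone, spec):
    return spec == ANY or zone == spec


def zone_for(dst_ip):
    """Route lookup: the zone of the egress interface for dst_ip (longest prefix)."""
    matches = [r for r in ROUTES if addr_match(dst_ip, r[0])]
    best = max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return INTERFACE_ZONE[best[1]]


def expand_bidirectional(rules):
    """A static source NAT rule marked bi-directional gains an implicit reverse
    (destination NAT) rule: from any zone towards the zone where the translated
    address lives, rewriting that address back to the original host."""
    expanded = []
    for r in rules:
        expanded.append(r)
        if r["bidir"]:
            expanded.append({"name": r["name"] + " (implicit reverse)", "from": ANY, "to": r["to"],
                             "src": ANY, "dst": r["tsrc"], "tsrc": None, "tdst": r["src"], "bidir": False})
    return expanded


def process(ingress_if, src_ip, dst_ip, security_rules=SECURITY_RULES):
    from_zone = INTERFACE_ZONE[ingress_if]
    pre_nat_to_zone = zone_for(dst_ip)  # 1st route lookup: original destination
    nat = next((r for r in expand_bidirectional(NAT_RULES)
                if zone_match(from_zone, r["from"]) and zone_match(pre_nat_to_zone, r["to"])
                and addr_match(src_ip, r["src"]) and addr_match(dst_ip, r["dst"])), None)
    tsrc = nat["tsrc"] if nat and nat["tsrc"] else src_ip
    tdst = nat["tdst"] if nat and nat["tdst"] else dst_ip
    post_nat_to_zone = zone_for(tdst)  # 2nd route lookup: translated destination
    sec = next((r for r in security_rules  # post-NAT zone, but still pre-NAT addresses
                if r["from"] == from_zone and r["to"] == post_nat_to_zone
                and addr_match(src_ip, r["src"]) and addr_match(dst_ip, r["dst"])), None)
    return {
        "from_zone": from_zone, "pre_nat_to_zone": pre_nat_to_zone,
        "nat_rule": nat["name"] if nat else None, "translated": (tsrc, tdst),
        "post_nat_to_zone": post_nat_to_zone,
        "security_rule": sec["name"] if sec else None,
        "action": sec["action"] if sec else "deny (interzone default)",
    }


if __name__ == "__main__":
    for pkt in [("ethernet1/1", "203.0.113.50", "192.168.29.85"),  # Internet host to the DMZ server
                ("ethernet1/3", "10.10.11.10", "198.51.100.10"),   # DMZ server fetching updates
                ("ethernet1/2", "10.10.10.5", "198.51.100.10")]:   # inside user browsing
        print(pkt, process(*pkt))
```

The Internet-to-server packet hits the implicit reverse rule (pre-NAT zone OUTSIDE, because 192.168.29.85 routes out of the outside interface), lands in post-NAT zone DMZ, and is allowed by Out2DMZ, which names the public address. Swapping in either wrong rule set gives the default interzone deny, which is the symptom seen when a security rule is written from the NAT rule's point of view.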









