nat


Associate a network with a pool of global IP addresses.


      [no] nat [(if_name)] nat_id local_ip 
          [netmask [max_conns [em_limit]]] 
          [norandomseq]

      [no] nat [(if_name)] 0  access-list acl_id 

      nat [(if_name)] 0 local_ip [netmask [max_conns [em_limit]]] 
          [norandomseq]

show nat

clear nat


Syntax

if_name The internal network interface name, i.e., (internal).

If the interface is associated with an access list, then the if_name is the higher security level interface name.

nat_id All nat command statements with the same nat_id are in the same nat group. Use the nat_id from the global command; for example:
nat (perimeter) 1 0 0
global (outside) 1 209.165.201.1-209.165.201.30 netmask 255.255.255.224

The nat_id is an arbitrary positive number between 0 and two billion. This number can be the same as the ID used with the outbound and apply commands.

Specify 0 with IP addresses and netmasks to identify internal networks that desire only outbound identity address translation. Specify 0 with the access-list option to specify traffic that should be exempted from NAT.

access-list Associate with an access-list using the nat 0 command.
local_ip Internal network IP address to be translated. You can use 0.0.0.0 to allow all hosts to start outbound connections. The 0.0.0.0 local_ip can be abbreviated as 0.
netmask Network mask for local_ip. You can use 0.0.0.0 to allow all outbound connections to translate with IP addresses from the global pool.
max_conns The maximum TCP connections permitted from the interface you specify.
em_limit The embryonic connection limit. The default is 0, which means unlimited connections. Set it lower for slower systems, higher for faster systems.
norandomseq Do not randomize the TCP packet's sequence number. Only use this option if another inline firewall is also randomizing sequence numbers and the result is scrambling the data. Use of this option opens a security hole in the firewall.
clear Removes nat command statements from the configuration.


nat

Enable or disable address translation for one or more internal addresses.

Address translation means that when a host starts an outbound connection, the IP addresses in the internal network are translated into global addresses. Network Address Translation (NAT) allows the network to have any IP addressing scheme and the firewall protects these addresses from visibility on the external network.

NAT works by substituting, or translating, host addresses on an internal interface with a global address associated with an outside interface. This protects internal host addresses from being exposed on other network interfaces. To understand whether you want to use NAT, decide if you want to expose internal addresses on other network interfaces connected to the firewall. If you choose to protect internal host addresses using NAT, identify the pool of addresses you want to use for translation.

If the addresses that you want to protect access only other networks within the organization, you can use any set of private addresses for the pool of translation addresses.

To exempt traffic that is matched by an access list, run:

nat (if_name) 0 access-list acl_id

Adaptive Security will remain in effect. The extent to which the inside hosts are accessible from the outside depends on the access-list command statements that permit inbound access.

The access list specified with the nat 0 access-list command will not work with an access-list command statement that contains a port. The following sample command statements will not work.

access-list acl_id permit tcp host xx.xx.xx.xx host yy.yy.yy.yy
nat (inside) 0 access-list acl_id

After changing or removing a nat command statement, use the clear xlate command.

The connection limit allows you to set the maximum number of outbound connections that can be started with the IP address criteria you specify. The embryonic connection limit allows you to prevent a type of attack where processes are started without being completed. An embryonic connection is a connection that someone attempted but has not completed and has not yet seen data. Every connection is embryonic until it sets up.
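The two limits described above are easy to confuse, so here is an added illustration (not from the PIX documentation) that models how max_conns and em_limit bound outbound connections from one translated host. Every connection starts as embryonic and leaves that state only when its handshake completes and data is seen; a burst of half-open attempts is therefore stopped by em_limit, while well-behaved traffic is only ever bounded by max_conns. The host address, port numbers and limit values are constructed for the example.

```python
# Added illustration, not from the PIX documentation: a model of how the
# max_conns and em_limit values on a nat statement bound outbound connections
# from one translated host. Host address, ports and limits are constructed.
from dataclasses import dataclass, field

UNLIMITED = 0  # the reference states that 0 means no limit


@dataclass
class NatLimits:
    max_conns: int = UNLIMITED
    em_limit: int = UNLIMITED
    embryonic: set = field(default_factory=set)    # attempted, no data seen yet
    established: set = field(default_factory=set)  # handshake done, data flowing

    @staticmethod
    def _room(current: int, limit: int) -> bool:
        return limit == UNLIMITED or current < limit

    def start(self, conn) -> bool:
        """A host attempts a new outbound connection. Every connection begins
        as embryonic. Returns False if either limit would be exceeded."""
        total = len(self.embryonic) + len(self.established)
        if not self._room(total, self.max_conns):
            return False
        if not self._room(len(self.embryonic), self.em_limit):
            return False
        self.embryonic.add(conn)
        return True

    def complete(self, conn) -> bool:
        """The handshake finishes and data is seen: no longer embryonic."""
        if conn not in self.embryonic:
            return False
        self.embryonic.remove(conn)
        self.established.add(conn)
        return True

    def close(self, conn) -> None:
        self.embryonic.discard(conn)
        self.established.discard(conn)


def half_open_flood(em_limit: int, attempts: int) -> tuple:
    """Constructed scenario: `attempts` connection attempts that never
    complete, against a statement with the given em_limit and no max_conns.
    Returns (accepted, refused)."""
    limits = NatLimits(max_conns=UNLIMITED, em_limit=em_limit)
    accepted = sum(1 for i in range(attempts)
                   if limits.start(("10.1.1.15", 40000 + i)))
    return accepted, attempts - accepted


def normal_traffic(max_conns: int, em_limit: int, n: int) -> int:
    """Constructed scenario: n connections that each complete their handshake
    before the next one starts. The embryonic count never exceeds 1, so only
    max_conns can bind here. Returns the number accepted."""
    limits = NatLimits(max_conns=max_conns, em_limit=em_limit)
    accepted = 0
    for i in range(n):
        conn = ("10.1.1.15", 40000 + i)
        if limits.start(conn):
            accepted += 1
            limits.complete(conn)
    return accepted


if __name__ == "__main__":
    print("em_limit 5, 20 half-open attempts:", half_open_flood(5, 20))
    print("max_conns 10, 20 completed connections:", normal_traffic(10, 1, 20))
```

With em_limit 5 the flood scenario accepts 5 attempts and refuses 15, while 20 connections that complete one at a time are accepted up to max_conns regardless of how low em_limit is set; an em_limit of 0 accepts every half-open attempt, which is the "unlimited" default the reference describes.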

You can use the no nat command to remove a nat command statement and you can use the show nat command to view nat command statements in the current configuration.

The following table helps you decide when to use the nat or static commands for access between the various interfaces in the firewall. For this table, assume that the security levels are 40 for dmz1 and 60 for dmz2.

(Configuration mode.)


Interface Access Commands by Interface

From This Interface   To This Interface   Use This Command
inside                outside             nat
inside                dmz1                nat
inside                dmz2                nat
dmz1                  outside             nat
dmz1                  dmz2                static
dmz1                  inside              static
dmz2                  outside             nat
dmz2                  dmz1                nat
dmz2                  inside              static
outside               dmz1                static
outside               dmz2                static
outside               inside              static

The rule of thumb is that for access from a higher security level interface to a lower security level interface, use the nat command. From a lower security level interface to a higher security level interface, use the static command.

You can enable identity address translation with the nat 0 command. Use this command when you have IP addresses that are the same as those used on more than one interface. Adaptive Security remains in effect with the nat 0 command. The extent to which the inside hosts are accessible from the outside depends on the access-list command statements that permit inbound access.

Addresses on each interface must be on a different subnet.

The nat 0 10.2.3.0 command means let those IP addresses in the 10.2.3.0 net appear on the outside without translation. All other hosts are translated depending on how their nat command statements appear in the configuration.

The nat 1 0 0 command means that all outbound connections can pass through the firewall with address translation. If you use the nat (inside) 1 0 0 command, users can start connections on any interface with a lower security level, on both perimeter interfaces and the outside interface. With NAT in effect, also use the global statement to provide a pool of addresses through which translated connections pass. In effect, you use the nat command statement to specify from which interface connections can originate and you use the global statement to determine at which interface connections can occur. The NAT ID must be the same on the nat and global command statements.

The nat 1 10.2.3.0 command means that only outbound connections originating from the inside host 10.2.3.0 can pass through the firewall to go to their destinations with address translation.


Examples

The following example specifies with nat command statements that all the hosts on the 10.0.0.0 and 3.3.3.0 inside networks can start outbound connections. The global command statements create a pool of global addresses:

nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 209.165.201.25-209.165.201.27 netmask 255.255.255.224
global (outside) 1 209.165.201.30
nat (inside) 3 10.3.3.0 255.255.255.0
global (outside) 3 209.165.201.10-209.165.201.25 netmask 255.255.255.224

When using the nat 0 command, if you want the addresses to be visible from the outside network, use static and access-list command statements:


nat (inside) 0 209.165.201.0 255.255.255.224
static (inside, outside) 209.165.201.0 209.165.201.0 netmask 255.255.255.224
access-list acl_out permit tcp host 10.0.0.1 209.165.201.0 255.255.255.224 eq ftp
access-group acl_out in interface outside
nat (inside) 0 209.165.202.128 255.255.255.224
static (inside, outside) 209.165.202.128 209.165.202.128 netmask 255.255.255.224
access-list acl_out permit tcp host 10.0.0.1 209.165.202.128 255.255.255.224 eq ftp
access-group acl_out in interface outside

The following example shows use of the nat 0 access-list command to permit internal host 10.1.1.15, accessible through the inside interface, "inside," to bypass NAT when connecting to outside host 10.2.1.3.


access-list no-nat permit ip host 10.1.1.15 host 10.2.1.3
nat (inside) 0 access-list no-nat

The following commands will disable all NAT on a firewall with three interfaces:


access-list all-ip-packet permit ip 0 0 0 0
nat (dmz) 0 access-list all-ip-packet
nat (inside) 0 access-list all-ip-packet
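Several of the pitfalls in this reference are silent: a nat_id with no matching global statement, a nat 0 access-list that names an undefined ACL or an ACL entry with a port (which the text says will not work), and a netmask typed without the space or with a missing octet. The following offline checker is an added example, not part of the PIX documentation or of any Cisco tool; it parses nat, global and access-list lines with regular expressions written for this page's syntax and reports those mistakes. The sample configuration at the bottom is constructed for the example and deliberately contains one of each error.

```python
# Added example, not from the PIX documentation: an offline sanity checker for
# nat / global / access-list statements. It reports
#   - a nat_id other than 0 with no matching global statement,
#   - a "nat 0 access-list" naming an undefined ACL or an ACL with a port match,
#   - a netmask that is not a contiguous dotted-quad mask, including the
#     "netmask255.255.224" form where the keyword and value ran together.
# The regular expressions and sample configuration are constructed here.
import re
from collections import defaultdict

NAT_RE = re.compile(r"^nat(?:\s*\(\s*([^)\s]+)\s*\))?\s+(\S+)\s*(.*)$")
GLOBAL_RE = re.compile(r"^global\s*\(\s*([^)\s]+)\s*\)\s+(\S+)")
MASK_RE = re.compile(r"netmask\s*(\S+)")
PORT_OPERATORS = {"eq", "lt", "gt", "neq", "range"}


def valid_netmask(mask: str) -> bool:
    """True for a dotted quad whose bits are a run of ones followed by zeros."""
    parts = mask.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        return False
    bits = int.from_bytes(bytes(int(p) for p in parts), "big")
    inverted = (~bits) & 0xFFFFFFFF        # the trailing zeros become ones
    return (inverted & (inverted + 1)) == 0  # ...and must form 2^k - 1


def check_config(text: str) -> list:
    findings = []
    nat_ids = {}                   # nat_id -> first line that uses it
    global_ids = set()
    acl_entries = defaultdict(list)
    nat0_acls = []                 # (line, acl name) from "nat ... 0 access-list"

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = MASK_RE.search(line)   # applies to nat, global and static lines
        if m:
            if not line[m.start():].startswith("netmask "):
                findings.append(f"line {lineno}: missing space after 'netmask'")
            if not valid_netmask(m.group(1)):
                findings.append(f"line {lineno}: invalid netmask {m.group(1)!r}")
        tokens = line.split()
        if tokens[0] == "access-list" and len(tokens) > 2:
            acl_entries[tokens[1]].append(tokens[2:])
            continue
        g = GLOBAL_RE.match(line)
        if g:
            global_ids.add(g.group(2))
            continue
        n = NAT_RE.match(line)
        if n:
            nat_id, rest = n.group(2), n.group(3).split()
            if nat_id == "0":
                if len(rest) > 1 and rest[0] == "access-list":
                    nat0_acls.append((lineno, rest[1]))
            else:
                nat_ids.setdefault(nat_id, lineno)

    for nat_id, lineno in nat_ids.items():
        if nat_id not in global_ids:
            findings.append(f"line {lineno}: nat_id {nat_id} has no matching global statement")
    for lineno, acl in nat0_acls:
        if acl not in acl_entries:
            findings.append(f"line {lineno}: nat 0 references undefined access-list {acl}")
        elif any(PORT_OPERATORS & set(entry) for entry in acl_entries[acl]):
            findings.append(f"line {lineno}: access-list {acl} matches a port; "
                            "nat 0 access-list will not work with it")
    return findings


# Constructed sample configuration: one instance of each mistake.
SAMPLE_CONFIG = """\
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 209.165.201.25-209.165.201.27 netmask 255.255.255.224
nat (inside) 3 10.3.3.0 255.255.255.0
global (outside) 3 209.165.201.10-209.165.201.25 netmask255.255.224
nat (dmz) 4 192.168.5.0 255.255.255.0
access-list no-nat permit tcp host 10.1.1.15 host 10.2.1.3 eq www
nat (inside) 0 access-list no-nat
nat ( dmz) 0 access-list all-ip-packet
"""


def audit_sample() -> list:
    return check_config(SAMPLE_CONFIG)


if __name__ == "__main__":
    for finding in audit_sample():
        print(finding)
```

Run against the constructed sample it reports five findings: the run-together and three-octet netmask on the second global statement, nat_id 4 with no global, the port match in the no-nat ACL, and the undefined all-ip-packet ACL. The netmask test accepts 0.0.0.0 and 255.255.255.255 as well as ordinary prefixes, and rejects non-contiguous masks such as 255.255.0.255.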