NAT and ACLs are among the first things configured right after a new ASA or router is deployed on the edge. They behave differently on the two platforms, and knowing which feature is processed first in a given direction can save us a lot of time and nerves.
You can find many articles about NAT and ACLs on the ASA and IOS routers at itbundle.net, so this time I will focus only on the ACL and NAT ordering issue, without explaining what the two features are or how they work.
Here is a diagram of the lab I will be using:
Prerequisites:
My ASA runs image version 9.6 (after version 8.3 NAT and ACLs work completely differently). On the ASA I have set both the INSIDE and OUTSIDE interfaces to security level 0, purely for the sake of simplicity, and I ran the command "same-security-traffic permit inter-interface". I also used static routing on both the ASA and the IOS router. I haven't applied any NAT yet. At this point Host 1 should be able to ping Host 2 and vice versa, and Host 3 should be able to ping Host 4 and vice versa. Are the hosts pingable? OK, now remove the static routes on both INTERNET routers that lead to the 10.0.0.0 networks (the LAN side) and apply the NAT rules:
on R1
ip nat inside source static 10.0.0.1 1.1.1.100
int fa0/0
ip nat inside
int fa1/0
ip nat outside
on ASA
object network HOST_10.0.0.1
host 10.0.0.1
object network OUTSIDE_IP_1.1.1.100
host 1.1.1.100
nat (INSIDE,OUTSIDE) source static HOST_10.0.0.1 OUTSIDE_IP_1.1.1.100
Now when you ping the 1.1.1.100 address you should get a response from host 10.0.0.1 behind both the router and the ASA. Check it with the command "show ip nat translations" on the router and "show xlate" on the ASA.
Our task in both cases will be to block access between the hosts in both directions on the OUTSIDE interface, the one that has NAT applied. We will work through each variant in turn.
First we will focus on the IOS router.
1. Blocking traffic in the OUT direction from Host 1 to Host 2
2. Blocking traffic in the IN direction from Host 2 to Host 1
int fa1/0
ip access-group 100 out
As we can see, in both directions we always use the REAL IP address of the host, which means IOS processes the ACL first and NAT second.
Now let's go over to the ASA:
1. Blocking traffic in the OUT direction from Host 3 to Host 4
access-group 100 out interface OUTSIDE
We can conclude from the above that the ACL is processed first and NAT second when we want to block traffic in the OUT direction, because we use the REAL IP address of Host 3.
2. Blocking traffic in the IN direction from Host 4 to Host 3
access-group 100 in interface OUTSIDE
And here is the difference between the ASA (v8.4 and later) and IOS: in the IN direction the ASA processes NAT first and the ACL second, so we have to use the NATted IP address of Host 3 in the ACL. Before version 8.4 the ASA behaved exactly like IOS.
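The practical lesson of both labs is that an OUTSIDE ACL entry only works if it names the address the ACL actually sees, and that depends on whether the ACL runs before or after translation in that direction. The small simulator below is an added example, not code from the original post or from Cisco; it models a packet passing through the lab's static NAT (10.0.0.1 <-> 1.1.1.100) and a first-match ACL in either order, and reports which address of the inside host a deny entry must reference. The peer address 203.0.113.4 is a constructed stand-in for Host 2 / Host 4, and the `order` and `direction` labels are this example's own names. It does not hard-code which platform, version and direction uses which order; that is what the router and ASA tests above establish, and `deny_blocks` is the kind of check to run against the result before trusting an ACL that is supposed to block a host.

```python
"""Order-of-operations simulator: which address does an OUTSIDE ACL see?

Added example, not part of the original post. Models a static NAT and an
ACL applied on the OUTSIDE interface, evaluated in either order, to show
why a deny entry must name the real or the mapped address depending on
which feature is processed first in a given direction.
"""
from dataclasses import dataclass

# Static NAT table, real -> mapped (the lab values from the post).
STATIC_NAT = {"10.0.0.1": "1.1.1.100"}
MAPPED_TO_REAL = {mapped: real for real, mapped in STATIC_NAT.items()}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    src: str     # host address or "any"
    dst: str     # host address or "any"


def acl_permits(acl, pkt):
    """First-match evaluation with the implicit deny at the end."""
    for entry in acl:
        if entry.src in ("any", pkt.src) and entry.dst in ("any", pkt.dst):
            return entry.action == "permit"
    return False


def nat(pkt, direction):
    """Apply the static translation for the given direction on OUTSIDE.

    out: inside -> outside, the real source becomes the mapped address.
    in:  outside -> inside, the mapped destination becomes the real address.
    """
    if direction == "out":
        return Packet(STATIC_NAT.get(pkt.src, pkt.src), pkt.dst)
    if direction == "in":
        return Packet(pkt.src, MAPPED_TO_REAL.get(pkt.dst, pkt.dst))
    raise ValueError(f"unknown direction {direction!r}")


def forward(pkt, direction, acl, order):
    """Run the packet through ACL and NAT in the given order.

    order is "acl_then_nat" or "nat_then_acl" (names chosen for this example).
    Returns (permitted, packet_as_the_acl_saw_it).
    """
    if order == "acl_then_nat":
        seen = pkt
    elif order == "nat_then_acl":
        seen = nat(pkt, direction)
    else:
        raise ValueError(f"unknown order {order!r}")
    return acl_permits(acl, seen), seen


def acl_address_for(order, direction, real, mapped):
    """Which address of the inside host must the OUTSIDE ACL name to match it?"""
    translated_first = order == "nat_then_acl"
    if direction == "out":
        # Leaving: the source starts as the real address; NAT maps it.
        return mapped if translated_first else real
    # Entering: the destination starts as the mapped address; NAT un-maps it.
    return real if translated_first else mapped


def deny_blocks(order, direction, host_real, host_mapped, peer, acl_host):
    """Does 'deny host <acl_host>' on OUTSIDE actually stop the flow?

    An entry written against the wrong address silently fails open, so this
    is the check to run before trusting a blocking ACL.
    """
    if direction == "out":
        pkt = Packet(host_real, peer)
        acl = [AclEntry("deny", acl_host, "any"), AclEntry("permit", "any", "any")]
    else:
        pkt = Packet(peer, host_mapped)
        acl = [AclEntry("deny", "any", acl_host), AclEntry("permit", "any", "any")]
    permitted, _seen = forward(pkt, direction, acl, order)
    return not permitted


if __name__ == "__main__":
    for order in ("acl_then_nat", "nat_then_acl"):
        for direction in ("out", "in"):
            addr = acl_address_for(order, direction, "10.0.0.1", "1.1.1.100")
            print(f"{order:13} {direction:3}: ACL must reference {addr}")
```

Running the block prints the four combinations; the useful habit is to call `deny_blocks` with the address you put in the ACL and confirm it returns True for the order your platform uses in that direction, exactly as the ping tests in the post do on real hardware.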