Identity NAT and NAT Bypass
Suppose our Secure Corp. decided not to use private IP addresses inside the PIX,
and chose to use public IP addresses instead. Secure Corp. has been assigned a block of
public IP addresses from the American Registry for Internet Numbers (ARIN)
in the form of three 24-bit networks. The organization chooses, as shown in
Figure 3.2, not to use private addressing within its network. (The figure uses the
10.1.x.0/24 networks only as stand-ins for those public blocks; 10.0.0.0/8 is itself
RFC 1918 private space.)
Looking at Figure 3.2, you can see that each of the three 24-bit subnets has
been allocated to one building. Public addresses will be used both inside and
outside the PIX firewall, and no address translation will be performed. There are
two ways to accomplish this task: using identity NAT or using NAT bypass.
www.syngress.com
Figure 3.2 An Identity Network Address Translation Example
(Figure: the Internet on the outside of PIX1; the three subnets 10.1.1.0/24, 10.1.2.0/24 and
10.1.3.0/24 appear unchanged on the inside and the outside, i.e. 10.1.1.0 -> 10.1.1.0,
10.1.2.0 -> 10.1.2.0, 10.1.3.0 -> 10.1.3.0; the client host is 10.1.1.10.)
98 Chapter 3 • Passing Traffic
Identity NAT does not use an associated global command to define the global
address. Instead, the inside address is mapped to itself when translating. To configure
identity NAT, use the nat command with an ID of 0 and do not define an
associated global command. The commands to configure identity NAT for Figure
3.2 would be as follows:
PIX1(config)# nat (inside) 0 10.1.1.0 255.255.255.0
nat 0 10.1.1.0 will be non-translated
PIX1(config)# nat (inside) 0 10.1.2.0 255.255.255.0
nat 0 10.1.2.0 will be non-translated
PIX1(config)# nat (inside) 0 10.1.3.0 255.255.255.0
nat 0 10.1.3.0 will be non-translated
PIX1(config)# exit
PIX1# clear xlate
To verify the configuration, use the show nat command to display the current
NAT configuration:
PIX1# show nat
nat (inside) 0 10.1.1.0 255.255.255.0 0 0
nat (inside) 0 10.1.2.0 255.255.255.0 0 0
nat (inside) 0 10.1.3.0 255.255.255.0 0 0
Let's examine the example in Figure 3.2. The client opens a connection to a
Web server on the Internet. The show xlate command should display a mapping
for this connection flagged with an I, the identity flag:
PIX1# show xlate debug
1 in use, 1 most used
Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
o - outside, r - portmap, s - static
NAT from inside:10.1.1.10 to outside:10.1.1.10 flags iI idle 0:01:27
timeout 3:00:00
Note that identity NAT still builds an xlate entry for the connection; the entry simply
maps the inside address to itself.

Configuring & Implementing…
Identifying "All" Network Traffic
Instead of using specific networks to identify the traffic to translate
with the nat command, you can use a source address of 0 or 0.0.0.0
and a netmask of 0 or 0.0.0.0 to specify all traffic, for example
nat (inside) 0 0.0.0.0 0.0.0.0. Because this matches every inside host,
use it only when you really intend to exempt the whole inside network from translation.
You can also bypass NAT altogether using nat 0 with an access list. First,
define an access list that identifies the traffic that is not to be translated (access lists are discussed
in detail in the next section). Then, use the nat command with an ID of 0
and the access-list name to bypass the NAT process. The syntax to configure this
is (placeholders in angle brackets):
access-list <acl_name> permit ip <source_addr> <source_mask> <dest_addr> <dest_mask>
nat (<if_name>) 0 access-list <acl_name>
Using Figure 3.1 as an example, the commands to configure the PIX to
bypass NAT using an access list would be as follows:
PIX1(config)# access-list inside_public permit ip 10.1.1.0 255.255.255.0 any
PIX1(config)# access-list inside_public permit ip 10.1.2.0 255.255.255.0 any
PIX1(config)# access-list inside_public permit ip 10.1.3.0 255.255.255.0 any
PIX1(config)# nat (inside) 0 access-list inside_public
PIX1(config)# exit
PIX1# clear xlate
To verify the configuration, use the show nat and show access-list commands:
PIX1# show nat
nat (inside) 0 access-list inside_public
PIX1# show access-list
access-list inside_public; 3 elements
access-list inside_public permit ip 10.1.1.0 255.255.255.0 any (hitcnt=0)
access-list inside_public permit ip 10.1.2.0 255.255.255.0 any (hitcnt=0)
access-list inside_public permit ip 10.1.3.0 255.255.255.0 any (hitcnt=0)
In Figure 3.2, when the client opens a connection to a Web server on the
Internet, the show xlate command should not display a translation for this connection,
since it bypasses NAT. The show access-list command should show an incremented
hitcnt counter on the matching access-list entry.
PIX1# show xlate
0 in use, 1 most used
PIX1# show access-list inside_public
access-list inside_public; 3 elements
access-list inside_public permit ip 10.1.1.0 255.255.255.0 any (hitcnt=10)
access-list inside_public permit ip 10.1.2.0 255.255.255.0 any (hitcnt=0)
access-list inside_public permit ip 10.1.3.0 255.255.255.0 any (hitcnt=0)
Although identity NAT and NAT bypass provide similar functionality, NAT bypass
offers some advantages over identity NAT. It saves resources by skipping the NAT
process entirely (no xlate entry is built for the connection), and the access list gives
greater flexibility because you can specify destination addresses, so only traffic to
particular destinations is exempted from translation while everything else still follows
the normal nat/global rules.
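The following Python model, added here as an illustration and not code from the book or from Cisco, replays the decision the two configurations above lead to. It parses the nat 0 <net> <mask>, nat 0 access-list <name> and access-list ... permit ip lines used in this section (including the 0 0 "all traffic" form from the sidebar), then classifies each new inside-to-outside connection as an identity translation (an xlate flagged iI is built), a NAT bypass (no xlate, the access-list hitcnt increments) or no match. The destination addresses 192.0.2.0/24 and 198.51.100.80 are constructed documentation addresses, and evaluating the exemption access list before the plain nat 0 rules is a simplifying assumption of the model.

```python
"""Toy model of PIX identity NAT versus NAT bypass (nat 0 with an access list).

Added illustration, not PIX software. Only the 'permit ip <net> <mask>|any'
access-list form is handled; checking the exemption access list before the
nat 0 <net> <mask> rules is an assumption made for this model.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

ANY = IPv4Network("0.0.0.0/0")


def parse_net(addr: str, mask: str) -> IPv4Network:
    """PIX 'addr mask' to a network; '0 0' or '0.0.0.0 0.0.0.0' means all traffic."""
    if addr in ("0", "0.0.0.0") and mask in ("0", "0.0.0.0"):
        return ANY
    return IPv4Network(f"{addr}/{mask}")


def take_net(tokens: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Consume 'any' (one token) or 'addr mask' (two tokens) starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    return parse_net(tokens[i], tokens[i + 1]), i + 2


def fmt(net: IPv4Network) -> str:
    return "any" if net == ANY else f"{net.network_address} {net.netmask}"


@dataclass
class AclEntry:
    src: IPv4Network
    dst: IPv4Network
    hitcnt: int = 0


@dataclass
class PixNat:
    identity_nets: List[IPv4Network] = field(default_factory=list)   # nat (inside) 0 <net> <mask>
    bypass_acl: Optional[str] = None                                 # nat (inside) 0 access-list <name>
    acls: Dict[str, List[AclEntry]] = field(default_factory=dict)    # name -> entries
    xlate: List[Tuple[str, str, str]] = field(default_factory=list)  # (inside, outside, flags)

    def load(self, config: str) -> None:
        for line in config.splitlines():
            t = line.split()
            if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
                src, i = take_net(t, 4)
                dst, _ = take_net(t, i)
                self.acls.setdefault(t[1], []).append(AclEntry(src, dst))
            elif t[:1] == ["nat"] and len(t) >= 5 and t[2] == "0":
                if t[3] == "access-list":
                    self.bypass_acl = t[4]
                else:
                    self.identity_nets.append(parse_net(t[3], t[4]))

    def connect(self, src: str, dst: str) -> str:
        """Classify a new inside-to-outside flow as 'bypass', 'identity' or 'none'."""
        s, d = IPv4Address(src), IPv4Address(dst)
        for entry in self.acls.get(self.bypass_acl, []):
            if s in entry.src and d in entry.dst:
                entry.hitcnt += 1          # shows up in show access-list ...
                return "bypass"            # ... but no xlate is created
        for net in self.identity_nets:
            if s in net:
                self.xlate.append((src, src, "iI"))  # mapped to itself; i=inside, I=identity
                return "identity"
        return "none"                      # would need a global/static rule instead

    def show_xlate(self) -> List[str]:
        return [f"NAT from inside:{i} to outside:{o} flags {f}" for i, o, f in self.xlate]

    def show_access_list(self, name: str) -> List[str]:
        return [f"access-list {name} permit ip {fmt(e.src)} {fmt(e.dst)} (hitcnt={e.hitcnt})"
                for e in self.acls.get(name, [])]


# Identity NAT exactly as configured in this section for Figure 3.2.
IDENTITY_CFG = """
nat (inside) 0 10.1.1.0 255.255.255.0
nat (inside) 0 10.1.2.0 255.255.255.0
nat (inside) 0 10.1.3.0 255.255.255.0
"""

# NAT bypass limited to one destination block, with identity NAT as the fallback.
# 192.0.2.0/24 and 198.51.100.80 are constructed documentation addresses.
BYPASS_CFG = """
access-list inside_public permit ip 10.1.1.0 255.255.255.0 192.0.2.0 255.255.255.0
nat (inside) 0 access-list inside_public
nat (inside) 0 10.1.1.0 255.255.255.0
"""


def demo_identity() -> Tuple[str, List[str]]:
    pix = PixNat()
    pix.load(IDENTITY_CFG)
    return pix.connect("10.1.1.10", "198.51.100.80"), pix.show_xlate()


def demo_bypass() -> Tuple[str, str, List[str], List[str]]:
    pix = PixNat()
    pix.load(BYPASS_CFG)
    hit = pix.connect("10.1.1.10", "192.0.2.80")       # matches the ACL: bypass, no xlate
    miss = pix.connect("10.1.1.10", "198.51.100.80")   # misses the ACL: identity xlate instead
    return hit, miss, pix.show_xlate(), pix.show_access_list("inside_public")


if __name__ == "__main__":
    print(demo_identity())
    print(demo_bypass())
```

Running the module prints the identity case (one xlate flagged iI) and the bypass case, where the connection to 192.0.2.80 leaves no xlate but bumps hitcnt to 1 while the connection to 198.51.100.80 falls through to the plain nat 0 rule; that fall-through is the destination-level control the access list gives you and identity NAT does not.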