Cisco PIX and ASA NAT merge examples
For more information about how FortiConverter handles NAT merges, see NAT merge options.
For ASA, these examples are valid only for source configurations created using software versions 8.2.x and earlier.
Dynamic NAT with ID 0 is the identity NAT and specifies that the address doesn't need to be translated. For example:
    nat (inside) 0 172.17.3.68 255.255.255.255
Currently, because FortiConverter doesn't merge this kind of NAT, it ignores the settings when it converts the configuration.
In the following two static NAT settings, the real address and the mapped address are the same.
    static (inside,outside) 200.251.129.33 200.251.129.33 netmask 255.255.255.255
    static (inside,outside) 172.17.3.69 access-list inside_nat0_static
    access-list inside_nat0_static extended permit ip host 172.17.3.69 object-group Group0
FortiConverter doesn't support this kind of static NAT and it ignores the settings when it converts the configuration.
A source configuration has the following dynamic NAT settings:
    global (outside) 1 172.31.242.69 netmask 255.255.255.255
    nat (inside) 1 172.17.3.120 255.255.255.255
It also has the following firewall rule:
    access-list acl_inside extended permit tcp host 172.17.3.120 object-group Group_Destination eq http
    access-group acl_inside in interface inside
FortiConverter generates the following IP pool and NAT policy from the source configuration:
edit "ippool-172.31.242.69"
set endip 172.31.242.69
set startip 172.31.242.69
set type one-to-one
next
edit 10001
set srcintf "port1" (corresponds to the interface "inside")
set dstintf "port2" (corresponds to the interface "outside")
set srcaddr "h_172.17.3.120"
set dstaddr "Group_Destination"
set service "HTTP"
set schedule "always"
set logtraffic disable
set status enable
set action accept
set nat enable
set ippool enable
set poolname "ippool-172.31.242.69"
next
The interface and address of the dynamic NAT match the firewall rule, so FortiConverter inserts the IP pool into policy 10001.
A source configuration has the following dynamic NAT settings:
    global (outside) 2 interface
    nat (inside) 2 172.17.40.73 255.255.255.255
It also has the following firewall rule:
    access-list acl_inside extended permit tcp host 172.17.40.73 object-group Group_Destination eq http
    access-group acl_inside in interface inside
FortiConverter generates the following NAT policy from the source configuration:
    config firewall policy
        edit 10002
            set srcintf "port1"
            set dstintf "port2"
            set srcaddr "h-172.17.40.73"
            set dstaddr "Group_Destination"
            set service "HTTP"
            set schedule "always"
            set logtraffic disable
            set status enable
            set action accept
            set nat enable
        next
    end
The interface and address of the dynamic NAT match the firewall rule. NAT is enabled for policy 10002, but because no IP pool is specified, the source address is translated to the IP address of the outgoing interface.
A source configuration has the following dynamic NAT settings, which define NAT using an access list:
    nat (inside) 1 access-list inside_nat_outbound
    access-list inside_nat_outbound extended permit tcp host 172.17.40.70 host 200.185.36.43 eq http
    global (outside) 1 172.31.242.69 netmask 255.255.255.255
It also has the following firewall rule, which matches the NAT settings:
    access-list acl_inside extended permit tcp host 172.17.40.70 host 200.185.36.43 eq http
    access-group acl_inside in interface inside
FortiConverter generates the following IP pool and NAT policy from the source configuration:
edit "ippool-172.31.242.69"
set endip 172.31.242.69
set startip 172.31.242.69
set type one-to-one
next
edit 10003
set srcintf "port1"
set dstintf "port2"
set srcaddr "h-172.17.40.70"
set dstaddr "h-200.185.36.43"
set service "HTTP"
set schedule "always"
set logtraffic disable
set status enable
set action accept
set nat enable
set ippool enable
set poolname "ippool-172.31.242.69"
next
The converted configuration is similar to when the source configuration specifies dynamic NAT with a NAT IP address.
FortiConverter converts the IP pool based on the dynamic NAT.
A source configuration has the following static NAT settings:
    static (inside,outside) 200.251.129.95 172.17.60.85 netmask 255.255.255.255
It also has the following firewall rule:
    access-list acl_inside extended permit ip host 172.17.60.85 object-group Group_Destination
    access-group acl_inside in interface inside
FortiConverter converts the static NAT rule to a VIP object and generates a NAT policy:
edit "vip-200.251.129.95"
set extip 200.251.129.95
set mappedip 172.17.60.85
set extintf port2
set nat-source-vip enable
next
edit 10004
set srcintf "port1"
set dstintf "port2"
set srcaddr "h-172.17.60.85"
set dstaddr "Group_Destination"
set service "ALL"
set schedule "always"
set logtraffic disable
set status enable
set action accept
set nat enable
next
The NAT-enabled policy tries to match the source address to a VIP object. If it finds a match, it performs static NAT as the VIP object specifies. Otherwise, it uses the interface IP for NAT.
A source configuration has the following static NAT settings (which are the same as the example that matches by source address):
    static (inside,outside) 200.251.129.95 172.17.60.85 netmask 255.255.255.255
It also has the following firewall rule:
    access-list acl_outside extended permit ip any host 200.251.129.95
    access-group acl_outside in interface outside
FortiConverter creates the same VIP object it does for the source address example, and the following NAT policy, which uses the VIP object as a destination address:
edit "vip-200.251.129.95"
set extip 200.251.129.95
set mappedip 172.17.60.85
set extintf port2
set nat-source-vip enable
next
edit 10005
set srcintf "port2"
set dstintf "port1"
set srcaddr "all"
set dstaddr "vip-200.251.129.95"
set service "ALL"
set schedule "always"
set logtraffic disable
set status enable
set action accept
next
A source configuration has the following settings, which define static NAT using an access list:
    static (inside,outside) 172.31.242.69 access-list inside_nat_static
    access-list inside_nat_static extended permit ip host 10.100.128.97 object-group Group_Destination
It also has the following firewall rule:
    access-list acl_inside extended permit ip host 10.100.128.97 object-group Group_Destination
    access-group acl_inside in interface inside
FortiConverter converts the static NAT settings to the following VIP object and policies:
edit "vip-172.31.242.69_ip"
set extip 172.31.242.69
set mappedip 10.100.128.97
set extintf port2
set nat-source-vip enable
next
edit 10006
set srcintf "port1"
set dstintf "port2"
set srcaddr "h-10.100.128.97"
set dstaddr "Group_Destination"
set service "ALL"
set schedule "always"
set logtraffic disable
set status enable
set action accept
set nat enable
next
The NAT-enabled policy tries to match the source address to a VIP object. If it finds a match, it performs static NAT as the VIP object specifies. Otherwise, it uses the interface IP for NAT.
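The source-address lookup described above (here and in the earlier static NAT example) can be modelled in a few lines. The following is an added example, not FortiConverter or FortiOS code: it takes a NAT-enabled policy, the VIP objects from the page's examples, and a packet source address, and returns the address the source is translated to. The interface addresses and the packet sources are constructed for the demonstration; the `Vip`/`Policy` classes and the `translated_source` function are this example's own names.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Vip:
    name: str
    extip: str          # external (mapped on the PIX side) address
    mappedip: str       # real inside address
    extintf: str        # external interface the VIP is bound to
    nat_source_vip: bool = True


@dataclass(frozen=True)
class Policy:
    policyid: int
    srcintf: str
    dstintf: str
    nat: bool
    poolname: Optional[str] = None   # set when "set ippool enable" is present


# VIP objects exactly as the page's static NAT examples generate them.
VIPS: List[Vip] = [
    Vip("vip-200.251.129.95", "200.251.129.95", "172.17.60.85", "port2"),
    Vip("vip-172.31.242.69_ip", "172.31.242.69", "10.100.128.97", "port2"),
]
# One-to-one IP pool from the page's first dynamic NAT example.
IPPOOLS: Dict[str, str] = {"ippool-172.31.242.69": "172.31.242.69"}
# Constructed interface addresses (assumption: the page never states them).
INTERFACE_IP: Dict[str, str] = {"port1": "172.17.1.1", "port2": "198.51.100.1"}


def translated_source(pol: Policy, src_ip: str, vips: List[Vip] = VIPS,
                      ippools: Dict[str, str] = IPPOOLS,
                      ifaddrs: Dict[str, str] = INTERFACE_IP) -> Tuple[str, str]:
    """Return (source address after SNAT, reason) for a packet accepted by `pol`.

    Order of precedence, as the page describes it:
      1. policy without NAT: address unchanged;
      2. policy with an IP pool: address from the pool;
      3. policy with NAT but no pool: a VIP on the outgoing interface whose
         mapped IP equals the source (and has nat-source-vip enabled) wins;
      4. otherwise the outgoing interface's own address.
    """
    if not pol.nat:
        return src_ip, "no-nat"
    if pol.poolname is not None:
        return ippools[pol.poolname], "ippool"
    for vip in vips:
        if (vip.nat_source_vip and vip.extintf == pol.dstintf
                and ip_address(vip.mappedip) == ip_address(src_ip)):
            return vip.extip, f"vip:{vip.name}"
    return ifaddrs[pol.dstintf], "interface-ip"


if __name__ == "__main__":
    p10004 = Policy(10004, "port1", "port2", nat=True)
    for src in ("172.17.60.85", "172.17.60.86"):
        print(src, "->", translated_source(p10004, src))
```

The point the model makes visible is the silent fallback in step 4: a host that is not covered by any VIP is still translated, but to the interface address, so a mis-converted VIP does not stop traffic, it changes which public address the traffic carries.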
The following source configuration settings define static NAT using an access list (they are the same as the example where static policy NAT matches the policy source address):
    static (inside,outside) 172.31.242.69 access-list inside_nat_static
    access-list inside_nat_static extended permit ip host 10.100.128.97 object-group Group_Destination
It also has the following firewall rule, which matches the NAT rule by its destination address:
    access-list acl_outside extended permit ip object-group Group_Destination host 172.31.242.69
    access-group acl_outside in interface outside
FortiConverter creates the same VIP object it does for the source address example, and the following NAT policy, which uses the VIP object as a destination address:
edit "vip-172.31.242.69_ip"
set extip 172.31.242.69
set mappedip 10.100.128.97
set extintf port2
set nat-source-vip enable
next
edit 110007
set srcintf "por2"
set dstintf "port1"
set srcaddr "Group_Destination"
set dstaddr "vip-172.31.242.69_ip"
set service "ALL"
set schedule "always"
set logtraffic disable
set status enable
set action acceptnext edit 10007
set srcintf "port2"
set dstintf "any"
set srcaddr "Group_Destination"
set dstaddr "h-172.31.242.69"
set service "ALL"
set schedule "always"
set logtraffic disable
set status enable
set action accept
next
NAT rule and policy addresses don't match exactly
When a NAT rule address doesn't match a policy address exactly, FortiConverter calculates where the addresses intersect (overlap) and uses the result as the address for the NAT policy it generates.
For example, a source configuration includes the following dynamic NAT configuration:
    global (outside) 1 193.205.32.10 netmask 255.255.255.255
    nat (inside) 1 10.1.2.0 255.255.255.0
It also contains the following firewall rule:
    access-list acl_inside extended permit tcp host 10.1.2.1 host 193.205.23.66 eq smtp
    access-group acl_inside in interface inside
The NAT rule address 10.1.2.0 255.255.255.0 contains the firewall rule source address 10.1.2.1.
FortiConverter converts the source NAT and firewall rules to the following IP pool and policies:
edit "ippool-193.205.32.0-193.205.32.255"
set endip 193.205.32.10
set startip 193.205.32.10
set type one-to-one
next
edit 10001
set srcintf "port1"
set dstintf "port2"
set srcaddr "h-10.1.2.1"
set dstaddr "h-193.205.23.66"
set service "SMTP"
set schedule "always"
set logtraffic disable
set status enable
set action accept
set nat enable
set ippool enable
set poolname "ippool-193.205.32.10"
next
The source address of policy 10001, "h-10.1.2.1", is the intersection of the NAT rule address and the original firewall rule address.
A source configuration includes the following NAT settings (which are the same as the example where the NAT rule address contains the policy address):
    global (outside) 1 193.205.32.10 netmask 255.255.255.255
    nat (inside) 1 10.1.2.0 255.255.255.0
It also contains the following firewall rule:
    access-list acl_inside extended permit tcp 10.1.0.0 255.255.0.0 host 193.205.23.66 eq smtp
    access-group acl_inside in interface inside
The firewall rule source address 10.1.0.0 255.255.0.0 contains the NAT rule address 10.1.2.0 255.255.255.0.
FortiConverter converts the source NAT and firewall rules to the following IP pool and policies:
edit "ippool-193.205.32.0-193.205.32.255"
set endip 193.205.32.10
set startip 193.205.32.10
set type one-to-one
next
edit 110002
set srcintf "port1"
set dstintf "port2"
set srcaddr "n-10.1.2.0_24"
set dstaddr "h-193.205.23.66"
set service "SMTP"
set schedule "always"
set logtraffic disable
set status enable
set action accept
set nat enable
set ippool enable
set poolname "ippool-193.205.32.10"
next
edit 10002
set srcintf "port1"
set dstintf "any"
set srcaddr "n-10.1.2.0_16"
set dstaddr "h-193.205.23.66"
set service "SMTP"
set schedule "always"
set logtraffic disable
set status enable
set action accept
next
The source address of policy 00110002, "n-10.1.2.0_24", is the intersection of the NAT rule address and the source address of firewall rule 10002.
A source configuration includes the following NAT settings (which are the same as the example where the NAT rule address contains the policy address):
    global (outside) 1 193.205.32.10 netmask 255.255.255.255
    nat (inside) 1 10.1.2.0 255.255.255.0
It also contains the following firewall rule:
    access-list acl_inside extended permit tcp any host 193.205.23.66 eq smtp
    access-group acl_inside in interface inside
The source address field is "any", which contains the NAT rule address.
FortiConverter converts the source NAT and firewall rules to the following IP pool and policies:
    config firewall policy
        edit 110003
            set srcintf "port1"
            set dstintf "port2"
            set srcaddr "n-10.1.2.0_24"
            set dstaddr "h-193.205.23.66"
            set service "SMTP"
            set schedule "always"
            set logtraffic disable
            set status enable
            set action accept
            set nat enable
            set ippool enable
            set poolname "ippool-193.205.32.10"
        next
        edit 10003
            set srcintf "port1"
            set dstintf "any"
            set srcaddr "all"
            set dstaddr "h-193.205.23.66"
            set service "SMTP"
            set schedule "always"
            set logtraffic disable
            set status enable
            set action accept
        next
    end
The policy 110003 source address "n-10.1.2.0_24" is the intersection of NAT and firewall rules.
A source configuration has the following settings, which define static NAT using an access list:
    static (inside,outside) 172.31.242.69 access-list inside_nat_static
    access-list inside_nat_static extended permit ip host 10.100.128.97 object-group Group_Destination
It also includes the following firewall rule:
    access-list acl_outside extended permit ip object-group Group_Destination 172.31.242.0 255.255.255.0
    access-group acl_outside in interface outside
The firewall rule destination address 172.31.242.0 255.255.255.0 contains the static NAT mapped IP 172.31.242.69.
FortiConverter generates the following VIP object and policies that use the object as a destination:
edit "vip-172.31.242.69_ip"
set extip 172.31.242.69
set mappedip 10.100.128.97
set extintf port2
set nat-source-vip enable
next
edit 110004
set srcintf "port2"
set dstintf "port1"
set srcaddr "Group_Destination"
set dstaddr "vip-172.31.242.69_ip"
set service "ALL"
set schedule "always"
set logtraffic disable
set status enable
set action accept
next
edit 10004
set srcintf "port2"
set dstintf "any"
set srcaddr "Group_Destination"
set dstaddr "n-172.31.242.0_24"
set service "ALL"
set schedule "always"
set logtraffic disable
set status enable
set action accept
next
A source configuration has the following settings, which define a static NAT using an access list:
    static (inside,outside) 172.31.242.69 access-list inside_nat_static
    access-list inside_nat_static extended permit ip host 10.100.128.97 object-group Group_Destination
The access list destination address Group_Destination contains two members:
    object-group network Group_Destination
        network-object 10.255.253.0 255.255.255.0
        network-object 10.255.254.0 255.255.255.0
The source configuration also has a firewall rule that matches the static NAT rule and its destination is a member of the group Group_Destination.
    access-list acl_inside extended permit ip host 10.100.128.97 10.255.253.0 255.255.255.0
    access-group acl_inside in interface inside
FortiConverter generates the following NAT policy, which has the destination address 10.255.253.0 255.255.255.0.
    config firewall policy
        edit 10009
            set srcintf "port1"
            set dstintf "port2"
            set srcaddr "h-10.100.128.97"
            set dstaddr "n-10.255.253.0_24"
            set service "ALL"
            set schedule "always"
            set logtraffic disable
            set status enable
            set action accept
            set nat enable
        next
    end
NAT exemption
NAT exemption is a dynamic policy NAT with ID 0. In most cases, you use NAT exemption to do one of the following:
- Exempt from NAT an address that is located in a NAT rule address range.
- Permit traffic to which no NAT rule applies, in environments where NAT control would otherwise block it.
A source configuration has the following NAT exemption configuration:
    nat (inside) 0 access-list inside_nat_exemption
    access-list inside_nat_exemption extended permit ip host 172.13.100.88 object-group Group_Destination
It also has the following dynamic NAT rule:
    nat (inside) 4 172.13.100.0 255.255.255.0
    global (outside) 4 172.80.80.8 netmask 255.255.255.255
Both the NAT exemption and the dynamic NAT rule match the following firewall rule:
    access-list acl_inside extended permit ip 172.13.100.0 255.255.255.0 object-group Group_Destination
    access-group acl_inside in interface inside
FortiConverter generates the following policies:
    config firewall policy
        edit 110001
            set srcintf "port1"
            set dstintf "port2"
            set srcaddr "h-172.13.100.88"
            set dstaddr "Group_Destination"
            set service "ALL"
            set schedule "always"
            set logtraffic disable
            set status enable
            set action accept
        next
        edit 10001
            set srcintf "port1"
            set dstintf "port2"
            set srcaddr "n-172.13.100.0_24"
            set dstaddr "Group_Destination"
            set service "ALL"
            set schedule "always"
            set logtraffic disable
            set status enable
            set action accept
            set nat enable
            set ippool enable
            set poolname "ippool-172.80.80.8"
        next
    end
The NAT exemption configuration generates policy 110001 with no NAT behavior. The dynamic NAT configuration generates policy 10001, which references an IP pool. Because policy 00110001 comes first in the configuration, traffic from "h-172.13.100.88" matches it and isn't translated before it can reach policy 10001, which applies dynamic NAT to the rest of "n-172.13.100.0_24".
When NAT control is enabled in PIX, traffic from an interface with high-level security to an interface with low-level security isn't allowed if no NAT rule is configured. To allow traffic that doesn't require NAT, a NAT exemption is required.
A source configuration has the following NAT configuration, which includes NAT control and a NAT exemption:
    nat-control
    nat (inside) 0 access-list inside_nat_exemption
    access-list inside_nat_exemption extended permit ip host 172.14.100.88 object-group Group_Destination
It also has the following firewall rule:
    access-list acl_inside extended permit ip 172.14.100.0 255.255.255.0 object-group Group_Destination
    access-group acl_inside in interface inside
The interface security level has the following configuration:
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
FortiConverter generates the following policies:
    config firewall policy
        edit 110002
            set srcintf "port1"
            set dstintf "port2"
            set srcaddr "h-172.14.100.88"
            set dstaddr "Group_Destination"
            set service "ALL"
            set schedule "always"
            set logtraffic disable
            set status enable
            set action accept
        next
        edit 10002
            set srcintf "port1"
            set dstintf "port2"
            set srcaddr "n-172.14.100.0_24"
            set dstaddr "Group_Destination"
            set service "ALL"
            set schedule "always"
            set logtraffic disable
            set status disable
            set action accept
            set comments "This policy is disabled as not allowed by NAT-Control."
        next
    end
The source interface of the firewall rule is "inside" (port1), which has security level 100. The destination interface of this firewall rule is calculated to be "outside" (port2), which has security level 0. Since "inside" has a higher security level than "outside", traffic from "n-172.14.100.0_24" to "Group_Destination" isn't allowed if NAT isn't configured (even if the firewall rule allows it). Only traffic from "h-172.14.100.88" to "Group_Destination" is allowed because a NAT exemption is configured for it. Since other traffic isn't allowed, FortiConverter disables policy 10002, and adds a comment to show the reason.
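The merge logic in the "NAT rule and policy addresses don't match exactly" section and in the NAT exemption and NAT control examples above all come down to one address-intersection step plus an ordering rule. The following is an added example, not FortiConverter's code, that reproduces those outputs for the page's inputs: it parses the PIX/ASA address tokens, computes where the NAT rule and the firewall rule overlap, and emits policy stubs in the order the page shows (exemption first, then the NAT policy, then the untranslated remainder, disabled under nat-control for high-to-low traffic). The security levels, addresses and comment string are the page's; the `convert_rule` function, the dict layout and the "100000 + id" numbering for the inserted NAT policies are this example's assumptions.

```python
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional, Sequence

# Interface security levels from the page's 'nameif' lines.
SECURITY: Dict[str, int] = {"inside": 100, "outside": 0}
NAT_CONTROL_COMMENT = "This policy is disabled as not allowed by NAT-Control."


def parse_cisco_addr(text: str) -> IPv4Network:
    """Parse a PIX/ASA address token: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    parts = text.split()
    if parts == ["any"]:
        return ip_network("0.0.0.0/0")
    if parts[0] == "host":
        return ip_network(f"{parts[1]}/32")
    return ip_network(f"{parts[0]}/{parts[1]}")  # ipaddress accepts dotted masks


def fgt_name(net: IPv4Network) -> str:
    """Address-object name in the style of the page's output: all, h-<ip>, n-<net>_<len>."""
    if net.prefixlen == 0:
        return "all"
    if net.prefixlen == 32:
        return f"h-{net.network_address}"
    return f"n-{net.network_address}_{net.prefixlen}"


def intersect(a: IPv4Network, b: IPv4Network) -> Optional[IPv4Network]:
    """Overlap of two CIDR networks: the more specific one, or None if they are disjoint."""
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    return None


def policy(pid: int, srcaddr: str, nat: bool, **extra) -> dict:
    p = {"policyid": pid, "srcaddr": srcaddr, "nat": nat, "status": "enable"}
    p.update(extra)
    return p


def convert_rule(rule_src: str, policy_id: int, src_if: str = "inside", dst_if: str = "outside",
                 dynamic_nat: Optional[dict] = None, exemptions: Sequence[str] = (),
                 nat_control: bool = False) -> List[dict]:
    """Merge one firewall rule (by source address) with the NAT rules that apply to it.

    Returns policy stubs in installation order:
      1. a no-NAT policy for each 'nat 0 access-list' exemption overlapping the rule;
      2. a NAT policy with an IP pool for the part of the rule a dynamic NAT rule covers;
      3. a non-NAT policy for whatever remains, disabled under nat-control when the
         traffic flows from a higher to a lower security level.
    """
    rule_net = parse_cisco_addr(rule_src)
    out: List[dict] = []

    for ex in exemptions:
        overlap = intersect(parse_cisco_addr(ex), rule_net)
        if overlap is not None:
            out.append(policy(100000 + policy_id + len(out), fgt_name(overlap), nat=False))

    if dynamic_nat is not None:
        overlap = intersect(parse_cisco_addr(dynamic_nat["real"]), rule_net)
        if overlap is not None:
            whole_rule = overlap == rule_net
            pid = policy_id if whole_rule else 100000 + policy_id + len(out)
            out.append(policy(pid, fgt_name(overlap), nat=True, ippool=True,
                              poolname=f"ippool-{dynamic_nat['global']}"))
            if whole_rule:
                return out  # nothing is left untranslated

    rest = policy(policy_id, fgt_name(rule_net), nat=False)
    if nat_control and SECURITY[src_if] > SECURITY[dst_if]:
        rest["status"] = "disable"
        rest["comments"] = NAT_CONTROL_COMMENT
    out.append(rest)
    return out


if __name__ == "__main__":
    nat1 = {"real": "10.1.2.0 255.255.255.0", "global": "193.205.32.10"}
    for src, pid in (("host 10.1.2.1", 10001), ("10.1.0.0 255.255.0.0", 10002), ("any", 10003)):
        for p in convert_rule(src, pid, dynamic_nat=nat1):
            print(p)
```

Running it reproduces the three intersection cases (a single NAT policy 10001 for "h-10.1.2.1"; 110002/10002 for "n-10.1.2.0_24" and "n-10.1.0.0_16"; 110003/10003 for "n-10.1.2.0_24" and "all") and the two exemption cases, including the disabled policy 10002 carrying the NAT-control comment. The ordering matters as much as the addresses: if the remainder policy were installed before the exemption policy, the exempt host would be translated anyway.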
Unused VIP objects generate policy
In some cases, the final policy in an output configuration is one that FortiConverter generates from VIP objects that aren't used as a destination address in at least one policy. For example:
    config firewall policy
        edit 001
            set srcintf "port1"
            set dstintf "any"
            set srcaddr "all"
            set dstaddr "vip-172.21.84.24" "vip-172.21.84.25" "vip-172.21.84.26"
            set service "ALL"
            set schedule "always"
            set logtraffic all
            set status enable
            set action deny
            set comments "This policy is auto-generated by FortiConverter to activate static-NAT VIPs that aren't referenced in other policies."
        next
    end
This type of policy enables the source static NAT mapping by capturing all VIP objects that other policies don't reference.
In some conversions, FortiConverter generates more than one of this kind of policy – one for each external interface that is referenced by an unreferenced VIP object.
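The catch-all policy above is easy to audit after a conversion: collect every VIP, subtract the ones some policy already uses as a destination, and group what is left by external interface. The following is an added example, not FortiConverter's code, that does exactly that and renders the result in the CLI form the page uses. The VIP names and the referencing policy are constructed sample data; the comment text is the page's. Using the VIP's external interface as the policy's srcintf, and numbering from 1, are this example's assumptions.

```python
from collections import defaultdict
from typing import Dict, List

AUTO_COMMENT = ("This policy is auto-generated by FortiConverter to activate "
                "static-NAT VIPs that aren't referenced in other policies.")

# Constructed sample data: four VIPs, of which only one is referenced by a policy.
SAMPLE_VIPS = [
    {"name": "vip-172.21.84.24", "extintf": "port2"},
    {"name": "vip-172.21.84.25", "extintf": "port2"},
    {"name": "vip-172.21.84.26", "extintf": "port3"},
    {"name": "vip-200.251.129.95", "extintf": "port2"},
]
SAMPLE_POLICIES = [
    {"policyid": 10005, "dstaddr": ["vip-200.251.129.95"]},
]


def unreferenced_vip_policies(vips: List[dict], policies: List[dict],
                              first_id: int = 1) -> List[dict]:
    """One deny/log policy per external interface, listing the VIPs no policy references."""
    referenced = {name for p in policies for name in p.get("dstaddr", [])}
    by_intf: Dict[str, List[str]] = defaultdict(list)
    for vip in vips:
        if vip["name"] not in referenced:
            by_intf[vip["extintf"]].append(vip["name"])
    out: List[dict] = []
    for i, (intf, names) in enumerate(sorted(by_intf.items())):
        out.append({
            "policyid": first_id + i,
            "srcintf": intf,          # assumption: the VIPs' external interface
            "dstintf": "any",
            "srcaddr": ["all"],
            "dstaddr": sorted(names),
            "service": "ALL",
            "schedule": "always",
            "logtraffic": "all",
            "status": "enable",
            "action": "deny",
            "comments": AUTO_COMMENT,
        })
    return out


QUOTED = ("srcintf", "dstintf", "service", "schedule", "comments")


def render(pol: dict) -> str:
    """Emit a policy stub as FortiOS CLI lines in the layout the page's examples use."""
    lines = [f"edit {pol['policyid']}"]
    for key in ("srcintf", "dstintf", "srcaddr", "dstaddr", "service", "schedule",
                "logtraffic", "status", "action", "comments"):
        val = pol[key]
        if isinstance(val, list):
            val = " ".join(f'"{v}"' for v in val)
        elif key in QUOTED:
            val = f'"{val}"'
        lines.append(f"    set {key} {val}")
    lines.append("next")
    return "\n".join(lines)


if __name__ == "__main__":
    for pol in unreferenced_vip_policies(SAMPLE_VIPS, SAMPLE_POLICIES):
        print(render(pol))
```

A reviewer can diff the output of `unreferenced_vip_policies` against the converter's final policies: any VIP that shows up here but not in the converted configuration is a static mapping that silently lost its activation.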