Fulfilling Prerequisites
Before you add a NAT rule, ensure that you understand and fulfill the following items:
- Any associated interfaces that participate in a NAT configuration have to be in a regular firewall mode—routed or transparent. A threat defense does not support NAT on IPS-only interface types, such as inline, inline-tap, and passive. Figure 17-6 shows the available modes of a threat defense physical interface. Select None to enable the regular router interface mode, which supports NAT. Chapter 4, “Firewall Deployment in Routed Mode,” and Chapter 5, “Firewall Deployment in Transparent Mode,” describe the firewall deployment modes in detail.
Figure 17-6 Using the None Option to Turn an Interface into a Regular Firewall Interface
- If you used a threat defense in an IPS-only mode, make sure all the associated interfaces where you want to enable NAT are now configured with IP addresses and security zones. Figure 17-7 shows the allocation of IP addresses and security zones in a threat defense. The lab topology in this chapter uses three routed interfaces on a threat defense—GigabitEthernet0/0, GigabitEthernet0/1, and GigabitEthernet0/2.
Figure 17-7 Allocating IP Addresses and Security Zones on Threat Defense Routed Interfaces
- Before you begin the process of adding a NAT rule, define any network objects that may be invoked within a NAT rule. To add a network object, go to Objects > Object Management and select the Add Network option. Figure 17-8 shows the network objects that are used in the configuration examples in this chapter. You can add any additional objects needed for your own deployment.
Figure 17-8 Network Object Configuration Page
Configuring NAT
A threat defense enables you to accomplish translation in various ways. You can combine either translation type (static or dynamic) with either NAT rule type (Auto or Manual). However, Cisco recommends that you use Auto NAT rules because they are easier to configure and simpler to troubleshoot. In the following sections, you learn how to configure Auto NAT to masquerade IP addresses in the following real-world deployment scenarios:
- Masquerading a source address when an internal host initiates a connection to an external server
- Allowing an external host to connect to an internal host when an external host uses a masqueraded destination address
Masquerading a Source Address (Source NAT for Outbound Connection)
When an internal host initiates a connection to the Internet, a threat defense can translate the internal IP address to a public IP address. In other words, the threat defense can masquerade the source addresses of outbound connections. This section describes various methods to select a public IP address for an outbound connection.
Note
This section assumes that you have already configured any necessary objects described in the “Fulfilling Prerequisites” section earlier in this chapter.
Figure 17-9 shows a scenario where an internal host connects to an external host through a threat defense. When an end user initiates a connection using the original source IP address, the threat defense translates (masquerades) the original source IP address into an address that is predefined in an address pool.
Figure 17-9 Lab Topology Demonstrating Dynamic NAT for Outbound Traffic
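The following Python model is an added illustration, not code from the book or from the threat defense itself. It mimics the dynamic source NAT behavior just described: the first outbound connection from an internal host claims a free address from the pool, later connections from that host reuse the same mapping, replies are untranslated through the same table, and a new host is refused when the pool is exhausted until an entry ages out. All addresses are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DynamicNat:
    """Model of a dynamic (one-to-one, on-demand) source NAT pool.

    The real threat defense keeps this mapping in its xlate table and
    removes it after an idle timeout; release() stands in for that timeout.
    """
    pool: list[str]                                        # mapped (public) addresses
    xlate: dict[str, str] = field(default_factory=dict)    # real -> mapped

    def translate_outbound(self, real_src: str) -> Optional[str]:
        """Mapped source for an outbound flow, or None when the pool is
        exhausted (dynamic NAT without a PAT fallback drops the new flow)."""
        if real_src in self.xlate:
            return self.xlate[real_src]      # reuse the host's existing xlate
        in_use = set(self.xlate.values())
        for mapped in self.pool:
            if mapped not in in_use:
                self.xlate[real_src] = mapped
                return mapped
        return None

    def untranslate_inbound(self, mapped_dst: str) -> Optional[str]:
        """Real host for a reply packet's mapped destination; None if no xlate."""
        for real, mapped in self.xlate.items():
            if mapped == mapped_dst:
                return real
        return None

    def release(self, real_src: str) -> None:
        """Simulate xlate timeout, freeing the pool address for another host."""
        self.xlate.pop(real_src, None)


def demo() -> dict[str, Optional[str]]:
    nat = DynamicNat(pool=["203.0.113.10", "203.0.113.11"])   # constructed pool
    results = {
        "host_a": nat.translate_outbound("192.168.1.10"),
        "host_a_again": nat.translate_outbound("192.168.1.10"),
        "host_b": nat.translate_outbound("192.168.1.20"),
        "host_c": nat.translate_outbound("192.168.1.30"),     # pool exhausted
        "reply_to_b": nat.untranslate_inbound("203.0.113.11"),
    }
    nat.release("192.168.1.10")                                 # host_a idles out
    results["host_c_after_timeout"] = nat.translate_outbound("192.168.1.30")
    return results


if __name__ == "__main__":
    for name, addr in demo().items():
        print(f"{name}: {addr}")
```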