Sunday, March 14, 2010

Destination NAT (Outside NAT) on Cisco and xlate flags

The task was extremely simple. The packet with: SRC:, DST:, needs to be translated to: SRC:, DST: Having extensive amount of all kinds of NAT done on Checkpoint (you can do that with 3 clicks on Checkpoint), I thought this will be piece of cake. It took me 4-6 hours, going through many Cisco FWSM examples and I had to write to IPexpert CCIE Security mailing list for help.

I started to look for a way to use static (outside, inside) I as thought the first interface is the interface which will hit the packet. It turn out that I'm totally wrong, and it doesn't matter the order in the static statement as long the first statement match the real interface and the second interface match the mapped interface.

At the end the config was:

static (inside,outside)

We can use: show xlate debug to verify the NAT:

NAT from inside: to outside: flags si idle 0:00:33 timeout 0:01:00 connections 0

Note the "si" flag above. The list of all flags:

Flags: D - DNS, d - dump, I - identity, i - inside, n - no random,
       o - outside, r - portmap, s - static

For explanation for each flag, check the table named: Translation Flags in the command refference for the version of the FWSM/ASA.

Also few days ago, Cisco announced that they will do changes also on NAT in ASA version 8.3.

No comments: