FTD NAT Reflection

  • Post author:
  • Post category:Cisco / FTD

NAT Reflection on the FTD or ASA is a technique to allow communication of internal devices to access a server(s) located in either internal network or a DMZ, but by using the public IP address assigned to the outside interface. The diagram below represents the scenario described; a user on the internal network (192.168.10.100) attempts to connect to SERVER01 using the Public NAT Address (1.1.1.15), the firewall untranslates the public IP address to the real IP address and traffic egresses back out the same interface it came in on.

This type of NAT configuration is not often used, generally inside the network, the server’s name would be resolved by DNS to the private IP address instead of the public IP address.

Configuration

The configuration steps below describe how to configure NAT Reflection on an FTD using FDM, the same logic can be used to configure NAT Reflection using the FMC.

  • Login to FDM GUI
  • Navigate to Objects > Networks
  • Create an object for the real IP address of the server (SERVER01)
  • Create an object for the NAT IP address of the server (SERVER01-NAT)
  • Create an object to represent the Internal network (Internal-LAN)

  • Navigate to Policies
  • Click NAT
  • Click Add Rule
  • Name the rule appropriately
  • Select Manual NAT
  • Select Placement as Before Auto NAT Rules
  • Type as Static

Create the rule as per the table below.

Original Packet Translated Packet
Src Interface Src Address Dst Address Dst Interface Src Address Dst Address
INSIDE Internal-LAN SERVER01-NAT INSIDE Interface SERVER01

The screenshot below represents the actual GUI configuration of the NAT Reflection rule.

  • Navigate to Policies > Access Control
  • Click Add Rule

Create an Access Control rule permitting traffic from the “Internal-LAN” object to the “SERVER01” object. The SERVER01 object represents the real IP address of the server.

Configuration is complete, Deploy the policy to the FTD.

Testing/Verification

  • Login to the CLI of the FTD
  • Run the command system support diagnostics-cli to enter the Diagnostics CLI
  • Turn on ICMP debugs using the command debug icmp trace

Connect to the test computer (192.168.10.100) and ping the SERVER01’s public IP address (1.1.1.15).

From the screenshot below we can determine the ICMP echo request was received by the FTD, and traffic was translated/untranslated with a reply from the destination server.

Exit from the Diagnostics CLI

  • Run the command system support firewall-engine-debug
  • Specify the client IP address: as 192.168.10.100 (the test computer).
  • Repeat the ping test from the test computer

From the screenshot below we can determine that traffic matched the Access Control rule “Access SERVER01” (as previously defined) and the action was “allow”.

Running packet-tracer will confirm the traffic was allowed and which NAT rule and Access Control Rule was matched.

> packet-tracer input inside icmp 192.168.10.100 8 0 1.1.1.15

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,inside) after-auto source static Internal-LAN interface destination static SERVER01-NAT SERVER01

Additional Information:
NAT divert to egress interface inside(vrfid:0)
Untranslate 1.1.1.15/0 to 192.168.10.5/0

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435457 object Internal-LAN object SERVER01 rule-id 268435457 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435457: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435457: L5 RULE: Access SERVER01
object-group service |acSvcg-268435457
 service-object ip

Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,inside) after-auto source static Internal-LAN interface destination static SERVER01-NAT SERVER01

Additional Information:
Static translate 192.168.10.100/0 to 192.168.100.10/0

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
!
!
SNIP
!
!
Result:
input-interface: inside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: allow

Summary

A normal dynamic NAT rule used normally used for internet access will not suffice in this scenario, hence the requirement for a NAT Reflection rule. The same logic call also be used on an ASA, the output below is the ASA CLI command syntax.

nat (inside,inside) source static Internal-LAN interface destination static SERVER01-NAT SERVER01

 

Tags: , , ,