Port Address Translation (PAT) on Adaptive Security Appliance (ASA)

Port Address Translation (PAT) is a type of Network address translation (NAT) used when there is a shortage of public IP addresses .One of the public IP address of the same subnet or the interface address is used for translation.

Port Address Translation (PAT):
This is also known as NAT overload. In this, many local (private) IP addresses get translated to single public IP address .Sometimes, the private addresses are translated into the interface address (single). In this, Port numbers are used to distinguish the traffic i.e which traffic belongs to which IP address.

Procedure:
The procedure is almost same as done in Dynamic NAT but remember in PAT, more than one Private IP address is translated into a single public IP address.



  • Step-1: Configure the access-list
    Build the access-list stating the permit condition i.e who should be permit and what protocol should be permit.

  • Step-2: Apply the access-list to an interface
    The access-group command will be used to state the direction (out or in) in which the action (specified above) should be taken place.

  • Step-3: Create network group or network object
    Network group will state the subnet or different subnets on which PAT will be applied. While the network object states a single subnet which can be further used in the PAT process for translation. It can be said that network group contains more than one network object.

  • Step-4: PAT statement
    This step will specify the direction in which PAT should takes place and on what IP address (Public IP address) the private IP address should be translated.

Configuration:

Three routers namely Router1 (IP address – 10.1.1.1/24), Router2 (IP address – 11.1.1.1/24) and Router3 (IP address – 101.1.1.1) are connected to ASA (IP address- 10.1.1.2/24, name – INSIDE and security level – 100 on Gi0/0, IP address – 11.1.1.2/24, name – DMZ and security level – 50 on Gi0/1, IP address – 101.1.1.2/24, name-OUTSIDE and security level – 0 on Gi0/2) as shown in the above figure.

In this task, we will enable PAT for the traffic generating from INSIDE to OUTSIDE and for the traffic going from DMZ to OUTSIDE.

Configuring IP addresses on all routers and ASA.

Configure IP address on Router1:

Router1(config)#int fa0/0
Router1(config-if)#ip address 10.1.1.1 255.255.255.0
Router1(config-if)#no shut 

Configuring IP address on Router2:


Router2(config)#int fa0/0
Router2(config-if)#ip address 11.1.1.1 255.255.255.0
Router2(config-if)#no shut 

Configuring IP address on Router3:

Router3(config)#int fa0/0
Router3(config-if)#ip address 101.1.1.1 255.255.255.0
Router3(config-if)#no shut 

Configuring IP address, name and security level on the interface of ASA:

asa(config)#int Gi0/0
asa(config-if)#no shut
asa(config-if)#ip address 10.1.1.2 255.255.255.0
asa(config-if)#nameif INSIDE 
asa(config-if)#security level 100
asa(config-if)#exit
asa(config)#int Gi0/1
asa(config-if)#no shut
asa(config-if)#ip address 11.1.1.2 255.255.255.0
asa(config-if)#nameif DMZ
asa(config-if)#security level 50
asa(config-if)#exit
asa(config)#int Gi0/2
asa(config-if)#no shut
asa(config-if)#ip address 101.1.1.2 255.255.255.0
asa(config-if)#nameif OUTSIDE
asa(config-if)#security level 0

Now giving static routes to the routers. Configuring static route to Router1:

Router1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2 

Configuring static route to Router2:

Router2(config)#ip route 0.0.0.0 0.0.0.0 11.1.1.2 

Configuring static route to Router3:

Router3(config)#ip route 0.0.0.0 0.0.0.0 101.1.1.2 

At last configuring static route to ASA:

asa(config)#route INSIDE 10.1.1.0 255.255.255.0 10.1.1.1
asa(config)#route OUTSIDE 101.1.1.0 255.255.255.0 101.1.1.1
asa(config)#route DMZ 11.1.1.0 255.255.255.0 10.1.1.1

For ICMP, either inspect or use ACL to allow the ICMP echo reply from the lower security level to higher security level (This is to be done because by default, no traffic is allowed from lower security level to higher security level).

Configuring access-list:

asa(config)#access-list traffic_out permit icmp any any 
asa(config)#access-list traffic_dmz permit icmp any any 

Here, two access-list has been made.

First access-list name is traffic_out which will allow ICMP traffic from OUTSIDE to INSIDE (having any IP address any mask).
Second access-list has been made named as traffic_dmz which will allow ICMP traffic from OUTSIDE to DMZ (having any IP address any mask) .


Apply these access-list to the ASA interfaces:

asa(config)#access-group traffic_out in interface OUTSIDE 
asa(config)#access-group traffic_dmz in interface DMZ

First statement states that the access-list traffic_out is applied in the inwards direction to the OUTSIDE interface
Second statement states that the access-list traffic_dmz is applied in the inwards direction to the DMZ interface.
INSIDE devices will be able to ping OUTSIDE and DMZ devices.

The task is to enable PAT on ASA whenever the whole subnet (10.1.1.0/24) traffic goes out from INSIDE to OUTSIDE and traffic of network (11.1.1.0/24) from DMZ to OUTSIDE, it should get translated into OUTSIDE interface address.

asa(config)#object network inside_nat
asa(config-network-object)#subnet 10.1.1.0 255.255.255.0
asa(config-network-object)#exit

First, specify that which subnet should get translated.

Direction of NAT translation will be specified:

asa(config)#nat (INSIDE, OUTSIDE) source dynamic INSIDE interface

Applying NAT for traffic going out from DMZ to OUTSIDE:

asa(config)#object network dmz_nat
asa(config-network-object)#subnet 11.1.1.0 255.255.255.0
asa(config-network-object)#exit

Creating NAT pool for this traffic:

asa(config)#object network dmz_nat_pool
asa(config-network-object)#range 120.1.1.1 120.1.1.4
asa(config-network-object)#exit

Tirection for nat translation is specified.

asa(config)#nat (DMZ, OUTSIDE) source dynamic DMZ interface 

The above command specifies that the subnet in dmz_nat should get translated into the IP address of the DMZ interface using PAT. By this, the process of configuring PAT is almost similar to dynamic NAT. The main difference is that to configure the outside interface IP address instead of a NAT pool from which one of the IP address will get translated.

Advantages:
This is most frequently used as it is cost effective as thousands of users can be connected to the Internet by using only one real global (public) IP address.



My Personal Notes arrow_drop_up

Check out this Author's contributed articles.

If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to contribute@geeksforgeeks.org. See your article appearing on the GeeksforGeeks main page and help other Geeks.

Please Improve this article if you find anything incorrect by clicking on the "Improve Article" button below.




Article Tags :
Practice Tags :


Be the First to upvote.


Please write to us at contribute@geeksforgeeks.org to report any issue with the above content.