After presenting the correct way of adding ACL restrictions to a Cisco Zone-based firewall policy, it is time to examine how Network Address Translation (NAT) interacts with a Cisco ZFW deployment. Our particular environment (Figure 1) actually contains a combination of stateful inspection, an L3 rule (ACL) and NAT.
To facilitate understanding, we start by briefly describing our reference scenario:
- Inspection (controlled by class-map TOP-CLASS2) allows only application protocols carried over TCP from the OUTSIDE zone to the INSIDE zone.
- The ACL2 access-list limits the source hosts (subnet 172.18.2.0/24) that may initiate inbound connections to the server 10.5.5.5.
- The two previous conditions are combined under the match-all class-map JOINT2, so both must hold for a packet to be inspected.
- The server's real (inside local) address 10.5.5.5 is seen in the global address space, after static inside source NAT, as the mapped (inside global) address 172.18.2.5.
If you have ever integrated classic Cisco IOS interface ACLs with NAT, you will notice a critical difference: the ACL referenced by the ZFW class-map refers to the real address of the destination host (10.5.5.5), not to the mapped address (172.18.2.5). A classic interface ACL applied inbound on the outside interface is evaluated before the outside-to-inside (global-to-local) translation, so it has to name the mapped address; ZFW evaluates its policy on the already-translated packet and therefore works with the real address.
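The configuration below is an added example that reproduces the scenario described above; it is not taken from the original post. Only the names TOP-CLASS2, ACL2, JOINT2, the zones INSIDE/OUTSIDE and the addresses 10.5.5.5, 172.18.2.5 and 172.18.2.0/24 come from the page. The interface names and router addresses, the exact protocol list inside TOP-CLASS2, the parameter-map, policy-map and zone-pair names are assumptions. The comment beside ACL2 records the contrast with a classic interface ACL, where the mapped address would have to be used instead.

```cisco
! --- Static NAT: 10.5.5.5 (inside local, real) <-> 172.18.2.5 (inside global, mapped)
ip nat inside source static 10.5.5.5 172.18.2.5
!
! --- Zones and interfaces (interface names and router addresses are assumed)
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description INSIDE
 ip address 10.5.5.1 255.255.255.0
 ip nat inside
 zone-member security INSIDE
!
interface GigabitEthernet0/1
 description OUTSIDE
 ip address 172.18.2.1 255.255.255.0
 ip nat outside
 zone-member security OUTSIDE
!
! --- L3 rule used by ZFW: the destination is the REAL address 10.5.5.5.
!     A classic interface ACL applied inbound on GigabitEthernet0/1 would
!     instead have to permit host 172.18.2.5 (the MAPPED address), because
!     an inbound interface ACL is evaluated before outside-to-inside NAT.
ip access-list extended ACL2
 permit ip 172.18.2.0 0.0.0.255 host 10.5.5.5
!
! --- Inspection: application protocols carried over TCP
!     (the page does not list the protocols; "match protocol tcp" is assumed)
class-map type inspect match-any TOP-CLASS2
 match protocol tcp
!
! --- Both conditions must hold (match-all)
class-map type inspect match-all JOINT2
 match class-map TOP-CLASS2
 match access-group name ACL2
!
! --- Audit trail so that session setup/teardown is logged with the real
!     responder address (parameter-map name assumed)
parameter-map type inspect AUDIT
 audit-trail on
!
! --- Policy and zone-pair (names assumed); all other OUTSIDE->INSIDE traffic is dropped
policy-map type inspect OUT-TO-IN-POLICY
 class type inspect JOINT2
  inspect AUDIT
 class class-default
  drop log
!
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN-POLICY
```

After a telnet session from 172.18.2.20 to 172.18.2.5 is established, `show ip nat translations` lists the 10.5.5.5 <-> 172.18.2.5 entry, while `show policy-map type inspect zone-pair OUT-TO-IN sessions` (and the show policy-firewall command used in Figure 2) reports the session against the real address 10.5.5.5, which is exactly why ACL2 must name the real address rather than the mapped one.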
Figure 2 provides further visibility for the topology under analysis, in the specific case of a telnet session initiated by the outside client (172.18.2.20) and bound to the translated address of the server (172.18.2.5):
- The first Syslog message shows how the address translation is created.
- The audit-trail log message highlights that the responder is 10.5.5.5 (the real address), meaning that ZFW is NAT-aware: it tracks the session by the translated, real address rather than by the mapped one.
- The show policy-firewall session command confirms that the inbound connection is established with the real address (from the ZFW standpoint).
** Topics for Study:
- Think about the integration of a classic IOS interface access-list with NAT. What is the advantage of referring to the real address (as ZFW does)?
- Revisit some other categories of IOS NAT (for instance, destination NAT and Port Address Translation). How can you display the active translations? Can you have more than one interface configured with the ip nat outside command?
- Consider the integration of CBAC with NAT and ACLs. Does CBAC refer to the real address or to the mapped address? (Why?)
- Rebuild the ACL shown in this example using the concept of object-group.
** Related Posts:
- Zone Firewall Series: https://alexandremspmoraes.wordpress.com/tag/zone-firewall/
- ACL Series: https://alexandremspmoraes.wordpress.com/tag/identity/