Recently I was faced with an issue outside my normal expertise… those of you that know me realize I am anything but a security engineer. But in reality, you must always expand your horizons. One of the projects I’m working on involves migrating between two edge networks. Obviously, for a time there has to be traffic using both networks while you migrate services from one network to the other. This creates an issue from services that may be NAT’d from the inside of the network, where as the current (read: old) default route takes them out a different connection..
In order to solve this, you need to either change the default route, which may not be possible, or start NAT’ing the source address of your traffic. It took me a bit of time to get the details worked out, so I wanted to share what I found out.
Plain Jane Static NAT
Since 8.3, NAT has changed quite a bit. The most obvious change is the use of Object groups pretty much everywhere. In some ways, this simplifies the config. In others, not so much. Basic static NAT takes the form of a single object group that defines the inside host, and the static NAT statement.
object network SERVER host 10.72.14.29 nat (OUTSIDE,INSIDE) static 22.214.171.124
NAT + PAT
The biggest thing that kept giving me issues was that I was attempting to reuse the normal static NAT config, and build a separate PAT config for the source address. Once I realized I was being a tool, the solution came rather quickly. This NAT statement is configured in the same manner as Identity NAT, used to prevent address translations to certain destinations. First you define two object groups, one for the NAT address, and one for the real inside address of the server.
object network SERVER_NAT host 126.96.36.199 ! object network SERVER_INSIDE host 10.72.14.29 ! nat (OUTSIDE,INSIDE) source dynamic any interface destination static SERVER_NAT SERVER_INSIDE
Next comes this slighly confusing NAT statement…
nat (OUTSIDE,INSIDE) — this is familiar, should make sense to most of us.
source dynamic any interface — this states that our source address is using dynamic NAT/PAT, the traffic could originate from anywhere, and should be NAT’d to the interface it leaves the firewall on. This is the key to our source NAT/PAT configuration…
destination static SERVER_NAT SERVER_INSIDE — finally, this just states the our destination is a static NAT statement, translating our object group SERVER_NAT, to the address in the object group SERVER_INSIDE.
So, hopefully this makes sense… if not, please remember that RouterJockey.com provides no warranties or promises and that you’re just as hopelessly screwed as I am. Thanks for stopping by!