Sunday, December 8, 2013

Advanced types of NAT

In a previous post (NAT order of operation on Cisco ASA firewall) we took a look at how many NAT configuration types the Cisco ASA supports and what the differences between them are. In advanced (firewall) configurations there can be other types of address and port translation that obey more or less restrictive rules. Examples and a short listing of them can be found below (a full description can be found in the references section):
  • Symmetric NAT
The standard and most restrictive form. Only the original source and destination hosts can communicate with each other through the binding.
  • Full-cone NAT
Any external host can use the NAT binding (the entry in the connection table that records the translation) and communicate with the internal server. Neither the external IP nor the external port is checked when processing TCP/UDP packets.
  • Restricted-cone NAT
Only the original remote host can use the NAT binding; the remote port is irrelevant.
  • Port-restricted-cone NAT
The converse of the restricted-cone NAT: any host can reuse the NAT binding as long as it uses the original destination port number that was in use when the binding was created and stored in the NAT table in the firewall's memory. Take a look at the "X" and "V" paths in the illustration below:
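To make the four filtering rules above concrete, here is a small Python model of a firewall NAT table (an added example, not code from the post or from Cisco) that creates a binding on the first outbound packet and then decides which inbound packets may reuse it; it follows the post's definitions, so its port-restricted rule checks only the port, which is looser than the RFC 3489 definition that also checks the remote IP. The addresses, ports and the NatTable/run_scenario names are constructed for the illustration.

```python
from enum import Enum

class NatType(Enum):
    SYMMETRIC = "symmetric"
    FULL_CONE = "full-cone"
    RESTRICTED_CONE = "restricted-cone"
    PORT_RESTRICTED_CONE = "port-restricted-cone"  # as the post defines it

class NatTable:
    """Toy model of a firewall NAT table; endpoints are (ip, port) tuples."""
    def __init__(self, nat_type, outside_ip, first_port=20000):
        self.nat_type, self.outside_ip = nat_type, outside_ip
        self.next_port = first_port
        self.bindings = {}  # mapped (ip, port) -> (internal endpoint, set of peers)

    def outbound(self, internal, remote):
        """Internal host sends to remote; return the mapped outside endpoint."""
        # Cone NATs reuse one mapping per internal socket; symmetric NAT makes one per (internal, peer) pair.
        for mapped, (inside, peers) in self.bindings.items():
            if inside == internal and (self.nat_type is not NatType.SYMMETRIC or remote in peers):
                peers.add(remote)
                return mapped
        mapped = (self.outside_ip, self.next_port)
        self.next_port += 1
        self.bindings[mapped] = (internal, {remote})
        return mapped

    def inbound(self, src, dst):
        """Packet from src hits outside endpoint dst; return the internal endpoint or None (dropped)."""
        if dst not in self.bindings:
            return None
        internal, peers = self.bindings[dst]
        if self.nat_type is NatType.FULL_CONE:
            ok = True                                # any host, any port
        elif self.nat_type is NatType.RESTRICTED_CONE:
            ok = any(src[0] == p[0] for p in peers)  # original host, any port
        elif self.nat_type is NatType.PORT_RESTRICTED_CONE:
            ok = any(src[1] == p[1] for p in peers)  # original port, any host
        else:
            ok = src in peers                        # symmetric: exact original peer only
        return internal if ok else None

def run_scenario(nat_type):
    """Constructed sample: 10.0.0.5:4000 sends to 203.0.113.7:5060, then four inbound probes
    (original peer, same host/other port, other host/same port, other host/other port) try the binding."""
    nat = NatTable(nat_type, outside_ip="198.51.100.1")
    internal, remote = ("10.0.0.5", 4000), ("203.0.113.7", 5060)
    mapped = nat.outbound(internal, remote)
    probes = [remote, ("203.0.113.7", 9999), ("192.0.2.9", 5060), ("192.0.2.9", 9999)]
    return tuple(nat.inbound(p, mapped) == internal for p in probes)
```

Running run_scenario for each NatType gives one row per NAT type showing which of the four probes is forwarded, which is exactly the "X" and "V" comparison the list above describes.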


Despite the good theoretical explanation that you can find at Cisco, I wasn't able to find a working example for the ASA. I found only some spare documents for wireless routers in the context of the SIP protocol. Does the ASA support these NAT types?

References

http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_7-3/anatomy.html
https://supportforums.cisco.com/thread/2178132
