Monday, January 11, 2010

ASA Transparent mode NAT

The ASA transparent mode acts as a bump in the wire (Placed in the layer 2 path of the traffic). There is no interface IP addressing with transparent mode. The ASA can be assigned an IP address for remote management and testing. In the transparent mode, there are still access rules and inspection rules. There are a few exceptions though. For instance, ARP and BPDU is allowed from lower security level interfaces by default.

With the ASA 7.x code and lower, the ASA did not support address translation in transparent mode. In fact, the 'nat' and 'global' commands were disabled. The static command was available but the real and translated addresses must be the same. IMO, the command was enabled so that the static options can be used. An example would be the 'norandomseq' keyword that is used in BGP authentication.

With the ASA code 8.x code, there is now support for NAT in transparent mode.
The NAT implementation has a few caveats:
1. The alias command is NOT supported.
2. Since there is no interface address, interface PAT is not allowed.
3. Arp Inspection is not allowed
4. Since the inside and outside interfaces are on the same 'subnet', if any of the addresses (real or translated) is NOT on the subnet, then static routes have to be used to point to the address so that routing can take place. This is from the configuration guide:

"When the mapped addresses are not on the same network as the transparent firewall, then on the upstream router, you need to add a static route for the mapped addresses that points to the downstream router (through the security appliance)

If the real destination address is not directly-connected to the security appliance, then you also need to add a static route on the security appliance for the real destination address that points to the downstream router. Without NAT, traffic from the upstream router to the downstream router does not need any routes on the security appliance because it uses the MAC address table. NAT, however, causes the security appliance to use a route lookup instead of a MAC address lookup, so it needs a static route to the downstream router."

With the Routing fixed, NAT with the ASA transparent mode should not be too different from the regular routed mode NAT.

Further Reading:
ASA Configuration Guide: NAT in Transparent mode

No comments:

Post a Comment