Book Excerpt: Cisco Secure Internet Security Solutions, part 2 - Page 4
The nat command is used in conjunction with the global command. The nat command specifies from which interface connections can originate. The syntax for the nat command follows:
nat [(interface_name)] nat_id local_ip [netmask [max_connections [em_limit]]] [norandomsequence]

The nat_id number must be the same on the nat and global command statements. Although you might have multiple global commands associated with an interface, only a single nat command can be used. Use the no form of the nat command to remove the nat entry, or rewrite the nat command with the same nat_id to overwrite the existing nat command. After issuing a nat command, you should enter the clear xlate command. This command clears all present NAT and PAT connections, which are then reestablished with the new parameters. Using the number 0 for the nat_id is covered later in this section, after the other parameters of the nat command and the use of the nat command with access lists have been described.
The local_ip parameter can be set to a single IP address or to a whole network by adjusting the netmask parameter. The local_ip parameter specifies the internal network address to be translated. Using 0.0.0.0 allows all hosts to start outbound connections. Instead of using 0.0.0.0, you can abbreviate by using simply 0.
Use the netmask parameter as you would use any subnet mask. The exception is when you use 0.0.0.0 as the netmask. Using 0.0.0.0 means that you want to allow all hosts on the local network through. This can be abbreviated as simply 0. When allowing all hosts through, you can use 0 for both the local_ip and the netmask. Within the PIX, 0 can be substituted for where the word any would be used on a Cisco router. The command line might look like any of the following lines, assuming that the local inside network is 10.1.1.0 with a Class C subnet mask:
nat (inside) 1 0 0 0 0
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
nat (inside) 1 0 255.255.255.0 0 0
nat (inside) 1 10.1.1.0 0 0 0
The max_connections parameter limits the number of concurrent TCP connections through an interface. Using 0 makes the number of connections limited only by the license agreement and software installed on the PIX Firewall.
Embryonic connections are half-open TCP connections. The default of 0 does not limit the number of embryonic connections. On slower systems, entering a number for em_limit ensures that the system does not become overwhelmed trying to deal with embryonic connections.
The norandomsequence keyword is used to disable the default random sequencing of TCP packet numbers. Although usually not added to the nat command, this can be useful for debugging and in certain other circumstances. For example, if traffic must travel through two PIX Firewalls, the dual randomization of sequence numbers might cause the application to fail. In this case, adding the norandomsequence keyword to one of the PIX Firewalls should resolve the problem.
There are some special considerations for using the nat and global commands with a nat_id of 0. The first consideration is when using an access list to prevent NAT from occurring. For example, the following lines allow the hosts at IP addresses 10.1.1.54 and 10.1.1.113 to traverse the PIX without changing their IP addresses. All other addresses on the inside network receive translation services. The access list associated with a nat 0 command merely prevents NAT; it does not limit accessibility to the outside.
access-list prevent_nat permit tcp host 10.1.1.54 any
access-list prevent_nat permit tcp host 10.1.1.113 any
nat (inside) 0 access-list prevent_nat

The access list should not attempt to prevent specific ports, because this causes the addresses to become translated. The Adaptive Security Algorithm (ASA) remains in effect, watching packets and preventing unauthorized access. However, the addresses within the access list are reachable through the outside interface without translation.
The nat 0 command can also be used without an access list, in the same way as any other nat_id. However, using a nat_id of 0 without an access list causes all hosts on the network specified with the netmask to bypass the NAT functionality of the PIX. Previous versions of the PIX software experienced an issue when using 0 as the nat_id: it caused the PIX to use proxy Address Resolution Protocol (ARP) for all inside addresses. PIX software version 5.0 and later disables this behavior. If no addresses are to be translated, the global command is not necessary. The following example shows how all inside addresses can be prevented from being translated:
nat (inside) 0 0 0 0 0
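To make the rules above concrete, here is an added example (constructed for this page, not Cisco code or a reproduction of PIX behaviour in every detail) that models both the nat syntax section and the nat 0 / access-list section: it parses nat lines with the 0 abbreviations, treats a repeated nat_id on the same interface as an overwrite and the no form as a removal, checks that every non-zero nat_id has a matching global, and decides for an inside host whether it leaves untranslated, translated under a given nat_id, or with no translation group at all. The access-list entries are assumed to use the permit ... any form, entries carrying a port operator are assumed not to exempt the host (as the text warns), and global statements are represented only by their nat_id values.

```python
"""Constructed model of PIX nat/global matching; not Cisco's implementation."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple, Union

ANY = ipaddress.IPv4Network("0.0.0.0/0")
PORT_OPERATORS = {"eq", "gt", "lt", "neq", "range"}


def _addr(token: str) -> str:
    """PIX lets a bare 0 stand in for 0.0.0.0 (a router's 'any')."""
    return "0.0.0.0" if token == "0" else token


@dataclass
class NatRule:
    interface: str
    nat_id: int
    network: ipaddress.IPv4Network   # 0.0.0.0/0 means every inside host
    max_conns: int = 0               # 0 = limited only by the license
    em_limit: int = 0                # 0 = no embryonic-connection limit
    norandomsequence: bool = False
    acl: Optional[str] = None        # access-list form, nat_id 0 only


@dataclass
class AclEntry:
    name: str
    permit: bool
    source: ipaddress.IPv4Network
    has_ports: bool                  # port operators defeat the nat 0 exemption


NAT_RE = re.compile(r"^nat\s+\((?P<iface>\w+)\)\s+(?P<id>\d+)\s*(?P<rest>.*)$")
ACL_RE = re.compile(r"^access-list\s+(?P<name>\S+)\s+(?P<action>permit|deny)\s+\S+\s+(?P<rest>.*)$")


def parse_nat(line: str) -> NatRule:
    """Parse one nat line in the syntax given in the excerpt."""
    m = NAT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a nat command: {line!r}")
    iface, nat_id = m["iface"], int(m["id"])
    tokens = m["rest"].split()
    if tokens[:1] == ["access-list"]:
        if nat_id != 0:
            raise ValueError("the access-list form is only valid with nat_id 0")
        return NatRule(iface, 0, ANY, acl=tokens[1])
    local_ip = _addr(tokens[0])
    mask = _addr(tokens[1]) if len(tokens) > 1 else "255.255.255.255"
    # local_ip 0 means all hosts whatever the mask; mask 0 widens any local_ip to all hosts
    network = ANY if local_ip == "0.0.0.0" else ipaddress.IPv4Network(f"{local_ip}/{mask}", strict=False)
    numbers = [int(t) for t in tokens[2:] if t.isdigit()]  # max_connections, em_limit
    max_conns = numbers[0] if numbers else 0
    em_limit = numbers[1] if len(numbers) > 1 else 0
    return NatRule(iface, nat_id, network, max_conns, em_limit, "norandomsequence" in tokens)


def parse_acl_entry(line: str) -> AclEntry:
    """Parse 'access-list NAME permit|deny PROTO SOURCE [ports] DEST [ports]'."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an access-list entry: {line!r}")
    tokens = m["rest"].split()
    if tokens[0] == "host":
        source, rest = ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    elif tokens[0] == "any":
        source, rest = ANY, tokens[1:]
    else:
        source = ipaddress.IPv4Network(f"{_addr(tokens[0])}/{_addr(tokens[1])}", strict=False)
        rest = tokens[2:]
    return AclEntry(m["name"], m["action"] == "permit", source, any(t in PORT_OPERATORS for t in rest))


class NatTable:
    """nat entries keyed by (interface, nat_id): a repeated nat_id overwrites the old entry."""

    def __init__(self) -> None:
        self.rules: Dict[Tuple[str, int], NatRule] = {}

    def configure(self, line: str) -> None:
        line = line.strip()
        negate = line.startswith("no ")
        rule = parse_nat(line[3:] if negate else line)
        key = (rule.interface, rule.nat_id)
        if negate:
            self.rules.pop(key, None)   # 'no nat ...' removes the entry
        else:
            self.rules[key] = rule      # same nat_id: overwrite (clear xlate still required)


def missing_globals(table: NatTable, global_ids: Set[int]) -> Set[int]:
    """Non-zero nat_ids that have no global with the same id (nat 0 needs none)."""
    return {r.nat_id for r in table.rules.values() if r.nat_id != 0 and r.nat_id not in global_ids}


def translation_for(table: NatTable, acl_entries: Iterable[AclEntry], interface: str,
                    src: str) -> Union[str, Tuple[str, int]]:
    """Decide what happens to an outbound packet from src arriving on interface."""
    ip = ipaddress.IPv4Address(src)
    entries: List[AclEntry] = list(acl_entries)
    # nat 0 exemptions are checked before any translating nat_id
    for rule in table.rules.values():
        if rule.interface != interface or rule.nat_id != 0:
            continue
        if rule.acl is None and ip in rule.network:
            return "untranslated"
        if rule.acl is not None and any(
                e.name == rule.acl and e.permit and not e.has_ports and ip in e.source for e in entries):
            return "untranslated"
    for rule in table.rules.values():
        if rule.interface == interface and rule.nat_id != 0 and ip in rule.network:
            return ("translated", rule.nat_id)
    return "no translation group"   # the PIX drops the packet
```

Feed it the four equivalent lines from the text and each parses to the all-hosts network; feed it the prevent_nat access list and 10.1.1.54 comes back untranslated while any other inside host is translated under nat_id 1. The port-operator case is modelled as the text describes it (the host is translated), which is the behaviour to test for when an exemption silently stops working.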