Cisco – How NAT Stitching Works

ciscofirewallnat;netflow

While reading about CISCO NetFlow Analysis I came up with a term named NAT Stitching.

I understand Flow Stitching which join same type of inbound and outbound connection.

But can't find anything discrete about NAT Stitching except the following,

NAT stitching: Unify the NAT information from inside the firewall with information from outside the firewall to pinpoint which IPs and users inside the network are responsible for a particular action

So how it work in detail? Is it a process/protocol or a specific type of NAT?

Best Answer

You must remember that a flow using NAT will look like two different flows: a flow pre-NAT, and a flow post-NAT. This is because NAT is changing one or more of the addresses in the packets. This can present a distorted view of your flows.

As Cisco explains it, NAT stitching will stitch the (apparently) separate flows to give you the single flow view:

Exporting NetFlow from the NAT devices will stitch both pre & post NAT flows together.

The Cisco Press book NetFlow for Cybersecurity goes into more detail:

Lancope’s StealthWatch solution supports a feature called network address translation (NAT) stitching. NAT stitching uses data from network devices to combine NAT information from inside a firewall (or a NAT device) with information from outside the firewall (or a NAT device) to identify which IP addresses and users are part of a specific flow. A great feature of the StealthWatch solution is its ability to perform “NetFlow deduplication.” This feature allows you to deploy several NetFlow collectors within your organization without worrying about double or triple counting the traffic.

Related Solutions

Routing – Does normal packet flow within a virtual router in a PA firewall require a rule

In simple case:

You need only one VR. Multiple VR are needed when you want separate routing tables for different groups of interfaces (i.e. for different clients).
If you can select destination for packet using only destination IP (and as I understand - you can), then you not need PBF. PBF is needed if you want to send packets with same destination IP to different next hops based on source IP/port and/or destination port.

And with your specific question:

Based on Palo Knowledge Base you can have asymmetric routing between zones if you use:
set deviceconfig setting session tcp-reject-non-syn no
set deviceconfig setting tcp asymmetric-path bypass
But maybe you should rethink merging ZONE1, ZONE2 and ZONE3 into one zone because another article suggest that these commands effectively disable higher level scanning for asymmetric traffic. You probably can bypass this with adding artificial VR and scanning traffic between VR (where it will be symmetric), but this in effect will be same as merging zones - just more complicated.

Nat – How does NAT work for large private networks

As a rule of thumb, I size my firewalls for 250 tcp sessions per user. That's on the high side right now, but as people start to use more and more cloud services (dropbox, Office365, etc, etc) the number of sessions per user is only going up in the near future, so I prefer to be on the safe side. This means a single public IP is enough to NAT for only 250 users.

If you have more users, you would need to use more public IP addresses for NAT. This is called a NAT Pool. Your firewall will use IPs from the pool to assign IP/port combinations as needed.

In Cisco IOS, you configure a NAT pool thus:

ip nat pool <name> <start-ip> <end-ip> 
 {netmask <netmask> | prefix-length <prefix-length>}
 [type {rotary}]

If you want to know everything about NAT, check out the Cisco documentation. It's an excellent read.

Best Answer

Related Solutions

Routing – Does normal packet flow within a virtual router in a PA firewall require a rule

Nat – How does NAT work for large private networks

Related Topic