topic Nat Query - ASA 8.4(3) in Network Security

Nat Query - ASA 8.4(3)

Anukalp S — Tue, 12 Mar 2019 01:02:15 GMT

Hello,

I have currently upgraded 8.4(3) version on my ASA and want to configure NAT. I have some internal networks 192.168.85.0/24, 192.168.81.0/24 & 192.168.91.0/24. I want these networks to be natted with single ip 172.25.16.10 for destination 10.110.30.0/24 & 10.110.31.0/24. Could anyone share command config.

Re: Nat Query - ASA 8.4(3)

Jouni Forss — Mon, 18 Feb 2013 19:08:28 GMT

Hi,

The configuration should be something like this

object-group network SOURCE-NETWORKS

network-object 192.168.85.0 255.255.255.0

network-object 192.168.81.0 255.255.255.0

network-object 192.168.91.0 255.255.255.0

object-group network DESTINATION-NETWORKS

network-object 10.110.30.0 255.255.255.0

network-object 10.110.31.0 255.255.255.0

object network PAT-IP-ADDRESS

host 172.25.16.10

nat (inside,outside) source dynamic SOURCE-NETWORKS PAT-IP-ADDRESS destination static DESTINATION-NETWORKS DESTINATION-NETWORKS

Where

SOURCE-NETWORKS = Is the object-group defining the source addresses for the NAT configuration
DESTINATION-NETWORKS = Is the object-group defining the destination networks for which the NAT translation will be done
PAT-IP-ADDRESS = is the object that defines the PAT IP address to be used for translation
nat = Specifies the NAT configuration using the previously configured object-groups and object
"inside" and "outside" = Define the source and destination interfaces of the NAT (can be anything else ofcourse)

Names of the "object-group" or "object network" can be anything you see fit.

Hopefully the information was helpfull

- Jouni

Nat Query - ASA 8.4(3)

Anukalp S — Mon, 18 Feb 2013 19:18:22 GMT

Thanks lot, Jouni..could you help me on other query that is not related to it.

I have below config of ASA 8.2(5) .As i am running 8.4(3) so want below conifg of 8.2(5) into 8.4(3). That would really be appreciated.

access-list www extended permit tcp host 10.110.120.20 any eq www

access-list www extended permit tcp host 10.110.120.20 any eq https

access-list www extended permit tcp host 10.110.120.32 any eq www

access-list www extended permit tcp host 10.110.120.32 any eq https

nat (inside) 2 access-list www

global (outside) 2 141.15.114.93 netmask 255.255.255.255

Nat Query - ASA 8.4(3)

Jouni Forss — Mon, 18 Feb 2013 19:41:51 GMT

Hi,

Configuration for that should be

object-group network SOURCE-HOSTS

network-object host 10.110.120.20

network-object host 10.110.120.32

object service SERVICE-WWW

service tcp destination eq www

object service SERVICE-HTTPS

service tcp destination eq https

object network PAT-ADDRESS

host 141.15.114.93

nat (inside,outside) source dynamic SOURCE-HOSTS PAT-ADDRESS service SERVICE-WWW SERVICE-WWW

nat (inside,outside) source dynamic SOURCE-HOSTS PAT-ADDRESS service SERVICE-HTTPS SERVICE-HTTPS

Where

SOURCE-HOSTS = Is the object-group that defines the source hosts for which this NAT configuration will be applied
PAT-ADDRESS = Is the object that defines the PAT address used for the translation
SERVICE-WWW and SERVICE-HTTPS = Are the objects that define the destination services for which this PAT translation will be done
nat = Is the actual NAT configuration that translates the SOURCE-HOSTS to PAT-ADDRESS when the destination IP address is anything (though behind "outside" interface) and the service is either TCP/80 or TCP/443

I tested this on my home ASA (with different public IP addresses ofcourse) but it seemed to work just fine.

Please remember to rate all helpfull answers and mark the question as answered if it answered your question

Or ask more if needed.

- Jouni

Nat Query - ASA 8.4(3)

Anukalp S — Tue, 19 Feb 2013 11:24:46 GMT

Thanks Jouni...

have a question about destination. As per your config, Source address getting PAT but there is no config for destination "any". Is it automatic assume destination any if we dont mention.

Nat Query - ASA 8.4(3)

Jouni Forss — Tue, 19 Feb 2013 11:33:15 GMT

Hi,

To my understanding this is the case.

Notice though that we use the interface "outside" as the destination interface in the start of the NAT configuration. This in its part limits the destination networks.

ASA softwares all the way from 8.3(1) to 8.4(5) have gone through changes to how the NAT handles these things. I always seem to forget these things and need to refresh information.

- Jouni

Nat Query - ASA 8.4(3)

Anukalp S — Tue, 19 Feb 2013 11:44:52 GMT

Thanks Jouni, it really appreciated.