topic NAT on ASA 5520 in Network Security

NAT on ASA 5520

NES IT — Tue, 12 Mar 2019 00:53:07 GMT

Hi Everyone,

Im a NAT newbie so any help would be greatly appreciated, but Im looking to NAT an internal address to the outside world. So, I have a remote host that I wish to connect to an internal host, but on a pseudo address. So I need the firewall to accept connections to address x.x.x.x and translate them to y.y.y.y (real internal address). I do not want the remote host to see the real internal address.

Ive read the various papers on NAt but am not sure which method I need to use. Also, my access lists would need to reference the real or natted address? Im not sure.

Thanks in advance for any help.

Dan

NAT on ASA 5520

WSLH OIS NOC - OIS Infrastructure — Mon, 28 Jan 2013 15:49:56 GMT

You need a static NAT rule to allow inbound connections. The whole NAT infrastructure changed at firmware 8.3, so <=8.2 you use the mapped addresses in the rules, and >=8.3 you use the real addresses. Where real is what the inside host is sending and receiving on, and mapped is what the firewall is talking to the outside. If you can supply more details about which ASA software version you are implementing and whether you are forwarding all ports and protocols or just some few TCP ports, we can be more specific with our help.

-- Jim Leinweber

NAT on ASA 5520

NES IT — Mon, 28 Jan 2013 15:54:37 GMT

Thank you for your reply Jim.

Im using asa911-k8.bin as the OS and looking to only really translate http traffic. Thats the only traffic which should be coming in anyway.

Thanks again,

Dan

NAT on ASA 5520

NES IT — Tue, 29 Jan 2013 14:19:58 GMT

Was that enough info Jim?

Dan

Re: NAT on ASA 5520

WSLH OIS NOC - OIS Infrastructure — Tue, 29 Jan 2013 16:59:17 GMT

Almost enough information. It would help to know how many IPv4 addresses you have on the outside of the firewall, and how you plan to use them. For a scenario with:

* ASA software 9.1(1)

* 1 IPv4 address on the outside interface of the firewall, say 203.0.113.2

* inbound traffice to port 80 redirected to a particular server, say 172.16.1.8

The video referenced in this forum thread might be helpful:

https://supportforums.cisco.com/docs/DOC-12324

The relevent command line documentation is at:

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/nat_overview.html

The configuration you want in this case would be something like:

object network web-nat-8

host 172.16.1.8

nat (inside,outside) static 172.16.1.8 203.0.113.2 service tcp 80 80 no-proxy-arp

ACL's now use the "real" addresses, so 172.16.1.8 in your rules, e.g.

access-list OUTSIDE-INGRESS-01 permit tcp any4 172.16.1.8 port 80

access-group OUTSIDE-INGRESS-01 in interface outside

-- Jim Leinweber, WI state lab of Hygiene