topic Re: nat (any,outside) static interface? in Network Security

nat (any,outside) static interface?

CiscoBrownBelt — Fri, 21 Feb 2020 17:13:17 GMT

I am trying to confirm that the following means nat the object source from any interface to OUTSIDE interface IP as I can't find this config in any docs.

object network natted_Subnet

subnet 10.10.10.0 255.255.255.0

nat (any,outside) static interface

Re: nat (any,outside) static interface?

Marvin Rhoads — Fri, 14 Jun 2019 02:57:55 GMT

That would not be a recommended configuration since you need to use dynamic (PAT) rather than static NAT when mapping many-to-one.

Re: nat (any,outside) static interface?

Edwin Portillo — Fri, 14 Jun 2019 04:34:59 GMT

My Friend,
You should use the NAT overload or PAT for the ease of dynamic handling of ports in the translation, see the following examples:
https://www.certificationkits.com/cisco-certification/ccna-articles/cisco-ccna-network-address-translation-nat/static-nat-dynamic-nat-nat-overload-pat-a-configurations/

Re: nat (any,outside) static interface?

CiscoBrownBelt — Sat, 15 Jun 2019 01:01:10 GMT

This would be correct then on an ASA for let's say internal servers that need to be access from the Outside right?

nat (insde,outside) dynamic (interface or mapped IP address) service tcp 3889 3889
access-list Outside-IN extended permit tcp any host (real IP) eq 3389

Re: nat (any,outside) static interface?

CiscoBrownBelt — Sat, 15 Jun 2019 01:02:31 GMT

This would be correct then on an ASA for let's say internal servers that need to be access from the Outside but just NATTING them to 1 IP or the Outside interface right?

nat (insde,outside) dynamic (interface or mapped IP address) service tcp 3889 3889
access-list Outside-IN extended permit tcp any host (real IP) eq 3389

Re: nat (any,outside) static interface?

Marvin Rhoads — Sat, 15 Jun 2019 03:07:54 GMT

Now that you've added the port 3389 (rdp) your use case changes. You want a static port forwarding NAT rule:

nat (inside,outside) static (interface or mapped IP address) service tcp 3889 3889

See https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/118996-config-asa-00.html#anc10

Re: nat (any,outside) static interface?

Sheraz.Salim — Sat, 15 Jun 2019 07:16:43 GMT

object network natted_Subnet

subnet 10.10.10.0 255.255.255.0

nat (any,outside) static interface

long ago i read in cisco documentation nat (any,outside) is not a best practice. would be better if you put tight control on the flow of traffic either from (inside,outside) or (dmz,outside) instead of any,outside.

you better do a dynamic PAT,

object network natted_Subnet

subnet 10.10.10.0 255.255.255.0

nat (any,outside) dynamic interface

Re: nat (any,outside) static interface?

CiscoBrownBelt — Sat, 15 Jun 2019 16:44:22 GMT

Having trouble knowing when would I really know to use "Static" vs "Dynamic"?

Re: nat (any,outside) static interface?

CiscoBrownBelt — Sat, 15 Jun 2019 16:43:45 GMT

When would I really know to use "Static" vs "Dynamic"?

Re: nat (any,outside) static interface?

Sheraz.Salim — Sat, 15 Jun 2019 18:28:42 GMT

have a read on this doc https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/nat_objects.html will clear all your concepts

Re: nat (any,outside) static interface?

Edwin Portillo — Sun, 23 Jun 2019 03:55:51 GMT

Friend,

Static NAT is used to do a one-to-one mapping between an inside address and an outside address. Static NAT also allows connections from an outside host to an inside host. Usually, static NAT is used for servers inside your network. For example, you may have a web server with the inside IP address 192.168.0.10 and you want it to be accessible when a remote host makes a request to 209.165.200.10. For this to work, you must do a static NAT mapping between those to IPs. In this example, we will use the FastEthernet 0/1 as the inside NAT interface, the interface connecting to our network, and the Serial 0/0/0 interface as the outside NAT interface, the one connecting to our service provide.
Example:
Ip nat inside source static 192.168.0.10 209.165.200.10

Interface FastEthernet 0/1
ip nat inside
Interface Serial 0/0/0
ip nat outside

Dynamic NAT is used when you have a “pool” of public IP addresses that you want to assign to your internal hosts dynamically. Don’t use dynamic NAT for servers or other devices that need to be accessible from the Internet.
Example:
ip nat pool NAT-POOL 209.165.200.226 209.165.200.240 netmask 255.255.255.224

Access-list 1 permit 192.168.0.0 0.255.255.255

Ip nat inside source list 1 pool NAT-POOL

Interface FastEthernet 0/1
Ip nat inside
Interface Serial 0/0/0
ip nat outside