ASA NAT

Waterbird
Level 1

Please explain this configuration.  What kind of NAT is it using and how can I learn how to configure it?

 

nat (any,outside) source static OBJECT-GROUP-1 OBJECT-GROUP-1 destination static OBJECT-GROUP-2 OBJECT-GROUP-2 no-proxy-arp route-lookup

nat (any,outside) after-auto source dynamic any interface

Accepted Solution

mkazam001
Level 3

The ASA has 3 main categories of NAT: manual NAT, object NAT (auto NAT), and manual NAT after auto.

These are actually applied in sequential order, like an ACL.

sh nat - will show the order of the rules

sh run nat - to see the actual NAT config

This is using static NAT. This entry is also known as NAT exemption and is often used for VPN traffic.

For traffic using any ingress interface and egressing the outside interface, this NAT rule will apply.

obj-grp 1 has a static mapping to itself only when the dest is obj-grp 2.

Cisco rec to use no-proxy-arp and route-lookup, so the ASA int won't send ARP for the next hop and will use the route table for traffic.

regards, mk

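As an added illustration (not from the post or from Cisco), a small Python model of how the ASA evaluates the two rules above in section order with first match winning: traffic from OBJECT-GROUP-1 to OBJECT-GROUP-2 keeps its source (identity NAT / NAT exemption), while everything else egressing outside is PATed to the interface address. The group contents and the outside-interface IP are constructed assumptions, since the post does not give them.

```python
import ipaddress
from dataclasses import dataclass

# Constructed object-group contents and outside-interface address (assumptions;
# the original post does not define the groups).
OBJECT_GROUP_1 = [ipaddress.ip_network("10.1.0.0/16")]
OBJECT_GROUP_2 = [ipaddress.ip_network("192.168.50.0/24")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]
OUTSIDE_IF_IP = ipaddress.ip_address("203.0.113.10")


def in_group(ip, group):
    return any(ip in net for net in group)


@dataclass
class NatRule:
    section: int      # 1 = manual NAT, 2 = object (auto) NAT, 3 = manual after-auto
    src_match: list
    dst_match: list
    action: str       # "identity" (source unchanged) or "pat" (source -> interface IP)


# The two rules from the post, listed in the order 'show nat' would evaluate them:
# section 1 (identity / exemption) before section 3 (after-auto PAT).
RULES = [
    NatRule(1, OBJECT_GROUP_1, OBJECT_GROUP_2, "identity"),
    NatRule(3, ANY, ANY, "pat"),
]


def translate(src, dst, rules=RULES):
    """Return (translated source, matching section) for a flow egressing 'outside'.

    Rules are evaluated top-down like an ACL; the first match is used.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if in_group(src_ip, rule.src_match) and in_group(dst_ip, rule.dst_match):
            if rule.action == "identity":
                return str(src_ip), rule.section          # NAT exemption: no change
            return str(OUTSIDE_IF_IP), rule.section       # dynamic PAT to interface
    return str(src_ip), None                              # no rule matched


if __name__ == "__main__":
    for flow in [("10.1.2.3", "192.168.50.7"), ("10.1.2.3", "198.51.100.9")]:
        print(flow, "->", translate(*flow))
```

Passing the rules reversed to `translate` shows why section order matters: the VPN flow would then be PATed before the exemption is ever consulted.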

4 Replies

balaji.bandi
Hall of Fame

When going out of the outside interface from OBJECT-GROUP-1 to OBJECT-GROUP-2, you don't do any NAT. For the rest of the traffic going out of interface outside you PAT (or hide-nat/masquerade) the source to the IP of the outside interface.

For learning more, Jouni's intro is still a good read:

https://community.cisco.com/t5/security-documents/asa-nat-8-3-nat-operation-and-configuration-format-cli/ta-p/3143050

This document you provided a link for was very helpful in providing an overview of the new NAT. Exactly what I was searching for.

This configuration I provided is for a VPN tunnel, so it seems the first statement is identity NAT, which is a variation of Twice NAT / Manual NAT, in Section 1. Its purpose appears to be to not do NAT for the traffic from the first object group to the second object group or backwards, i.e. "no NAT for either source or destination networks".

The second NAT statement appears to be dynamic PAT, implemented using Twice NAT / Manual NAT, in Section 3, and must serve to NAT traffic that is not contained in the object groups.


