
How to define conditional NAT on ASA 9.0

peter.jevos
Level 1

Hi,

I have to migrate our current IOS conditional NAT to our new ASA 5515-X.

However, the ASA NAT lacks the possibility to define it via access lists.

I've found something about twice NAT, however I didn't find out how to implement it.

Here is the current IOS conditional NAT:

# choose IPs to NAT for certain addresses, do not NAT for the certain source and destination (10.1.9.0)
access-list 102 deny   ip 10.0.0.0 0.255.255.255 10.1.9.0 0.0.0.255
access-list 102 permit ip host 10.1.1.34 any
access-list 102 permit ip host 10.11.1.41 any
ip nat inside source list 102 pool dynamic-pool2 overload

# public dynamic NAT according to ACL 102
ip nat pool dynamic-pool2 91.11.11.11 91.11.11.11 netmask 255.255.255.240

Can you please help me with how I should define this conditional dynamic NAT on the ASA 9.0?

Many thanks

1 Accepted Solution

Jouni Forss
VIP Alumni

Hi,

So essentially you're moving a Dynamic NAT + PAT and NAT0 configuration from a Cisco Router to a Cisco ASA.

I don't know what your ASA interface names are, so I will use the very usual ones. Also, your pool doesn't seem to contain anything but 1 IP address, though I assume that you have changed the actual IP addresses.

Dynamic NAT + PAT

object network NAT-POOL
 range
nat (inside,outside) after-auto source dynamic any NAT-POOL interface

So what the above does is define the NAT pool inside an object. We then use that object in the actual NAT/PAT configuration. The NAT configuration specifies that the NAT/PAT is done from "inside" to "outside" and that "any" source address behind "inside" will do. It will use the NAT pool and when it runs out it will start using Dynamic PAT with the "outside" interface IP address.

If you only want to specify the 2 source IP addresses instead of "any", then you can use this:

object network NAT-POOL
 range
object-group network NAT-PAT-SOURCE
 network-object host 10.1.1.34
 network-object host 10.11.1.41
nat (inside,outside) after-auto source dynamic NAT-PAT-SOURCE NAT-POOL interface

NAT0

object network LOCAL
 subnet 10.0.0.0 255.0.0.0
object network REMOTE
 subnet 10.1.9.0 255.255.255.0
nat (inside,outside) source static LOCAL LOCAL destination static REMOTE REMOTE

In the above we first define the networks mentioned in your original NAT configuration ACL. Then we configure the actual NAT. It does NAT between "inside" and "outside". Though since the LOCAL network is specified as both the real and the mapped value, and the REMOTE network is also specified as both the real and the mapped value, this means that NO NAT will be done.

Notice that the Dynamic NAT/PAT configuration had "after-auto" in it. That means it will be placed in the lowest Section of NAT configurations (Section 3).

The above command does not use "after-auto". This essentially means that it will be in the highest Section of NAT configurations (Section 1).

So the NAT0 rule will be matched first for traffic between those networks. Dynamic PAT will catch everything else between "inside" and "outside".

Just as a reference, Section 2 holds only Auto NAT / Network NAT configurations, while both of the above NAT configurations are Manual NAT types.

I don't know if I really explained everything clearly. If you have no experience of NAT in the Cisco ASA (both the older and this newer format), then the above explanation probably won't tell you enough.

Here is also a link to a NAT document I wrote here on CSC

https://supportforums.cisco.com/docs/DOC-31116

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

Feel free to ask more if needed.

- Jouni

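The section ordering described in the accepted answer (Section 1 manual NAT, then Section 2 auto/object NAT, then Section 3 manual NAT with "after-auto", first match wins) is the reason the NAT0 rule takes effect for 10.x.x.x -> 10.1.9.0/24 while the dynamic rule handles everything else. The following is an added example, not part of the original thread and not ASA code: a small Python model of that matching order applied to the two rules from the answer (the restricted NAT-PAT-SOURCE variant). The rule names, the `lookup()`/`translation_for()` helpers and the assumption that rules without an explicit line number are appended to the end of their section are this example's own; the ASA `range` line in the answer has no addresses on the page, so the IOS pool address 91.11.11.11 from the question is reused as the pool label. Passing `dynamic_after_auto=False` shows what would happen if the dynamic rule were entered first without "after-auto": it would land in Section 1 ahead of NAT0 and swallow the traffic that was meant to stay untranslated.

```python
# Added example (not from the original post): a simplified model of how the Cisco
# ASA walks its NAT table, Section 1 (manual NAT) -> Section 2 (auto/object NAT)
# -> Section 3 (manual NAT with "after-auto"), first match wins. It is a model of
# the documented matching order, not ASA code; names and helpers are invented here.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional


@dataclass
class NatRule:
    name: str
    section: int                 # 1 = manual, 2 = auto (object) NAT, 3 = manual after-auto
    order: int                   # entry order inside the section (appended at the end by default)
    real_src: List[IPv4Network]  # empty list = "any"
    real_dst: List[IPv4Network]  # empty list = "any"
    mapped: str                  # what the source becomes; "identity" = no translation (NAT0)


def _matches(nets: List[IPv4Network], addr: IPv4Address) -> bool:
    """Empty list means 'any'; otherwise the address must fall in one of the networks."""
    return not nets or any(addr in n for n in nets)


def lookup(rules: List[NatRule], src: str, dst: str) -> Optional[NatRule]:
    """Return the first rule matching (src, dst) in ASA section/entry order, or None."""
    s, d = ip_address(src), ip_address(dst)
    for rule in sorted(rules, key=lambda r: (r.section, r.order)):
        if _matches(rule.real_src, s) and _matches(rule.real_dst, d):
            return rule
    return None


def thread_rules(dynamic_after_auto: bool = True) -> List[NatRule]:
    """The two manual NAT rules from the accepted answer, entered in that order.

    dynamic_after_auto=True  -> 'nat (inside,outside) after-auto source dynamic ...'
                                lands in Section 3, behind the NAT0 rule in Section 1.
    dynamic_after_auto=False -> the same rule without 'after-auto' would sit in
                                Section 1 and, being entered first, ahead of NAT0.
    """
    pat_sources = [ip_network("10.1.1.34/32"), ip_network("10.11.1.41/32")]  # NAT-PAT-SOURCE
    dynamic = NatRule(
        name="DYNAMIC-NAT-PAT",
        section=3 if dynamic_after_auto else 1,
        order=1,
        real_src=pat_sources,
        real_dst=[],                          # destination "any"
        mapped="NAT-POOL (91.11.11.11), then outside interface PAT",  # pool IP taken from the IOS config
    )
    nat0 = NatRule(
        name="NAT0",
        section=1,
        order=2,
        real_src=[ip_network("10.0.0.0/8")],   # object LOCAL
        real_dst=[ip_network("10.1.9.0/24")],  # object REMOTE
        mapped="identity",
    )
    return [dynamic, nat0]


def translation_for(src: str, dst: str, dynamic_after_auto: bool = True) -> str:
    """Name of the matching rule, or 'no-match' when no NAT rule applies to the flow."""
    rule = lookup(thread_rules(dynamic_after_auto), src, dst)
    return rule.name if rule else "no-match"


if __name__ == "__main__":
    # Constructed sample flows: LAN host to the excluded 10.1.9.0/24 network, the
    # same host to the Internet, and a host that is not in NAT-PAT-SOURCE.
    flows = [("10.1.1.34", "10.1.9.5"), ("10.1.1.34", "8.8.8.8"), ("10.5.5.5", "8.8.8.8")]
    for src, dst in flows:
        print(f"{src} -> {dst}: with after-auto = {translation_for(src, dst)}, "
              f"without after-auto = {translation_for(src, dst, False)}")
```

On a real ASA the same check is done with `packet-tracer input inside tcp <src> 12345 <dst> 80`, whose NAT phase names the rule that matched; `show nat` prints the table with its section headers so the placement can be verified before traffic is sent.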

2 Replies


Thank you for the full answer, and also for the great link on the NAT issue :-)
