3772 Views · 30 Helpful · 10 Replies

nat (any,outside) static interface?

CiscoPurpleBelt
Level 6

I am trying to confirm that the following means NAT the object source from any interface to the OUTSIDE interface IP, as I can't find this config in any docs.

 

object network natted_Subnet
 subnet 10.10.10.0 255.255.255.0
 nat (any,outside) static interface

10 Replies

Marvin Rhoads
Hall of Fame

That would not be a recommended configuration since you need to use dynamic (PAT) rather than static NAT when mapping many-to-one.

This would be correct then on an ASA for, let's say, internal servers that need to be accessed from the Outside, right?

nat (inside,outside) dynamic (interface or mapped IP address) service tcp 3389 3389
access-list Outside-IN extended permit tcp any host (real IP) eq 3389

Edwin Portillo
Spotlight
My Friend,
You should use the NAT overload or PAT for the ease of dynamic handling of ports in the translation, see the following examples:
https://www.certificationkits.com/cisco-certification/ccna-articles/cisco-ccna-network-address-translation-nat/static-nat-dynamic-nat-nat-overload-pat-a-configurations/

This would be correct then on an ASA for, let's say, internal servers that need to be accessed from the Outside, but just NATting them to one IP or the Outside interface, right?

nat (inside,outside) dynamic (interface or mapped IP address) service tcp 3389 3389
access-list Outside-IN extended permit tcp any host (real IP) eq 3389

Now that you've added port 3389 (RDP), your use case changes. You want a static port-forwarding NAT rule:

nat (inside,outside) static (interface or mapped IP address) service tcp 3389 3389

See https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/118996-config-asa-00.html#anc10

I'm having trouble knowing when I would really use "Static" vs. "Dynamic".

object network natted_Subnet
 subnet 10.10.10.0 255.255.255.0
 nat (any,outside) static interface

Long ago I read in Cisco documentation that nat (any,outside) is not a best practice. It would be better to put tight control on the flow of traffic, either from (inside,outside) or (dmz,outside), instead of any,outside.

You had better do a dynamic PAT:

object network natted_Subnet
 subnet 10.10.10.0 255.255.255.0
 nat (any,outside) dynamic interface

Please do not forget to rate.
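The replies above make three separate points about the quoted object NAT: a subnet translated "static" onto a single interface address is many-to-one and needs dynamic PAT, "any" as the real interface is looser than naming the source interface, and (from Marvin's port-forwarding reply) the "service" keyword is a static-NAT construct whose real port has to agree with the inbound ACL. The following linter is an added example written for this page, not code from the thread or from Cisco; it parses ASA object-NAT and ACL lines with regular expressions of my own and reports those conditions. SAMPLE_CONFIG is constructed here, reusing the thread's object names and addresses; the ACL check assumes ASA 8.3+ semantics, where access lists reference real (untranslated) addresses and ports.

```python
"""Added example: a small linter for ASA object NAT (not the thread's own code).
Flags: static subnet -> one address (many-to-one), real interface "any",
"service" used with dynamic NAT, and an ACL port that differs from the NAT
rule's real port (ASA 8.3+ ACLs use real addresses/ports)."""
import ipaddress
import re
from dataclasses import dataclass

NAT_RE = re.compile(
    r"^nat\s+\((?P<rif>[\w-]+),(?P<mif>[\w-]+)\)\s+(?P<mode>static|dynamic)\s+(?P<mapped>\S+)"
    r"(?:\s+service\s+(?P<proto>tcp|udp)\s+(?P<rport>\S+)\s+(?P<mport>\S+))?\s*$"
)
# access-list NAME extended permit tcp <src> host <dst> eq <port>; src = any | host A
ACL_RE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+extended\s+permit\s+(?P<proto>tcp|udp)\s+\S+(?:\s+\S+)?"
    r"\s+host\s+(?P<dst>\S+)\s+eq\s+(?P<port>\S+)\s*$"
)


@dataclass
class NatObject:
    name: str
    real: str = ""        # "host A" or "subnet A MASK" exactly as written
    real_if: str = ""
    mapped_if: str = ""
    mode: str = ""        # "static" or "dynamic"
    mapped: str = ""      # "interface", a literal address, or a mapped object name
    service: tuple = ()   # (proto, real_port, mapped_port) when "service" is present


def parse_object_nat(config):
    """Collect 'object network' blocks and their nat statements."""
    objs, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("object network "):
            cur = NatObject(name=line.split()[2])
            objs[cur.name] = cur
        elif cur and line.startswith(("host ", "subnet ")):
            cur.real = line
        elif cur and line.startswith("nat "):
            m = NAT_RE.match(line)
            if m:
                cur.real_if, cur.mapped_if = m["rif"], m["mif"]
                cur.mode, cur.mapped = m["mode"], m["mapped"]
                if m["proto"]:
                    cur.service = (m["proto"], m["rport"], m["mport"])
        else:
            cur = None  # any other top-level line ends the object block
    return objs


def _is_single_address(mapped):
    """True for 'interface' or a literal IP address: a one-address target."""
    if mapped == "interface":
        return True
    try:
        ipaddress.ip_address(mapped)
        return True
    except ValueError:
        return False


def lint(config):
    """Return one finding string per problem, prefixed with the object name."""
    objs = parse_object_nat(config)
    acls = [m for m in (ACL_RE.match(l.strip()) for l in config.splitlines()) if m]
    findings = []
    for o in objs.values():
        if not o.mode:
            continue
        if o.mode == "static" and o.real.startswith("subnet") and _is_single_address(o.mapped):
            findings.append(f"{o.name}: static NAT maps a whole subnet to one address "
                            f"({o.mapped}); many-to-one needs 'dynamic' (PAT)")
        if o.real_if == "any":
            findings.append(f"{o.name}: real interface 'any' matches every interface; "
                            "name the source interface (inside, dmz, ...) instead")
        if o.mode == "dynamic" and o.service:
            findings.append(f"{o.name}: 'service' port forwarding is only valid with static object NAT")
        if o.service and o.real.startswith("host "):
            proto, rport, _ = o.service
            real_host = o.real.split()[1]
            for a in acls:
                if a["dst"] == real_host and a["proto"] == proto and a["port"] != rport:
                    findings.append(f"{o.name}: ACL {a['name']} permits {proto}/{a['port']} "
                                    f"to {real_host} but the NAT rule forwards {proto}/{rport}")
    return findings


# Constructed sample: the thread's snippets plus their corrected forms.
SAMPLE_CONFIG = """\
object network natted_Subnet
 subnet 10.10.10.0 255.255.255.0
 nat (any,outside) static interface
object network natted_Subnet_fixed
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network rdp_server_wrong
 host 10.10.10.25
 nat (inside,outside) dynamic interface service tcp 3889 3889
object network rdp_server
 host 10.10.10.25
 nat (inside,outside) static interface service tcp 3389 3389
access-list Outside-IN extended permit tcp any host 10.10.10.25 eq 3389
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run against SAMPLE_CONFIG it reports four findings: two for natted_Subnet (many-to-one static, real interface any) and two for rdp_server_wrong (service with dynamic, ACL port 3389 versus NAT real port 3889); the corrected objects produce none.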

When would I really know to use "Static" vs "Dynamic"?

Friend,

Static NAT is used to do a one-to-one mapping between an inside address and an outside address. Static NAT also allows connections from an outside host to an inside host. Usually, static NAT is used for servers inside your network. For example, you may have a web server with the inside IP address 192.168.0.10 and you want it to be accessible when a remote host makes a request to 209.165.200.10. For this to work, you must do a static NAT mapping between those two IPs. In this example, we will use FastEthernet 0/1 as the inside NAT interface, the interface connecting to our network, and the Serial 0/0/0 interface as the outside NAT interface, the one connecting to our service provider.
Example:
! one-to-one mapping: inside 192.168.0.10 is always reachable as 209.165.200.10
ip nat inside source static 192.168.0.10 209.165.200.10
!
interface FastEthernet 0/1
 ip nat inside
interface Serial 0/0/0
 ip nat outside

Dynamic NAT is used when you have a “pool” of public IP addresses that you want to assign to your internal hosts dynamically. Don’t use dynamic NAT for servers or other devices that need to be accessible from the Internet.
Example:
! pool of 15 public addresses handed out to inside hosts on demand
ip nat pool NAT-POOL 209.165.200.226 209.165.200.240 netmask 255.255.255.224
! inside hosts eligible for translation (192.168.0.0/16, wildcard 0.0.255.255)
access-list 1 permit 192.168.0.0 0.0.255.255
! translate sources matched by ACL 1 using addresses from the pool
ip nat inside source list 1 pool NAT-POOL
!
interface FastEthernet 0/1
 ip nat inside
interface Serial 0/0/0
 ip nat outside
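To make the static-versus-dynamic distinction concrete, here is an added example written for this page (a toy model, not Cisco code and not from the thread) that simulates the three translation styles the replies contrast: a permanent one-to-one static entry, a dynamic pool that only creates entries when an inside host sends first, and PAT that overloads one address with port rewriting. It reuses the addresses from the examples above (192.168.0.10, 209.165.200.10 and the NAT-POOL range 209.165.200.226 to .240); the outside interface address 203.0.113.1 and the flows are constructed. Run it to see why only the static entry answers an unsolicited outside connection, why a 15-address pool refuses the 16th host, and why PAT does neither.

```python
"""Added example: toy NAT translation tables (static, dynamic pool, PAT).
Not Cisco code; addresses follow the thread, flows are constructed."""
import ipaddress
from itertools import count


def address_range(first, last):
    """Expand an inclusive IPv4 range such as a 'ip nat pool' start/end."""
    a, b = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(a, b + 1)]


class NatTable:
    """Lookup order on outbound traffic: static, then pool, then PAT, else drop."""

    def __init__(self, static=None, pool=None, pat_address=None):
        self.static = dict(static or {})   # inside -> outside, present before any traffic
        self.pool = list(pool or [])       # free pool addresses
        self.pat_address = pat_address     # single address shared by many hosts
        self.dynamic = {}                  # inside -> pool address, created on first flow
        self.pat = {}                      # (inside, port) -> (pat_address, mapped port)
        self._next_port = count(1024)

    def translate_outbound(self, src_ip, src_port):
        """Inside host sends: return (mapped ip, mapped port) or None if dropped."""
        if src_ip in self.static:
            return self.static[src_ip], src_port
        if self.pool or src_ip in self.dynamic:
            if src_ip not in self.dynamic:
                self.dynamic[src_ip] = self.pool.pop(0)   # one pool address per host
            return self.dynamic[src_ip], src_port
        if self.pat_address:
            key = (src_ip, src_port)
            if key not in self.pat:
                self.pat[key] = (self.pat_address, next(self._next_port))
            return self.pat[key]
        return None   # pool exhausted and no PAT configured

    def translate_inbound(self, dst_ip, dst_port):
        """Unsolicited packet from outside: find the inside (ip, port) or None."""
        for inside, outside in self.static.items():
            if outside == dst_ip:
                return inside, dst_port
        for inside, outside in self.dynamic.items():   # only while an entry exists
            if outside == dst_ip:
                return inside, dst_port
        for (inside, port), mapped in self.pat.items():
            if mapped == (dst_ip, dst_port):
                return inside, port
        return None


def demo():
    """Exercise the three styles; returns a dict of observations."""
    r = {}
    # Static: the web server is reachable from outside before it ever sends.
    s = NatTable(static={"192.168.0.10": "209.165.200.10"})
    r["static_inbound"] = s.translate_inbound("209.165.200.10", 80)
    # Dynamic pool: NAT-POOL 209.165.200.226-240 is 15 addresses, no overload.
    d = NatTable(pool=address_range("209.165.200.226", "209.165.200.240"))
    r["pool_inbound_before_traffic"] = d.translate_inbound("209.165.200.226", 80)
    for i in range(1, 16):
        d.translate_outbound(f"192.168.0.{i}", 40000 + i)
    r["pool_16th_host"] = d.translate_outbound("192.168.0.16", 40016)
    r["pool_inbound_after_traffic"] = d.translate_inbound("209.165.200.226", 80)
    # PAT: many hosts behind the (constructed) outside interface address.
    p = NatTable(pat_address="203.0.113.1")
    a = p.translate_outbound("10.10.10.5", 51000)
    b = p.translate_outbound("10.10.10.6", 51000)
    r["pat_same_address"] = a[0] == b[0]
    r["pat_distinct_ports"] = a[1] != b[1]
    r["pat_unsolicited_inbound"] = p.translate_inbound("203.0.113.1", 3389)
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The PAT case is the one the thread lands on: two inside hosts using the same source port both leave as 203.0.113.1 with different mapped ports, and an unsolicited inbound connection to port 3389 finds no entry, which is exactly why a server behind PAT needs the separate static port-forwarding rule Marvin describes.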