
NAT configuration on Cisco ASA

Dipesh Patel
Level 2

Hi All,

Can you guys help in understanding the NAT configuration as shown below?

global (outside) 1 interface
nat (dmz) 1 0.0.0.0 0.0.0.0
nat (inside) 1 172.16.0.0 255.255.0.0
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.255.0

Regards

Accepted Solution

cofee
Level 5

Hi Dipesh,

This is how it's configured:

The key to note here is the number after the parenthesis, which is 1 for global, nat (dmz) and nat (inside). That number binds the global NAT with the dmz and inside nat rules.

global (outside) 1 interface (used for PATing)

nat (dmz) 1 0.0.0.0 0.0.0.0 (any address sourced from the DMZ, if the destination is outside (usually the global internet), will be NATed/PATed to the outside interface IP address)

nat (inside) 1 172.16.0.0 255.255.0.0 (any address from the specified 172.16.0.0 block, if the destination is outside, will be NATed/PATed to the outside interface address)

static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.255.0 (this NAT rule is called identity NAT, meaning when the source address is from the 172.16.0.0 block and the destination is the DMZ, the source address will be NATed to its own address (NAT exemption))

Please let me know if that answers your question.


Thanks cofee!!!

So the identity NAT is generally used for specifically which purpose? Is it the secured way?

Regards

Dipesh - I am giving more information than you requested, but it's necessary to explain in order to answer your question.

NAT-Control is the feature on the ASA that states the following:

* For a device to go from a higher security level to a lower security level, a NAT translation must be in place for the inside user's IP address.
* Interfaces with the same security level do not require a NAT translation for traffic to traverse the ASA.

NAT-control and ASA versions:

* Any version lower than 6.3: NAT control is a requirement
* 7.0 and higher: NAT-control is disabled by default, but you can enable it if required
* 8.3 and higher: NAT control is disabled by default and cannot be configured

I am not sure what ASA version you are running on the firewall where you got this configuration from. Let's assume you are running a version prior to 8.3 and NAT-control is disabled, meaning no NAT is needed when traffic initiates from a higher security to a lower security interface. When your inside users (172.16.x.x) need to access the internet, even though it's not a requirement to NAT that traffic as NAT-Control is disabled, it's a private network block and therefore not routable in the outside world (global internet), so we have to PAT this traffic with a valid/registered IP address.

But what's the reason for NATing inside to DMZ traffic:

static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.255.0

Whether NAT control is disabled or enabled, we don't need to NAT the traffic that's going from a lower security to a higher security interface, like I mentioned before. So, let's say traffic is initiated from a DMZ host to an inside host. We will need an ACL to allow that traffic, and after that the DMZ host should be able to reach the inside host, but returning traffic from inside to DMZ will be dropped because the ASA will match a NAT statement that you have configured: nat (inside) 1 172.16.0.0 255.255.0.0.

The traffic will match that NAT and the ASA will know it needs to send it to the DMZ interface; afterwards it will look for the global command for the DMZ interface, and because there is none the packet will be dropped.

So we fix this issue with this identity NAT:

static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.255.0

Now I am not saying that you really have to use identity NAT to fix this issue. You can also translate your inside hosts to the DMZ block, but it will be more complex and you will be unnecessarily wasting IP addresses in the DMZ block.

Please let me know if this answers your question.
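To make the lookup order in both of cofee's replies concrete (the id that binds nat to global, and the inside-to-DMZ drop that the identity static fixes), here is an added Python model of the thread's configuration; it is not ASA code, and it assumes the rule order stated in the comments (statics before nat/global pairs, a nat match with no global on the egress interface is a drop, NAT-control disabled so unmatched traffic passes untranslated):

```python
import ipaddress

# Constructed model of the pre-8.3 ASA NAT lookup described in the thread.
# Assumed rule order: static rules first, then the nat rule on the ingress
# interface bound by id to a global on the egress interface; a nat match
# with no such global is a drop; with NAT-control disabled, no match = pass.

STATICS = [  # static (real_ifc,mapped_ifc) real_net mapped_net
    ("inside", "dmz", "172.16.0.0/24", "172.16.0.0/24"),   # identity NAT
]
NATS = [     # nat (ifc) id net
    ("dmz", 1, "0.0.0.0/0"),
    ("inside", 1, "172.16.0.0/16"),
]
GLOBALS = {  # global (ifc) id -> "interface" means PAT to the egress IP
    ("outside", 1): "interface",
}

def translate(src_ifc, dst_ifc, src_ip,
              statics=STATICS, nats=NATS, globals_=GLOBALS):
    """Return (verdict, mapped_source) for a new flow src_ifc -> dst_ifc."""
    ip = ipaddress.ip_address(src_ip)
    # 1. static rules for this interface pair take priority
    for real_ifc, mapped_ifc, real_net, mapped_net in statics:
        real = ipaddress.ip_network(real_net)
        if real_ifc == src_ifc and mapped_ifc == dst_ifc and ip in real:
            mapped = ipaddress.ip_network(mapped_net)
            # offset-preserving translation; identity when real == mapped
            offset = int(ip) - int(real.network_address)
            return "pass", str(mapped.network_address + offset)
    # 2. dynamic nat rule on the ingress interface, bound by id to a global
    for ifc, nat_id, net in nats:
        if ifc == src_ifc and ip in ipaddress.ip_network(net):
            mapped = globals_.get((dst_ifc, nat_id))
            if mapped is None:
                return "drop", None     # nat matched, no global on egress ifc
            return "pass", mapped       # "interface": PAT to egress interface IP
    # 3. nothing matched: NAT-control disabled, forward untranslated
    return "pass", str(ip)

if __name__ == "__main__":
    for flow in [("inside", "outside", "172.16.0.10"),
                 ("dmz", "outside", "10.1.1.5"),
                 ("inside", "dmz", "172.16.0.10"),
                 ("inside", "dmz", "172.16.5.10")]:
        print(flow, "->", translate(*flow))
```

With the masks as posted, the static covers only 172.16.0.0/24 while the nat (inside) rule covers the whole /16, so a host such as 172.16.5.10 still hits the no-global drop on its way to the DMZ; the last flow in the script shows that.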
