cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

412
Views
0
Helpful
3
Replies
Highlighted

ASA_NAT

Hi Experts,

 

I had given an task to implement the route in  Cisco ASA-55x0 device as below

 

static (Data-DFS,inside) 10.176.92.66 10.176.25.218 netmask 255.255.255.255

route Data-DFS 10.176.92.66 255.255.255.255 10.248.161.1 1

 

In this when I given question mark after parenthesis it showed as the global or mapped address and followed by the real host (10.176.25.218).

 

1. I assume it is similar to the static NAT which we perform in the router. (10.176.92.66- Inside global address, 10.176.25.218- Inside local address)

2. Below there is an route pointing towards the next hop 10.248.161.1. I need to find where the host is located. In cisco router or L3 switch I use command sh ip route to find the connected subnet.

In firewall what is an alternative method to locate the IP?

 

Regards,

Sathish

3 REPLIES 3
Highlighted
Hall of Fame Guru

Re: ASA_NAT

Are you running ASA code version <8.3? If so you use an older nat command syntax.

To see routes on ASA, simply use "show route".

Highlighted

Re: ASA_NAT

Hi Marvin.

yes we are using Software Version 8.2(5)59. Can u please guide in the NAT statement which is the private address and which is the public address in old syntax.

Regards,
Sathish
Highlighted
Hall of Fame Guru

Re: ASA_NAT

In the old syntax, the mapped IP (public address) comes first, followed by the real IP (private address).

To configure regular static NAT, enter the following command:

 
Command
Purpose

static (real_interface,mapped_interface) {mapped_ip | interface} real_ip [netmask mask][dns] [norandomseq] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns]

 

Example:

hostname(config)# static (inside,outside) 
209.165.201.12 10.1.1.3 netmask 
255.255.255.255

 

Configures a persistent one-to-one address translation rule by mapping a real IP address to a mapped IP address.

The real_ifc argument specifies the name of the interface connected to the real IP address network.

The mapped_ifc argument specifies the name of the interface connected to the mapped IP address network.

The mapped_ip argument specifies the address to which the real address is translated.

The interface keyword uses the interface IP address as the mapped address. Use this keyword if you want to use the interface address, but the address is dynamically assigned using DHCP.

The real_ip specifies the real address that you want to translate.

The netmask mask specifies the subnet mask for the real and mapped addresses. For single hosts, use 255.255.255.255. If you do not enter a mask, then the default mask for the IP address class is used, with one exception. If a host-bit is non-zero after masking, a host mask of 255.255.255.255 is used. If you use the access-list keyword instead of the real_ip, then the subnet mask used in the access list is also used for the mapped_ip.

The dns option rewrites the A record, or address record, in DNS replies that match this static. For DNS replies traversing from a mapped interface to any other interface, the A record is rewritten from the mapped value to the real value. Inversely, for DNS replies traversing from any interface to a mapped interface, the A record is rewritten from the real value to the mapped value.

The norandomseq disables TCP ISN randomization protection.

The tcp tcp_max_cons option specifies the maximum number of simultaneous TCP connections allowed to the local-host. (See the local-host command). (Idle connections are closed after the idle timeout specified by the timeout conn command.)

The emb_limit is the maximum number of embryonic connections per host.

Note An embryonic limit applied using static NAT is applied to all connections to or from the real IP address, and not just connections between the specified interfaces. To apply limits to specific flows, see the "Configuring Connection Limits and Timeouts" section.

The udp tcp_max_cons option specifies the maximum number of simultaneous UDP connections allowed to the local-host. (See the local-host command.) (Idle connections are closed after the idle timeout specified by the timeout conn command.)

 

Reference:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_static.html#wp1080043