08-16-2013 05:13 AM - edited 03-11-2019 07:26 PM
I have an ASA running Site2Site VPN.
This works ok but I want a certain subnet behind my inside interface to have internet access through the ASA Outside interface Dynamic NAT.
I have set up a NAT exemption list but am not too sure how to configure NAT on pre-8.3, incorporating my ACL.
08-16-2013 05:18 AM
Hi,
The 8.2 , 8.0 , 7.x software follow the same logic in NAT0 configuration to my understanding.
You can have a single NAT0 configuration per interface.
Each of those configurations has an ACL attached. All the traffic that needs NAT exemption is configured under it.
So for example the below NAT0 configuration would perform NAT Exemption for the network 10.10.10.0/24 behind the "inside" interface when it is connecting to the 192.168.10.0/24 network.
access-list INSIDE-NAT0 permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0
Any future NAT0 / NAT Exempt configurations for networks behind "inside" interface would be added to the existing ACL.
You can check the "nat" configurations and their attached ACLs with the command
show run nat
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
- Jouni
08-16-2013 05:32 AM
Hey, Thanks for that.
Do I need to configure NAT Outside and Nat Inside under the interfaces like I do in a router?
08-16-2013 05:36 AM
Hi,
For NAT0 you only need the above configurations.
Naturally your interface names and network are what they are currently on your device/network.
Hmm, now that I read the original post again, I guess you were asking for Dynamic PAT configurations also?
For those you can do
global (outside) 1 interface
nat (inside) 1
This will do Dynamic PAT using the "outside" interface IP address for the users in the network defined in the "nat" statement. If you want to add more source networks to this Dynamic PAT then you simply add another line with the other network.
Again interface names and networks you define using the ones used in your device/network.
- Jouni
08-16-2013 05:42 AM
Hi Jouni,
Still a little bit confused, probably because I haven't worked with ASA much. Only routers.
my example is -
I want to enable Dynamic PAT for network 10.44.x.x for internet access.
However for the following ACL I do not want NAT.
access-list Test extended permit ip 10.44.128.0 255.255.240.0 172.0.0.0 255.0.0.0
access-list Test extended permit ip 10.44.128.0 255.255.240.0 10.129.0.0 255.255.0.0
What do I need to configure? Still a bit confused about the outside 0, global etc..
08-16-2013 05:48 AM
Hi,
If I presume that the local network is 10.44.0.0/16 and the NAT0 is as you mentioned above
Then the configuration would be
Dynamic PAT
The below number "1" is an ID number for this Dynamic PAT rule. The ID number 1 is simply meant to match the "nat" and "global" commands together. The ID number might as well be 100 in this case if you wanted. It wouldn't affect the Dynamic PAT.
global (outside) 1 interface
nat (inside) 1 10.44.0.0 255.255.0.0
NAT0
access-list INSIDE-NAT0 remark NAT0 for interface INSIDE
access-list INSIDE-NAT0 permit ip 10.44.128.0 255.255.240.0 172.0.0.0 255.0.0.0
access-list INSIDE-NAT0 permit ip 10.44.128.0 255.255.240.0 10.129.0.0 255.255.0.0
nat (inside) 0 access-list INSIDE-NAT0
By the way, are you sure about the mask /8 there in the NAT0 rule?
Hope this helps
Please do remember to mark a reply as the correct answer if it answered your question.
- Jouni
08-16-2013 06:09 AM
Hi Jouni,
Ok,
I've added the following command in my asa
ciscoasa(config)# nat (inside) 0 access-list Test
Still not working. Do I need both Dynamic PAT commands and NAT0 commands?
08-16-2013 06:11 AM
Hi,
What is not working?
Would also need to see some device configurations to be able to find any problems in it.
- Jouni
08-16-2013 06:12 AM
Internet Access is not working on the servers which are on the 10.44.x.x range.
08-16-2013 06:14 AM
Hi,
What is your exact software level?
Use the following command to view it
show version
- Jouni
08-16-2013 06:24 AM
Hi,
Show Version provides -
Cisco Adaptive Security Appliance Software Version 7.2(4).
Config below
ciscoasa# show run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.44.10.5 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address yyyyy 255.255.255.0
!
ftp mode passive
dns domain-lookup management
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list Test extended permit ip 10.44.128.0 255.255.240.0 172.16.0.0 255.240.0.0
access-list Test extended permit ip 10.44.128.0 255.255.240.0 10.129.0.0 255.255.0.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 1048576
logging monitor debugging
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-702.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list Test
route outside 0.0.0.0 0.0.0.0 xxxxxxx
route outside xx
route inside xxx
route inside xxxx
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TSTEST esp-3des esp-md5-hmac
crypto map VPN 10 match address Test
crypto map VPN 10 set peer xxxxx
crypto map VPN 10 set transform-set TSTEST
crypto map VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash md5
group 2
lifetime 3600
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
group-policy portalgp internal
group-policy portalgp attributes
vpn-tunnel-protocol webvpn
webvpn
url-list none
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
message-length maximum client auto
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
: end
ciscoasa#
08-16-2013 06:26 AM
Hi,
You have not added the configuration required to perform Dynamic PAT
If your LAN network were from 10.44.0.0/16 then add the following
global (outside) 1 interface
nat (inside) 1 10.44.0.0 255.255.0.0
And try again
- Jouni
08-16-2013 06:31 AM
Hey :-)
That's working now, super, thank you.
Can you break down the commands and let me know what each is doing? I'd rather understand it than being able to just do it.
Thanks again, appreciate it.
08-16-2013 08:06 AM
Hi,
Well basically when you are configuring a new Dynamic PAT or Dynamic NAT you will need "global" and "nat" commands to achieve it. They are paired by the ID number that is used after the section which specifies the interface used.
The "nat" command line specifies the source interface on the firewall and the hosts/networks behind it for which we want to do Dynamic PAT or Dynamic NAT.
The "global" command line specifies the actual PAT/NAT address(es) to which the source addresses are NATed. (The source addresses specified with the above "nat" command)
As you can see also, NAT0 is one of the only "nat" configurations that use only the "nat" command to achieve the NAT (or rather the lack of translation) without the use of any "global" command.
So let's say we have three networks behind interface "inside" and want to do Dynamic PAT for all of them using the "outside" interface IP address. Then we would configure
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
nat (inside) 1 10.10.20.0 255.255.255.0
nat (inside) 1 10.10.30.0 255.255.255.0
Now let's say we want to use some different public IP address for a few hosts for example and want to keep the previously configured Dynamic PAT working for all other hosts. Then we would configure/add
global (outside) 10 1.1.1.2
nat (inside) 10 10.10.10.2
nat (inside) 10 10.10.10.3
nat (inside) 10 10.10.10.4
Notice that we use now a separate IP address in the "global" command since we ARE NOT using the "outside" interface IP address which was used in the other Dynamic PAT configuration because of the use of "interface" parameter in the "global" command.
To be honest, even with the older software levels there are still a lot of things related to NAT that we could mention, but the above ones are essentially the very basic PAT configurations that people use.
Hope this clarifies things
Naturally if you run into situation where you have a question about some other NAT related configuration you can always start a discussion on the forums.
- Jouni
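To make the order of operations behind the replies above concrete (NAT exemption via "nat 0 access-list" is evaluated before the "nat"/"global" pairs that do Dynamic PAT, and the two are matched by ID), here is a small Python model of the pre-8.3 NAT decision. It is an added example, not code from the thread or from Cisco, and it is a simplification: it parses only "permit ip" ACEs, "nat 0 access-list", regular dynamic "nat" lines with an explicit mask, and "global" lines; static and policy NAT are not modelled, and where several dynamic "nat" statements match a source address the model picks the most specific real network (an assumption of the model, so check the NAT order-of-operations section of the configuration guide for your software version). The sample configs reproduce the failing and the working state from the thread; the outside interface address and the second public address are constructed (RFC 5737 documentation ranges) because the original post masks them.

```python
"""Model of ASA pre-8.3 NAT selection: NAT exemption first, then dynamic PAT.

Added example for this thread; not ASA code. See lead-in for the assumptions.
"""
import ipaddress
import re


def _net(addr, mask):
    """Build a network from the dotted address/mask pair used in ASA syntax."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


class NatModel:
    def __init__(self, config_text, interface_ips):
        self.acls = {}       # acl name -> list of (src_net, dst_net)
        self.nat0 = {}       # ingress interface -> acl name used for NAT exemption
        self.dynamic = {}    # ingress interface -> list of (nat_id, real_net)
        self.globals = {}    # (egress interface, nat_id) -> mapped IP or "interface"
        self.ifc_ips = interface_ips   # interface name -> its IP (for "global ... interface")
        for line in config_text.splitlines():
            self._parse(line.strip())

    def _parse(self, line):
        m = re.match(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$", line)
        if m:
            name, s, sm, d, dm = m.groups()
            self.acls.setdefault(name, []).append((_net(s, sm), _net(d, dm)))
            return
        m = re.match(r"nat \((\S+)\) 0 access-list (\S+)$", line)
        if m:
            self.nat0[m.group(1)] = m.group(2)
            return
        m = re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)$", line)
        if m and m.group(2) != "0":
            ifc, nat_id, net, mask = m.groups()
            self.dynamic.setdefault(ifc, []).append((int(nat_id), _net(net, mask)))
            return
        m = re.match(r"global \((\S+)\) (\d+) (\S+)$", line)
        if m:
            ifc, nat_id, mapped = m.groups()
            self.globals[(ifc, int(nat_id))] = mapped

    def translate(self, in_ifc, src, out_ifc, dst):
        """Return (decision, source address as seen on out_ifc) for one flow."""
        src_ip, dst_ip = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        # 1. NAT exemption: the nat 0 ACL of the ingress interface, in order.
        acl = self.nat0.get(in_ifc)
        for src_net, dst_net in self.acls.get(acl, []):
            if src_ip in src_net and dst_ip in dst_net:
                return ("exempt", src)
        # 2. Regular dynamic NAT/PAT: a "nat" on the ingress interface whose ID
        #    has a matching "global" on the egress interface (most specific wins,
        #    a modelling assumption as noted in the lead-in).
        best = None
        for nat_id, real_net in self.dynamic.get(in_ifc, []):
            if src_ip in real_net and (out_ifc, nat_id) in self.globals:
                if best is None or real_net.prefixlen > best[1].prefixlen:
                    best = (nat_id, real_net)
        if best is None:
            return ("untranslated", src)
        mapped = self.globals[(out_ifc, best[0])]
        if mapped == "interface":
            mapped = self.ifc_ips[out_ifc]
        return ("pat", mapped)


# Constructed from the thread: the state before the fix (NAT0 only) ...
FAILING_CONFIG = """\
access-list Test extended permit ip 10.44.128.0 255.255.240.0 172.16.0.0 255.240.0.0
access-list Test extended permit ip 10.44.128.0 255.255.240.0 10.129.0.0 255.255.0.0
nat (inside) 0 access-list Test
"""

# ... and after adding the Dynamic PAT pair, plus a separate global for one host
# (the second public address 203.0.113.2 is a constructed value).
WORKING_CONFIG = FAILING_CONFIG + """\
global (outside) 1 interface
nat (inside) 1 10.44.0.0 255.255.0.0
global (outside) 10 203.0.113.2
nat (inside) 10 10.44.128.10 255.255.255.255
"""

IFC_IPS = {"outside": "198.51.100.1"}   # constructed; the thread masks the real address

if __name__ == "__main__":
    before = NatModel(FAILING_CONFIG, IFC_IPS)
    after = NatModel(WORKING_CONFIG, IFC_IPS)
    for src, dst in [("10.44.10.7", "8.8.8.8"), ("10.44.128.5", "172.16.5.5"),
                     ("10.44.128.5", "8.8.8.8"), ("10.44.128.10", "8.8.8.8"),
                     ("10.44.10.7", "172.16.5.5")]:
        print(f"{src} -> {dst}: before={before.translate('inside', src, 'outside', dst)}"
              f" after={after.translate('inside', src, 'outside', dst)}")
```

The "untranslated" result for the failing config is the thread's symptom: with no "nat"/"global" pair the ASA has nothing to translate the private source to, so the packet leaves with its 10.44.x.x address and no reply can come back. The last sample flow is worth noting too: a host outside the 10.44.128.0/20 source range of the NAT0 ACL that talks to a VPN destination gets PATed, so NAT0 and the crypto map ACL should cover the same sources. On the box itself, "show xlate" lists the translations actually built and "packet-tracer input inside tcp <src> <sport> <dst> <dport>" walks the same decision for one flow.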