Old NAT ASA Config Question

pinoybot
Level 1

Hello Network Gurus,

Just trying to figure out what is this NAT config for?

global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.17.1.5 10.17.1.5 netmask 255.255.255.255

Saw this access list command as well:

access-group OUTSIDE_FILTER in interface outside
access-list OUTSIDE_FILTER extended permit tcp any host 10.17.1.5 eq www

I'd appreciate any input. Thank you!



tvotna
Spotlight

Dynamic PAT is configured for all traffic going from inside to outside, except for 10.17.1.5 which is not NATed or PATed. ACL allows HTTP to this host from the outside.

Thanks tvotna, so is this not a form of a NAT - static (inside,outside) 10.17.1.5 10.17.1.5 netmask 255.255.255.255 ?

This is called static identity NAT.

Please check below.

static (inside,outside) 10.17.1.5 10.17.1.5 netmask 255.255.255.255 <<- NO-NAT, also called identity NAT

NAT configuration is always something that draws a lot of attention. NAT can perform lots of different functions in many different configurations. That being said, it can be complex to understand at first. However, I think it’s probably more important to understand NAT than any other function on the ASAs. If you don’t fully understand the concept you can get yourself in a lot of trouble real fast. So let’s get right into it and look at a couple of scenarios and examples. In this post I’m going to talk about the most common NAT configurations. In upcoming posts we’ll talk about NAT DMZ configurations and policy NAT.

The standard 5505 overload
I call this the ‘standard’ because it’s pretty typical to see on a 5505 box. The client usually has 1 external IP and has a couple of services with a single subnet behind it. Nothing too special here.

ASA(config)# global (outside) 1 interface
ASA(config)# nat (inside) 1 0.0.0.0 0.0.0.0

So, what does this mean? Let’s break it down.

The Global Command
global – Indicates that we are defining a global address pool. This can either be a pool of addresses or a single IP that’s being overloaded through the use of PAT.
(outside) – The item in the parentheses is the interface we are defining the pool on. In this case, it’s the outside interface.
1 – Specifies the ID of the pool; this will be matched up against the internal NAT pool.
interface – The interface keyword specifies that PAT is being used with the IP defined on the interface. PAT (also referred to as overload) uses a single external IP address for all of the clients in the NAT pool. To make the distinction clear, NAT usually means that you are using a pool of IPs and PAT usually means you are using one external IP.

The Nat Command
nat – The nat command is what you use to associate a network with a pool of global addresses.
(inside) – The item in the parentheses is the interface on which the NAT network exists. In this case it’s going to be on the inside interface.
1 – This number is what is used to pair the global and nat statements together. In other words, global pool 1 will be used with NAT network 1.
0.0.0.0 0.0.0.0 – Translates to mean all networks. If there is only a single internal subnet that requires translation this could just as easily read something like ‘192.168.127.0 255.255.255.0’.
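To make the two answers above concrete (the catch-all dynamic PAT, the identity static that exempts 10.17.1.5 from it, and the outside ACL that only admits tcp/80 to that host), here is a small simulator of the pre-8.3 global/nat/static syntax and the OUTSIDE_FILTER ACL. It is an added example, not code from the thread or from Cisco. It assumes an outside interface address of 203.0.113.10 (a documentation-range placeholder, since the thread never shows the real one) and models only the pieces of the syntax that appear in the question.

```python
"""Added example (not from the thread or Cisco): a small simulator of the
ASA 8.2-style global/nat/static lines and the outside ACL quoted above.
It answers two questions: which source address an inside host shows on the
outside, and which inbound connections the outside interface admits."""
import ipaddress
from dataclasses import dataclass, field

# Constructed input: the lines from the thread. The outside interface address
# is an ASSUMPTION (documentation range), since the thread never shows it.
OUTSIDE_INTERFACE_IP = "203.0.113.10"
CONFIG = """
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 10.17.1.5 10.17.1.5 netmask 255.255.255.255
access-group OUTSIDE_FILTER in interface outside
access-list OUTSIDE_FILTER extended permit tcp any host 10.17.1.5 eq www
"""
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}


@dataclass
class NatPolicy:
    globals_: dict = field(default_factory=dict)  # pool id -> mapped address
    nats: list = field(default_factory=list)      # (pool id, real network)
    statics: list = field(default_factory=list)   # (real network, mapped network)
    acls: dict = field(default_factory=dict)      # name -> [(action, proto, src, dst, port)]
    bindings: dict = field(default_factory=dict)  # interface -> ACL name bound inbound


def _addr_spec(tok, i):
    """Consume one ACL address spec: any | host A.B.C.D | NETWORK MASK."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_config(text, interface_ip):
    pol = NatPolicy()
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "global":
            # 'interface' means PAT to the address configured on that interface
            pol.globals_[int(tok[2])] = interface_ip if tok[3] == "interface" else tok[3]
        elif tok[0] == "nat":
            pol.nats.append((int(tok[2]), ipaddress.ip_network(f"{tok[3]}/{tok[4]}")))
        elif tok[0] == "static":
            # pre-8.3 order: static (real_ifc,mapped_ifc) MAPPED REAL netmask MASK
            mapped = ipaddress.ip_network(f"{tok[2]}/{tok[5]}")
            real = ipaddress.ip_network(f"{tok[3]}/{tok[5]}")
            pol.statics.append((real, mapped))
        elif tok[0] == "access-list":
            action, proto = tok[3], tok[4]
            src, i = _addr_spec(tok, 5)
            dst, i = _addr_spec(tok, i)
            port = None
            if i < len(tok) and tok[i] == "eq":
                port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
            pol.acls.setdefault(tok[1], []).append((action, proto, src, dst, port))
        elif tok[0] == "access-group":
            pol.bindings[tok[4]] = tok[1]
    return pol


def outside_source(pol, src_ip):
    """Address an inside host uses on the outside, and which NAT line produced it."""
    ip = ipaddress.ip_address(src_ip)
    # Static translations are evaluated before the dynamic nat/global pairs, so
    # the identity static exempts 10.17.1.5 from the catch-all PAT.
    for real, mapped in pol.statics:
        if ip in real:
            offset = int(ip) - int(real.network_address)
            out = ipaddress.ip_address(int(mapped.network_address) + offset)
            return str(out), "static identity NAT" if out == ip else "static NAT"
    for pool_id, net in pol.nats:
        if ip in net and pool_id in pol.globals_:
            return pol.globals_[pool_id], f"dynamic PAT via pool {pool_id}"
    return None, "no translation"


def inbound_permitted(pol, interface, proto, src_ip, dst_ip, dst_port):
    """Does the ACL bound inbound on `interface` admit this connection?
    On pre-8.3 code the outside ACL matches the MAPPED destination address;
    with identity NAT that is the same 10.17.1.5 the real host uses."""
    acl = pol.acls.get(pol.bindings.get(interface), [])
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, ace_proto, ace_src, ace_dst, port in acl:
        if (ace_proto in (proto, "ip") and src in ace_src and dst in ace_dst
                and port in (None, dst_port)):
            return action == "permit"  # first matching entry wins
    # Implicit deny at the end of the ACL; with no ACL bound at all, traffic
    # from a lower- to a higher-security interface is denied by default.
    return False


POLICY = parse_config(CONFIG, OUTSIDE_INTERFACE_IP)

if __name__ == "__main__":
    for host in ("10.17.1.5", "10.17.1.77"):
        print(host, "->", outside_source(POLICY, host))
    for port in (80, 443):
        print("inbound tcp/%d to 10.17.1.5:" % port,
              inbound_permitted(POLICY, "outside", "tcp", "198.51.100.9", "10.17.1.5", port))
```

Running it shows 10.17.1.5 leaving with its own address while any other inside host leaves as the outside interface address, and only tcp/80 to 10.17.1.5 being admitted from the outside. The evaluation order (statics before dynamic nat/global pairs) is what makes the identity static behave as "no NAT" for that one host while everything else still overloads onto the interface IP.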

Thank you so much for the elaborate explanation! 
