Question about configuration of NAT on ASA

mahesh18
Level 6

Hi all,

I have an ASA configured with DHCP and it's providing IPs to users.

The ASA is connected to a 3550 switch; it has a direct connection, or say a default static route.

From the 3550 switch the connection goes to a router, which does the NAT and has the connection to the outside world.

My question is, do I need to configure the NAT inside and global (outside) on the ASA or not?

As per my understanding, NAT is done by the router which has the connection to the ISP.

Thanks

Mahesh

11 Replies

Jennifer Halim
Cisco Employee

If you don't want or don't need to NAT it on the ASA, you don't have to.

However, the router needs to have static route for the private IP that the ASA assigns to the internal host pointing towards the ASA outside interface that connects to the router if the ASA doesn't perform NAT.

You would also need to configure static NAT to itself on the ASA, or if you are not configuring any NATing at all on the ASA and it is running version 8.2 or below, you can disable nat-control (no nat-control).

Hi Jennifer,

Thanks for the reply.

I tested it like this: configured the NAT on the ASA,

then as per your reply ran the command no nat-control, as the ASA version is 8.4.

But the NAT config is still there in the ASA.

I did sh xlate and it shows:

ciscoasa# sh xlate
27 in use, 371 most used
PAT Global 192.168.11.2(33396) Local 192.168.1.5(57177)
PAT Global 192.168.11.2(61657) Local 192.168.1.5(57176)
PAT Global 192.168.11.2(52259) Local 192.168.1.5(57175)
PAT Global 192.168.11.2(30453) Local 192.168.1.5(57174)

I did clear xlate and there is still output from sh xlate.

My question is, how do we test whether the ASA is NATing or not?

Which commands can tell us that the ASA is doing NAT?

Thanks

MAhesh

Ah, if you are running version 8.4, then the command nat-control doesn't exist anymore. It's only available in version 8.2 or below.

Please run the following command:

sh nat

so you can see whether it's NATing or not.

Hi Jennifer,

Here is the info:

ciscoasa# sh nat
NAT policies on Interface inside:
  match ip inside 192.168.1.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.1.0 255.255.255.0 outside any
    dynamic translation to pool 1 (192.168.11.2 [Interface PAT])
    translate_hits = 9916, untranslate_hits = 264
  match ip inside 192.168.1.0 255.255.255.0 _internal_loopback any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
ciscoasa#

How can we tell from here if the ASA is NATing?

thanks

Mahesh

The answer is yes, it is NATing to the ASA outside interface address which is 192.168.11.2.

From the output, here is the statement that says the translation:

match ip inside 192.168.1.0 255.255.255.0 outside any
    dynamic translation to pool 1 (192.168.11.2 [Interface PAT])
    translate_hits = 9916, untranslate_hits = 264

Hi Jennifer,

When we do sh nat, the output shows 3 match statements. Could you please tell me what the purpose of the 3 statements is?

Thanks

Mahesh

If you have a look at the interfaces, you can see the direction each statement has been configured for:

- First statement,

match ip inside 192.168.1.0 255.255.255.0 inside any

--> traffic from inside to inside, and there is no translation.

- Second statement:

match ip inside 192.168.1.0 255.255.255.0 outside any

--> traffic from inside to outside, and there is translation

- Third statement:

match ip inside 192.168.1.0 255.255.255.0 _internal_loopback any

--> traffic from inside to loopback address

hope that helps
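To turn the two checks discussed in this answer and the previous one (does the ASA have an active translation, and what does each "match" line do) into something repeatable, here is an added Python script that is not from the thread or from Cisco. It parses the "show nat" and "show xlate" layouts exactly as they appear in the posts above (assumption: other ASA releases print these differently, so the regexes may need adjusting), reports which policies can actually translate and have hits, and cross-checks against the xlate table. The sample strings are constructed copies of the posted output; function names such as nat_report and parse_show_nat are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed copies of the two outputs posted in the thread (same values),
# embedded here so the script runs offline.
SHOW_NAT = """\
NAT policies on Interface inside:
  match ip inside 192.168.1.0 255.255.255.0 inside any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
  match ip inside 192.168.1.0 255.255.255.0 outside any
    dynamic translation to pool 1 (192.168.11.2 [Interface PAT])
    translate_hits = 9916, untranslate_hits = 264
  match ip inside 192.168.1.0 255.255.255.0 _internal_loopback any
    dynamic translation to pool 1 (No matching global)
    translate_hits = 0, untranslate_hits = 0
"""
SHOW_XLATE = """\
27 in use, 371 most used
PAT Global 192.168.11.2(33396) Local 192.168.1.5(57177)
PAT Global 192.168.11.2(61657) Local 192.168.1.5(57176)
PAT Global 192.168.11.2(52259) Local 192.168.1.5(57175)
PAT Global 192.168.11.2(30453) Local 192.168.1.5(57174)
"""

# Patterns follow the layout shown in the thread; other ASA releases print
# "show nat" differently, so treat them as an assumption to adjust.
MATCH_RE = re.compile(r"^\s*match ip (?P<src_if>\S+) \S+ \S+ (?P<dst_if>\S+) \S+")
POOL_RE = re.compile(r"translation to pool \d+ \((?P<target>[^)]*)\)")
HITS_RE = re.compile(r"translate_hits = (?P<hits>\d+),")
XLATE_RE = re.compile(r"^(?:PAT|NAT) Global (?P<gip>[\d.]+)(?:\(\d+\))? Local (?P<lip>[\d.]+)")


@dataclass
class NatPolicy:
    src_if: str
    dst_if: str
    target: str   # text in parentheses after "pool N"
    hits: int

    @property
    def translates(self) -> bool:
        # "No matching global" means no mapped address exists for this interface
        # pair, so the policy can never rewrite a source address.
        return "No matching global" not in self.target

    @property
    def active(self) -> bool:
        return self.translates and self.hits > 0


def parse_show_nat(text: str) -> list[NatPolicy]:
    policies, cur = [], None
    for line in text.splitlines():
        if m := MATCH_RE.match(line):
            cur = {"src_if": m["src_if"], "dst_if": m["dst_if"], "target": ""}
        elif cur and (m := POOL_RE.search(line)):
            cur["target"] = m["target"]
        elif cur and (m := HITS_RE.search(line)):   # hits line ends the block
            policies.append(NatPolicy(cur["src_if"], cur["dst_if"], cur["target"], int(m["hits"])))
            cur = None
    return policies


def parse_show_xlate(text: str) -> list[tuple[str, str]]:
    """(global_ip, local_ip) for each translation slot currently in use."""
    return [(m["gip"], m["lip"]) for line in text.splitlines()
            if (m := XLATE_RE.match(line.strip()))]


def describe(policies: list[NatPolicy]) -> list[str]:
    """One line per policy: interface pair and what happens to matching traffic."""
    return [f"{p.src_if} -> {p.dst_if}: "
            + (f"translated to {p.target} ({p.hits} hits)" if p.translates
               else f"no translation ({p.target})")
            for p in policies]


def nat_report(show_nat: str, show_xlate: str) -> dict:
    policies = parse_show_nat(show_nat)
    xlates = parse_show_xlate(show_xlate)
    active = [p for p in policies if p.active]
    # An xlate whose global address equals its local one is identity NAT (no
    # address change); only entries where they differ prove real rewriting.
    rewriting = [x for x in xlates if x[0] != x[1]]
    globals_seen: dict[str, set[str]] = {}
    for gip, lip in rewriting:
        globals_seen.setdefault(gip, set()).add(lip)
    return {
        "is_natting": bool(active) or bool(rewriting),
        "active_policies": [(p.src_if, p.dst_if, p.target) for p in active],
        "idle_policies": [(p.src_if, p.dst_if) for p in policies if not p.active],
        "xlate_count": len(xlates),
        "rewriting_xlates": len(rewriting),
        "global_addresses": {g: sorted(l) for g, l in globals_seen.items()},
    }


if __name__ == "__main__":
    print("\n".join(describe(parse_show_nat(SHOW_NAT))))
    print(nat_report(SHOW_NAT, SHOW_XLATE))
```

Run against the posted output, it flags only the inside-to-outside policy as active (interface PAT to 192.168.11.2 with 9916 hits) and marks the inside-to-inside and inside-to-loopback policies as idle because they have no matching global address. The xlate cross-check matters because "clear xlate" only empties the table; as soon as an inside host sends new traffic the entries are rebuilt, so a non-empty table after a clear is itself evidence that a translation policy is still in force.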

Hi Jennifer,

Many thanks for all the answers on ASA NAT.

It's always good to learn about new technologies if someone like you can answer the questions.

Regards

MAhesh

You are welcome, Mahesh.

Appreciate all the ratings.

Julio Carvajal
VIP Alumni

Hello Mahesh,

As you are doing the NAT on an external router, then you do not need to perform NAT on the ASA, so just disable nat-control. Then packets will be able to go through the box with no need of a NAT rule.

Also, just to let you know, as soon as you set a NAT rule on an interface, traffic coming from that particular interface will need to get NATed even if you have nat-control off.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Thanks again.

Seems I am good for today now.

Regards

MAhesh
