Solved: Question about configuration of NAT on ASA

mahesh18 · ‎10-22-2012

Hi all,

I have ASA config with DHCP and its providing IP to users.

ASA is connected to 3550 switch it has direct connection or say default static route

From 3550 switch connection goes to Router and it does the NAT and has connection to outside world.

My question is do i need to configure the NAT inside and global (outside ) on the ASA or not?

As per my understanding NAT is done by router which has connection to ISP.

Thanks

Mahesh

Jennifer Halim · ‎10-22-2012

If you don't want or don't need to NAT it on the ASA, you don't have to.

However, the router needs to have static route for the private IP that the ASA assigns to the internal host pointing towards the ASA outside interface that connects to the router if the ASA doesn't perform NAT.

You would also need to configure static NAT to itself on the ASA, or if you are not configuring any NATing at all on the ASA and runs version 8.2 or below, you can disable nat-control (no nat-control).

View solution in original post

Julio Carvajal · ‎10-22-2012

Hello Mahesh,

As you are doing the NAT on an external router then you do not need to perform NAT on the ASA, so just disable NAT-control. Then packets will be able to go through the box with no need of a NAT rule.

Also just to let you know as soon as you set a NAT rule on an interface, traffic comming from that particular interface will need to get natted even if you have nat control off

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Jennifer Halim · ‎10-22-2012

The answer is yes, it is NATing to the ASA outside interface address which is 192.168.11.2.

From the output, here is the statement that says the translation:

match ip inside 192.168.1.0 255.255.255.0 outside any

dynamic translation to pool 1 (192.168.11.2 [Interface PAT])

translate_hits = 9916, untranslate_hits = 264

View solution in original post

Jennifer Halim · ‎10-22-2012

If you have a look at the interface, you can check the interface direction that it has been configured:

- First statement,

match ip inside 192.168.1.0 255.255.255.0 inside any

--> traffic from inside to inside, and there is no translation.

- Second statement:

match ip inside 192.168.1.0 255.255.255.0 outside any

--> traffic from inside to outside, and there is translation

- Third statement:

match ip inside 192.168.1.0 255.255.255.0 _internal_loopback any

--> traffic from inside to loopback address

hope that helps

View solution in original post

Jennifer Halim · ‎10-22-2012

If you don't want or don't need to NAT it on the ASA, you don't have to.

However, the router needs to have static route for the private IP that the ASA assigns to the internal host pointing towards the ASA outside interface that connects to the router if the ASA doesn't perform NAT.

You would also need to configure static NAT to itself on the ASA, or if you are not configuring any NATing at all on the ASA and runs version 8.2 or below, you can disable nat-control (no nat-control).

mahesh18 · ‎10-22-2012

Hi Jennifer,

Thanks for replied.

I tested like this config the NAT on ASA

then as per your reply run the command no nat-control as ASA ver is 8.4

But nat config is still there in ASA.

I did sh xlate it shows

ciscoasa# sh xlate

27 in use, 371 most used

PAT Global 192.168.11.2(33396) Local 192.168.1.5(57177)

PAT Global 192.168.11.2(61657) Local 192.168.1.5(57176)

PAT Global 192.168.11.2(52259) Local 192.168.1.5(57175)

PAT Global 192.168.11.2(30453) Local 192.168.1.5(57174)

I did clear xlate still there is output from the sh xlate

My question is how we test that ASA is nating or not ?

Which commands can tell us that ASA is doing NAT ?

Thanks

MAhesh

Jennifer Halim · ‎10-22-2012

Ah, if you are running version 8.4, then the command: nat-control doesn't exist anymore. It's only available from version 8.2 or below.

Pls run the following command:

sh nat

can you can see whether it's NATing or not.

mahesh18 · ‎10-22-2012

Hi Jennifer,

Here is info

ciscoasa# sh nat

NAT policies on Interface inside:

match ip inside 192.168.1.0 255.255.255.0 inside any

dynamic translation to pool 1 (No matching global)

translate_hits = 0, untranslate_hits = 0

match ip inside 192.168.1.0 255.255.255.0 outside any

dynamic translation to pool 1 (192.168.11.2 [Interface PAT])

translate_hits = 9916, untranslate_hits = 264

match ip inside 192.168.1.0 255.255.255.0 _internal_loopback any

dynamic translation to pool 1 (No matching global)

translate_hits = 0, untranslate_hits = 0

ciscoasa#

How can we tell from here if ASA is natting ?

thanks

Mahesh

Jennifer Halim · ‎10-22-2012

The answer is yes, it is NATing to the ASA outside interface address which is 192.168.11.2.

From the output, here is the statement that says the translation:

match ip inside 192.168.1.0 255.255.255.0 outside any

dynamic translation to pool 1 (192.168.11.2 [Interface PAT])

translate_hits = 9916, untranslate_hits = 264

mahesh18 · ‎10-22-2012

Hi Jennifer,

When we do sh nat output shows 3 match statements if you please tell me what is purpose of 3 statements.

Thanks

Mahesh

Jennifer Halim · ‎10-22-2012

If you have a look at the interface, you can check the interface direction that it has been configured:

- First statement,

match ip inside 192.168.1.0 255.255.255.0 inside any

--> traffic from inside to inside, and there is no translation.

- Second statement:

match ip inside 192.168.1.0 255.255.255.0 outside any

--> traffic from inside to outside, and there is translation

- Third statement:

match ip inside 192.168.1.0 255.255.255.0 _internal_loopback any

--> traffic from inside to loopback address

hope that helps

mahesh18 · ‎10-22-2012

Hi Jennifer,

Many thanks for all the answers on ASA NAT.

Its always good to learn about new Technologies if Someone like you can answer the questions.

Regards

MAhesh

Jennifer Halim · ‎10-22-2012

You are welcome, Mahesh.

Appreciate all the ratings.

Julio Carvajal · ‎10-22-2012

Hello Mahesh,

As you are doing the NAT on an external router then you do not need to perform NAT on the ASA, so just disable NAT-control. Then packets will be able to go through the box with no need of a NAT rule.

Also just to let you know as soon as you set a NAT rule on an interface, traffic comming from that particular interface will need to get natted even if you have nat control off

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mahesh18 · ‎10-22-2012

Hi Julio,

Thanks again now.

Seems i am good for today now.

Regards

MAhesh