Static NAT....on Cisco ASA 8.3

The_guroo_2
Level 2

Guys, my head will explode. Can someone please tell me the solution? I want to do static NAT (one to one, of course).

My real internal IP is, for example, 132.1.1.X. I want to NAT it to 10.1.1.1/32 towards a server coming from a client (not the internet), 10.25.1.1/32.

Internal IP 132.1.1.X ------> NAT to 10.1.1.1/32 (this subnet doesn't exist on any interface) -------> 10.25.1.1 external IP

I have seen lots of examples on Cisco websites but none explain it this way. All explain one to one like in my example 132.1.1.X will NAT to 10.25.1.1.

It's easy; I need the above scenario.

Thanks guys, hope some guru will help me.

Thanks


13 Replies

Jennifer Halim
Cisco Employee

Here we go:

object network obj-132.1.1.x
 host 132.1.1.x
object network obj-10.1.1.1
 host 10.1.1.1
object network obj-10.25.1.1
 host 10.25.1.1

nat (inside,outside) source static obj-132.1.1.x obj-10.1.1.1 destination static obj-10.25.1.1 obj-10.25.1.1

So an internal host with IP address 132.1.1.x, when trying to access 10.25.1.1, will be NATed to 10.1.1.1.

Thank you very much for your help, as someone is out there with good knowledge :-) I am still confused.

So what will this do?

hostname(config)# object network obj-132.1.1.x_DNS
hostname(config-network-object)# host 132.1.1.x
hostname(config-network-object)# nat (inside,outside) static 10.1.1.1

access-list outsidein extended permit tcp host 10.237.64.1 host 132.1.1.X  (real IP)
access-group outsidein in interface outside

I have read this from Cisco. I need some help as I am really struggling.

hostname(config)# object network obj-132.1.1.x_DNS
hostname(config-network-object)# host 132.1.1.x
hostname(config-network-object)# nat (inside,outside) static 10.1.1.1

The above is just a simple NAT, ie: an inside host with IP address 132.1.1.x gets NATed to 10.1.1.1, no matter where the destination is.

If you are familiar with the old NAT feature, it's the same as:

static (inside,outside) 10.1.1.1 132.1.1.x netmask 255.255.255.255

Thanks Jennifer

So the example which you gave was source static. I just want to know the difference between the two, as the commands are really different.

I want that when someone from the client tries to access my 132.1.1 address, the address gets NATed to 10.1.1.1, so I will tell the client that the address is 10.1.1.1 rather than the original address. So in that scenario which NAT should I use, mine or yours? And please tell me the difference between mine and yours.

Thanks heaps

There are 2 types of NAT on ASA version 8.3 and above:

1) Object NAT

2) Twice NAT

Network Object NAT - is a simple NAT

Twice NAT - policy NAT

With my example, you will only use that if you only need to NAT the source when going to a specific destination. That is why you can see that in my example there is a destination object as well.

If you just want to NAT the source host and it doesn't matter what the destination is (ie: destination is anything), then you can use your NAT example.

If you need to be very specific in your NAT statement (ie: policy NAT), then you will use Twice NAT (ie: my example).

If you need a generic NAT statement, then you can use Network Object NAT (ie: your example).

Here are the configuration guides on both NATs for your reference:

Network Object NAT:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_objects.html

Twice NAT:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_rules.html

Hope it makes sense.
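To put the two options from this reply side by side for the exact scenario in the thread, here is an added, complete configuration for ASA 8.3 or later. It is not code from the thread or from Cisco's guides; the real server is written as 132.1.1.1 (the thread's 132.1.1.X), the client addresses 192.168.1.1 and 192.168.1.2, the object-group name client_servers and the upstream routing remark are assumptions for the example.

```cisco
! Objects for the real server, its mapped address and the specific client
object network obj-132.1.1.1
 host 132.1.1.1
object network obj-10.1.1.1
 host 10.1.1.1
object network obj-10.25.1.1
 host 10.25.1.1
!
! Option A: Network Object NAT. 132.1.1.1 is always seen as 10.1.1.1 on the
! outside, whoever it talks to. Static, so it works in both directions and,
! being a static host rule, it is matched before the dynamic "any" rule.
object network obj-132.1.1.1
 nat (inside,outside) static 10.1.1.1
!
! Option B: Twice (policy) NAT instead of option A. Same translation, but only
! for traffic between 132.1.1.1 and 10.25.1.1; towards any other destination
! the host keeps its real address (or uses the existing dynamic rule).
! Twice NAT sits in section 1, so it is evaluated before object NAT.
! Configure A or B, not both.
nat (inside,outside) source static obj-132.1.1.1 obj-10.1.1.1 destination static obj-10.25.1.1 obj-10.25.1.1
!
! Inbound ACL. From 8.3 the interface ACL matches the REAL address
! (132.1.1.1), not the mapped one (10.1.1.1), because the packet is
! untranslated before the ACL is evaluated. Client addresses are assumed.
object-group network client_servers
 network-object host 10.25.1.1
 network-object host 192.168.1.1
 network-object host 192.168.1.2
access-list outsidein extended permit tcp object-group client_servers host 132.1.1.1 eq ftp
access-group outsidein in interface outside
!
! 10.1.1.1 is on no ASA interface, so nobody will ARP for it: the router in
! front of the outside interface needs a route for 10.1.1.1/32 pointing at
! the ASA outside address (assumption about the topology).
!
! Verify before handing 10.1.1.1 to the client. packet-tracer walks the
! NAT, ACL and routing phases for one flow in each direction.
packet-tracer input outside tcp 192.168.1.1 40000 10.1.1.1 21
packet-tracer input inside tcp 132.1.1.1 40000 10.25.1.1 21
show nat detail
show xlate
show conn address 132.1.1.1
```

Because the service is FTP, keep `inspect ftp` in the default global policy: it rewrites the addresses carried inside PORT/PASV so the data channel is also translated. After a few clients connect, `show xlate` will list one static translation (132.1.1.1 to 10.1.1.1) while `show conn` lists one connection per client, which is the point made later in the thread about one static NAT serving many clients.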

Thanks Jennifer for such a brief and excellent reply, you deserve 10/10. My last question/confusion is: if we do the NAT, yours or mine, is it for the client coming from outside to access our server, or is this NAT flow for when our original server initiates a connection to outside? As I am thinking about the access-list, should I put

access-group outsidein in interface outside

as I am confused between

nat (inside,outside)

nat (outside,inside)

Actually I need both: that my server initiates, or someone initiates from outside to this.

Thanks heaps (I guess this will solve my problem and I can implement straight away).

Just to let you know that we have dynamic NAT enabled:

0.0.0.0 0.0.0.0 which is dynamically translated to 10.30.0.0/24 to outside (but that is for users, not servers)

Thanks again

You don't have to worry about the NAT statement when it's static NAT, because static NAT is bi-directional.

So you only need to configure nat (inside,outside), and traffic can be initiated from inside to outside, or from outside to inside.

Traffic that is initiated from outside will require an access-list to allow the inbound connection. Without the ACL, it will not be able to initiate an inbound connection.

Traffic that is initiated from inside to outside does not require any ACL by default; however, if you have implemented an ACL to restrict outbound access, then you would need to explicitly allow those too.

Hi Jennifer

The best explanation I have ever received. Thank you so much for your time, you are the best.

Thanks for that

Hi Jennifer, thanks again, I will be adding these rules tonight.

Second thing is that multiple servers from the client will be accessing this server for FTP.

So if I create the following

hostname(config)# object network obj-132.1.1.1
hostname(config-network-object)# host 132.1.1.1
hostname(config-network-object)# nat (inside,outside) static 10.1.1.1

hostname(config)# object-group network client_server
hostname(config-network-object-group)# network-object object A  (will create three for the client)
hostname(config-network-object-group)# network-object object B
hostname(config-network-object-group)# network-object object C

access-list outsidein extended permit tcp object-group client_server host 132.1.1.1 eq ftp
access-group outsidein in interface outside

Will that work? As static NAT is one to one, I am just wondering if three servers connect simultaneously, will that work, or would the static NAT be different for every server?

:-) sorry I am a bit dumb

thanks heaps

No, you are absolutely right on the money

You will only need 1 static NAT and it will allow multiple connections towards the server.

Thanks again, but then it's not static NAT, as static is one to one, right??? Is it one to many then??? This NAT is not letting me sleep properly :-)

In my above config, four servers of the customer

eg

192.168.1.1   will initiate FTP connection --------> 10.1.1.1 (NAT on my firewall) ----------> 132.1.1.1 real IP
192.168.1.2
192.168.1.3
192.168.1.4

So will it still be called static NAT? How will the firewall keep track of four systems using one IP (ie NAT), as in PAT there are port numbers?

Thanks again Jen

The NAT (translation) itself is one to one, because you are only translating 1 IP address, ie: from 132.1.1.x to 10.1.1.1 and vice versa. However, how many clients are trying to reach that static NAT translation does not matter, because we are not translating the clients. From your example above: we are not translating 192.168.1.1, or 1.2 or 1.3 or 1.4. The IP address that we translate is just 1, ie: from 132.1.1.x to 10.1.1.1.
