ASA Pre-8.3 to 8.3 NAT configuration examples


Static NAT/PAT

Regular Static NAT

Pre-8.3 NAT:

static (inside,outside) 192.168.100.100 10.1.1.6 netmask 255.255.255.255

8.3 NAT:

object network obj-10.1.1.6
  host 10.1.1.6
  nat (inside,outside) static 192.168.100.100

Regular Static PAT

Pre-8.3 NAT:

static (inside,outside) tcp 192.168.100.100 80 10.1.1.16 8080 netmask 255.255.255.255

8.3 NAT:

object network obj-10.1.1.16
  host 10.1.1.16
  nat (inside,outside) static 192.168.100.100 service tcp 8080 www

Static Policy NAT

Pre-8.3 NAT:

access-list NET1 permit ip host 10.1.2.27 10.76.5.0 255.255.255.224
static (inside,outside) 192.168.100.100 access-list NET1

8.3 NAT:

object network obj-10.1.2.27
  host 10.1.2.27
object network obj-192.168.100.100
  host 192.168.100.100
object network obj-10.76.5.0
  subnet 10.76.5.0 255.255.255.224
nat (inside,outside) source static obj-10.1.2.27 obj-192.168.100.100
                     destination static obj-10.76.5.0 obj-10.76.5.0

Dynamic NAT/PAT

Regular Dynamic PAT-1

Pre-8.3 NAT:

nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 10.1.1.0 255.255.255.0
global (outside) 1 192.168.100.100

8.3 NAT:

object network obj-192.168.1.0
  subnet 192.168.1.0 255.255.255.0
  nat (inside,outside) dynamic 192.168.100.100
object network obj-10.1.1.0
  subnet 10.1.1.0 255.255.255.0
  nat (dmz,outside) dynamic 192.168.100.100

Regular Dynamic PAT-2

Pre-8.3 NAT:

nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 192.168.100.100
global (dmz) 1 192.168.1.1

8.3 NAT:

object network obj-10.1.2.0
  subnet 10.1.2.0 255.255.255.0
  nat (inside,outside) dynamic 192.168.100.100
object network obj-10.1.2.0-01
  subnet 10.1.2.0 255.255.255.0
  nat (inside,dmz) dynamic 192.168.1.1

Regular Dynamic PAT-3

Pre-8.3 NAT:

nat (inside) 1 0 0
global (outside) 1 interface

8.3 NAT:

object network obj_any
  subnet 0.0.0.0 0.0.0.0
  nat (inside,outside) dynamic interface

Dynamic Policy NAT

Pre-8.3 NAT:

object-group network og-net-src
  network-object 192.168.1.0 255.255.255.0
  network-object 192.168.2.0 255.255.255.0
object-group network og-net-dst
  network-object 192.168.200.0 255.255.255.0
object-group service og-ser-src
  service-object tcp gt 2000
  service-object tcp eq 1500
access-list NET6 extended permit object-group og-ser-src
                 object-group og-net-src object-group og-net-dst
nat (inside) 10 access-list NET6
global (outside) 10 192.168.100.100

8.3 NAT:

object network obj-192.168.100.100
  host 192.168.100.100
object service obj-tcp-range-2001-65535
  service tcp destination range 2001 65535
object service obj-tcp-eq-1500
  service tcp destination eq 1500
nat (inside,outside) source dynamic og-net-src obj-192.168.100.100
                     destination static og-net-dst og-net-dst
                     service obj-tcp-range-2001-65535 obj-tcp-range-2001-65535
nat (inside,outside) source dynamic og-net-src obj-192.168.100.100
                     destination static og-net-dst og-net-dst
                     service obj-tcp-eq-1500 obj-tcp-eq-1500

Policy Dynamic NAT (with multiple ACEs)

Pre-8.3 NAT:

access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.4.0 255.255.255.0
nat (inside) 1 access-list ACL_NAT
global (outside) 1 192.168.100.100

8.3 NAT:

object network obj-172.29.0.0
  subnet 172.29.0.0 255.255.0.0
object network obj-192.168.100.100
  host 192.168.100.100
object network obj-192.168.1.0
  subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0
  subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
  subnet 192.168.3.0 255.255.255.0
object network obj-192.168.4.0
  subnet 192.168.4.0 255.255.255.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
                     destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
                     destination static obj-192.168.2.0 obj-192.168.2.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
                     destination static obj-192.168.3.0 obj-192.168.3.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
                     destination static obj-192.168.4.0 obj-192.168.4.0

Outside NAT

Pre-8.3 NAT:

global (inside) 1 10.1.2.30-10.1.2.40
nat (dmz) 1 10.1.1.0 255.255.255.0 outside
static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255

8.3 NAT (the range object must exist before the nat command that references it):

object network obj-10.1.2.27
  host 10.1.2.27
  nat (inside,dmz) static 10.1.1.5
object network obj-10.1.2.30-10.1.2.40
  range 10.1.2.30 10.1.2.40
object network obj-10.1.1.0
  subnet 10.1.1.0 255.255.255.0
  nat (dmz,inside) dynamic obj-10.1.2.30-10.1.2.40

NAT & Interface PAT together

Pre-8.3 NAT:

nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 interface
global (outside) 1 192.168.100.100-192.168.100.200

8.3 NAT (the pool object is used first, with interface PAT as the fallback):

object network obj-192.168.100.100_192.168.100.200
  range 192.168.100.100 192.168.100.200
object network obj-10.1.2.0
  subnet 10.1.2.0 255.255.255.0
  nat (inside,outside) dynamic obj-192.168.100.100_192.168.100.200 interface

NAT & Interface PAT with additional PAT together

Pre-8.3 NAT:

nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 192.168.100.100-192.168.100.200
global (outside) 1 interface
global (outside) 1 192.168.100.210

8.3 NAT (the range in the group is used for dynamic NAT, the host in the group for PAT, and the interface is the final fallback; the nat command belongs inside the real-address object):

object network obj-192.168.100.100_192.168.100.200
  range 192.168.100.100 192.168.100.200
object network second-pat
  host 192.168.100.210
object-group network dynamic-nat-pat
  network-object object obj-192.168.100.100_192.168.100.200
  network-object object second-pat
object network obj-10.0.0.0
  subnet 10.0.0.0 255.0.0.0
  nat (inside,outside) dynamic dynamic-nat-pat interface

Twice NAT with both source IP, dest IP and source port, dest port change

On the inside:

Source IP: 10.30.97.129
Dest IP: 10.30.97.200
Source port: 5300
Dest port: any port

On the outside:

Source IP: Interface IP
Dest IP: 172.16.1.10
Source port: 5300
Dest port: 1022

8.3 NAT (the service objects are listed real first, then mapped):

object network source-real
  host 10.30.97.129
object network dest-mapped
  host 10.30.97.200
object network dest-real
  host 172.16.1.10
object service inside-src-dest-port
  service tcp source eq 5300 destination range 0 65535
object service outside-src-dest-port
  service tcp source eq 5300 destination eq 1022

nat (inside,outside) after-auto source static source-real interface destination static dest-mapped dest-real service inside-src-dest-port outside-src-dest-port
 

Static NAT for a Range of Ports

Pre-8.3 NAT:

Not possible. You need to write multiple statements or perform a static one-to-one NAT.

8.3 NAT:

            (in)         (out)
10.1.1.1 ---- ASA ---- xlate ----> 10.2.2.2

Original ports: 10000 - 10010
Translated ports: 20000 - 20010

object service ports
  service tcp source range 10000 10010
object service ports-xlate
  service tcp source range 20000 20010
object network server
  host 10.1.1.1
object network server-xlate
  host 10.2.2.2

nat (inside,outside) source static server server-xlate service ports ports-xlate
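The Regular Static NAT, Regular Static PAT, Regular Dynamic PAT and Outside NAT rows above are mechanical enough to script. The Python helper below is an added example, not code from the original page or from Cisco: the function names and the obj-<address> object naming are my own assumptions, it keeps the ports numeric (the ASA accepts numeric or named ports), it expects one global per mapped interface per NAT id, and it deliberately skips identity NAT (id 0) and access-list policy NAT, which need the twice NAT form shown in the table.

```python
from collections import defaultdict

def convert_static(line):
    """pre-8.3 'static (real,mapped) [tcp|udp mapped_port] mapped_ip real_ip [real_port] netmask ...'
    -> the 8.3 object NAT block (one-to-one static NAT, or static PAT when ports are present)."""
    p = line.split()
    real_if, mapped_if = p[1].strip("()").split(",")
    if p[2] in ("tcp", "udp"):              # static PAT: protocol and both ports are present
        proto, mapped_ip, mapped_port, real_ip, real_port = p[2:7]
        svc = f" service {proto} {real_port} {mapped_port}"   # 8.3 lists the real port first
    else:                                   # one-to-one static NAT: mapped address, then real
        mapped_ip, real_ip, svc = p[2], p[3], ""
    return [f"object network obj-{real_ip}", f"  host {real_ip}",
            f"  nat ({real_if},{mapped_if}) static {mapped_ip}{svc}"]

def convert_dynamic(lines):
    """Pair every 'nat (real_if) id net mask' with each 'global (mapped_if) id pool' of the same id.
    Identity NAT (id 0) and access-list policy NAT are skipped; they need the twice NAT form."""
    pools, nats, out = defaultdict(list), [], []
    for line in lines:
        p = line.split()
        if p[0] == "global":
            pools[p[2]].append((p[1].strip("()"), p[3]))
        elif p[0] == "nat" and p[2] != "0" and p[3] != "access-list":
            nats.append((p[1].strip("()"), p[2], p[3], p[4]))
    for real_if, nat_id, net, mask in nats:
        if net in ("0", "0.0.0.0"):         # 'nat (inside) 1 0 0' means any source address
            net, mask, name = "0.0.0.0", "0.0.0.0", "obj_any"
        else:
            name = f"obj-{net}"
        member = f"host {net}" if mask == "255.255.255.255" else f"subnet {net} {mask}"
        for n, (mapped_if, pool) in enumerate(pools[nat_id]):
            if "-" in pool:                 # a pool given as a range must become its own object
                lo, hi = pool.split("-")
                out += [f"object network obj-{lo}-{hi}", f"  range {lo} {hi}"]
                pool = f"obj-{lo}-{hi}"
            obj = name if n == 0 else f"{name}-{n:02d}"   # an object holds one nat rule, so clone it
            out += [f"object network {obj}", f"  {member}",
                    f"  nat ({real_if},{mapped_if}) dynamic {pool}"]
    return out

if __name__ == "__main__":
    # Constructed sample input: the pre-8.3 lines of the Regular Static PAT and Regular Dynamic PAT-2 rows.
    print("\n".join(convert_static(
        "static (inside,outside) tcp 192.168.100.100 80 10.1.1.16 8080 netmask 255.255.255.255")))
    print("\n".join(convert_dynamic(["nat (inside) 1 10.1.2.0 255.255.255.0",
                                     "global (outside) 1 192.168.100.100",
                                     "global (dmz) 1 192.168.1.1"])))
```

Review the generated objects before pasting them in, since pre-8.3 ACL-based rules, interface fallback pools and multiple globals on one interface still need the twice NAT or object-group forms shown in the table.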
Comments
Beginner

I've been having thoughts about this for a while. We know that PAT uses TCP/UDP port numbers to distinguish between inside hosts via a mapping table for private IPs, internal/external ports and all that stuff; all of this happens so that the return packets from outside (despite having the same destination IP) will be remapped and reach the correct inside host.

Now how can ping/ICMP replies route back to the inside, when we know ICMP is not at the TCP/UDP level, so it does NOT use port numbers at all? Any idea? Maybe I'm missing something.

Practically, I'm behind PAT and I can always ping outside.

Cisco Employee

Hi Vijay,

The ICMP ID can be used to associate inside Requests with Responses across PAT translations.

Sincerely,

David.

Community Member

The IP address accessed from the outside on the DMZ has to be a public address, isn't it?

Beginner

I have a question on 8.3 Static PAT:

I correctly translated the destination as said in the table column, though it does not work; I presume that we need to specify the protocol and service in the object. If you endorse my point, please correct the same in the tabular column.

ASA(config)# sh cap capin 

2 packets captured

   1: 11:32:02.950054 10.0.0.10.13493 > 1.1.1.2.2300: S 565689259:565689259(0) win 4128 <mss 536> 
   2: 11:32:02.973078 1.1.1.2.2300 > 10.0.0.10.13493: R 1813852826:1813852826(0) ack 565689260 win 0 
2 packets shown
ASA(config)# sh cap capout

2 packets captured

   1: 11:32:02.950252 10.0.0.10.13493 > 1.1.1.2.2300: S 1349629680:1349629680(0) win 4128 <mss 536> 
   2: 11:32:02.973002 1.1.1.2.2300 > 10.0.0.10.13493: R 0:0(0) ack 1349629681 win 0 
2 packets shown
ASA(config)# sh nat                                      

Auto NAT Policies (Section 2)
1 (INSIDE) to (OUTSIDE) source static MYR1 192.168.1.100   service tcp 2300 telnet 
    translate_hits = 0, untranslate_hits = 0
Community Member

Dear Magnus Mortensen,

I have the original NAT configuration in a router as below (Part 1). And I would like to migrate this NAT configuration to the ASA (Part 2).

Could you please tell me if the below ASA commands are correct?

Million thanks.

Part 1 - Router#

ip access-list extended NATUSERS
  permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
  permit ip 1.1.2.0 0.0.0.255 2.2.2.0 0.0.0.255
  permit ip 1.1.3.0 0.0.0.255 2.2.2.0 0.0.0.255

ip nat pool NATPool 3.3.3.1 3.3.3.254 netmask 255.255.255.0
ip nat inside source list NATUSERS pool NATPool overload

Part 2 – ASA (Version 8.3)#

object network Src-1
  subnet 1.1.1.0 255.255.255.0
object network Src-2
  subnet 1.1.2.0 255.255.255.0
object network Src-3
  subnet 1.1.3.0 255.255.255.0
object network Src-Trans
  range 3.3.3.1 3.3.3.254
object network Dest-2.2.2.0
  subnet 2.2.2.0 255.255.255.0
object-group network Src-123
  network-object object Src-1
  network-object object Src-2
  network-object object Src-3

nat (inside,outside) source dynamic Src-123 Src-Trans destination static Dest-2.2.2.0 Dest-2.2.2.0

Million thanks.

Regards,

Don

To scale the performance of firewalls and to provide high reliability, Cisco has a new feature called ITD. Please see ITD (Intelligent Traffic Director) White Paper.

 

ITD Provides CAPEX and OPEX Savings for Customers

ITD (Intelligent Traffic Director) is a hardware based multi-Tbps Layer 4 load-balancing, traffic steering and clustering solution on Nexus 5K/6K/7K series of switches. It supports IP-stickiness, resiliency, NAT, (EFT), VIP, health monitoring, sophisticated failure handling policies, N+M redundancy, IPv4, IPv6, VRF, weighted load-balancing, bi-directional flow-coherency, and IPSLA probes including DNS.

Beginner

I have a pre-8.3 NAT question. How would this config look in ASA 9.1(6)?

global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 lan 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 vpn 255.255.255.0
static (inside,outside) tcp interface 55530 192.168.100.250 55530 netmask 255.255.255.255
static (inside,outside) tcp interface 55531 192.168.100.250 55531 netmask 255.255.255.255
static (inside,outside) tcp interface 55532 192.168.100.250 55532 netmask 255.255.255.255
static (inside,outside) tcp interface 55533 192.168.100.250 55533 netmask 255.255.255.255
static (inside,outside) tcp interface 55534 192.168.100.250 55534 netmask 255.255.255.255
static (inside,outside) tcp interface 55535 192.168.100.250 55535 netmask 255.255.255.255
static (inside,outside) udp interface 55530 192.168.100.250 55530 netmask 255.255.255.255
static (inside,outside) udp interface 55531 192.168.100.250 55531 netmask 255.255.255.255
static (inside,outside) udp interface 55532 192.168.100.250 55532 netmask 255.255.255.255
static (inside,outside) udp interface 55533 192.168.100.250 55533 netmask 255.255.255.255
static (inside,outside) udp interface 55534 192.168.100.250 55534 netmask 255.255.255.255
static (inside,outside) udp interface 55535 192.168.100.250 55535 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.100.7 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.100.7 www netmask 255.255.255.255
static (inside,outside) tcp interface 987 192.168.100.7 987 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.100.7 https netmask 255.255.255.255

Cisco Employee

Hi Thomas,

Would you be able to open a separate post for your query?

Thanks and Regards,

Vibhor Amrodia

Beginner

I have posted a unique discussion on Cisco Support Community with the title "Pre-8.3 NAT to 8.3+ NAT configuration on ASA 5505".

Community Member

Hi,

Many thanks for this post. I have a question:

How do I configure Twice NAT with both source IP, dest IP and source port, dest port change in a pre-8.3 version? I have ASA version 8.2.

Please assist with the same example as below. Many thanks for this post.

Twice NAT with both source IP, dest IP and source port, dest port change.

On the inside:

Source IP: 10.30.97.129
Dest IP: 10.30.97.200
Source port: 5300
Dest port: any port

On the outside:

Source IP: Interface IP
Dest IP: 172.16.1.10
Source port: 5300
Dest port: 1022

Beginner

Hi,

I have a Cisco ASA 5505 running 9.2(4).

How do I set up UDP port forwarding for the range 36,000 to 59,999?

Please advise. Thank you.

Cisco Employee

Hi Rizwan,

Try the below syntax.

object service udp-port
  service udp source range 36000 59999

object network realip
  host 192.168.x.x
object network mapip
  host 182.x.x.x

nat (inside,outside) source static realip mapip service udp-port udp-port

Also apply the ACL to allow the traffic.

 

Beginner

Hi Gaddu,

Thank you for the reply. Can you please advise on the ACL so I can test them all? I will update you on this.

Bundle of thanks.

Real IP: 192.168.1.207

WAN IP: 182.152.34.98

I have tried the above command, but I used the WAN IP as the mapped IP and got the following error. (I have PPPoE with a single WAN IP.)

ERROR: Address 182.152.34.98 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

Cisco Employee

Hi Rizwan,

Try this NAT statement, because you are trying to open ports on the interface.

nat (inside,outside) source static realip interface service udp-port udp-port

ACL:

access-list outside permit udp any host 192.168.1.207 range 36000 59999

Thanks 

Guddu 

Beginner

Cisco Adaptive Security Appliance Software Version 8.4(3) 

Configuration:

object service udp-port
service udp source range 36000 59999
object network expresswayLAN
host 192.168.1.207

access-list outside_in extended permit udp any host 192.168.1.207 range 36000 59999 

nat (inside,outside) source static expresswayLAN interface service udp-port udp-port

access-group outside_in in interface outside

ASA# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static expresswayLAN interface service udp-port udp-port
translate_hits = 0, untranslate_hits = 61

Please help: what am I missing to translate these ports?

Thank you so much.