ASA Pre-8.3 to 8.3 NAT configuration examples


Static NAT/PAT

Regular Static NAT

Pre-8.3 NAT:
  static (inside,outside) 192.168.100.100 10.1.1.6 netmask 255.255.255.255

8.3 NAT:
  object network obj-10.1.1.6
    host 10.1.1.6
    nat (inside,outside) static 192.168.100.100

Regular Static PAT

Pre-8.3 NAT:
  static (inside,outside) tcp 192.168.100.100 80 10.1.1.16 8080 netmask 255.255.255.255

8.3 NAT:
  object network obj-10.1.1.16
    host 10.1.1.16
    nat (inside,outside) static 192.168.100.100 service tcp 8080 www

Static Policy NAT

Pre-8.3 NAT:
  access-list NET1 permit ip host 10.1.2.27 10.76.5.0 255.255.255.224
  static (inside,outside) 192.168.100.100 access-list NET1

8.3 NAT:
  object network obj-10.1.2.27
    host 10.1.2.27
  object network obj-192.168.100.100
    host 192.168.100.100
  object network obj-10.76.5.0
    subnet 10.76.5.0 255.255.255.224
  nat (inside,outside) source static obj-10.1.2.27 obj-192.168.100.100 destination static obj-10.76.5.0 obj-10.76.5.0

Regular Dynamic PAT

Pre-8.3 NAT:
  nat (inside) 1 192.168.1.0 255.255.255.0
  nat (dmz) 1 10.1.1.0 255.255.255.0
  global (outside) 1 192.168.100.100

8.3 NAT:
  object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0
    nat (inside,outside) dynamic 192.168.100.100
  object network obj-10.1.1.0
    subnet 10.1.1.0 255.255.255.0
    nat (dmz,outside) dynamic 192.168.100.100

Regular Dynamic PAT-2

Pre-8.3 NAT:
  nat (inside) 1 10.1.2.0 255.255.255.0
  global (outside) 1 192.168.100.100
  global (dmz) 1 192.168.1.1

8.3 NAT:
  object network obj-10.1.2.0
    subnet 10.1.2.0 255.255.255.0
    nat (inside,outside) dynamic 192.168.100.100
  object network obj-10.1.2.0-01
    subnet 10.1.2.0 255.255.255.0
    nat (inside,dmz) dynamic 192.168.1.1

Regular Dynamic PAT-3

Pre-8.3 NAT:
  nat (inside) 1 0 0
  global (outside) 1 interface

8.3 NAT:
  object network obj_any
    subnet 0.0.0.0 0.0.0.0
    nat (inside,outside) dynamic interface

Dynamic Policy NAT

Pre-8.3 NAT:
  object-group network og-net-src
    network-object 192.168.1.0 255.255.255.0
    network-object 192.168.2.0 255.255.255.0
  object-group network og-net-dst
    network-object 192.168.200.0 255.255.255.0
  object-group service og-ser-src
    service-object tcp gt 2000
    service-object tcp eq 1500
  access-list NET6 extended permit object-group og-ser-src object-group og-net-src object-group og-net-dst
  nat (inside) 10 access-list NET6
  global (outside) 10 192.168.100.100

8.3 NAT (the object-groups og-net-src and og-net-dst from the pre-8.3 column are reused):
  object network obj-192.168.100.100
    host 192.168.100.100
  object service obj-tcp-range-2001-65535
    service tcp destination range 2001 65535
  object service obj-tcp-eq-1500
    service tcp destination eq 1500
  nat (inside,outside) source dynamic og-net-src obj-192.168.100.100 destination static og-net-dst og-net-dst service obj-tcp-range-2001-65535 obj-tcp-range-2001-65535
  nat (inside,outside) source dynamic og-net-src obj-192.168.100.100 destination static og-net-dst og-net-dst service obj-tcp-eq-1500 obj-tcp-eq-1500

Policy Dynamic NAT (with multiple ACEs)

Pre-8.3 NAT:
  access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.1.0 255.255.255.0
  access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.2.0 255.255.255.0
  access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.3.0 255.255.255.0
  access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.4.0 255.255.255.0
  nat (inside) 1 access-list ACL_NAT
  global (outside) 1 192.168.100.100

8.3 NAT:
  object network obj-172.29.0.0
    subnet 172.29.0.0 255.255.0.0
  object network obj-192.168.100.100
    host 192.168.100.100
  object network obj-192.168.1.0
    subnet 192.168.1.0 255.255.255.0
  object network obj-192.168.2.0
    subnet 192.168.2.0 255.255.255.0
  object network obj-192.168.3.0
    subnet 192.168.3.0 255.255.255.0
  object network obj-192.168.4.0
    subnet 192.168.4.0 255.255.255.0
  nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.1.0 obj-192.168.1.0
  nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.2.0 obj-192.168.2.0
  nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.3.0 obj-192.168.3.0
  nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.4.0 obj-192.168.4.0

Outside NAT

Pre-8.3 NAT:
  global (inside) 1 10.1.2.30-10.1.2.40
  nat (dmz) 1 10.1.1.0 255.255.255.0 outside
  static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255

8.3 NAT (the range object must exist before the nat statement that references it):
  object network obj-10.1.2.27
    host 10.1.2.27
    nat (inside,dmz) static 10.1.1.5
  object network obj-10.1.2.30-10.1.2.40
    range 10.1.2.30 10.1.2.40
  object network obj-10.1.1.0
    subnet 10.1.1.0 255.255.255.0
    nat (dmz,inside) dynamic obj-10.1.2.30-10.1.2.40

NAT & Interface PAT together

Pre-8.3 NAT:
  nat (inside) 1 10.1.2.0 255.255.255.0
  global (outside) 1 interface
  global (outside) 1 192.168.100.100-192.168.100.200

8.3 NAT:
  object network obj-192.168.100.100_192.168.100.200
    range 192.168.100.100 192.168.100.200
  object network obj-10.1.2.0
    subnet 10.1.2.0 255.255.255.0
    nat (inside,outside) dynamic obj-192.168.100.100_192.168.100.200 interface

NAT & Interface PAT with additional PAT together

Pre-8.3 NAT:
  nat (inside) 1 10.0.0.0 255.0.0.0
  global (outside) 1 192.168.100.1-192.168.100.200
  global (outside) 1 interface
  global (outside) 1 192.168.100.210

8.3 NAT (the nat statement belongs inside the obj-10.0.0.0 object, which restricts the rule to 10.0.0.0/8):
  object network obj-192.168.100.100_192.168.100.200
    range 192.168.100.100 192.168.100.200
  object network second-pat
    host 192.168.100.210
  object-group network dynamic-nat-pat
    network-object object obj-192.168.100.100_192.168.100.200
    network-object object second-pat
  object network obj-10.0.0.0
    subnet 10.0.0.0 255.0.0.0
    nat (inside,outside) dynamic dynamic-nat-pat interface

Twice NAT with both source IP, Dest IP and Source port, Dest port change

On the inside:
  Source IP: 10.30.97.129
  Dest IP: 10.30.97.200
  Source port: 5300
  Dest port: any port

On the outside:
  Source IP: Interface IP
  Dest IP: 172.16.1.10
  Source port: 5300
  Dest port: 1022

8.3 NAT:
  object network source-real
    host 10.30.97.129
  object network dest-mapped
    host 10.30.97.200
  object network dest-real
    host 172.16.1.10
  object service inside-src-dest-port
    service tcp source eq 5300 destination range 0 65535
  object service outside-src-dest-port
    service tcp source eq 5300 destination eq 1022
  nat (inside,outside) after-auto source static source-real interface destination static dest-mapped dest-real service inside-src-dest-port outside-src-dest-port

Static NAT for a Range of Ports

Not possible directly: you need to write multiple statements or perform a static one-to-one NAT.

            (in)    (out)
  10.1.1.1-------ASA-----
          --xlate-------> 10.2.2.2
  Original ports: 10000 - 10010
  Translated ports: 20000 - 20010

  object service ports
    service tcp source range 10000 10010
  object service ports-xlate
    service tcp source range 20000 20010
  object network server
    host 10.1.1.1
  object network server-xlate
    host 10.2.2.2
  nat (inside,outside) source static server server-xlate service ports ports-xlate
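The mapping the table encodes can be mechanised for the non-policy rows. The script below is an added example, not part of the original document and not a Cisco tool: it translates host statics, static PAT and plain nat/global pairs into 8.3 object NAT, and refuses policy, outside and twice NAT rather than guessing a rewrite for them. It assumes the document's obj-<address> naming convention, emits numeric ports where the ASA would show names such as www, and reproduces the -01 suffix used above when one real network needs a second nat rule. The sample input is constructed from rows of the table.

```python
"""Pre-8.3 -> 8.3 ASA NAT translator. Added example, not from the original
document or any Cisco tool. Handles only the simple forms in the table:
host statics (netmask 255.255.255.255) and nat/global pairs whose pool is a
host, a lo-hi range or 'interface'. Policy, outside and twice NAT are rejected.
The obj-<address> object naming is an assumption taken from the table."""
from collections import defaultdict


def convert_static(line):
    """One pre-8.3 host static -> network object with object NAT (3 lines)."""
    t = line.split()
    if "access-list" in t:
        raise ValueError("static policy NAT must become twice NAT by hand")
    if t[-2:] != ["netmask", "255.255.255.255"]:
        raise ValueError("only host statics are handled")
    real_if, mapped_if = t[1].strip("()").split(",")   # '(inside,outside)'
    body = t[2:-2]
    if len(body) == 2:                                  # static NAT
        mapped_ip, real_ip = body
        nat = f" nat ({real_if},{mapped_if}) static {mapped_ip}"
    elif len(body) == 5 and body[0] in ("tcp", "udp"):  # static PAT
        proto, mapped_ip, mapped_port, real_ip, real_port = body
        # 8.3 object NAT lists the real port first, then the mapped port
        nat = (f" nat ({real_if},{mapped_if}) static {mapped_ip} "
               f"service {proto} {real_port} {mapped_port}")
    else:
        raise ValueError(f"unrecognised static: {line}")
    return [f"object network obj-{real_ip}", f" host {real_ip}", nat]


def convert_dynamic(nat_lines, global_lines):
    """Pair nat/global statements by NAT id and emit dynamic object NAT."""
    pools = defaultdict(lambda: defaultdict(list))     # id -> mapped_if -> [pool]
    for line in global_lines:
        t = line.split()                                # global (outside) 1 POOL
        pools[t[2]][t[1].strip("()")].append(t[3])
    out, used = [], defaultdict(int)
    for line in nat_lines:
        t = line.split()                                # nat (inside) 1 NET MASK
        if "access-list" in t or t[-1] == "outside":
            raise ValueError(f"policy/outside NAT not handled: {line}")
        real_if, nat_id, net, mask = t[1].strip("()"), t[2], t[3], t[4]
        if nat_id not in pools:
            raise ValueError(f"no global statement for nat id {nat_id}")
        if (net, mask) == ("0", "0"):
            net, mask = "0.0.0.0", "0.0.0.0"
        base = "obj_any" if net == "0.0.0.0" else f"obj-{net}"
        for mapped_if, pool_list in pools[nat_id].items():
            # an object carries one nat rule, so each further mapped interface
            # gets its own copy of the object, named -01, -02, ...
            n, used[base] = used[base], used[base] + 1
            name = base if n == 0 else f"{base}-{n:02d}"
            ranges = [p for p in pool_list if "-" in p]
            hosts = [p for p in pool_list if "-" not in p and p != "interface"]
            fallback = " interface" if "interface" in pool_list else ""
            if len(ranges) == 1 and not hosts:          # pool -> range object
                lo, hi = ranges[0].split("-")
                mapped = f"obj-{lo}_{hi}"
                out += [f"object network {mapped}", f" range {lo} {hi}"]
            elif len(hosts) == 1 and not ranges:        # single PAT address
                mapped = hosts[0]
            elif fallback and not hosts and not ranges:  # interface PAT only
                mapped, fallback = "interface", ""
            else:
                raise ValueError(f"id {nat_id}/{mapped_if}: build an object-group by hand")
            out += [f"object network {name}", f" subnet {net} {mask}",
                    f" nat ({real_if},{mapped_if}) dynamic {mapped}{fallback}"]
    return out


def convert(config_text):
    """Translate a block of pre-8.3 static/nat/global lines into 8.3 lines."""
    out, nat_lines, global_lines = [], [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        kw = line.split()[0]
        if kw == "static":
            out += convert_static(line)
        elif kw == "nat":
            nat_lines.append(line)
        elif kw == "global":
            global_lines.append(line)
        else:
            raise ValueError(f"unsupported statement: {line}")
    return out + convert_dynamic(nat_lines, global_lines)


# Constructed sample assembled from rows of the table above.
SAMPLE_PRE83 = """\
static (inside,outside) 192.168.100.100 10.1.1.6 netmask 255.255.255.255
static (inside,outside) tcp 192.168.100.100 80 10.1.1.16 8080 netmask 255.255.255.255
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 interface
global (outside) 1 192.168.100.100-192.168.100.200
global (dmz) 1 192.168.1.1
nat (inside) 2 0 0
global (outside) 2 interface
"""
```

Calling convert(SAMPLE_PRE83) and joining the result with newlines yields the 8.3 column for the corresponding rows; the interface-plus-range case comes out as "dynamic obj-192.168.100.100_192.168.100.200 interface", and the second mapped interface for 10.1.2.0 gets the obj-10.1.2.0-01 copy. Anything that would need a network object-group (several host pools on one interface) is raised as an error so it is built deliberately rather than guessed.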
Comments
Beginner
Anyone? Please help to fix the forwarding issue. Thanks in advance.
Beginner
Anyone who can help to fix the above issue?
Beginner

Hi everybody,

that's a wonderful doc, thanks. I have just one question for the section NAT & Interface PAT with additional PAT together.

Before that, just a quick review of the pre-8.3 rules to be sure I understand them: in short, any connection from the net 10.0.0.0/8 leaving the interface outside is first NAT'ed (source and dest port are kept) with an IP addr in the range 192.168.100.1-192.168.100.200; then the source address of the 201st connection will be NAT'ed using the interface IP address and the src port of course will be changed. Then when all the ports of the address of the outside interface are taken, src-port translation will be done by using the IP address 192.168.100.210 (again the original src port will be changed). I think the order of global statements is important and hence

global (outside) 1 192.168.100.1-192.168.100.200

global (outside) 1 192.168.100.210

global (outside) 1 interface

will do the same but the PAT will be done first by using 192.168.100.210 and then by using the outside's interface address.

 

Now my questions:

the object

object network obj-10.0.0.0
   subnet 10.0.0.0 255.0.0.0

is defined but not used anywhere in the subsequent statements of the same section for 8.3 version and later. In the 8.3 rules I'm missing how the address of the outside interface will be used to do PAT and how the NAT statement is restricted to the network 10.0.0.0/8.

Is it really necessary to define it, or do any of the subsequent statements fail to use it? And if it is not necessary, how do the post-8.3 rules accomplish the NAT goal of the pre-8.3 rules written in the left column?


Could somebody help here please?
Thanks, Alex
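The two things Alex's question and the Outside NAT row turn on can be checked mechanically: an object that is defined but never tied to a nat rule (obj-10.0.0.0 when the nat line sits outside its body), and an object referenced before it is defined (the 10.1.2.30-10.1.2.40 range object). The checker below is an added example, not part of the document or of any Cisco tool; the two samples are constructed copies of the 8.3 columns as originally posted, and the line-oriented parsing assumes ordinary CLI indentation of object bodies.

```python
"""Reference checker for 8.3-style ASA NAT configuration. Added example, not
from the original document or any Cisco tool. It reports: a name used by a
nat statement or object-group before (or without) its definition; an object
that neither carries its own nat rule nor is referenced by any nat statement
or group; and a nat statement outside an object body that lacks the twice-NAT
'source' keyword. Line-oriented; assumes CLI indentation of object bodies."""
import re

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# tokens of a nat statement that are syntax rather than object names
KEYWORDS = {"nat", "static", "dynamic", "source", "destination", "service",
            "interface", "after-auto", "any", "any4", "any6", "dns", "unidirectional",
            "no-proxy-arp", "route-lookup", "pat-pool", "flat", "round-robin",
            "extended", "include-reserve", "net-to-net", "block-allocation", "inactive"}


def lint_nat_config(text):
    """Return a list of findings as strings; an empty list means clean."""
    defined, refs, own_nat, findings = {}, [], set(), []
    current = None                                   # object body we are inside
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        t = raw.split()
        indented = raw[0].isspace()
        if not indented:
            current = None
            if t[0] in ("object", "object-group") and len(t) >= 3:
                current = t[2]
                if current in defined:
                    findings.append(f"line {lineno}: {current} is defined twice")
                defined[current] = lineno
                continue
        if indented and t[:2] == ["network-object", "object"] and len(t) == 3:
            refs.append((t[2], lineno))              # group member reference
            continue
        if t[0] != "nat":
            continue
        scan = t[1:]
        if indented and current:                     # object NAT inside a body
            own_nat.add(current)
            if "service" in scan:                    # 'service tcp 8080 www': ports,
                scan = scan[:scan.index("service")]  # not object names, follow
        elif "source" not in t:
            findings.append(f"line {lineno}: nat outside an object body needs "
                            f"twice-NAT 'source ...' syntax: {raw.strip()}")
        for tok in scan:
            if tok in KEYWORDS or tok.startswith("(") or tok.isdigit() or IPV4.match(tok):
                continue
            refs.append((tok, lineno))
    referenced = set()
    for name, lineno in refs:
        referenced.add(name)
        if name not in defined:
            findings.append(f"line {lineno}: {name} is referenced but never defined")
        elif defined[name] > lineno:
            findings.append(f"line {lineno}: {name} is referenced before its "
                            f"definition on line {defined[name]}")
    for name, lineno in defined.items():
        if name not in referenced and name not in own_nat:
            findings.append(f"line {lineno}: {name} is defined but used by no nat statement")
    return findings


# Constructed copy of the 8.3 column of "NAT & Interface PAT with additional
# PAT together" as originally posted: the nat line sits outside obj-10.0.0.0.
SAMPLE_AS_POSTED = """\
object network obj-192.168.100.100_192.168.100.200
 range 192.168.100.100 192.168.100.200
object network obj-10.0.0.0
 subnet 10.0.0.0 255.0.0.0
object network second-pat
 host 192.168.100.210
object-group network dynamic-nat-pat
 network-object object obj-192.168.100.100_192.168.100.200
 network-object object second-pat
nat (inside,outside) dynamic dynamic-nat-pat interface
"""

# Constructed copy of the "Outside NAT" 8.3 column: the range object is
# referenced one line before it is defined.
SAMPLE_ORDER = """\
object network obj-10.1.2.27
 host 10.1.2.27
 nat (inside,dmz) static 10.1.1.5
object network obj-10.1.1.0
 subnet 10.1.1.0 255.255.255.0
 nat (dmz,inside) dynamic obj-10.1.2.30-10.1.2.40
object network obj-10.1.2.30-10.1.2.40
 range 10.1.2.30 10.1.2.40
"""
```

Running lint_nat_config(SAMPLE_AS_POSTED) reports that the top-level nat line is missing twice-NAT syntax and that obj-10.0.0.0 is never used, which is exactly the gap Alex noticed; moving the nat line inside the obj-10.0.0.0 body, after the object-group it references, makes the report empty. lint_nat_config(SAMPLE_ORDER) flags the forward reference to the range object, which the ASA parser would reject when the lines are pasted in that order.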

Community Member

Hi All

 

I have been reading about twice NAT but it is all not clear to me.

Can someone please help me with examples like other configurations?

The below lines are not clear to me:

Twice NAT with both source IP, Dest IP and Source port, Dest port change.

On the inside:
  Source IP: 10.30.97.129
  Dest IP: 10.30.97.200
  Source port: 5300
  Dest port: any port

On the outside:
  Source IP: Interface IP
  Dest IP: 172.16.1.10
  Source port: 5300
  Dest port: 1022

Thanks in advance

Beginner

nat (inside) 192.168.10.0 0.0.0.255

global (outside) 1 interface

Hello, I would miss Add to this command line. I want to do if the service is wet work? I hope you can help me. Regards

Beginner

Great summary table. 

 

Here is another good free resource on configuring everything NAT related on Cisco ASA 8.4+:

 

https://www.practicalnetworking.net/stand-alone/cisco-asa-nat/