05-12-2010 09:06 AM - edited 03-08-2019 06:32 PM
Pre-8.3 NAT vs. 8.3 NAT

Regular Static NAT
  Pre-8.3 NAT:
    static (inside,outside) 192.168.100.100 10.1.1.6 netmask 255.255.255.255
  8.3 NAT:
    object network obj-10.1.1.6
     host 10.1.1.6
     nat (inside,outside) static 192.168.100.100

Regular Static PAT
  Pre-8.3 NAT:
    static (inside,outside) tcp 192.168.100.100 80 10.1.1.16 8080 netmask 255.255.255.255
  8.3 NAT (service takes the real port first, then the mapped port):
    object network obj-10.1.1.16
     host 10.1.1.16
     nat (inside,outside) static 192.168.100.100 service tcp 8080 www

Static Policy NAT
  Pre-8.3 NAT:
    access-list NET1 permit ip host 10.1.2.27 10.76.5.0 255.255.255.224
    static (inside,outside) 192.168.100.100 access-list NET1
  8.3 NAT:
    object network obj-10.1.2.27
     host 10.1.2.27
    object network obj-192.168.100.100
     host 192.168.100.100
    object network obj-10.76.5.0
     subnet 10.76.5.0 255.255.255.224
    nat (inside,outside) source static obj-10.1.2.27 obj-192.168.100.100 destination static obj-10.76.5.0 obj-10.76.5.0

Regular Dynamic PAT-1 (two real interfaces, one mapped address)
  Pre-8.3 NAT:
    nat (inside) 1 192.168.1.0 255.255.255.0
    nat (dmz) 1 10.1.1.0 255.255.255.0
    global (outside) 1 192.168.100.100
  8.3 NAT:
    object network obj-192.168.1.0
     subnet 192.168.1.0 255.255.255.0
     nat (inside,outside) dynamic 192.168.100.100
    object network obj-10.1.1.0
     subnet 10.1.1.0 255.255.255.0
     nat (dmz,outside) dynamic 192.168.100.100

Regular Dynamic PAT-2 (one real subnet, two mapped interfaces)
  Pre-8.3 NAT:
    nat (inside) 1 10.1.2.0 255.255.255.0
    global (outside) 1 192.168.100.100
    global (dmz) 1 192.168.1.1
  8.3 NAT (object NAT allows one nat statement per object, so the subnet is defined twice):
    object network obj-10.1.2.0
     subnet 10.1.2.0 255.255.255.0
     nat (inside,outside) dynamic 192.168.100.100
    object network obj-10.1.2.0-01
     subnet 10.1.2.0 255.255.255.0
     nat (inside,dmz) dynamic 192.168.1.1

Regular Dynamic PAT-3 (everything to the outside interface address)
  Pre-8.3 NAT:
    nat (inside) 1 0 0
    global (outside) 1 interface
  8.3 NAT:
    object network obj_any
     subnet 0.0.0.0 0.0.0.0
     nat (inside,outside) dynamic interface

Dynamic Policy NAT
  Pre-8.3 NAT:
    object-group network og-net-src
     network-object 192.168.1.0 255.255.255.0
     network-object 192.168.2.0 255.255.255.0
    object-group network og-net-dst
     network-object 192.168.200.0 255.255.255.0
    object-group service og-ser-src
     service-object tcp gt 2000
     service-object tcp eq 1500
    access-list NET6 extended permit object-group og-ser-src object-group og-net-src object-group og-net-dst
    nat (inside) 10 access-list NET6
    global (outside) 10 192.168.100.100
  8.3 NAT (og-net-src and og-net-dst are the same object groups as on the left; "tcp gt 2000" becomes the range 2001-65535):
    object network obj-192.168.100.100
     host 192.168.100.100
    object service obj-tcp-range-2001-65535
     service tcp destination range 2001 65535
    object service obj-tcp-eq-1500
     service tcp destination eq 1500
    nat (inside,outside) source dynamic og-net-src obj-192.168.100.100 destination static og-net-dst og-net-dst service obj-tcp-range-2001-65535 obj-tcp-range-2001-65535
    nat (inside,outside) source dynamic og-net-src obj-192.168.100.100 destination static og-net-dst og-net-dst service obj-tcp-eq-1500 obj-tcp-eq-1500

Policy Dynamic NAT (with multiple ACEs)
  Pre-8.3 NAT:
    access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.1.0 255.255.255.0
    access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.2.0 255.255.255.0
    access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.3.0 255.255.255.0
    access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.4.0 255.255.255.0
    nat (inside) 1 access-list ACL_NAT
    global (outside) 1 192.168.100.100
  8.3 NAT (one twice NAT statement per ACE):
    object network obj-172.29.0.0
     subnet 172.29.0.0 255.255.0.0
    object network obj-192.168.100.100
     host 192.168.100.100
    object network obj-192.168.1.0
     subnet 192.168.1.0 255.255.255.0
    object network obj-192.168.2.0
     subnet 192.168.2.0 255.255.255.0
    object network obj-192.168.3.0
     subnet 192.168.3.0 255.255.255.0
    object network obj-192.168.4.0
     subnet 192.168.4.0 255.255.255.0
    nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.1.0 obj-192.168.1.0
    nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.2.0 obj-192.168.2.0
    nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.3.0 obj-192.168.3.0
    nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.4.0 obj-192.168.4.0

Outside NAT
  Pre-8.3 NAT:
    global (inside) 1 10.1.2.30-10.1.2.40
    nat (dmz) 1 10.1.1.0 255.255.255.0 outside
    static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255
  8.3 NAT (there is no "outside" keyword any more; the interface pair carries the direction):
    object network obj-10.1.2.27
     host 10.1.2.27
     nat (inside,dmz) static 10.1.1.5
    object network obj-10.1.2.30-10.1.2.40
     range 10.1.2.30 10.1.2.40
    object network obj-10.1.1.0
     subnet 10.1.1.0 255.255.255.0
     nat (dmz,inside) dynamic obj-10.1.2.30-10.1.2.40

NAT & Interface PAT together
  Pre-8.3 NAT:
    nat (inside) 1 10.1.2.0 255.255.255.0
    global (outside) 1 interface
    global (outside) 1 192.168.100.100-192.168.100.200
  8.3 NAT (the pool is used for dynamic NAT; "interface" is the PAT fallback once the pool is exhausted):
    object network obj-192.168.100.100_192.168.100.200
     range 192.168.100.100 192.168.100.200
    object network obj-10.1.2.0
     subnet 10.1.2.0 255.255.255.0
     nat (inside,outside) dynamic obj-192.168.100.100_192.168.100.200 interface

NAT & Interface PAT with additional PAT together
  Pre-8.3 NAT:
    nat (inside) 1 10.0.0.0 255.0.0.0
    global (outside) 1 192.168.100.100-192.168.100.200
    global (outside) 1 interface
    global (outside) 1 192.168.100.210
  8.3 NAT (in a mapped object group, ranges are used for dynamic NAT and host addresses for PAT):
    object network obj-192.168.100.100_192.168.100.200
     range 192.168.100.100 192.168.100.200
    object network obj-10.0.0.0
     subnet 10.0.0.0 255.0.0.0
    object network second-pat
     host 192.168.100.210
    object-group network dynamic-nat-pat
     network-object object obj-192.168.100.100_192.168.100.200
     network-object object second-pat
    object network obj-10.0.0.0
     nat (inside,outside) dynamic dynamic-nat-pat interface

Twice NAT with source IP, destination IP, source port and destination port all changed
  On the inside:
    Source IP: 10.30.97.129, Dest IP: 10.30.97.200, Source port: 5300, Dest port: any port
  On the outside:
    Source IP: interface IP, Dest IP: 172.16.1.10, Source port: 5300, Dest port: 1022
  8.3 NAT (service objects are given real first, then mapped; the destination objects are given mapped first, then real):
    object network source-real
     host 10.30.97.129
    object network dest-mapped
     host 10.30.97.200
    object network dest-real
     host 172.16.1.10
    object service inside-src-dest-port
     service tcp source eq 5300 destination range 0 65535
    object service outside-src-dest-port
     service tcp source eq 5300 destination eq 1022
    nat (inside,outside) after-auto source static source-real interface destination static dest-mapped dest-real service inside-src-dest-port outside-src-dest-port

Static NAT for a Range of Ports
  Pre-8.3 NAT:
    Not possible: you need to write multiple static statements or perform a static one-to-one NAT.
  8.3 NAT:
    (in) 10.1.1.1 -------ASA------- xlate -------> 10.2.2.2 (out)
    Original ports: 10000-10010; translated ports: 20000-20010
    object service ports
     service tcp source range 10000 10010
    object service ports-xlate
     service tcp source range 20000 20010
    object network server
     host 10.1.1.1
    object network server-xlate
     host 10.2.2.2
    nat (inside,outside) source static server server-xlate service ports ports-xlate
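The simple rows of the table (regular static NAT, static PAT, and regular dynamic PAT with a single mapped address, a range or the interface) follow a mechanical rewrite rule, and the following Python script applies that rule to pre-8.3 `static` / `nat` / `global` lines. It is an added example for this page, not a Cisco tool and not the ASA's own migration code; every object name it generates (`obj-<address>`, `obj_any`, `obj-<lo>_<hi>`, the `-01` suffix for a reused address) is the table's naming convention, and anything that needs twice NAT (NAT exemption with `nat 0`, policy NAT with an access-list, `name` aliases, or more than one mapped pool per interface) is reported as unsupported instead of being guessed.

```python
import ipaddress
from collections import defaultdict

HOST_MASK = "255.255.255.255"


def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return False
    return True


def _real_object(real_ip, mask, used):
    """Return (name, lines) for the 'object network' that holds a real address.
    Object NAT allows one nat line per object, so a reused address gets -01, -02 ..."""
    base = "obj_any" if real_ip == "0.0.0.0" else f"obj-{real_ip}"
    name, n = base, 0
    while name in used:
        n += 1
        name = f"{base}-{n:02d}"
    used.add(name)
    body = f" host {real_ip}" if mask == HOST_MASK else f" subnet {real_ip} {mask}"
    return name, [f"object network {name}", body]


def _convert_static(tokens, used):
    """static (real,mapped) [tcp|udp] MAPPED [MPORT] REAL [RPORT] netmask MASK"""
    real_ifc, mapped_ifc = tokens[0].strip("()").split(",")
    rest = tokens[1:]
    proto = rest.pop(0) if rest[0] in ("tcp", "udp") else None
    if proto:
        mapped, mport, real, rport = rest[:4]
        service = f" service {proto} {rport} {mport}"   # 8.3 order: real port, then mapped port
    else:
        mapped, real = rest[:2]
        service = ""
    mask = rest[rest.index("netmask") + 1] if "netmask" in rest else HOST_MASK
    _, lines = _real_object(real, mask, used)
    lines.append(f" nat ({real_ifc},{mapped_ifc}) static {mapped}{service}")
    return lines


def _convert_dynamic(real_ifc, real, mask, globals_for_id, used):
    """One pre-8.3 'nat' line plus its 'global' lines -> one object per mapped interface."""
    by_ifc = defaultdict(list)
    for mapped_ifc, mapped in globals_for_id:
        by_ifc[mapped_ifc].append(mapped)
    if any(len([m for m in ms if m != "interface"]) > 1 for ms in by_ifc.values()):
        raise ValueError("several mapped pools on one interface need an object-group")
    lines = []
    for mapped_ifc, mapped_list in by_ifc.items():
        pool = [m for m in mapped_list if m != "interface"]
        nat = ["dynamic"]
        if pool and "-" in pool[0]:          # a range needs its own network object
            lo, hi = pool[0].split("-")
            pool_name = f"obj-{lo}_{hi}"
            if pool_name not in used:
                used.add(pool_name)
                lines += [f"object network {pool_name}", f" range {lo} {hi}"]
            nat.append(pool_name)
        elif pool:
            nat.append(pool[0])
        if "interface" in mapped_list:       # interface PAT, alone or as fallback
            nat.append("interface")
        _, obj = _real_object(real, mask, used)
        lines += obj + [f" nat ({real_ifc},{mapped_ifc}) " + " ".join(nat)]
    return lines


def convert(config_text):
    """Convert pre-8.3 static / nat+global lines; returns (lines_8_3, unsupported_lines)."""
    used, out, unsupported, nats, globals_ = set(), [], [], [], []
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "static" and "access-list" not in tokens:
            out += _convert_static(tokens[1:], used)
        elif tokens[0] == "global":
            globals_.append((tokens[2], tokens[1].strip("()"), tokens[3]))  # (id, ifc, mapped)
        elif tokens[0] == "nat" and len(tokens) >= 5 and tokens[2] != "0":
            real, mask = tokens[3], tokens[4]
            if real == "0" and mask == "0":                       # 'nat (inside) 1 0 0'
                real, mask = "0.0.0.0", "0.0.0.0"
            if _is_ipv4(real) and _is_ipv4(mask):
                nats.append((raw, tokens[2], tokens[1].strip("()"), real, mask))
                continue
            unsupported.append(raw)   # 'name' aliases and 'nat ... access-list' (policy NAT)
        else:
            unsupported.append(raw)   # nat 0 (exemption), static policy NAT, anything else
    for raw, nat_id, real_ifc, real, mask in nats:
        targets = [(ifc, m) for gid, ifc, m in globals_ if gid == nat_id]
        if not targets:
            unsupported.append(raw)
            continue
        try:
            out += _convert_dynamic(real_ifc, real, mask, targets, used)
        except ValueError:
            unsupported.append(raw)
    return out, unsupported
```

Feed it the pre-8.3 side of a table row, for instance `convert("nat (inside) 1 10.1.2.0 255.255.255.0\nglobal (outside) 1 interface\nglobal (outside) 1 192.168.100.100-192.168.100.200")`, and compare the output with the 8.3 column; the lines it refuses are exactly the ones for which the table shows twice NAT, which is where a hand-written rule is needed because the 8.3 statement has to say which destination or service the old access-list matched.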
I've been having thoughts about this for a while. We know that PAT uses TCP/UDP port numbers to distinguish between inside hosts via a mapping table of private IPs, internal/external ports and so on, all of which happens so that the return packets from outside (despite having the same destination IP) are remapped and reach the correct inside host.
Now how can ping/ICMP replies route back to the inside, when we know ICMP is not at the TCP/UDP level, so it does NOT use port numbers at all? Any idea? Maybe I'm missing something.
Practically, I'm behind PAT and I can always ping outside.
Hi Vijay,
The ICMP ID can be used to associate inside Requests with Responses across PAT translations.
Sincerely,
David.
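To make the mechanism in David's reply concrete, here is a toy PAT translation table in Python. It is an added example, not part of the original post and not how the ASA implements its xlate table internally; the addresses (203.0.113.1 as the mapped address, 10.0.0.x inside hosts, 198.51.100.7 as the peer) are constructed for the demonstration. The point it shows is that the ICMP echo Identifier field plays exactly the role the source port plays for TCP/UDP: two inside hosts that both ping the same peer with Identifier 1 get distinct mapped identifiers, and an echo reply whose Identifier has no xlate, or that comes from a peer the inside host never sent to, is dropped rather than forwarded.

```python
import itertools

# Constructed addresses for the demonstration; not taken from the page.
MAPPED_IP = "203.0.113.1"


class PatTable:
    """Toy PAT translation table keyed on the per-sender identifier.

    For TCP/UDP the identifier is the source port. ICMP echo has no port, so the
    16-bit Identifier field of the echo request is used instead; the echo reply
    carries the same Identifier, which is what lets PAT route it to the right host.
    """

    def __init__(self, mapped_ip, first_free_id=1024):
        self.mapped_ip = mapped_ip
        self._free = itertools.count(first_free_id)
        self.xlate = {}    # (proto, mapped_id) -> (real_ip, real_id, peer_ip)
        self.by_real = {}  # (proto, real_ip, real_id, peer_ip) -> mapped_id

    @staticmethod
    def _ident(pkt, side):
        # side is "src" for outbound packets and "dst" for inbound replies
        if pkt["proto"] in ("tcp", "udp"):
            return pkt["sport"] if side == "src" else pkt["dport"]
        return pkt["icmp_id"]

    @staticmethod
    def _with_ident(pkt, value, side):
        new = dict(pkt)
        if pkt["proto"] in ("tcp", "udp"):
            new["sport" if side == "src" else "dport"] = value
        else:
            new["icmp_id"] = value
        return new

    def outbound(self, pkt):
        """Translate an inside->outside packet; allocates an xlate on first use."""
        proto, real_ip, peer = pkt["proto"], pkt["src"], pkt["dst"]
        real_id = self._ident(pkt, "src")
        key = (proto, real_ip, real_id, peer)
        if key not in self.by_real:
            mapped_id = real_id                      # keep the original id if it is free
            while (proto, mapped_id) in self.xlate:  # otherwise pick an unused one
                mapped_id = next(self._free)
            self.xlate[(proto, mapped_id)] = (real_ip, real_id, peer)
            self.by_real[key] = mapped_id
        new = self._with_ident(pkt, self.by_real[key], "src")
        new["src"] = self.mapped_ip
        return new

    def inbound(self, pkt):
        """Untranslate an outside->inside packet, or return None to drop it."""
        entry = self.xlate.get((pkt["proto"], self._ident(pkt, "dst")))
        if entry is None or entry[2] != pkt["src"] or pkt["dst"] != self.mapped_ip:
            return None   # no xlate for this id, or a reply from a host we never sent to
        real_ip, real_id, _ = entry
        new = self._with_ident(pkt, real_id, "dst")
        new["dst"] = real_ip
        return new


if __name__ == "__main__":
    table = PatTable(MAPPED_IP)
    for host in ("10.0.0.10", "10.0.0.11"):
        print(table.outbound({"proto": "icmp", "src": host, "dst": "198.51.100.7", "icmp_id": 1}))
    print(table.inbound({"proto": "icmp", "src": "198.51.100.7", "dst": MAPPED_IP, "icmp_id": 1024}))
```

The same object handles TCP and UDP by using the port fields, so the comparison the question asks about (ports versus ICMP Identifier) is visible in the two branches of `_ident`.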
The IP address accessed from the outside on the DMZ has to be a public address, isn't it?
I have a question on 8.3 Static PAT:
I translated the destination correctly as stated in the table column, though it does not work; I presume that we need to state the protocol and service in the object. If you endorse my point, please correct the same in the table column.
ASA(config)# sh cap capin
2 packets captured
1: 11:32:02.950054 10.0.0.10.13493 > 1.1.1.2.2300: S 565689259:565689259(0) win 4128 <mss 536>
2: 11:32:02.973078 1.1.1.2.2300 > 10.0.0.10.13493: R 1813852826:1813852826(0) ack 565689260 win 0
2 packets shown
ASA(config)# sh cap capout
2 packets captured
1: 11:32:02.950252 10.0.0.10.13493 > 1.1.1.2.2300: S 1349629680:1349629680(0) win 4128 <mss 536>
2: 11:32:02.973002 1.1.1.2.2300 > 10.0.0.10.13493: R 0:0(0) ack 1349629681 win 0
2 packets shown
ASA(config)# sh nat
Auto NAT Policies (Section 2)
1 (INSIDE) to (OUTSIDE) source static MYR1 192.168.1.100 service tcp 2300 telnet
translate_hits = 0, untranslate_hits = 0
Dear Magnus Mortensen,
I have the original NAT configuration on a router as below (Part 1),
and I would like to migrate this NAT configuration to an ASA (Part 2).
Could you please tell me if the ASA commands below are correct?
Million thanks.
Part 1 - Router#
ip access-list extended NATUSERS
permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
permit ip 1.1.2.0 0.0.0.255 2.2.2.0 0.0.0.255
permit ip 1.1.3.0 0.0.0.255 2.2.2.0 0.0.0.255
ip nat pool NATPool 3.3.3.1 3.3.3.254 netmask 255.255.255.0
ip nat inside source list NATUSERS pool NATPool overload
Part 2 – ASA (Version 8.3)#
object network Src-1
subnet 1.1.1.0 255.255.255.0
object network Src-2
subnet 1.1.2.0 255.255.255.0
object network Src-3
subnet 1.1.3.0 255.255.255.0
object network Src-Trans
range 3.3.3.1 3.3.3.254
object network Dest-2.2.2.0
subnet 2.2.2.0 255.255.255.0
object-group network Src-123
network-object object Src-1
network-object object Src-2
network-object object Src-3
nat (inside,outside) source dynamic Src-123 Src-Trans destination static Dest-2.2.2.0 Dest-2.2.2.0
Million thanks.
Regards,
Don
To scale the performance of firewalls and to provide high reliability, Cisco has a new feature called ITD. Please see the ITD (Intelligent Traffic Director) White Paper.
ITD Provides CAPEX and OPEX Savings for Customers
ITD (Intelligent Traffic Director) is a hardware-based multi-Tbps Layer 4 load-balancing, traffic-steering and clustering solution on the Nexus 5K/6K/7K series of switches. It supports IP stickiness, resiliency, NAT (EFT), VIP, health monitoring, sophisticated failure-handling policies, N+M redundancy, IPv4, IPv6, VRF, weighted load balancing, bi-directional flow coherency, and IP SLA probes including DNS.
I have a pre-8.3 NAT question. How would this config look in ASA 9.1(6)?
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 lan 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 vpn 255.255.255.0
static (inside,outside) tcp interface 55530 192.168.100.250 55530 netmask 255.255.255.255
static (inside,outside) tcp interface 55531 192.168.100.250 55531 netmask 255.255.255.255
static (inside,outside) tcp interface 55532 192.168.100.250 55532 netmask 255.255.255.255
static (inside,outside) tcp interface 55533 192.168.100.250 55533 netmask 255.255.255.255
static (inside,outside) tcp interface 55534 192.168.100.250 55534 netmask 255.255.255.255
static (inside,outside) tcp interface 55535 192.168.100.250 55535 netmask 255.255.255.255
static (inside,outside) udp interface 55530 192.168.100.250 55530 netmask 255.255.255.255
static (inside,outside) udp interface 55531 192.168.100.250 55531 netmask 255.255.255.255
static (inside,outside) udp interface 55532 192.168.100.250 55532 netmask 255.255.255.255
static (inside,outside) udp interface 55533 192.168.100.250 55533 netmask 255.255.255.255
static (inside,outside) udp interface 55534 192.168.100.250 55534 netmask 255.255.255.255
static (inside,outside) udp interface 55535 192.168.100.250 55535 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.100.7 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.100.7 www netmask 255.255.255.255
static (inside,outside) tcp interface 987 192.168.100.7 987 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.100.7 https netmask 255.255.255.255
Hi Thomas,
Would you be able to open a separate post for your query?
Thanks and Regards,
Vibhor Amrodia
I have posted a separate discussion on the Cisco Support Community with the title "Pre-8.3 NAT to 8.3+ NAT configuration on ASA 5505".
Hi,
Many thanks for this post. I have a question:
How do I configure Twice NAT with both source IP, destination IP, source port and destination port changed in a pre-8.3 version? I have ASA version 8.2.
Please assist with the same example as below. Many thanks for this post.
Twice NAT with both source IP, Dest IP and Source port, Dest port change.
On the inside:
Source IP: 10.30.97.129
Dest IP: 10.30.97.200
Source port: 5300
Dest port: any port
On the outside:
Source IP: Interface IP
Dest IP: 172.16.1.10
Source port: 5300
Dest port: 1022
Hi,
I have a Cisco ASA 5505 running 9.2(4).
How do I set up UDP port forwarding for the range 36,000 to 59,999?
Please advise. Thank you.
Hi Rizwan,
Try the syntax below.
object service udp-port
 service udp source range 36000 59999
object network realip
 host 192.168.x.x
object network mapip
 host 182.x.x.x
nat (inside,outside) source static realip mapip service udp-port udp-port
Also apply the ACL to allow the traffic.
Hi Gaddu,
Thank you for the reply. Can you please advise on the ACL so I can test them all? I will update you on this.
Bundle of thanks.
Real IP: 192.168.1.207
WAN IP: 182.152.34.98
I have tried the above command, but I used the WAN IP as the mapped IP and got the following error (I have PPPoE with a single WAN IP):
ERROR: Address 182.152.34.98 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded
Hi Rizwan,
Try this NAT statement, because you are trying to open ports on the interface.
nat (inside,outside) source static realip interface service udp-port udp-port
Acl:
access-list outside permit udp any host 192.168.1.207 range 36000 59999
Thanks
Guddu
Cisco Adaptive Security Appliance Software Version 8.4(3)
Configuration:
object service udp-port
service udp source range 36000 59999
object network expresswayLAN
host 192.168.1.207
access-list outside_in extended permit udp any host 192.168.1.207 range 36000 59999
nat (inside,outside) source static expresswayLAN interface service udp-port udp-port
access-group outside_in in interface outside
ASA# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static expresswayLAN interface service udp-port udp-port
translate_hits = 0, untranslate_hits = 61
Please help me find where I am going wrong in translating these ports.
Thank you so much.