cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
496327
Views
111
Helpful
52
Comments
Magnus Mortensen
Cisco Employee
Cisco Employee

Static NAT/PAT

Pre-8.3 NAT8.3 NAT
Regular Static NAT

static (inside,outside) 192.168.100.100 10.1.1.6 netmask  255.255.255.255

 object network obj-10.1.1.6
   host 10.1.1.6
   nat (inside,outside) static 192.168.100.100    
Regular Static PAT

static (inside,outside) tcp 192.168.100.100 80 10.1.1.16 8080 netmask  255.255.255.255

 object network obj-10.1.1.16
   host 10.1.1.16
   nat (inside,outside) static 192.168.100.100 service tcp 8080 www
Static Policy NAT

access-list NET1 permit ip host 10.1.2.27 10.76.5.0 255.255.255.224

static (inside,outside) 192.168.100.100 access-list NET1

object network obj-10.1.2.27

   host 10.1.2.27
 object network obj-192.168.100.100
   host 192.168.100.100
 object network obj-10.76.5.0
   subnet 10.76.5.0 255.255.255.224
 nat (inside,outside) source static obj-10.1.2.27 obj-192.168.100.100 
                      destination static obj-10.76.5.0 obj-10.76.5.0

 

 

Pre-8.3 NAT8.3 NAT
Regular Dynamic PAT
 nat (inside) 1 192.168.1.0 255.255.255.0
 nat (dmz) 1 10.1.1.0 255.255.255.0
 global (outside) 1 
192.168.100.100
object network obj-192.168.1.0
   subnet 192.168.1.0 255.255.255.0
   nat (inside,outside) dynamic 192.168.100.100
 object network obj-10.1.1.0
   subnet 10.1.1.0 255.255.255.0
   nat (dmz,outside) dynamic 192.168.100.100
Regular Dynamic PAT

 
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 192.168.100.100
global (dmz) 1 192.168.1.1



 
 object network obj-10.1.2.0
   subnet 10.1.2.0 255.255.255.0
   nat (inside,outside) dynamic 192.168.100.100
 object network obj-10.1.2.0-01
   subnet 10.1.2.0 255.255.255.0
   nat (inside,dmz) dynamic 192.168.1.1

Regular Dynamic PAT-3

 

 nat (inside) 1 0 0 
 global (outside) 1 interface
 object network obj_any
   subnet 0.0.0.0 0.0.0.0
   nat (inside,outside) dynamic interface

Dynamic Policy NAT

 

 object-group network og-net-src
   network-object 192.168.1.0 255.255.255.0
   network-object 192.168.2.0 255.255.255.0
 object-group network og-net-dst
   network-object 192.168.200.0 255.255.255.0
 object-group service og-ser-src
   service-object tcp gt 2000
   service-object tcp eq 1500
 access-list NET6 extended permit object-group og-ser-src 
                  object-group og-net-src object-group og-net-dst
 nat (inside) 10 access-list NET6
 global (outside) 10 192.168.100.100
 object network obj-192.168.100.100
   host 192.168.100.100
 object service obj-tcp-range-2001-65535
   service tcp destination range 2001 65535
 object service obj-tcp-eq-1500
   service tcp destination eq 1500
 nat (inside,outside) source dynamic og-net-src 
             obj-192.168.100.100 destination 
             static og-net-dst og-net-dst
             service obj-tcp-range-2001-65535
             obj-tcp-range-2001-65535
 nat (inside,outside) source dynamic og-net-src 
             obj-192.168.100.100 destination 
             static og-net-dst og-net-dst 
             service obj-tcp-eq-1500 obj-tcp-eq-1500

Policy Dynamic NAT (with multiple ACEs)

 

 access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 
                               192.168.1.0 255.255.255.0
 access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 
                               192.168.2.0 255.255.255.0
 access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 
                               192.168.3.0 255.255.255.0
 access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 
                               192.168.4.0 255.255.255.0
 nat (inside) 1 access-list ACL_NAT
 global (outside) 1 192.168.100.100
 object network obj-172.29.0.0
   subnet 172.29.0.0 255.255.0.0
 object network obj-192.168.100.100
   host 192.168.100.100
 object network obj-192.168.1.0
   subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0
   subnet 192.168.2.0 255.255.255.0
 
object network obj-192.168.3.0
   subnet 192.168.3.0 255.255.255.0
 object network obj-192.168.4.0
   subnet 192.168.4.0 255.255.255.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
             destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
             destination static obj-192.168.2.0 obj-192.168.2.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
             destination static obj-192.168.3.0 obj-192.168.3.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
             destination static obj-192.168.4.0 obj-192.168.4.0

Outside NAT

 global (inside) 1 10.1.2.30-1-10.1.2.40
 nat (dmz) 1 10.1.1.0 255.255.255.0 outside
 static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255 
 object network obj-10.1.2.27
   host 10.1.2.27
   nat (inside,dmz) static 10.1.1.5
 object network obj-10.1.1.0
   subnet 10.1.1.0 255.255.255.0
   nat (dmz,inside) dynamic obj-10.1.2.30-10.1.2.40
 object network obj-10.1.2.30-10.1.2.40
   range 10.1.2.30 10.1.2.40

NAT & Interface PAT together

 nat (inside) 1 10.1.2.0 255.255.255.0
 global (outside) 1 interface 
 global (outside) 1 192.168.100.100-192.168.100.200
 object network obj-192.168.100.100_192.168.100.200
   range 192.168.100.100 192.168.100.200
 object network obj-10.1.2.0
   subnet 10.1.2.0 255.255.255.0
   nat (inside,outside) dynamic 
            obj-192.168.100.100_192.168.100.200 interface

NAT & Interface PAT with additional PAT together

 nat (inside) 1 10.0.0.0 255.0.0.0

  global (outside) 1 192.168.100.1-192.168.100.200

  global (outside) 1 interface

  global (outside) 1 192.168.100.210

 object network obj-192.168.100.100_192.168.100.200
   range 192.168.100.100 192.168.100.200
 object network obj-10.0.0.0
   subnet 10.0.0.0 255.0.0.0
 object network second-pat
   host 192.168.100.210
 object-group network dynamic-nat-pat
   network-object object obj-192.168.100.100_192.168.100.200
   network-object object second-pat

nat (inside,outside) dynamic dynamic-nat-pat interface

Twice NAT with both source IP, Dest IP and Source port, Dest port change.

On the inside:

 

Source IP: 10.30.97.129

Dest IP: 10.30.97.200

Source port: 5300

Dest port: any port

 


On the outside:

 

Source IP: Interface IP

Dest IP: 172.16.1.10

Source port: 5300

Dest port: 1022

object network source-real
  host 10.30.97.129
  
object network dest-mapped
  host 10.30.97.200

object network dest-real
  host 172.16.1.10

object service inside-src-dest-port
 service tcp source eq 5300 destination range 0 65535

object service outside-src-dest-port
 service tcp source eq 5300 destination eq 1022


nat (inside,outside) after source static source-real interface destination static dest-mapped dest-real service inside-src-dest-port outside-src-dest-port
 

Static NAT for a Range of Ports

 

Not Possible - Need to write multiple Statements or perform a Static one-to-one NAT.


 

           (in)    (out)

10.1.1.1-------ASA-----

        --xlate-------> 10.2.2.2

Original Ports: 10000 - 10010

Translated ports: 20000 - 20010


object service ports

service tcp source range 10000 10010


object service ports-xlate

service tcp source range 20000 20010


object network server

host 10.1.1.1

 

object network server-xlate

host 10.2.2.2

nat (inside,outside) source static server server-xlate service ports ports-xlate
Comments
David White
Cisco Employee
Cisco Employee

Yes, that is correct. 

darshan288shah
Level 1
Level 1

Hi,

I am using ASA5505 with version a 8.3(2) and having problem with the nat configuration.

inside ip - 192.168.1.1/255.255.255.0

outside ip - 10.127.225.10/255.255.255.0

we have TCP10042 as service port thru' which we are passing data from inside network to outside network.

We have Client_server as 10.127.226.21/24

our DataServer as 192.168.1.3/ 24

we want to send the data from dataServer to Client server thru' port no. 10042.

We did following settings in the ASA thru' ASDM but facing problem that no any nating actually takes place.

Object network Client_Server

host 10.127.226.21

Object network DataServer

host 192.168.1.3

Object service TCP_10042

Service tcp source range 1 65535 destination eq 10042

Object network Firewall_Outside

host 10.127.225.10

object network DataServer(192.168.1.3)

nat (inside, outside) static interface service tcp 10042 10042

object network Firewall_outside (10.l27.225.10)

nat (outside, inside) static DataServer(192.168.1.3) service tcp 10042 10042

access-list inside_access_in extended permit ip any any

access-list inside_access_in extended permit tcp any any

access-list outside_access_in extended permit tcp any any

access-list outside_access_in extended permit ip any any

access-group inside_access_in in interface inside

access-group inside_access_out out interface inside

access-group outside_access_in in interface outside

access-group global_access global

but still we are getting problem for NAT rules.

Also when we tried with Packet Transfer check point and found that "Access List - denied due to “Implicit rule”

Please help how we have to transfer data thru' Firewall.

Jouni Forss
VIP Alumni
VIP Alumni

Hi Darshan Shah,

Please post this question on the Discussion area of the CSC and not in a document

You will find the Firewall section of the forums here

https://supportforums.cisco.com/community/netpro/security/firewall?view=discussions

- Jouni

petr.hofmann
Level 1
Level 1

Hello guys,

I am trying to use your NAT conversion table, but I cant solve it... Can anyone please help me? My old config is following:

access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 192.168.0.0

access-list 101 extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply

access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 101 0.0.0.0 0.0.0.0

access-group 101 in interface outside

Jouni Forss
VIP Alumni
VIP Alumni

Hi Petr,

As in the previous reply above, I would suggest that you also post this question on the Discussions section rather than in this Document.

https://supportforums.cisco.com/community/netpro/security/firewall?view=discussions

- Jouni

David White
Cisco Employee
Cisco Employee

Hi Petr,

You only have two NAT rules:

1) nat (inside) 0 access-list inside_nat0_outbound_1

  Which says:  Do not NAT traffic matching access-list inside_nat0_outbound_1 - which is:

      access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

This translates into the following NAT rule:

object network ServerReal

subnet 192.168.1.0 255.255.255.0

object network RemoteSite

subnet 192.168.0.0 255.255.255.0

nat (inside,outside) source static ServerReal ServerReal destination static RemoteSite RemoteSite

2) global (outside) 101 interface
     nat (inside) 101 0.0.0.0 0.0.0.0

Which says, "PAT all inside traffic to the outside interface IP address"

This will be changed to the following:

  object network any

   subnet 0.0.0.0 0.0.0.0

   nat (inside,outside) dynamic interface

Hope this helps!

David.

Odys (CSC)
Level 1
Level 1

Could someone describe a static nat in PLAIN ENGLISH for me ?

for instance, allowong external access to internal web server (10.1.1.6)

object network obj-WEB-SVR
   host 10.1.1.6
   nat(inside,outside) static 192.168.100.100 

what does the statement say ?

THX

The statement says that there is a Web-Server at 10.1.1.6 on the "inside" and it is statically being translated to 192.168.100.100 on the "outside"

Odys (CSC)
Level 1
Level 1

In this case the outside user is supposed to initiate the request to the inside web-server, not vice versa.

Still that work ?

This is a bi-directional nat statement. So yes, outside user can initiate a connection request to 192.168.100.100 which will then get untranslated to 10.1.1.6 on the inside interface.

PS: We need to allow access to real ip address in the access-list on the outside interface i.e. "permit <protocol> any host 10.1.1.6")

Odys (CSC)
Level 1
Level 1

Obvious, thank you!

sandman42
Level 1
Level 1

One question:

I have a 8.2 nat that says:

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

This should translate in a 8.4.1:

object network OBJ_GENERIC_ALL

subnet 0.0.0.0 0.0.0.0

nat (inside,outside) dynamic OBJ_GENERIC_ALL

but this give me an error with the caret pointing to the "d" of "dynamic".

What's wrong??????

I see a problem with the statement:

nat (inside,outside) dynamic OBJ_GENERIC_ALL

an ip-address/network-based object should follow the 'dynamic' keyword.

In your case, i see the statement should have been:

object network OBJ_GENERIC_ALL

  nat (inside,outside) dynamic interface

sandman42
Level 1
Level 1

I've added a

nat (inside,outside) after-auto source dynamic any interface

and now it works.

Thanks anyway

Mahesh Deshpande

Well thank you Mr.

Poonguzhali Sankar

It has helped me a lot................

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: