ASA Pre-8.3 to 8.3 NAT configuration examples - Page 4

Magnus Mortensen · ‎05-12-2010

Static NAT/PAT

Pre-8.3 NAT

8.3 NAT

Regular Static NAT

static (inside,outside) 192.168.100.100 10.1.1.6 netmask 255.255.255.255

 object network obj-10.1.1.6
   host 10.1.1.6
   nat (inside,outside) static 192.168.100.100

Regular Static PAT

static (inside,outside) tcp 192.168.100.100 80 10.1.1.16 8080 netmask 255.255.255.255

 object network obj-10.1.1.16
   host 10.1.1.16
   nat (inside,outside) static 192.168.100.100 service tcp 8080 www

Static Policy NAT

access-list NET1 permit ip host 10.1.2.27 10.76.5.0 255.255.255.224

static (inside,outside) 192.168.100.100 access-list NET1

object network obj-10.1.2.27

   host 10.1.2.27
 object network obj-192.168.100.100
   host 192.168.100.100
 object network obj-10.76.5.0
   subnet 10.76.5.0 255.255.255.224
 nat (inside,outside) source static obj-10.1.2.27 obj-192.168.100.100 
                      destination static obj-10.76.5.0 obj-10.76.5.0

Pre-8.3 NAT	8.3 NAT
Regular Dynamic PAT nat (inside) 1 192.168.1.0 255.255.255.0 nat (dmz) 1 10.1.1.0 255.255.255.0 global (outside) 1 192.168.100.100	object network obj-192.168.1.0 subnet 192.168.1.0 255.255.255.0 nat (inside,outside) dynamic 192.168.100.100 object network obj-10.1.1.0 subnet 10.1.1.0 255.255.255.0 nat (dmz,outside) dynamic 192.168.100.100
Regular Dynamic PAT nat (inside) 1 10.1.2.0 255.255.255.0 global (outside) 1 192.168.100.100 global (dmz) 1 192.168.1.1	object network obj-10.1.2.0 subnet 10.1.2.0 255.255.255.0 nat (inside,outside) dynamic 192.168.100.100 object network obj-10.1.2.0-01 subnet 10.1.2.0 255.255.255.0 nat (inside,dmz) dynamic 192.168.1.1
Regular Dynamic PAT-3 nat (inside) 1 0 0 global (outside) 1 interface	object network obj_any subnet 0.0.0.0 0.0.0.0 nat (inside,outside) dynamic interface
Dynamic Policy NAT object-group network og-net-src network-object 192.168.1.0 255.255.255.0 network-object 192.168.2.0 255.255.255.0 object-group network og-net-dst network-object 192.168.200.0 255.255.255.0 object-group service og-ser-src service-object tcp gt 2000 service-object tcp eq 1500 access-list NET6 extended permit object-group og-ser-src object-group og-net-src object-group og-net-dst nat (inside) 10 access-list NET6 global (outside) 10 192.168.100.100	object network obj-192.168.100.100 host 192.168.100.100 object service obj-tcp-range-2001-65535 service tcp destination range 2001 65535 object service obj-tcp-eq-1500 service tcp destination eq 1500 nat (inside,outside) source dynamic og-net-src obj-192.168.100.100 destination static og-net-dst og-net-dst service obj-tcp-range-2001-65535 obj-tcp-range-2001-65535 nat (inside,outside) source dynamic og-net-src obj-192.168.100.100 destination static og-net-dst og-net-dst service obj-tcp-eq-1500 obj-tcp-eq-1500
Policy Dynamic NAT (with multiple ACEs) access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.1.0 255.255.255.0 access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.2.0 255.255.255.0 access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.3.0 255.255.255.0 access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.4.0 255.255.255.0 nat (inside) 1 access-list ACL_NAT global (outside) 1 192.168.100.100	object network obj-172.29.0.0 subnet 172.29.0.0 255.255.0.0 object network obj-192.168.100.100 host 192.168.100.100 object network obj-192.168.1.0 subnet 192.168.1.0 255.255.255.0 object network obj-192.168.2.0 subnet 192.168.2.0 255.255.255.0 object network obj-192.168.3.0 subnet 192.168.3.0 255.255.255.0 object network obj-192.168.4.0 subnet 192.168.4.0 255.255.255.0 nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.1.0 obj-192.168.1.0 nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.2.0 obj-192.168.2.0 nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.3.0 obj-192.168.3.0 nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.4.0 obj-192.168.4.0
Outside NAT global (inside) 1 10.1.2.30-1-10.1.2.40 nat (dmz) 1 10.1.1.0 255.255.255.0 outside static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255	object network obj-10.1.2.27 host 10.1.2.27 nat (inside,dmz) static 10.1.1.5 object network obj-10.1.1.0 subnet 10.1.1.0 255.255.255.0 nat (dmz,inside) dynamic obj-10.1.2.30-10.1.2.40 object network obj-10.1.2.30-10.1.2.40 range 10.1.2.30 10.1.2.40
NAT & Interface PAT together nat (inside) 1 10.1.2.0 255.255.255.0 global (outside) 1 interface global (outside) 1 192.168.100.100-192.168.100.200	object network obj-192.168.100.100_192.168.100.200 range 192.168.100.100 192.168.100.200 object network obj-10.1.2.0 subnet 10.1.2.0 255.255.255.0 nat (inside,outside) dynamic obj-192.168.100.100_192.168.100.200 interface
NAT & Interface PAT with additional PAT together nat (inside) 1 10.0.0.0 255.0.0.0 global (outside) 1 192.168.100.1-192.168.100.200 global (outside) 1 interface global (outside) 1 192.168.100.210	object network obj-192.168.100.100_192.168.100.200 range 192.168.100.100 192.168.100.200 object network obj-10.0.0.0 subnet 10.0.0.0 255.0.0.0 object network second-pat host 192.168.100.210 object-group network dynamic-nat-pat network-object object obj-192.168.100.100_192.168.100.200 network-object object second-pat nat (inside,outside) dynamic dynamic-nat-pat interface
Twice NAT with both source IP, Dest IP and Source port, Dest port change. On the inside: Source IP: 10.30.97.129 Dest IP: 10.30.97.200 Source port: 5300 Dest port: any port On the outside: Source IP: Interface IP Dest IP: 172.16.1.10 Source port: 5300 Dest port: 1022	object network source-real host 10.30.97.129 object network dest-mapped host 10.30.97.200 object network dest-real host 172.16.1.10 object service inside-src-dest-port service tcp source eq 5300 destination range 0 65535 object service outside-src-dest-port service tcp source eq 5300 destination eq 1022 nat (inside,outside) after source static source-real interface destination static dest-mapped dest-real service inside-src-dest-port outside-src-dest-port
Static NAT for a Range of Ports Not Possible - Need to write multiple Statements or perform a Static one-to-one NAT.	(in) (out) 10.1.1.1-------ASA----- --xlate-------> 10.2.2.2 Original Ports: 10000 - 10010 Translated ports: 20000 - 20010 object service ports service tcp source range 10000 10010 object service ports-xlate service tcp source range 20000 20010 object network server host 10.1.1.1 object network server-xlate host 10.2.2.2 nat (inside,outside) source static server server-xlate service ports ports-xlate

haider.rizwan · ‎01-30-2016

anyone? please help to fix for forwarding issue. thanks in advance.

haider.rizwan · ‎01-30-2016

Anyone who can help to fix the above issue?

Alex Mac · ‎02-08-2016

Hi everybody,

that's a wonderful doc, thanks. I have just one question for the section NAT & Interface PAT with additional PAT together.

Before that, just a quick review of the pre-8.3 rules to be sure I understand them: in short any connection from the net 10.0.0.0/8 leaving the interface outside is first NAT'ed (source and dest port are kept) with an IP addr in the range 192.168.100.1-192.168.100.200 then the sorce address of the 201th connection will be NAT'ed using the interface IP address and the src port of course will be changed. Then when all the ports of the address of the outside interface will be taken src-port-translation will be done by using the IP address 192.168.100.210 (again the original src-port will be changed). I think the order of global statements is important and hence

global (outside) 1 192.168.100.1-192.168.100.200

global (outside) 1 192.168.100.210

global (outside) 1 interface

will do the same but the PAT will be done first by using 192.168.100.210 and then by using the outside's interface address.

Now my questions:

the object

object network obj-10.0.0.0
subnet 10.0.0.0 255.0.0.0

is defined but not used anywhere in the subsequent statements of the same section for 8.3 version and later. In the 8.3 rules I'm missing how the address of the outside interface will be used to do PAT and how the NAT statement is restricted to the network 10.0.0.0/8.

Is it really necessary to define it or do any of the subsequent statements miss to use it? And if it not necessary how does the post-8.3 rules accomplish the nat goal of pre-8.3 written on the left column?

Could somebody help here please?
Thanks, Alex

Alex Mac · ‎02-08-2016

*

Ntshobane · ‎07-09-2016

Hi All

I have been reading about twice NAT but all its not clear to me.

Can someone please help me with examples like other configurations?

The below lines are not clear to me .

Twice NAT with both source IP, Dest IP and Source port, Dest port change.

On the inside:

Source IP: 10.30.97.129

Dest IP: 10.30.97.200

Source port: 5300

Dest port: any port

On the outside:

Source IP: Interface IP

Dest IP: 172.16.1.10

Source port: 5300

Dest port: 1022

Thanks in advice

henrry9_15 · ‎08-29-2016

nat (inside) 192.168.10.0 0.0.0.255

global (outside) 1 interface

hello I would miss Add to this command line . I want to do if the service is wet work? I hope you can help me. regards

eddie.harmoush · ‎10-03-2018

Great summary table.

Here is another good free resource on configuring everything NAT related on Cisco ASA 8.4+:

https://www.practicalnetworking.net/stand-alone/cisco-asa-nat/