
NAT Configuration


Network address translation (NAT) is the process of modifying the IP address information in IPv4 headers while
packets transit a firewall or routing device. It allows you to translate private
addresses to public ones.

On a Cisco ASA firewall, you can configure two types of NAT:

- Dynamic NAT (including PAT or port address translation)
- Static NAT 

Here is an example of NAT in which an outside web server sends a response to a client on the internal network
whose private address is mapped to a public one. The private address 10.1.2.27 is translated to 209.165.201.10:

(Diagram: outside web server replying to the inside host 10.1.2.27, which the outside sees as 209.165.201.10.)
Dynamic NAT translates internal addresses to a predefined set, or pool, of public addresses that you define. The "nat" command selects which internal hosts are translated, and the "global" command defines the range of public addresses they are translated into. The number "1" in the configuration is the NAT ID (the number of the NAT rule) and must match between the "nat" and "global" commands:

ASA1(config)#nat (inside) 1 192.168.15.0 255.255.255.0
ASA1(config)#global (outside) 1 193.222.168.113-193.222.168.116 255.255.255.240

PAT translates a range of internal addresses to a single public address by mapping each connection to a different source port:

ASA1(config)#nat (inside) 1 192.168.15.0 255.255.255.0
ASA1(config)#global (outside) 1 193.222.168.113

Instead of an IP address in the "global" command, you can use the keyword "interface". The internal addresses are then PAT-ed to the address of the outside interface:

ASA1(config)#nat (inside) 1 192.168.15.0 255.255.255.0
ASA1(config)#global (outside) 1 interface
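To make the PAT behaviour concrete, here is an added Python example (not ASA code and not from the original post) that models the translation table the firewall keeps when "global" names a single public address: many inside hosts share that address and are told apart by the translated source port. It uses the page's 209.165.201.10 as the shared public address and assumes 10.1.2.0/24 as the inside network selected by the "nat" statement. It also shows why a reply for which no translation exists has nowhere to go, which is what makes dynamic NAT and PAT one-directional.

```python
"""Toy PAT translation table (constructed illustration, not Cisco ASA code)."""
import ipaddress
import itertools

PUBLIC_ADDRESS = "209.165.201.10"                      # mapped address from the page
INSIDE_NETWORK = ipaddress.ip_network("10.1.2.0/24")   # assumed inside network for the example


class PatTable:
    """Maps (inside ip, inside port) to a unique port on one shared public address."""

    def __init__(self, public_address, inside_network, first_port=1024):
        self.public_address = public_address
        self.inside_network = inside_network
        self._next_port = itertools.count(first_port)
        self._outbound = {}   # (inside_ip, inside_port) -> translated public port
        self._inbound = {}    # translated public port -> (inside_ip, inside_port)

    def translate_outbound(self, src_ip, src_port):
        """An inside host sends a packet: return the (public ip, port) the outside sees."""
        if ipaddress.ip_address(src_ip) not in self.inside_network:
            raise ValueError(f"{src_ip} is not covered by the nat statement")
        key = (src_ip, src_port)
        if key not in self._outbound:          # reuse the translation for an existing flow
            port = next(self._next_port)
            self._outbound[key] = port
            self._inbound[port] = key
        return self.public_address, self._outbound[key]

    def translate_inbound(self, dst_ip, dst_port):
        """An outside host replies: return the inside (ip, port), or None when no
        translation exists, in which case the firewall has nothing to deliver the packet to."""
        if dst_ip != self.public_address:
            return None
        return self._inbound.get(dst_port)

    def size(self):
        """Number of active translations."""
        return len(self._outbound)


if __name__ == "__main__":
    table = PatTable(PUBLIC_ADDRESS, INSIDE_NETWORK)
    print(table.translate_outbound("10.1.2.27", 40000))   # first flow gets port 1024
    print(table.translate_outbound("10.1.2.28", 40000))   # same inside port, different host, port 1025
    print(table.translate_inbound(PUBLIC_ADDRESS, 1025))  # reply is routed back to 10.1.2.28
    print(table.translate_inbound(PUBLIC_ADDRESS, 9999))  # unsolicited inbound: None
```

Two hosts using the same inside source port still receive distinct public ports, and a reply that arrives for a port with no entry returns None rather than reaching any inside host.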


Static NAT lets you permanently map a public IP address and port to an inside address and port (port forwarding). Cisco also allows 1:1 NAT, or "mirroring", which translates all ports of a private address to the same ports on a public address (bi-directionally). Of course, to allow traffic to flow from the "outside" to the "inside" interface, it must also be permitted by an access control list.

Another aspect of NAT is port forwarding, or port mapping: the technique of mapping publicly reachable ports to internal addresses and ports. The following example shows port forwarding:

(Diagram: port-forwarding example.)
After configuring NAT, you must apply access lists that permit the traffic before anything can flow from outside to inside hosts. Finally, to activate the ACL, bind it to the "outside" interface with the "access-group" command:

ASA1(config)#static (inside,outside) tcp 209.165.201.3 http 10.2.2.28 http netmask 255.255.255.255
ASA1(config)#static (inside,outside) tcp 209.165.201.3 ftp 10.2.2.27 ftp netmask 255.255.255.255
ASA1(config)#static (inside,outside) tcp 209.165.201.3 smtp 10.2.2.29 smtp netmask 255.255.255.255
ASA1(config)#access-list outside_in_acl extended permit tcp any host 209.165.201.3 eq http
ASA1(config)#access-list outside_in_acl extended permit tcp any host 209.165.201.3 eq ftp
ASA1(config)#access-list outside_in_acl extended permit tcp any host 209.165.201.3 eq smtp
ASA1(config)#access-group outside_in_acl in interface outside

Static 1:1 NAT translates a private address to a public address so that every public port maps to the same port on the internal address. This example maps the internal address 10.2.2.45 to the public address 209.165.201.4:

ASA1(config)#static (inside,outside) 209.165.201.4 10.2.2.45 netmask 255.255.255.255

This way, all internal ports are mapped and reachable from the public network. To allow traffic to flow from the lower-security "outside" interface to the higher-security "inside" interface, an access control list must still be applied.
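Two things on this page must line up by hand: the NAT ID shared by the "nat" and "global" commands, and an access list bound inbound on the outside interface for every static translation. The following added Python example (not Cisco code and not from the original post) parses the classic pre-8.3 commands shown above and reports when either is missing. The sample configuration is the page's own commands pasted together; because the 1:1 static above has no ACL entry on the page, the checker flags exactly that. Service-name-to-port mapping and the regexes are this example's own assumptions about the command syntax.

```python
"""Consistency check for the classic (pre-8.3) ASA NAT and ACL commands (constructed example)."""
import re

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
# static (in,out) tcp|udp <public ip> <public port> <private ip> <private port> netmask ...
STATIC_PORT_RE = re.compile(r"^static \((\S+),(\S+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
# static (in,out) <public ip> <private ip> netmask ...   (1:1 "mirroring")
STATIC_ONE_TO_ONE_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) .+? host (\S+)(?: eq (\S+))?$")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")
PROMPT_RE = re.compile(r"^\S+\(config\)#")  # strips a pasted "ASA1(config)#" prompt

# Service names used on the page, so that "eq http" and "eq 80" compare equal.
WELL_KNOWN = {"ftp": "21", "smtp": "25", "http": "80", "www": "80", "https": "443"}


def port_number(token):
    """Return a port as a numeric string, accepting a service name or a number."""
    return WELL_KNOWN.get(token, token)


def audit(config_text):
    """Return a list of findings; an empty list means the NAT and ACL lines are consistent."""
    nat_ids, global_ids = set(), set()
    port_statics, one_to_one_statics, permits = [], [], []
    bound_inbound = {}  # interface -> ACL applied with "access-group <acl> in interface <if>"

    for raw in config_text.splitlines():
        line = PROMPT_RE.sub("", raw).strip()
        if not line:
            continue
        if m := NAT_RE.match(line):
            nat_ids.add(m.group(2))
        elif m := GLOBAL_RE.match(line):
            global_ids.add(m.group(2))
        elif m := STATIC_PORT_RE.match(line):
            _, outside_if, proto, pub_ip, pub_port, priv_ip, _ = m.groups()
            port_statics.append((outside_if, proto, pub_ip, port_number(pub_port), priv_ip))
        elif m := STATIC_ONE_TO_ONE_RE.match(line):
            _, outside_if, pub_ip, priv_ip = m.groups()
            one_to_one_statics.append((outside_if, pub_ip, priv_ip))
        elif m := ACL_RE.match(line):
            name, proto, pub_ip, port = m.groups()
            permits.append((name, proto, pub_ip, port_number(port) if port else None))
        elif m := ACCESS_GROUP_RE.match(line):
            bound_inbound[m.group(2)] = m.group(1)

    # A NAT ID on only one side of the nat/global pair means the rule never translates anything.
    findings = [f"nat ID {i} has no matching global pool" for i in sorted(nat_ids - global_ids)]
    findings += [f"global ID {i} has no matching nat statement" for i in sorted(global_ids - nat_ids)]

    def entries_for(interface, pub_ip):
        """ACL entries bound inbound on `interface` whose destination is `pub_ip`."""
        acl = bound_inbound.get(interface)
        return [p for p in permits if p[0] == acl and p[2] == pub_ip]

    for outside_if, proto, pub_ip, port, priv_ip in port_statics:
        if not any(p[1] in (proto, "ip") and p[3] in (port, None) for p in entries_for(outside_if, pub_ip)):
            findings.append(f"static {proto} {pub_ip}:{port} -> {priv_ip} "
                            f"is not permitted by the ACL bound inbound on {outside_if}")
    for outside_if, pub_ip, priv_ip in one_to_one_statics:
        if not entries_for(outside_if, pub_ip):
            findings.append(f"static 1:1 {pub_ip} -> {priv_ip} exposes every port, "
                            f"but no ACL bound inbound on {outside_if} permits traffic to it")
    return findings


# The page's own commands pasted together; the 1:1 static has no ACL entry, as on the page.
PAGE_CONFIG = """
ASA1(config)#nat (inside) 1 192.168.15.0 255.255.255.0
ASA1(config)#global (outside) 1 193.222.168.113-193.222.168.116 255.255.255.240
ASA1(config)#static (inside,outside) tcp 209.165.201.3 http 10.2.2.28 http netmask 255.255.255.255
ASA1(config)#static (inside,outside) tcp 209.165.201.3 ftp 10.2.2.27 ftp netmask 255.255.255.255
ASA1(config)#static (inside,outside) tcp 209.165.201.3 smtp 10.2.2.29 smtp netmask 255.255.255.255
ASA1(config)#static (inside,outside) 209.165.201.4 10.2.2.45 netmask 255.255.255.255
ASA1(config)#access-list outside_in_acl extended permit tcp any host 209.165.201.3 eq http
ASA1(config)#access-list outside_in_acl extended permit tcp any host 209.165.201.3 eq ftp
ASA1(config)#access-list outside_in_acl extended permit tcp any host 209.165.201.3 eq smtp
ASA1(config)#access-group outside_in_acl in interface outside
"""

if __name__ == "__main__":
    for finding in audit(PAGE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the page's configuration, the three port forwards pass because each has a matching "permit tcp any host 209.165.201.3 eq ..." entry in an ACL that is bound with "access-group ... in interface outside"; the only finding is the 1:1 static for 209.165.201.4, which the text says still needs an access list. Changing the global ID to 2, or deleting one of the permit lines, produces the corresponding finding.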
