
New Cisco NAT Configuration (on 8.3.x and newer Software)


As already explained, network address translation (NAT) allows you to translate private addresses to public addresses.

This tutorial explains how to configure NAT on software 8.3 and newer. As many Cisco admins probably already know, newer ASAs have some changes and new possibilities, but the configuration command syntax did not preserve the older configuration style. One of those changes is NAT configuration.


It is now possible to define objects, for example objects of the network type. Such an object can define a host or subnet in the network and then act as a container to which we apply all the NAT configuration for that host or subnet. The mapped object can also be shared across different dynamic NAT rules, if desired.



Dynamic NAT
Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network. When a host accesses the destination network, the ASA assigns it an IP address from the mapped pool. Here we'll configure translation of the internal network to the address of the outside interface:

ASA(config)# object network internal_network
ASA(config-network-object)# subnet 192.168.30.0 255.255.255.240
ASA(config)# object network internal_network
ASA(config-network-object)# nat (inside,outside) dynamic interface

(This configuration is actually PAT, port address translation.)

We can also hide the internal network behind a range of outside addresses, for example 193.221.20.1 through 193.221.20.15:

ASA(config)# object network my-outside-range
ASA(config-network-object)# range 193.221.20.1 193.221.20.14
ASA(config)# object network internal_network
ASA(config-network-object)# subnet 192.168.30.0 255.255.255.240
ASA(config)# object network internal_network
ASA(config-network-object)# nat (inside,outside) dynamic my-outside-range


The following example shows the configuration for dynamic NAT with PAT as a backup solution. Internal addresses are translated to the "my-nat-range" pool (193.221.20.1-193.221.20.14). Once all addresses in "my-nat-range" are allocated, dynamic PAT is performed using the "my-pat-address" 193.221.20.15. In the hard-to-imagine case where all PAT translations are also used up, dynamic PAT is performed using the address of the outside interface.

ASA(config)# object network my-nat-range
ASA(config-network-object)# range 193.221.20.1 193.221.20.14
ASA(config-network-object)# object network my-pat-address
ASA(config-network-object)# host 193.221.20.15
ASA(config-network-object)# object-group network nat-and-pat-group
ASA(config-network-object)# network-object object my-nat-range
ASA(config-network-object)# network-object object my-pat-address
ASA(config-network-object)# object network my_net_object10
ASA(config-network-object)# subnet 192.168.40.0 255.255.255.0
ASA(config-network-object)# nat (inside,outside) dynamic nat-and-pat-group interface


Static NAT
Static NAT also provides a way to translate a real address to a mapped address, but because the mapped address is the same for each consecutive connection, it allows bidirectional connection initiation, both to and from the host (if the connection is allowed by an access-list).

This example shows 1:1 NAT where the internal address 192.168.40.15 translates to 193.221.20.15:

ASA(config)# object network my-mapped-address-obj
ASA(config-network-object)# host 193.221.20.15
ASA(config-network-object)# object network my-dmzhost-obj
ASA(config-network-object)# host 192.168.40.15
ASA(config-network-object)# nat (inside,outside) static my-mapped-address-obj


We can also configure static NAT with port translation. For example, TCP port 21 on address 192.168.40.100 translates to port 2121 on the address of the outside interface.

ASA(config)# object network my-ftp-server
ASA(config-network-object)# host 192.168.40.100
ASA(config-network-object)# nat (inside,outside) static interface service tcp 21 2121


Identity NAT
Identity NAT simply translates an IP address to itself. In other words, it is the technique to use when we want to exclude a network from NAT. It is necessary for remote access and site-to-site VPNs, where you need to exempt the client traffic from NAT.

Identity NAT example (addresses are translated to themselves):

To configure a site-to-site VPN, we can include identity NAT in the configuration, which exempts the internal 192.168.40.0/24 network from NAT. This way, packets originating from the specified internal subnet will not be translated. First we define the identity NAT object, then we define the internal network and assign the identity NAT rule to it:

ASA(config)# object network identity-nat-obj
ASA(config-network-object)# subnet 192.168.40.0 255.255.255.0
ASA(config-network-object)# object network internal-network-obj
ASA(config-network-object)# subnet 192.168.40.0 255.255.255.0
ASA(config-network-object)# nat (inside,outside) static identity-nat-obj
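
As an added example (not part of the original tutorial and not Cisco tooling), the Python code below parses object NAT configuration in the syntax shown above, labels each rule as dynamic PAT, dynamic NAT, static NAT, static port translation or identity NAT, and lists the non-dynamic rules, which are the ones to check against access-lists. The function names and the joined sample text are assumptions made for illustration; identity NAT is recognised only when the mapped object is a named object with the same definition as the real one.

```python
# Constructed sample: the tutorial's snippets joined into one config text.
SAMPLE = """\
object network internal_network
 subnet 192.168.30.0 255.255.255.240
object network internal_network
 nat (inside,outside) dynamic interface
object network my-mapped-address-obj
 host 193.221.20.15
object network my-dmzhost-obj
 host 192.168.40.15
 nat (inside,outside) static my-mapped-address-obj
object network my-ftp-server
 host 192.168.40.100
 nat (inside,outside) static interface service tcp 21 2121
object network identity-nat-obj
 subnet 192.168.40.0 255.255.255.0
object network internal-network-obj
 subnet 192.168.40.0 255.255.255.0
 nat (inside,outside) static identity-nat-obj
"""

def parse_objects(config):
    """Return {name: {"addr": words, "nat": words}}, merging re-entered objects."""
    objects, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if line.startswith("object network ") and len(words) == 3:
            current = objects.setdefault(words[2], {"addr": None, "nat": None})
        elif not line.startswith(" ") or not words:
            current = None  # another top-level command ends the object block
        elif current is not None and words[0] in ("host", "subnet", "range", "nat"):
            current["nat" if words[0] == "nat" else "addr"] = words
    return objects

def rule_type(obj, objects):
    mode, mapped = obj["nat"][2], obj["nat"][3]  # e.g. "static", "interface"
    if mode == "dynamic":
        return "dynamic PAT" if mapped == "interface" else "dynamic NAT"
    if "service" in obj["nat"]:
        return "static port translation"
    if mapped in objects and objects[mapped]["addr"] == obj["addr"]:
        return "identity NAT"  # mapped object covers the same addresses as the real one
    return "static NAT"

def classify(objects):
    return {n: rule_type(o, objects) for n, o in objects.items() if o["nat"]}

def fixed_mappings(objects):  # rules to check against access-lists: not dynamic
    return sorted(n for n, k in classify(objects).items() if not k.startswith("dynamic"))
```
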
