cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2971
Views
0
Helpful
9
Replies

ASA5505 with software 8.3(1) NAT/PAT

Rodrigo Gurriti
Level 3
Level 3

Hello

I have the following scenario:

ASA5505 connected to a DSL modem, and behind this ASA i have a Linux machine that people need to access via SSH. I have it mapped to my outside interface doing PAT

static (inside,outside) tcp interface ssh linux ssh

I had running on 8.2(2) with no problems but I had to mess with fire and I installed the 8.3(1).

Here is my config for PAT on 8.3(1)

object service linux-ports
service tcp source eq ssh


nat (inside,outside) source static linux interface service linux-ports linux-ports

1st question does anyone know a way to read this nat command above ?

The old one was easy ... use the outside interface IP and port ssh to map the linux IP port ssh inside

2nd I understand that now we only going to use object statments to do NAT.

Should my  object service be destination not source ? Think about ..  I want to map a destination port on my interface not the source ... I've tried doing source doesn't work

3rd  Why cisco doesnt have documentation ready ? Cisco docs' have different comands for instance:

nat (inside,outside) source static linux interface service linux-ports linux-ports ---> command on my ASA

nat (inside,outside)  static linux interface service linux-ports linux-ports ---> Cisco docs'

4 Accepted Solutions

Accepted Solutions

Jennifer Halim
Cisco Employee
Cisco Employee

1st - nat (inside,outside) source static  linux interface service linux-ports linux-ports

When the old static statement (8.2 and below version) is normally static (inside,outside) outside-address inside-address,

the new (8.3 version) static statement is to be read as follows: nat (inside,outside) inside outside

So from your example, it would be nat (inside,outside) linux-private-ip outside-interface-ip

2nd - you can know NAT both source and destination service. But as far as your nat statement is concern:

nat (inside,outside) source static  linux interface service linux-ports linux-ports

it has been correctly configured.

One thing that you would like to double check that could be the issue is the outside ACL. On the pre 8.3 version, on the outside ACL, you would need to specifcy the public (prior to NAT ip address), and after 8.3 version, the outside ACL needs to be configured with the private ip address.

Example:

Server ip is 10.1.1.1 --> NAT to 200.1.1.1

Version 8.2:

access-list outside-acl permit tcp any host 200.1.1.1 eq 22

access-group outside-acl in interface outside

Version 8.3:

access-list outside-acl permit tcp any host 10.1.1.1 eq 22

access-group outside-acl in interface outside

3rd - There are 2 different NAT statements that you can configure as per your example:

nat (inside,outside) source static linux interface  service linux-ports linux-ports ---> is called twice NAT/manual NAT

nat (inside,outside)  static linux interface service linux-ports  linux-ports ---> is called network object NAT/auto NAT

Here is the NAT order of operation in version 8.3 for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_overview.html#wp1118157

Hope the above explaination helps.

View solution in original post

For this: nat (inside,outside)  static

Here is how you would configure it:

object network obj-linux
   host linux
   nat (inside,outside) static interface service tcp 22 22

View solution in original post

No, with NAT exemption for VPN, you would need to use the NAT statement (Twice NAT).

Rule of thumb: anything basic NAT, you can configure using the object NAT (auto NAT), anything slightly more specific, ie: ACL (NAT exemption or policy NAT), you would need to use the NAT statement (Twice NAT).

Here is an example for you for NAT exemption (in VPN scenario):

Local LAN: 10.1.1.0/24

Remote LAN: 192.168.1.0/24

object network obj-10.1.1.0
   subnet 10.1.1.0 255.255.255.0


object network obj-192.168.1.0
   subnet 192.168.1.0 255.255.255.0


nat (inside,outside) source static obj-10.1.1.0 obj-10.1.1.0 destination static obj-192.168.1.0 obj-192.168.1.0

Unfortunately there are more steps to be configured compared to the NAT 0 with ACL on the previous version. However, it provides more flexibility in a more complicated scenario which sometimes is not supported in the old version.

View solution in original post

With this statement:

nat (inside,outside) source static obj-10.1.1.0 obj-10.1.1.0 destination static obj-192.168.1.0 obj-192.168.1.0

First obj-10.1.1.0 means pre-NAT

Second obj-10.1.1.0 means post-NAT (what you would like to NAT it to), and in this case, because you want NAT exemption, it will be the same object.

First obj-192.168.1.0 means pre-NAT for the destination subnet

Second obj-192.168.1.0 means post-NAT for the destination subnet, and since you also don't want to NAT the destination subnet, it will be the same object.

Say for example you would like to NAT 10.1.1.0/24 subnet to 172.16.1.0/24 subnet when traffic is destined to 192.168.1.0/24:

object network obj-10.1.1.0
   subnet 10.1.1.0  255.255.255.0

object network obj-172.16.1.0
   subnet 172.16.1.0  255.255.255.0


object  network obj-192.168.1.0
   subnet 192.168.1.0 255.255.255.0


nat  (inside,outside) source static obj-10.1.1.0 obj-172.16.1.0 destination  static obj-192.168.1.0 obj-192.168.1.0

Hopefully it makes a bit more sense now.

View solution in original post

9 Replies 9

Jennifer Halim
Cisco Employee
Cisco Employee

1st - nat (inside,outside) source static  linux interface service linux-ports linux-ports

When the old static statement (8.2 and below version) is normally static (inside,outside) outside-address inside-address,

the new (8.3 version) static statement is to be read as follows: nat (inside,outside) inside outside

So from your example, it would be nat (inside,outside) linux-private-ip outside-interface-ip

2nd - you can know NAT both source and destination service. But as far as your nat statement is concern:

nat (inside,outside) source static  linux interface service linux-ports linux-ports

it has been correctly configured.

One thing that you would like to double check that could be the issue is the outside ACL. On the pre 8.3 version, on the outside ACL, you would need to specifcy the public (prior to NAT ip address), and after 8.3 version, the outside ACL needs to be configured with the private ip address.

Example:

Server ip is 10.1.1.1 --> NAT to 200.1.1.1

Version 8.2:

access-list outside-acl permit tcp any host 200.1.1.1 eq 22

access-group outside-acl in interface outside

Version 8.3:

access-list outside-acl permit tcp any host 10.1.1.1 eq 22

access-group outside-acl in interface outside

3rd - There are 2 different NAT statements that you can configure as per your example:

nat (inside,outside) source static linux interface  service linux-ports linux-ports ---> is called twice NAT/manual NAT

nat (inside,outside)  static linux interface service linux-ports  linux-ports ---> is called network object NAT/auto NAT

Here is the NAT order of operation in version 8.3 for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_overview.html#wp1118157

Hope the above explaination helps.

halijenn,

Thanks for your reply...

I dont know if its because its 5505 or what but i don't have the option:

nat (inside,outside)  static

I only have

nat (inside,outside)  source static

I'm reading the documentation you posted !

Thank you

For this: nat (inside,outside)  static

Here is how you would configure it:

object network obj-linux
   host linux
   nat (inside,outside) static interface service tcp 22 22

Hooo I see very good ... now it make sense

one more question ... lets say i need to do a NAT 0 because a VPN how does it work  ? Can I also do in object ?

Thank you !

No, with NAT exemption for VPN, you would need to use the NAT statement (Twice NAT).

Rule of thumb: anything basic NAT, you can configure using the object NAT (auto NAT), anything slightly more specific, ie: ACL (NAT exemption or policy NAT), you would need to use the NAT statement (Twice NAT).

Here is an example for you for NAT exemption (in VPN scenario):

Local LAN: 10.1.1.0/24

Remote LAN: 192.168.1.0/24

object network obj-10.1.1.0
   subnet 10.1.1.0 255.255.255.0


object network obj-192.168.1.0
   subnet 192.168.1.0 255.255.255.0


nat (inside,outside) source static obj-10.1.1.0 obj-10.1.1.0 destination static obj-192.168.1.0 obj-192.168.1.0

Unfortunately there are more steps to be configured compared to the NAT 0 with ACL on the previous version. However, it provides more flexibility in a more complicated scenario which sometimes is not supported in the old version.

That is what i think confuses:

nat (inside,outside) source static obj-10.1.1.0 obj-10.1.1.0 destination static obj-192.168.1.0 obj-192.168.1.0

It repeats itself, and the IOS ? doesn't explain how you need to configure. how do you read the above rule ?

An other think I saw is that you cannot do 2 NAT statment's on the same object

With this statement:

nat (inside,outside) source static obj-10.1.1.0 obj-10.1.1.0 destination static obj-192.168.1.0 obj-192.168.1.0

First obj-10.1.1.0 means pre-NAT

Second obj-10.1.1.0 means post-NAT (what you would like to NAT it to), and in this case, because you want NAT exemption, it will be the same object.

First obj-192.168.1.0 means pre-NAT for the destination subnet

Second obj-192.168.1.0 means post-NAT for the destination subnet, and since you also don't want to NAT the destination subnet, it will be the same object.

Say for example you would like to NAT 10.1.1.0/24 subnet to 172.16.1.0/24 subnet when traffic is destined to 192.168.1.0/24:

object network obj-10.1.1.0
   subnet 10.1.1.0  255.255.255.0

object network obj-172.16.1.0
   subnet 172.16.1.0  255.255.255.0


object  network obj-192.168.1.0
   subnet 192.168.1.0 255.255.255.0


nat  (inside,outside) source static obj-10.1.1.0 obj-172.16.1.0 destination  static obj-192.168.1.0 obj-192.168.1.0

Hopefully it makes a bit more sense now.

Thanks ! you really helped me !

Glad to help, and thanks for the ratings.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: