cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
491965
Views
111
Helpful
52
Comments
Magnus Mortensen
Cisco Employee
Cisco Employee

Static NAT/PAT

Pre-8.3 NAT8.3 NAT
Regular Static NAT

static (inside,outside) 192.168.100.100 10.1.1.6 netmask  255.255.255.255

 object network obj-10.1.1.6
   host 10.1.1.6
   nat (inside,outside) static 192.168.100.100    
Regular Static PAT

static (inside,outside) tcp 192.168.100.100 80 10.1.1.16 8080 netmask  255.255.255.255

 object network obj-10.1.1.16
   host 10.1.1.16
   nat (inside,outside) static 192.168.100.100 service tcp 8080 www
Static Policy NAT

access-list NET1 permit ip host 10.1.2.27 10.76.5.0 255.255.255.224

static (inside,outside) 192.168.100.100 access-list NET1

object network obj-10.1.2.27

   host 10.1.2.27
 object network obj-192.168.100.100
   host 192.168.100.100
 object network obj-10.76.5.0
   subnet 10.76.5.0 255.255.255.224
 nat (inside,outside) source static obj-10.1.2.27 obj-192.168.100.100 
                      destination static obj-10.76.5.0 obj-10.76.5.0

 

 

Pre-8.3 NAT8.3 NAT
Regular Dynamic PAT
 nat (inside) 1 192.168.1.0 255.255.255.0
 nat (dmz) 1 10.1.1.0 255.255.255.0
 global (outside) 1 
192.168.100.100
object network obj-192.168.1.0
   subnet 192.168.1.0 255.255.255.0
   nat (inside,outside) dynamic 192.168.100.100
 object network obj-10.1.1.0
   subnet 10.1.1.0 255.255.255.0
   nat (dmz,outside) dynamic 192.168.100.100
Regular Dynamic PAT

 
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 192.168.100.100
global (dmz) 1 192.168.1.1



 
 object network obj-10.1.2.0
   subnet 10.1.2.0 255.255.255.0
   nat (inside,outside) dynamic 192.168.100.100
 object network obj-10.1.2.0-01
   subnet 10.1.2.0 255.255.255.0
   nat (inside,dmz) dynamic 192.168.1.1

Regular Dynamic PAT-3

 

 nat (inside) 1 0 0 
 global (outside) 1 interface
 object network obj_any
   subnet 0.0.0.0 0.0.0.0
   nat (inside,outside) dynamic interface

Dynamic Policy NAT

 

 object-group network og-net-src
   network-object 192.168.1.0 255.255.255.0
   network-object 192.168.2.0 255.255.255.0
 object-group network og-net-dst
   network-object 192.168.200.0 255.255.255.0
 object-group service og-ser-src
   service-object tcp gt 2000
   service-object tcp eq 1500
 access-list NET6 extended permit object-group og-ser-src 
                  object-group og-net-src object-group og-net-dst
 nat (inside) 10 access-list NET6
 global (outside) 10 192.168.100.100
 object network obj-192.168.100.100
   host 192.168.100.100
 object service obj-tcp-range-2001-65535
   service tcp destination range 2001 65535
 object service obj-tcp-eq-1500
   service tcp destination eq 1500
 nat (inside,outside) source dynamic og-net-src 
             obj-192.168.100.100 destination 
             static og-net-dst og-net-dst
             service obj-tcp-range-2001-65535
             obj-tcp-range-2001-65535
 nat (inside,outside) source dynamic og-net-src 
             obj-192.168.100.100 destination 
             static og-net-dst og-net-dst 
             service obj-tcp-eq-1500 obj-tcp-eq-1500

Policy Dynamic NAT (with multiple ACEs)

 

 access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 
                               192.168.1.0 255.255.255.0
 access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 
                               192.168.2.0 255.255.255.0
 access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 
                               192.168.3.0 255.255.255.0
 access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 
                               192.168.4.0 255.255.255.0
 nat (inside) 1 access-list ACL_NAT
 global (outside) 1 192.168.100.100
 object network obj-172.29.0.0
   subnet 172.29.0.0 255.255.0.0
 object network obj-192.168.100.100
   host 192.168.100.100
 object network obj-192.168.1.0
   subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0
   subnet 192.168.2.0 255.255.255.0
 
object network obj-192.168.3.0
   subnet 192.168.3.0 255.255.255.0
 object network obj-192.168.4.0
   subnet 192.168.4.0 255.255.255.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
             destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
             destination static obj-192.168.2.0 obj-192.168.2.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
             destination static obj-192.168.3.0 obj-192.168.3.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
             destination static obj-192.168.4.0 obj-192.168.4.0

Outside NAT

 global (inside) 1 10.1.2.30-1-10.1.2.40
 nat (dmz) 1 10.1.1.0 255.255.255.0 outside
 static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255 
 object network obj-10.1.2.27
   host 10.1.2.27
   nat (inside,dmz) static 10.1.1.5
 object network obj-10.1.1.0
   subnet 10.1.1.0 255.255.255.0
   nat (dmz,inside) dynamic obj-10.1.2.30-10.1.2.40
 object network obj-10.1.2.30-10.1.2.40
   range 10.1.2.30 10.1.2.40

NAT & Interface PAT together

 nat (inside) 1 10.1.2.0 255.255.255.0
 global (outside) 1 interface 
 global (outside) 1 192.168.100.100-192.168.100.200
 object network obj-192.168.100.100_192.168.100.200
   range 192.168.100.100 192.168.100.200
 object network obj-10.1.2.0
   subnet 10.1.2.0 255.255.255.0
   nat (inside,outside) dynamic 
            obj-192.168.100.100_192.168.100.200 interface

NAT & Interface PAT with additional PAT together

 nat (inside) 1 10.0.0.0 255.0.0.0

  global (outside) 1 192.168.100.1-192.168.100.200

  global (outside) 1 interface

  global (outside) 1 192.168.100.210

 object network obj-192.168.100.100_192.168.100.200
   range 192.168.100.100 192.168.100.200
 object network obj-10.0.0.0
   subnet 10.0.0.0 255.0.0.0
 object network second-pat
   host 192.168.100.210
 object-group network dynamic-nat-pat
   network-object object obj-192.168.100.100_192.168.100.200
   network-object object second-pat

nat (inside,outside) dynamic dynamic-nat-pat interface

Twice NAT with both source IP, Dest IP and Source port, Dest port change.

On the inside:

 

Source IP: 10.30.97.129

Dest IP: 10.30.97.200

Source port: 5300

Dest port: any port

 


On the outside:

 

Source IP: Interface IP

Dest IP: 172.16.1.10

Source port: 5300

Dest port: 1022

object network source-real
  host 10.30.97.129
  
object network dest-mapped
  host 10.30.97.200

object network dest-real
  host 172.16.1.10

object service inside-src-dest-port
 service tcp source eq 5300 destination range 0 65535

object service outside-src-dest-port
 service tcp source eq 5300 destination eq 1022


nat (inside,outside) after source static source-real interface destination static dest-mapped dest-real service inside-src-dest-port outside-src-dest-port
 

Static NAT for a Range of Ports

 

Not Possible - Need to write multiple Statements or perform a Static one-to-one NAT.


 

           (in)    (out)

10.1.1.1-------ASA-----

        --xlate-------> 10.2.2.2

Original Ports: 10000 - 10010

Translated ports: 20000 - 20010


object service ports

service tcp source range 10000 10010


object service ports-xlate

service tcp source range 20000 20010


object network server

host 10.1.1.1

 

object network server-xlate

host 10.2.2.2

nat (inside,outside) source static server server-xlate service ports ports-xlate
Comments
hdashnau
Cisco Employee
Cisco Employee

Very nice doc Magnus!

whanson
Level 2
Level 2

good stuff. confusing at best but does someone have an example nat (inside) 0   nonat?

thx

you might be looking for this:

https://supportforums.cisco.com/docs/DOC-11639

Vindemiatrix
Level 1
Level 1

I've tried following this guide but I'm still having trouble no-natting VPN clients per https://supportforums.cisco.com/message/3168125

gobito156
Community Member

Pretty please can you help before I totally loose it.

i have followed all the tutorial including the Video by Jay, I ended up with a one of my DMZ Servers working as expected and the second one has no access in or out. both dmzs are accessible from inside whoever the one that dont work can take as long as a 20 seconds for ssh connection prompt  Any ideas?

object network inside-net

subnet 192.168.1.0 255.255.255.0

object network dmz-fbsd-bart

host 192.168.2.2

object network dmz-fbsd-ithcy

host 192.168.2.4

access-list outside_in extended permit ip any host 192.168.2.4

access-list outside_in extended permit ip any host 192.168.2.2

pager lines 24

logging enable

logging asdm debugging

mtu inside 1500

mtu outside 1500

mtu dmz 1500

ip local pool vpn_pool 192.168.1.20-192.168.1.254 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

!

object network inside-net

nat (inside,outside) dynamic interface

object network dmz-fbsd-bart

nat (dmz,any) static XXX.XXX.XXX.71

object network dmz-fbsd-ithcy

nat (dmz,any) static XXX.XXX.XXX.73

access-group outside_in in interface outside

route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.1 1


Thanks in advance,

Eren

tahequivoice
Level 2
Level 2

How would I convert an ACL based natting that takes the incoming packet and translates it to the inside IP of the ASA so the inside server will respond when it uses a different default route?

access-list Outside-Web-Nat permit icmp any host x.x.x.x

access-list Outside-Web-Nat permit tcp any host x.x.x.x eq 443

global (inside) 2 interface

nat (outside) 2 access-list Outside-Web-Nat outside

static (inside,outside) x.x.x.x 10.192.63.9 netmask 255.255.255.255

Hi There,

You will get a quicker response if you post it in Dicussions section fyi (

https://supportforums.cisco.com/community/netpro/security/firewall?view=discussions)

As far as your query is concerned:

Access-list based NAT in pre-8.3 is now Double-nat in 8.3 and later. (Policy based NAT)

I would do the following:

object net any

  subnet 0.0.0.0 0.0.0.0

object net Web-Server-Trans

  host x.x.x.x

object net Web-Server-Orig

  host 10.192.63.9

nat (outside,inside) source dynamic any interface dest static Web-Server-Trans Web-Server-Orig

As far as allowing when to nat (tcp 443, icmp), put that in outside interface access-list

Let me know if this works fine for you.

Regards,

Praveen

jyotirmoy11
Level 1
Level 1

Hi All,

I have a issue with NAT in ASA 5580 firewal.

1. I have one web server on DMZ zone in ASA firewall with private ip  address. Web application is running on webserver, and I can access this  web application with private ip address from web server itself, But I am  not able to access web application with public NATed ip address(NATED  in ASA firewall) from web server itself.

2. From the outside of the firewall the web server application is accessible with public ip address.

I have configured static NAT in ASA firewall as below-

static (INSIDE,OUTSIDE) 169.1.123.28 10.179.124.24 netmask 255.255.255.255

access-list test2 extended permit ip host 10.179.126.138 any

static (INSIDE,OUTSIDE) 10.179.126.138  access-list test2

Can any body help me in this issue

Reg

Jyotirmoy

jbigrow
Level 1
Level 1

Hi Folks

I have a new asa5550 with 8.3 on it

I don't want to NAT at all. I want the inside IP's going out. They are globlly routable addresses

do I need to do anything to support this in routed mode on the asa?

thanks

No, by default nat-control os disabled.

-- Praveen

jbigrow
Level 1
Level 1

so it will just work as is with the ACL's for the global addreses on both sides of the firewall. I.E internet  to inside

inside to internet. since everything is a routable address? we used to use the static (inside, outside) in the older pixes

which just mapped the routable inside to the outside

thats great

thanks

Andrew Meyer
Level 1
Level 1

I'm a little confused still by the 8.4 configuration of things.  Here is how I have my network setup:

Inside = 10.150.1.0 / 255.255.255.0

External = dynamic

I have an email server that I want to open up port 25 from the outside to the inside. 

Here is what I have in my code so far:

object network Email

subnet 10.150.1.0 255.255.255.0

object network Mail_Server_WWW

host 10.150.1.60

object service SMTP

service tcp source eq smtp

object network smtp

host 10.150.1.60

access-list incoming extended permit tcp any object Mail_Server_WWW eq www

nat (inside,any) source static Subnet_ASM_Local Subnet_ASM_Local destination static VPN_Remote_Subnets VPN_Remote_Subnets

!

object network obj_any-01

nat (inside,outside) dynamic interface

object network Email

nat (inside,outside) static interface service tcp smtp smtp

object network Mail_Server_WWW

nat (inside,outside) static interface service tcp www www

object network smtp

nat (outside,inside) static Email service tcp smtp smtp

What am I missing??

CSCO11979396
Community Member

Thank you, very helpful

wangzhenzhen
Level 1
Level 1

Thanks for your nice doc!

WEERAKOO69BA
Level 1
Level 1

Hi It's nice,

That means this is the way we have to configure NAT for 8.3 and above???//Pre-8.3 commands will not accept for the same???Hope I am correct??

Thanks

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: