Assistance with nat

Richard Stanger · ‎12-15-2011

I work exclusively from the command line. I have been trying to understand the configuration rules for 8.3 and above nat and could really use some assitance....

Here is a sample prior to 8.3:

global (outside) 2 192.168.2.3 netmask 255.255.255.255

nat (inside) 2 10.1.2.3 255.255.255.255

Could some one translate this to 8.3 and above and explain how the process?

Thank you!

Rick

Julio Carvajal · ‎12-15-2011

Hello Richard,

It would be a pleassure to help you on this.

Object network host_inside_ 10.1.2.3

host 10.1.2.3

object network host_inside_10.1.2.3_natted

host 192.168.2.3

nat (inside,outside) source dynamic host_inside_ 10.1.2.3 host_inside_10.1.2.3_natted

1-First thing to say. On 8.3 we now use object networks on the nat statements so you will need to create one for each nat statement ( you can use the same object for different nat statements)

2- on prior versions to 8.3 you got to configure more than one command for each nat rule (except from the static) no on 8.3 you are going to be able to configure all kind of nat statements on one line ( Policy nat in one line, nat exemption, etc)

Here is a document I use when I was learning about 8.3.

https://supportforums.cisco.com/docs/DOC-9129

Any other question just let me know I will be more than glad to help.

Please rate helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Richard Stanger · ‎12-15-2011

Object network host_inside_ 10.1.2.3

host 10.1.2.3

object network host_inside_10.1.2.3_natted

host 192.168.2.3

nat (inside,outside) source dynamic host_inside_ 10.1.2.3 host_inside_10.1.2.3_natted

So, we are saying

1) nat from the inside interface to the outside interface

2) for the source address nat from host 10.1.2.3 to host 192.168.2.3

but when we use dynamic, are we referring to the port used on the source? And if that is true, would I substitute static if I wanted the same source port used?

Julio Carvajal · ‎12-15-2011

Hello Richard,

When you use Dynamic nat will be just for outbound connections ( will nat the ip and source IP address on the outside interface).That being said you will use a random port ( higher than 1024)

Now If you want to nat the port to a specific port you will need to use port forwarding or a static one to one witch is used just for bydirectional.(Port forwarding is just for inbound connections)

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Richard Stanger · ‎12-15-2011

Okay, take a look at this and tell me if this would work....

Object network host_inside_ 10.1.2.3

host 10.1.2.3

object network host_inside_10.1.2.3_natted

host 192.168.2.3

object network net_201.201.192.0

subnet 201.201.192.0 255.255.255.0

object service port_1500
service tcp destination eq 1500

nat (inside,outside) source dynamic host_inside_ 10.1.2.3 host_inside_10.1.2.3_natted destination static net_201.201.192.0 service port_1500

Julio Carvajal · ‎12-15-2011

Hello Richard,

The Nat statement is incomplete..

First of all what is what you want to acommplish with this?

1- Nat the inside user 10.1.2.3 to 192.168.2.3 when he goes to any host on the 201.201.192.0 /24 network on port 1500

The nat would look like these

nat (inside,outside) source dynamic host_inside_ 10.1.2.3 host_inside_10.1.2.3_natted destination static net_201.201.192.0

net_201.201.192.0 service service port_1500 service port_1500 .

Let me know if this is what you were looking for,

Please rate helpful posts.

Julio!!

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC