Configure NAT on ASA

Hi Everyone,

I need to configure NAT on a Cisco ASA 5520, and the NAT has to translate an inside IP address to an outside IP address with a specific range of ports.

How can I do it?

Regards,

Evgenii

Accepted Solution

Hi,

I have not used such a NAT before personally, but I would imagine it would be configured something like this:

CONFIGURATION

  • Source interface LAN
  • Destination interface WAN
  • Source host is 10.0.0.150
  • Destination host is 1.1.1.1
  • Real source and destination ports are ANY
  • Mapped source is the range we want
  • Mapped destination is ANY (in other words, no change for the destination ports as it's ANY/ANY)
  • NAT only applies between these hosts. To include multiple hosts or networks it is better to use "object-group" instead of "object network"

object network HOST-A
 host 10.0.0.150
object network HOST-B
 host 1.1.1.1
object service REAL-PORTS
 service tcp source range 0 65535 destination range 0 65535
object service MAPPED-PORTS
 service tcp source range 2000 2020 destination range 0 65535

nat (LAN,WAN) source static HOST-A interface destination static HOST-B HOST-B service REAL-PORTS MAPPED-PORTS

TEST

  • Using "packet-tracer" to confirm that the NAT operates as expected

ASA(config)# packet-tracer input LAN tcp 10.0.0.150 12345 1.1.1.1 1000

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (LAN,WAN) source static HOST-A interface destination static HOST-B HOST-B service REAL-PORTS MAPPED-PORTS
Additional Information:
NAT divert to egress interface WAN
Untranslate 1.1.1.1/1000 to 1.1.1.1/1000
! Destination parameters are unchanged as per configurations. NAT configuration only applies to destination IP address 1.1.1.1

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source static HOST-A interface destination static HOST-B HOST-B service REAL-PORTS MAPPED-PORTS
Additional Information:
Static translate 10.0.0.150/12345 to /2018
! Real Source port is translated to one port from Mapped Source range

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (LAN,WAN) source static HOST-A interface destination static HOST-B HOST-B service REAL-PORTS MAPPED-PORTS
Additional Information:

Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1014220, packet dispatched to next module

Result:
input-interface: LAN
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: allow

- Jouni
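To see what the rule above actually commits the firewall to, here is a small Python model of it. This is an added example, not code from the thread or from Cisco. It models the accepted solution's `source static ... service REAL-PORTS MAPPED-PORTS` rule and generalises it to several inside hosts, each owning its own mapped source-port range, which is what the asker wants later in the thread (telling inside hosts apart on the outside by port range). Assumptions: the outside interface address is 10.0.20.1 as the asker describes; the second inside host 10.0.0.151 and its range 2021-2041 are constructed; port allocation is lowest-free-first, a simplification (the real ASA picked 2018 for source port 12345 in the trace above). The class and function names are invented for the example. The `check_packet_tracer` helper scans packet-tracer output for the `Static translate` line and confirms the mapped port falls inside the configured range, which is the one check worth automating after a change like this.

```python
"""Model of an ASA-style static source NAT with a mapped source-port range.

Added example, not from the thread or from Cisco. Modelled rule:
  nat (LAN,WAN) source static HOST-A interface destination static HOST-B HOST-B
      service REAL-PORTS MAPPED-PORTS
Assumptions: outside address 10.0.20.1 (from the asker); second host
10.0.0.151 / range 2021-2041 is constructed; lowest-free-port allocation is
a simplification of what the ASA does.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """A TCP 4-tuple as seen on one side of the firewall."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class NatRule:
    """One 'source static ... service REAL MAPPED' rule with a mapped source-port range."""
    real_host: str       # object network HOST-A
    dest_host: str       # object network HOST-B (destination is left unchanged)
    mapped_ip: str       # the 'interface' keyword -> WAN interface address
    mapped_ports: range  # MAPPED-PORTS source range, both ends inclusive


def inclusive(lo: int, hi: int) -> range:
    """ASA 'range 2000 2020' includes both ends; Python range() does not."""
    return range(lo, hi + 1)


OUTSIDE_IP = "10.0.20.1"  # outside address mentioned by the asker
RULES = [
    NatRule("10.0.0.150", "1.1.1.1", OUTSIDE_IP, inclusive(2000, 2020)),  # HOST-A from the thread
    NatRule("10.0.0.151", "1.1.1.1", OUTSIDE_IP, inclusive(2021, 2041)),  # constructed second host
]


class PortRangeNat:
    """Stateful translator: allocates one mapped port per new connection."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.xlate = {}  # (mapped_ip, mapped_port) -> inside Flow

    def _rule_for(self, flow):
        for rule in self.rules:
            if flow.src_ip == rule.real_host and flow.dst_ip == rule.dest_host:
                return rule
        return None

    def translate(self, flow):
        """Return the outside-view Flow, or None (no matching rule, or range exhausted)."""
        rule = self._rule_for(flow)
        if rule is None:
            return None
        in_use = {port for (ip, port) in self.xlate if ip == rule.mapped_ip}
        for port in rule.mapped_ports:
            if port not in in_use:
                self.xlate[(rule.mapped_ip, port)] = flow
                return Flow(rule.mapped_ip, port, flow.dst_ip, flow.dst_port)
        # Only len(mapped_ports) concurrent connections fit; the next one is refused.
        return None

    def release(self, mapped_ip, mapped_port):
        """Connection closed: free the mapped port for reuse."""
        self.xlate.pop((mapped_ip, mapped_port), None)

    def identify(self, mapped_ip, mapped_port):
        """Outside view: the inside host that owns this mapped port, or None."""
        for rule in self.rules:
            if mapped_ip == rule.mapped_ip and mapped_port in rule.mapped_ports:
                return rule.real_host
        return None


# The packet-tracer NAT phase prints 'Static translate <real>/<port> to <mapped>/<port>';
# with the 'interface' keyword the mapped IP is printed empty, as in the thread.
TRANSLATE_RE = re.compile(r"Static translate (\S+)/(\d+) to (\S*)/(\d+)")


def check_packet_tracer(output: str, rule: NatRule) -> bool:
    """True if the trace shows the rule's real host translated into its mapped range."""
    m = TRANSLATE_RE.search(output)
    if m is None:
        return False
    real_ip, mapped_port = m.group(1), int(m.group(4))
    return real_ip == rule.real_host and mapped_port in rule.mapped_ports


# Excerpt of the packet-tracer NAT phase from the thread.
SAMPLE_TRACE = """Phase: 2
Type: NAT
Additional Information:
Static translate 10.0.0.150/12345 to /2018
"""

if __name__ == "__main__":
    nat = PortRangeNat(RULES)
    print(nat.translate(Flow("10.0.0.150", 12345, "1.1.1.1", 1000)))
    print(nat.identify(OUTSIDE_IP, 2018), nat.identify(OUTSIDE_IP, 2030))
    print(check_packet_tracer(SAMPLE_TRACE, RULES[0]))
```

The model makes the capacity limit explicit: a 21-port mapped range means at most 21 concurrent connections from that host to 1.1.1.1 before new ones are refused, so the range has to be sized for the host's real concurrency, and anyone relying on the port range to identify hosts on the outside must keep the ranges non-overlapping.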


8 Replies

Julio Carvajal
VIP Alumni

Hello,

First of all,

What version are you running?

Check my blog at http://laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I use the Cisco ASA 5520 with version 8.4(5)

Sorry for the long wait.

I was creating a blog post just for you.

Check it out at http://www.laguiadelnetworking.com/how-to-create-a-nat-translation-for-a-range-of-ports-on-asa-8-3-and-higher-software/

And let me know what you think.
Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio, that's good information!

But I need to realise the following situation:

1. I send a packet from A to B.

2. The ASA changes the source IP address to 10.0.20.1 and changes the source port to any port from the range 2000-2020.

3. B sees the packet with IP 10.0.20.1 and port 2001.

I can't find information on how to configure this construction =(

Regards,

Evgenii

Hi,

Just out of interest, why would you want it so that when Host A connects to Host B, the Host A address is NATed and its source port is also NATed to some specific range?

Or did I understand the above situation wrong?

- Jouni

Hi Jouni,

I have a few hosts in the inside LAN and only one IP address on the outside. I need a unique identification of these hosts on the outside. Therefore I want to use the port range as the identifier.


Thank you very much, Jouni.