Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Example of Manual NAT to implement NAT exemption

Hi Everyone,

Below is from Cisco LEarning Network site

Referring to the Cisco ASA NAT configuration  below

object network one

  subnet 10.1.1.0 255.255.255.0

!

object network two

  subnet 192.168.1.0 255.255.255.0

!

nat (inside,outside) source static one one destination static two two

Need to understand how below answer is correct?

This is an example of Cisco ASA 8.3 manual NAT to implement NAT exemption.

Regards

MAhesh

3 ACCEPTED SOLUTIONS

Accepted Solutions
Super Bronze

Re: Example of Manual NAT to implement NAT exemption

Hi Mahesh,

Yes, the above configuration achieves a NAT0 type configuration in the new 8.3+ ASA softwares.

In the 8.2 and older softwares we used an ACL to tell the ASA between which networks there should be no translation to the source address.

The above configuration could correspond to the following on the 8.2 software

access-list INSIDE-NAT0 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list INSIDE-NAT0

And as you have already mentioned the 8.3+ format is

object network one

  subnet 10.1.1.0 255.255.255.0

object network two

  subnet 192.168.1.0 255.255.255.0

nat (inside,outside) source static one one destination static two two

In the new format you see the same things as you saw in the older format using ACL. It tells between which interfaces this NAT applies. It also tells between which source and destination networks this applies.

Now lets look at the above "nat" statement in all of its parts

  • nat = Is the actual command which starts the NAT configuration whatever NAT you were configuring
  • inside = Is the source interface for the NAT as its mentioned first
  • outside = Is the destination interface for the NAT its mentioned second
  • source = Simply specifies that the source parameters for this NAT configuration will follow
  • static = Defines that were doing a Static type of NAT
  • one = Defines the real source network
  • one = Defines the mapped source network
  • destination = Simply specifies that the destination parameters for this NAT configuration will follow
  • static = Defines that the destination is static. It can only be static
  • two = Defines the mapped destination network
  • two = Defines the real destination network

And the key things to notice from the configuration.

  • Both source and destination real and mapped networks are the same. This means that the source network and destination network should stay unchanged. So in essence we are doing NAT0.
  • When we add the "destination static " this automatically means that the NAT will only be applied when the destination of the traffic is this network. This naturally applies in the reverse direction since the rule is bidirectional.

I am not really sure if I explained the above in the best way I could. Hope it makes any sense

- Jouni

Example of Manual NAT to implement NAT exemption

Exactly,

As you are basically natting One to One when going to Two. And at the same time Two is being nattted to Two.

So no changes on the IP header will ocurr

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Super Bronze

Example of Manual NAT to implement NAT exemption

And to further add to my above explanation,

The above NAT0 configuration will be matched WHEN

  • Traffic is going between "inside" and "outside" interface
  • Traffic is coming from behind "inside" from the real source network "one" to mapped destination network "two"
  • Traffic is coming from behind "outside" from the real destination network "two" to mapped source network "one"

The latter 2 points above just indicate which section of the "nat" configuration is matched against the traffic depending behind which interface the traffic is coming from.

- Jouni

4 REPLIES
Super Bronze

Re: Example of Manual NAT to implement NAT exemption

Hi Mahesh,

Yes, the above configuration achieves a NAT0 type configuration in the new 8.3+ ASA softwares.

In the 8.2 and older softwares we used an ACL to tell the ASA between which networks there should be no translation to the source address.

The above configuration could correspond to the following on the 8.2 software

access-list INSIDE-NAT0 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list INSIDE-NAT0

And as you have already mentioned the 8.3+ format is

object network one

  subnet 10.1.1.0 255.255.255.0

object network two

  subnet 192.168.1.0 255.255.255.0

nat (inside,outside) source static one one destination static two two

In the new format you see the same things as you saw in the older format using ACL. It tells between which interfaces this NAT applies. It also tells between which source and destination networks this applies.

Now lets look at the above "nat" statement in all of its parts

  • nat = Is the actual command which starts the NAT configuration whatever NAT you were configuring
  • inside = Is the source interface for the NAT as its mentioned first
  • outside = Is the destination interface for the NAT its mentioned second
  • source = Simply specifies that the source parameters for this NAT configuration will follow
  • static = Defines that were doing a Static type of NAT
  • one = Defines the real source network
  • one = Defines the mapped source network
  • destination = Simply specifies that the destination parameters for this NAT configuration will follow
  • static = Defines that the destination is static. It can only be static
  • two = Defines the mapped destination network
  • two = Defines the real destination network

And the key things to notice from the configuration.

  • Both source and destination real and mapped networks are the same. This means that the source network and destination network should stay unchanged. So in essence we are doing NAT0.
  • When we add the "destination static " this automatically means that the NAT will only be applied when the destination of the traffic is this network. This naturally applies in the reverse direction since the rule is bidirectional.

I am not really sure if I explained the above in the best way I could. Hope it makes any sense

- Jouni

Super Bronze

Example of Manual NAT to implement NAT exemption

And to further add to my above explanation,

The above NAT0 configuration will be matched WHEN

  • Traffic is going between "inside" and "outside" interface
  • Traffic is coming from behind "inside" from the real source network "one" to mapped destination network "two"
  • Traffic is coming from behind "outside" from the real destination network "two" to mapped source network "one"

The latter 2 points above just indicate which section of the "nat" configuration is matched against the traffic depending behind which interface the traffic is coming from.

- Jouni

Example of Manual NAT to implement NAT exemption

Exactly,

As you are basically natting One to One when going to Two. And at the same time Two is being nattted to Two.

So no changes on the IP header will ocurr

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Example of Manual NAT to implement NAT exemption

Hi Jouni,

Another great answer form you.

I will go through your replies in more detail.

Best regards

MAhesh

123
Views
0
Helpful
4
Replies
CreatePlease login to create content