Solved: nat(inside,outside) real mapped,mapped real

mahesh18 · ‎07-28-2013

Hi Everyone,

Normally when we do static map from inside to outside or dynamic NAT using range of IP we use

nat(inside,outside) real source mapped source mapped destination real destination.

Need to know when we will use the order below

nat(inside,outside) real source mapped source real destination mapped destination?

also if i have below config

nat (inside,outside) after-auto source dynamic inside_net inside_natted destination static Partnet_internal Out_natted

and i put interface just before the destination what it will mean then?

nat (inside,outside) after-auto source dynamic inside_net inside_natted interface destination static Partnet_internal Out_natted

Regards

MAhesh

Jouni Forss · ‎07-28-2013

Hi Mahesh,

To my understanding the ordering of the Real/Mapped sections of the NAT commands never change in any format.

It should always be

nat (sourceint,destinationint) source destination static

The "nat" configuration with the added "interface" parameter to my understanding does so that if the addresses under the "inside_natted" runs out then the "interface" IP address will be used. I can't see what is configured under "inside_natted" though, it might be a range of addresses or a single address.

- Jouni

View solution in original post

Jouni Forss · ‎07-28-2013

Hi,

Lets take this example of the mentioned configuration format

object network LAN

subnet 10.10.10.0 255.255.255.0

object network NAT-POOL

range 1.1.1.1 1.1.1.2

object network REMOTE-NETWORK

subnet 3.3.3.0 255.255.255.0

nat (inside,outside) after-auto source dynamic LAN NAT-POOL interface destination static REMOTE-NETWORK REMOTE-NETWORK

What the above NAT configuration basically does is

It performs Dynamic NAT+PAT between the "inside" and "outside" interfaces
It performs this translation only when the source network is "LAN" and the destination is "REMOTE-NETWORK"
It will first use the IP addresses from "NAT-POOL" for users on the "LAN". So after 2 different hosts from subnet 10.10.10.0/24 have initiated a connection and gotten a translation on the ASA, the pool is out of IP addresses. After this happens the next host that connects to "REMOTE-NETWORK" will use the "interface" IP address of "outside" interface for Dynamic PAT translation.

So in your case with the below configuration

nat (inside,outside) after-auto source dynamic inside_net inside_natted interface destination static Partnet_internal Out_natted

The hosts on the "inside_net" would be NATed to the NAT Pool of "inside_natted" until that NAT Pool runs out. After it runs out the remaining hosts that initiate connections that match this NAT rule will use the "outside" interface IP address as a Dynamic PAT address as is specified by the parameter "interface" that you have added.

- Jouni

View solution in original post

Jouni Forss · ‎07-28-2013

Hi Mahesh,

To my understanding the ordering of the Real/Mapped sections of the NAT commands never change in any format.

It should always be

nat (sourceint,destinationint) source destination static

The "nat" configuration with the added "interface" parameter to my understanding does so that if the addresses under the "inside_natted" runs out then the "interface" IP address will be used. I can't see what is configured under "inside_natted" though, it might be a range of addresses or a single address.

- Jouni

mahesh18 · ‎07-28-2013

Hi Jouni,

Inside_natted has range of IP addresses.

When you say interface ip address to use does it mean that it will use the outside interface ip address?

Regards

MAhesh

Jouni Forss · ‎07-28-2013

Hi,

Lets take this example of the mentioned configuration format

object network LAN

subnet 10.10.10.0 255.255.255.0

object network NAT-POOL

range 1.1.1.1 1.1.1.2

object network REMOTE-NETWORK

subnet 3.3.3.0 255.255.255.0

nat (inside,outside) after-auto source dynamic LAN NAT-POOL interface destination static REMOTE-NETWORK REMOTE-NETWORK

What the above NAT configuration basically does is

It performs Dynamic NAT+PAT between the "inside" and "outside" interfaces
It performs this translation only when the source network is "LAN" and the destination is "REMOTE-NETWORK"
It will first use the IP addresses from "NAT-POOL" for users on the "LAN". So after 2 different hosts from subnet 10.10.10.0/24 have initiated a connection and gotten a translation on the ASA, the pool is out of IP addresses. After this happens the next host that connects to "REMOTE-NETWORK" will use the "interface" IP address of "outside" interface for Dynamic PAT translation.

So in your case with the below configuration

nat (inside,outside) after-auto source dynamic inside_net inside_natted interface destination static Partnet_internal Out_natted

The hosts on the "inside_net" would be NATed to the NAT Pool of "inside_natted" until that NAT Pool runs out. After it runs out the remaining hosts that initiate connections that match this NAT rule will use the "outside" interface IP address as a Dynamic PAT address as is specified by the parameter "interface" that you have added.

- Jouni

mahesh18 · ‎07-28-2013

Hi Jouni,

I will need some time and practice to go through these replies.

Best Regards

MAhesh