NAT on ASA 7.x

GRANT3779
Spotlight

I have an ASA running Site2Site VPN.

This works ok but I want a certain subnet behind my inside interface to have internet access through the ASA Outside interface Dynamic NAT.

I have set up a NAT Exemption list but am not too sure how to configure NAT on pre-8.3, incorporating my ACL.


13 Replies

Jouni Forss
VIP Alumni

Hi,

The 8.2, 8.0 and 7.x software follow the same logic in NAT0 configuration, to my understanding.

You can have a single NAT0 configuration per interface.

Each of those configurations has an ACL attached. All the traffic that needs NAT Exemption is configured under them.

So for example the below NAT0 configuration would perform NAT Exemption for the network 10.10.10.0/24 behind the "inside" interface when it is connecting to the 192.168.10.0/24 network.

access-list INSIDE-NAT0 permit ip 10.10.10.0 255.255.255.0 192.168.10.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0

Any future NAT0 / NAT Exempt configurations for networks behind the "inside" interface would be added to the existing ACL.

You can check the "nat" configurations and their attached ACLs with the command

show run nat

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

- Jouni

Hey, Thanks for that.

Do I need to configure NAT Outside and Nat Inside under the interfaces like I do in a router?

Hi,

For NAT0 you only need the above configurations.

Naturally your interface names and network are what they are currently on your device/network.

Hmm, now that I read the original post again, I guess you were asking for Dynamic PAT configuration also?

For those you can do

global (outside) 1 interface
nat (inside) 1

This will do Dynamic PAT using the "outside" interface IP address for the users in the network defined in the "nat" statement. If you want to add more source networks to this Dynamic PAT then you simply add another line with the other network.

Again, the interface names and networks you define are the ones used in your device/network.

- Jouni

Hi Jouni,

Still a little bit confused, probably because I haven't worked with ASA much. Only routers.

My example is:

I want to enable Dynamic PAT for network 10.44.x.x for internet access.

However, for the following ACL I do not want NAT.

access-list Test extended permit ip 10.44.128.0 255.255.240.0 172.0.0.0 255.0.0.0
access-list Test extended permit ip 10.44.128.0 255.255.240.0 10.129.0.0 255.255.0.0

What do I need to configure? Still a bit confused about the outside 0, global etc.

Hi,

If I presume that the local network is 10.44.0.0/16 and the NAT0 is as you mentioned above,

Then the configuration would be

Dynamic PAT

The number "1" below is an ID number for this Dynamic PAT rule. The ID number is simply meant to match the "nat" and "global" commands together. The ID number might as well be 100 in this case if you wanted. It wouldn't affect the Dynamic PAT.

global (outside) 1 interface
nat (inside) 1 10.44.0.0 255.255.0.0

NAT0

access-list INSIDE-NAT0 remark NAT0 for interface INSIDE
access-list INSIDE-NAT0 permit ip 10.44.128.0 255.255.240.0 172.0.0.0 255.0.0.0
access-list INSIDE-NAT0 permit ip 10.44.128.0 255.255.240.0 10.129.0.0 255.255.0.0
nat (inside) 0 access-list INSIDE-NAT0

By the way, are you sure about the mask /8 there in the NAT0 rule?

Hope this helps

Please do remember to mark a reply as the correct answer if it answered your question.

- Jouni

Hi Jouni,

Ok,

I've added the following command in my ASA

ciscoasa(config)# nat (inside) 0 access-list Test

Still not working. Do I need both Dynamic PAT commands and NAT0 commands?

Hi,

What is not working?

Would also need to see some device configurations to be able to find any problems in it.

- Jouni

Internet Access is not working on the servers which are on the 10.44.x.x range.

Hi,

What is your exact software level?

Use the following command to view it

show version

- Jouni

Hi,

show version provides:

Cisco Adaptive Security Appliance Software Version 7.2(4).

Config below

ciscoasa# show run
: Saved
:
ASA Version 7.2(4)
!
hostname ciscoasa
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.252
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.44.10.5 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address yyyyy 255.255.255.0
!
ftp mode passive
dns domain-lookup management
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list Test extended permit ip 10.44.128.0 255.255.240.0 172.16.0.0 255.240.0.0
access-list Test extended permit ip 10.44.128.0 255.255.240.0 10.129.0.0 255.255.0.0
pager lines 24
logging enable
logging timestamp
logging buffer-size 1048576
logging monitor debugging
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-702.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list Test
route outside 0.0.0.0 0.0.0.0 xxxxxxx
route outside xx
route inside xxx
route inside xxxx
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TSTEST esp-3des esp-md5-hmac
crypto map VPN 10 match address Test
crypto map VPN 10 set peer xxxxx
crypto map VPN 10 set transform-set TSTEST
crypto map VPN interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash md5
 group 2
 lifetime 3600
telnet timeout 5
ssh timeout 5
ssh version 2
console timeout 0
group-policy portalgp internal
group-policy portalgp attributes
 vpn-tunnel-protocol webvpn
 webvpn
  url-list none
pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  message-length maximum client auto
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
: end
ciscoasa#

Hi,

You have not added the configuration required to perform Dynamic PAT.

If your LAN network were from 10.44.0.0/16 then add the following

global (outside) 1 interface
nat (inside) 1 10.44.0.0 255.255.0.0

And try again

- Jouni

Hey :-)

That's working now, super, thank you.

Can you break down the commands and let me know what each is doing? I'd rather understand it than just be able to do it.

Thanks again, appreciate it.

Hi,

Well, basically, when you are configuring a new Dynamic PAT or Dynamic NAT you will need the "global" and "nat" commands to achieve it. They are paired by the ID number that is used after the section which specifies the interface used.

The "nat" command line specifies the source interface on the firewall for which hosts/networks we want to do Dynamic PAT or Dynamic NAT.

The "global" command line specifies the actual PAT/NAT address(es) to which the source addresses are NATed. (The source addresses are specified with the above "nat" command.)

As you can see also, NAT0 is one of the only "nat" configurations that use only the "nat" command to achieve the NAT (or rather the lack of translation) without the use of any "global" command.

So let's say we have three networks behind interface "inside" and want to do Dynamic PAT for all of them using the "outside" interface IP address. Then we would configure

global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
nat (inside) 1 10.10.20.0 255.255.255.0
nat (inside) 1 10.10.30.0 255.255.255.0

Now let's say we want to use a different public IP address for a few hosts, for example, and want to keep the previously configured Dynamic PAT working for all other hosts. Then we would configure/add

global (outside) 10 1.1.1.2
nat (inside) 10 10.10.10.2
nat (inside) 10 10.10.10.3
nat (inside) 10 10.10.10.4

Notice that we now use a separate IP address in the "global" command, since we ARE NOT using the "outside" interface IP address that the other Dynamic PAT configuration used through the "interface" parameter in its "global" command.

To be honest, even with the older software levels there are still a lot of things related to NAT that we could mention, but the above ones are essentially the very basic PAT configurations that people use.

Hope this clarifies things

Naturally if you run into situation where you have a question about some other NAT related configuration you can always start a discussion on the forums.

- Jouni
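The two rules this thread turns on (NAT0 exemption is matched before dynamic NAT, and a "nat" line does nothing unless a "global" line with the same ID exists on the egress interface) can be checked offline. The following Python script is an added example, not Cisco software or anything posted in the thread: it parses the pre-8.3 "access-list", "nat" and "global" syntax shown above into a small table, answers "what happens to this source/destination pair" the way the posts describe, and lists NAT IDs that have no matching "global". The sample configs are constructed from the addresses in the thread; the "most specific nat line wins" tie-break for overlapping networks is this example's assumption, chosen because Jouni's host-specific ID 10 overrides the /24 in ID 1.

```python
"""Pre-8.3 ASA nat/global matcher (added example, not Cisco code)."""
import ipaddress
import re
from dataclasses import dataclass, field

ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT0_RE = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)$")      # NAT exemption
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")         # dynamic NAT/PAT source
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")         # mapped pool / interface


@dataclass
class NatTable:
    acls: dict = field(default_factory=dict)     # ACL name -> [(src_net, dst_net)]
    exempt: dict = field(default_factory=dict)   # real interface -> NAT0 ACL name
    dynamic: list = field(default_factory=list)  # (real interface, id, network)
    pools: dict = field(default_factory=dict)    # (mapped interface, id) -> "interface" or IP


def _net(addr, mask):
    # "0 0" is the CLI shorthand for any address
    addr = "0.0.0.0" if addr == "0" else addr
    mask = "0.0.0.0" if mask == "0" else mask
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Collect ACL entries, NAT0 bindings, nat sources and global pools."""
    t = NatTable()
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            name, sa, sm, da, dm = m.groups()
            t.acls.setdefault(name, []).append((_net(sa, sm), _net(da, dm)))
        elif m := NAT0_RE.match(line):          # must be tried before NAT_RE
            t.exempt[m.group(1)] = m.group(2)
        elif m := NAT_RE.match(line):
            iface, nat_id, addr, mask = m.groups()
            t.dynamic.append((iface, int(nat_id), _net(addr, mask)))
        elif m := GLOBAL_RE.match(line):
            iface, nat_id, pool = m.groups()
            t.pools[(iface, int(nat_id))] = pool
    return t


def classify(table, src_if, dst_if, src_ip, dst_ip):
    """Describe how a flow from src_if to dst_if is translated."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # 1. NAT exemption (nat 0 access-list) is consulted first
    acl = table.exempt.get(src_if)
    for src_net, dst_net in table.acls.get(acl, []):
        if s in src_net and d in dst_net:
            return f"exempt via nat ({src_if}) 0 access-list {acl}"
    # 2. Regular dynamic NAT: nat lines on the source interface covering the host
    hits = [(net, nat_id) for iface, nat_id, net in table.dynamic
            if iface == src_if and s in net]
    if not hits:
        return f"no translation: no nat statement on {src_if} covers {src_ip}"
    net, nat_id = max(hits, key=lambda h: h[0].prefixlen)   # assumption: most specific wins
    pool = table.pools.get((dst_if, nat_id))
    if pool is None:
        return f"no translation: nat id {nat_id} has no global on {dst_if}"
    if pool == "interface":
        return f"PAT to {dst_if} interface address (nat id {nat_id})"
    return f"translate to {pool} (nat id {nat_id})"


def unpaired_nat_ids(table, egress_if):
    """NAT IDs that have a nat line but no global line on egress_if (the bug in the thread)."""
    ids = {nat_id for _, nat_id, _ in table.dynamic}
    return sorted(i for i in ids if (egress_if, i) not in table.pools)


# Constructed samples built from the thread's addresses (not the posted show run verbatim)
POSTED = """
access-list Test extended permit ip 10.44.128.0 255.255.240.0 172.16.0.0 255.240.0.0
access-list Test extended permit ip 10.44.128.0 255.255.240.0 10.129.0.0 255.255.0.0
nat (inside) 0 access-list Test
"""
FIXED = POSTED + """
global (outside) 1 interface
nat (inside) 1 10.44.0.0 255.255.0.0
"""
HOST_OVERRIDE = """
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 10 1.1.1.2
nat (inside) 10 10.10.10.2 255.255.255.255
"""

if __name__ == "__main__":
    for cfg in (POSTED, FIXED):
        print(classify(parse(cfg), "inside", "outside", "10.44.130.7", "172.16.5.5"))
        print(classify(parse(cfg), "inside", "outside", "10.44.10.20", "8.8.8.8"))
    print(unpaired_nat_ids(parse("nat (inside) 1 10.44.0.0 255.255.0.0"), "outside"))
```

Running it against POSTED reproduces the symptom in the thread (VPN traffic is exempt, internet traffic has no rule), and against FIXED shows the same VPN flow still exempt while everything else is PATed to the outside interface. The unpaired-ID check catches the opposite mistake, a "nat" line typed without its "global".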
