Configuring NAT on an ASA (Version 7)

Aileron88
Level 1

Hi everyone,

I'm a little confused about the configuration of NAT on an ASA 5520.

On the ASA I have 1 x WAN connection and 1 x Internet Connection as well as the Inside and DMZ. I want to translate traffic from certain subnets on the inside (say 10.1.2.0 255.255.255.0) to an outside address (say 1.2.3.0 255.255.255.0).

Is this done with the following:

nat-control

nat (inside) 1 10.1.2.0 255.255.255.0

nat (outside) 1 1.2.3.0 255.255.255.0

I'm assuming the ASA uses the number after the brackets to distinguish what to translate? So if I had another entry with a '2' after the brackets, any of the '1' entries wouldn't translate to this? I have access-lists inbound on the INSIDE interface; I'm assuming these are applied before any NAT and only items allowed through the access-list are allowed to NAT?

I also have an address I would like to statically NAT with a certain port number, how do I do this? After I've configured this, what are the commands to apply NAT on the interface?

I'm currently reading the documentation but sometimes the examples aren't great!

Thanks,

Adam

9 Replies

Latchum Naidu
VIP Alumni

Hi Adam,

Traffic from inside to outside is always allowed by default; you do not need to do any other configuration.
See the example NAT rule below.
static (inside,outside) 1.1.1.10 10.30.30.2 netmask 255.255.255.255

See the below link for how to configure NAT and ACL's on ASA.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/nat_overview.html


See the example config below to configure NAT with some ports allowed (PAT):

static (inside,outside) tcp interface 32 x.x.x.x 22 netmask 255.255.255.255

where x.x.x.x is the IP address of the PC in the inside LAN to which you want SSH access.

PS: don't forget, you will also need an access-list which will permit the traffic to port 32 on the outside interface.

access-list inbound_traffic extended permit tcp any interface outside eq 32
access-group inbound_traffic in interface outside


Please rate all the helpful posts.
Regards,
Naidu.

On the ASA I have 1 x WAN connection and 1 x Internet Connection as well as the Inside and DMZ. I want to translate traffic from certain subnets on the inside (say 10.1.2.0 255.255.255.0) to an outside address (say 1.2.3.0 255.255.255.0).

Is this done with the following:

nat-control

nat (inside) 1 10.1.2.0 255.255.255.0

nat (outside) 1 1.2.3.0 255.255.255.0

Is there a reason for you to have nat-control on? It can be a bit of a pain to deal with. You will need NAT translations from high to low and low to high as far as I know.

As for the configuration below your nat-control statement (which I believe is turned on by default in the version you are using), you will need a "global" statement. It also looks like your outside statement appears to be a dynamic NAT pool statement, so you would need to do the following.

nat (inside) 1 10.1.2.0 255.255.255.0

global (outside) 1 1.2.3.1-1.2.3.254 netmask 255.255.255.0

Since it seems like you are wanting to do multiple subnets to the outside interface, I would set up a PAT statement for all the subnets that you want to access the Internet, unless you need a static statement for any reason, i.e. server, website, etc.

For Example:

nat (inside) 1 10.1.2.0 255.255.255.0

nat (inside) 1 10.1.3.0 255.255.255.0

nat (inside) 1 10.1.4.0 255.255.255.0

global (outside) 1 1.2.3.4 netmask 255.255.255.255

All the subnets from 10.1.2.0, 10.1.3.0, and 10.1.4.0 will use the PAT address of 1.2.3.4; since a single PAT address will give you up to 65,535 addresses for NATing purposes, you will be fine.

Thanks for the replies. The configuration you have provided makes a lot of sense.

For Example:

nat (inside) 1 10.1.2.0 255.255.255.0

nat (inside) 1 10.1.3.0 255.255.255.0

nat (inside) 1 10.1.4.0 255.255.255.0

global (outside) 1 1.2.3.4 netmask 255.255.255.255

I need to do a couple of static translations too, can I do these separately from this? I think I misunderstood the function of nat-control, does this just dynamically translate from inside to outside?

Thanks,

Adam

Yes, you can do those separately. Look at the configuration that Naidu gave you, and you can see the static NAT syntax.

For Example:

static (inside,outside) 75.111.23.1 10.0.0.1 netmask 255.255.255.255

The inside interface is whatever your real interface is and the outside interface will match whatever your mapped interface is.

The first IP outside the brackets is the mapped IP and the second is the real IP. Since this is a static NAT you will need netmask 255.255.255.255, since you are doing a one-to-one mapping.
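Putting the pieces from the replies together, here is an added example (not configuration from the original thread) of a complete pre-8.3 NAT setup for the scenario Adam describes: three inside subnets PATed to 1.2.3.4, one host published one-to-one, and one host published on a single TCP port. Note that the `nat (outside) 1 1.2.3.0 255.255.255.0` line in the original question would configure outside NAT (translating sources that arrive on the outside interface); the pool for inside sources belongs in a `global (outside)` line, as the replies say. The real addresses 10.1.2.10 and 10.1.2.20, the mapped addresses 1.2.3.10 and 1.2.3.11, the port 8022, the ACL name and the sample Internet address 203.0.113.5 are assumptions.

```cisco
! Added example, not from the thread. Pre-8.3 NAT syntax (ASA 7.x / 8.0 / 8.2).
! Host addresses, the ACL name and the port numbers are assumed.
no nat-control
!
! Dynamic PAT: all three inside subnets share the single mapped address 1.2.3.4.
! The id "1" ties each nat line to the global line on the outside interface;
! a "nat (inside) 2 ..." line would only ever use a "global (outside) 2 ..." pool.
nat (inside) 1 10.1.2.0 255.255.255.0
nat (inside) 1 10.1.3.0 255.255.255.0
nat (inside) 1 10.1.4.0 255.255.255.0
global (outside) 1 1.2.3.4 netmask 255.255.255.255
!
! Static one-to-one NAT: mapped address first, real address second.
! A static entry wins over the dynamic nat/global pair for the same real host.
static (inside,outside) 1.2.3.10 10.1.2.10 netmask 255.255.255.255
!
! Static PAT: expose only TCP/8022 on 1.2.3.11 and forward it to SSH on 10.1.2.20.
! Other traffic from 10.1.2.20 still leaves through the dynamic PAT address above.
static (inside,outside) tcp 1.2.3.11 8022 10.1.2.20 22 netmask 255.255.255.255
!
! Pre-8.3: an ACL on the outside interface is checked before the translation is
! undone, so it must match the MAPPED address, not the real one.
access-list OUTSIDE_IN extended permit tcp any host 1.2.3.11 eq 8022
access-list OUTSIDE_IN extended permit tcp any host 1.2.3.10 eq 443
access-group OUTSIDE_IN in interface outside
!
! Verification
show running-config nat
show running-config static
show xlate
! packet-tracer (available from 7.2) walks the ACL and NAT lookups for one packet:
packet-tracer input inside tcp 10.1.3.7 40000 203.0.113.5 80
packet-tracer input outside tcp 203.0.113.5 40000 1.2.3.11 8022
```

The two `packet-tracer` runs are the check to keep: the first should end with an xlate to 1.2.3.4, the second should show the OUTSIDE_IN permit and the untranslation to 10.1.2.20:22. If the ACL entry had been written against the real address, the second trace would fail at the ACL phase.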

Aileron88
Level 1

So just to add another question, as I'm still trying to get my head around how this all works...

I've turned nat-control off. I've got configuration to say simply:

nat (inside) 1 0 0

nat (outside) outside address & mask

So from what I can tell this will translate anything to the outside address. I also have a DMZ hanging off the firewall. What happens when I send traffic from the inside to the DMZ? Will the ASA attempt to NAT this traffic? Do I need to add nat 0 rules for all the destinations in the DMZ that I don't want the ASA to NAT to?

Thanks,

Adam

Hi Adam,

What happens when I send traffic from the inside to the DMZ?
When you send traffic from inside to DMZ, the traffic is allowed by default; as you might have heard, traffic from a higher security level (inside 100) to a lower level (DMZ 90 or x) is allowed by default.
For this kind of traffic the ASA never does any NAT translation.
The ASA does NAT translation when traffic originates from DMZ to inside.


Please rate all the helpful posts.
Regards,
Naidu.

Hi,

If nat-control is off then it's not mandatory to do any NAT, but if your inside addresses are private, so not routable on the Internet, then you'll have to do NAT anyway (static and dynamic).

Regards.

Alain

Don't forget to rate helpful posts.

Hi Alain,


If nat-control is off then it's not mandatory to do any NAT, but if your inside addresses are private, so not routable on the Internet, then you'll have to do NAT anyway (static and dynamic).

I am not quite understanding this, could you please explain more on this?


What do you mean by "if your inside address is private so not routeable on the internet then you'll have to do NAT anyway"?

I think inside addresses are always private (corporate LAN) and outside addresses are public (Internet).


Please rate all the helpful posts.
Regards,
Naidu.

Hi Naidu,

I just emphasised what the nat-control command does, that is, it forces you to do NAT from a higher level to a lower level.

Now if you have a DMZ and inside, with nat-control disabled there is no need to NAT any more from inside to DMZ, but there must exist a route for DMZ to reach inside and the same for DMZ to inside (you just need an ACL permitting traffic inbound on DMZ).

I've never seen such a topology with public addresses on inside or DMZ, but it surely isn't forbidden and some may even use it.

Regards.

Alain

Don't forget to rate helpful posts.
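For the inside-to-DMZ question raised above, here is an added example (not from the thread) of the pre-8.3 way to keep inside-to-DMZ traffic untranslated while still PATing everything else to the outside. With `nat (inside) 1 0 0` in place, the ASA translates an inside-to-DMZ flow only if a matching `global (dmz) 1` line exists; with nat-control enabled and no matching global, the flow is dropped and logged as syslog 305005 ("No translation group found"), and with nat-control disabled it passes untranslated. NAT exemption (`nat 0 access-list`) makes the intent explicit either way and is evaluated before every other NAT rule. The DMZ subnet 172.16.1.0/24 and security level 50, the server addresses 172.16.1.10, 10.1.2.50 and 1.2.3.20, the second PAT address 1.2.3.5 and the ACL names are assumptions.

```cisco
! Added example, not from the thread. Pre-8.3 syntax; DMZ subnet, server addresses,
! security levels and ACL names are assumed.
no nat-control
!
! 1. NAT exemption: checked before static and dynamic rules, and bidirectional,
!    so inside<->DMZ flows keep their real addresses whichever side initiates.
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! 2. Everything else from inside is PATed to the outside address.
!    No "global (dmz) 1" exists, so this rule never translates towards the DMZ.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 1.2.3.4 netmask 255.255.255.255
!
! 3. DMZ hosts reaching the Internet get their own PAT address under a separate id.
nat (dmz) 2 172.16.1.0 255.255.255.0
global (outside) 2 1.2.3.5 netmask 255.255.255.255
!
! 4. Publish the DMZ web server; the outside ACL matches the mapped address.
static (dmz,outside) 1.2.3.20 172.16.1.10 netmask 255.255.255.255
access-list OUTSIDE_IN extended permit tcp any host 1.2.3.20 eq 80
access-group OUTSIDE_IN in interface outside
!
! 5. DMZ (level 50) to inside (level 100) is lower-to-higher, so it needs an ACL on
!    the DMZ interface. Allow only the database port the web server needs, block the
!    rest of the inside range, then let the DMZ out to the Internet.
access-list DMZ_IN extended permit tcp host 172.16.1.10 host 10.1.2.50 eq 1433
access-list DMZ_IN extended deny ip any 10.1.0.0 255.255.0.0
access-list DMZ_IN extended permit ip 172.16.1.0 255.255.255.0 any
access-group DMZ_IN in interface dmz
!
! Verification: the first trace should match the NONAT exemption and leave the
! source as 10.1.2.5; the second should build an xlate to 1.2.3.4.
packet-tracer input inside tcp 10.1.2.5 40000 172.16.1.10 80
packet-tracer input inside tcp 10.1.2.5 40000 203.0.113.5 80
show xlate
```

The order matters for the DMZ_IN list: without the explicit deny, the final `permit ip ... any` would also let the DMZ host reach every inside address, since the exemption only decides whether to translate, not whether to permit.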