ASA NAT 8.3+ - NAT Operation and Configuration Format (CLI)

Introduction

My name is Jouni Forss. I have worked in Finland at a local ISP for 5 years as a networking engineer in a unit dedicated to servicing business customers. My work for the most part consists of managing, installing and developing firewall and VPN environments that include the use of Cisco PIX, FWSM and ASA devices.

I participate in the Cisco Support Community in the Firewall and VPN sections, mainly the Firewall section.

Version History

  • 20.3.2013 Initial version
  • 22.3.2013
    • Added pictures attachment
    • Added NAT Configurations Text Files attachment

Possible Future Updates

The initial version of this document is meant to provide some basic information on the new 8.3+ NAT format. I will possibly add more sections to the document, but the main point initially was to get some version of this document out. If you want to get notifications on changes to this document, you can check the setting from the right-side panel of this page while logged in to the CSC.

Document's Purpose

This document's purpose is to act as an informative document for users new to ASA NAT configurations in general or just to the new ASA NAT 8.3+ configuration format. The content directly reflects the things I run into in my day-to-day work or things that get asked on the CSC (Cisco Support Community) Firewall and VPN sections.

The document naturally won't contain every possible NAT setup, but more might be added later. Suggestions are welcome.

NAT Operation in ASA 8.3+

Sections

The new NAT format in 8.3 (and newer) software has introduced changes to how the NAT rules are ordered in the ASA configuration. NAT configurations are now divided into 3 different Sections. The Section determines the order in which NAT rules are matched: Section 1 NAT configurations are gone through first, then Section 2 and finally Section 3.

Sections.jpg

Rule Types

There are 2 NAT Rule Types

  • Twice NAT / Manual NAT
  • Network Object NAT

The NAT Rule Types refer more to the configuration format of the NAT than to the actual type of the NAT (Dynamic PAT, Static PAT and so on). Below is more information on both of the NAT Rule Types.

Network Object NAT

Network Object NAT always consists of an "object network <object name>" configuration which holds a host address, subnet or range and binds that to a NAT rule also present inside that same "object network". In other words, all configuration related to the NAT rule is gathered under a single "object network".

Notice that this is totally different from "object-group network <object-group name>". NAT configurations CANNOT be configured under "object-group network".

This "object network <object name>" can later be referenced by its name in other configurations (ACL configurations, for example).

Twice NAT / Manual NAT

Twice NAT / Manual NAT is not configured under any "object network" or "object-group network".

Instead, Twice NAT / Manual NAT uses both "object network" and "object-group network" as its configuration parameters to define the source and destination addresses/subnets/networks/ranges of your NAT configurations.

Twice NAT / Manual NAT also lets you utilize "object service <object name>" to manipulate the source and destination TCP/UDP ports in the NAT configurations.

The key thing with Twice NAT / Manual NAT compared to Network Object NAT is that you can manipulate both the source and destination address/port parameters of the NAT. Therefore Twice NAT / Manual NAT gives you a lot more options than Network Object NAT.

Rule Types used per Section

The mentioned 3 Sections use different NAT Rule Types.

  • Section 1 uses Twice NAT / Manual NAT
  • Section 2 uses Network Object NAT
  • Section 3 uses Twice NAT / Manual NAT

Twice NAT rules are by default inserted into Section 1 of the NAT rules on the ASA, so they are the first ones matched against traffic incoming to the ASA. Network Object NAT rules are always inserted into Section 2 of the NAT rules. Twice NAT rules configured with the "after-auto" parameter will be moved to Section 3 of the NAT configuration and will therefore be the last NAT rules matched on the ASA firewall.

Sections-Rule-Types.jpg

NAT Types used with Twice NAT / Manual NAT and Network Object NAT

So far we know that NAT operates in 3 Sections and that each Section uses only a certain Rule Type.

Now we can have a look at which NAT Types are usually configured with each NAT Rule Type. Take note that the NAT Types listed below per NAT Rule Type, and the related comments inside "()", aren't the absolute truth on how you are supposed to configure NAT. It all depends on your network's complexity among other things.

NAT Types of Network Object NAT (but NOT LIMITED to)
  • Static NAT
  • Static PAT (= Port Forward)
  • Dynamic Normal PAT (Usually done as Twice NAT in Section 3 instead of Section 2)
  • Dynamic Normal NAT (Usually done as Twice NAT in Section 3 instead of Section 2)
  • Dynamic Normal NAT+PAT (Usually done as Twice NAT in Section 3 instead of Section 2)
NAT Types of Twice NAT / Manual NAT (But NOT LIMITED to)
  • Dynamic Normal PAT (Used in Section 3)
  • Dynamic Normal NAT (Used in Section 3)
  • Dynamic Normal NAT+PAT (Used in Section 3)
  • Dynamic Policy PAT (Used in Section 1, possibly Section 3)
  • Dynamic Policy NAT (Used in Section 1, possibly Section 3)
  • Dynamic Policy NAT+PAT (Used in Section 1, possibly Section 3)
  • NAT0 / NAT Exemption / Identity NAT (Used in Section 1)
  • Static Policy NAT (Used in Section 1)
  • Static Policy PAT (Used in Section 1)

What you have to notice regarding Twice NAT / Manual NAT is the fact that IT CAN BE USED IN BOTH SECTION 1 AND SECTION 3. Some of the mentioned NAT Types are therefore usually only used in Section 1 and others only in Section 3.

There is no use in placing a NAT0/Identity NAT configuration in Section 3 when every other NAT rule will possibly override it because of the order in which NAT is processed.

Sections-NAT-Types.jpg

Ordering of Rules Types Inside Sections

So as mentioned in this document already, the Sections of the NAT configuration already lay a foundation for what the order/priority of the NAT configurations should be. In addition to this, each Section has a certain ordering of NAT rules.

Section 1 and Section 3 (Twice NAT / Manual NAT)

Twice NAT / Manual NAT has its own "line" parameter value that you use with the command.

It operates/behaves the same way as ACL "line x" configurations in that it moves the existing rule (on the line used) and any rule after it one line number down without removing any existing NAT configuration. Naturally there is a chance that the configured rule will override some later rule because it was inserted in between the existing configuration.

As opposed to 8.2 (and below) software levels, this gives you the chance to insert a NAT rule where you want without the need to remove the existing NAT configurations. (Compare 8.2 Static NAT vs. Static Policy NAT between the same interfaces, for example: if the Static NAT has been configured first, it will always override the Static Policy NAT for the same interfaces.)

Section 2 (Network Object NAT)

Network Object NAT behaves more like the older 8.2 (and below) software. It has a set order by which it decides what NAT rule to use. You can't manipulate the order of the NAT rules with any kind of "line" value. The only way to control the Section 2 Network Object NAT order is through how specific the NAT rule's parameters are.

Section 2 NAT does, however, have a line number visible in some of the command output, BUT this value is determined by the ASA, and as soon as you enter a new Network Object NAT configuration the ASA calculates the new order of the Network Object NAT rules.

Below is more on what factors into the priority of which Network Object NAT rule is used.

The first deciding factor in order is the NAT Type

  • Static
  • Dynamic

Inside the above mentioned NAT Types the following order applies

  • Number of IP addresses contained in the "object network" (fewer addresses first)
  • For "object network" objects containing the same number of IP addresses, the lowest IP address is first in order
  • For "object network" objects equal on both of the above counts, the order is the alphabetical order of their names

Sections-Ordering.jpg
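The ordering rules above can be checked against a small model. The following Python is an added example, not code from this document or from Cisco: it sorts a constructed set of Network Object NAT rules with the Section 2 key just listed (static before dynamic, then fewest real addresses, then lowest real address, then object name) and places Twice NAT rules with a "line" number the way the Section 1/3 "line" parameter does. The object names and addresses are constructed for the example, and the model ignores everything else the ASA weighs (interfaces, mapped addresses, NAT sub-types).

```python
"""Ordering of NAT rules inside a Section, as an added model (not ASA code).

Encodes the two ordering behaviours described in the text:
  * Section 2 (Network Object NAT): the ASA sorts the rules itself.
  * Section 1/3 (Twice NAT / Manual NAT): the "line" parameter places a rule
    and shifts the rule previously on that line (and all later ones) down.
Object names and addresses below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ObjectNat:
    """One 'object network <name>' carrying a single nat line."""
    name: str   # object network name (CAPS, as the document suggests)
    real: str   # host/subnet as CIDR, or an address range written "a-b"
    kind: str   # "static" or "dynamic"


def real_span(real: str):
    """Return (number_of_addresses, lowest_address_as_int) for the object."""
    if "-" in real:                                   # range, e.g. 10.0.0.1-10.0.0.16
        lo, hi = (ipaddress.ip_address(p.strip()) for p in real.split("-", 1))
        return int(hi) - int(lo) + 1, int(lo)
    net = ipaddress.ip_network(real, strict=False)    # host (/32) or subnet
    return net.num_addresses, int(net.network_address)


def section2_order(rules):
    """Return Network Object NAT rules in the order the ASA evaluates them:
    static before dynamic, then fewer real addresses first, then the lowest
    real address first, then alphabetical object name."""
    def key(rule):
        count, lowest = real_span(rule.real)
        return (0 if rule.kind == "static" else 1, count, lowest, rule.name)
    return sorted(rules, key=key)


def insert_twice_nat(section, rule, line=None):
    """Place a Twice NAT rule into a Section 1/3 list the way 'line N' does:
    1-based; existing rules from that line on move one line down. Without a
    line (or past the end) the rule is appended, as the CLI does by default."""
    if line is None or line > len(section):
        section.append(rule)
    else:
        section.insert(line - 1, rule)
    return section


# Constructed Section 2 configuration, entered in arbitrary order.
SECTION2 = [
    ObjectNat("LAN", "10.10.10.0/24", "dynamic"),
    ObjectNat("WEB", "10.10.10.10/32", "static"),
    ObjectNat("DMZ-NET", "192.168.10.0/24", "static"),
    ObjectNat("VPN-CLIENTS", "172.16.0.0/20", "dynamic"),
    ObjectNat("SERVER-B", "10.10.10.5/32", "static"),
    ObjectNat("MAIL", "10.10.10.5/32", "static"),
    ObjectNat("GUEST", "10.10.30.1-10.10.30.16", "dynamic"),
]


def section2_names(rules=SECTION2):
    """Object names in evaluation order (the order 'show nat' lists them in)."""
    return [r.name for r in section2_order(rules)]


if __name__ == "__main__":
    for line, r in enumerate(section2_order(SECTION2), start=1):
        print(f"{line:2d} {r.kind:<8} {r.name:<12} {r.real}")
    s1 = insert_twice_nat([], "rule-A")
    insert_twice_nat(s1, "rule-C")
    insert_twice_nat(s1, "rule-B", line=2)      # lands between A and C
    print(s1)
```

Running it lists MAIL and SERVER-B (same single address, alphabetical) before WEB, then the /24 static, and only then the dynamic rules from smallest to largest. The point for troubleshooting is that re-entering Section 2 rules in a different order changes nothing; only the object contents do.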

NAT Configuration Structure and Considerations

The Elements and Format of NAT Configurations

This section's purpose is to go a bit more into the actual format and elements of the new NAT configurations.

From the 8.2 (and older) NAT format we remember the three commands ("global", "nat" and "static") that form the basis of the NAT configurations. Generally you would only use IP addresses or networks as the parameters of the NAT configuration. In special cases you would use "access-list" configurations to define either a NAT0 or a Policy NAT configuration.

In software 8.3 (and newer) there are no more ACLs in NAT configurations. You also very rarely refer to an actual IP address or network directly in the NAT configuration line. The new NAT format now utilizes "object network", "object service" and "object-group network" to define the parameters of the NAT configuration. Naturally the source and destination interface "nameif" and the keyword "interface" also play a role.

Objects / Object-groups

As mentioned above (and earlier in the document), the NAT configurations now rely heavily on "object" and "object-group" configuration to provide the information to the actual NAT configuration.

You will be using the following as parameters of Twice NAT / Manual NAT configurations

  • object-group network <NAME>
    • Used to define multiple networks, host addresses or a combination of both in NAT configurations
  • object network <NAME>
    • Used to define a single subnet, address range or host address in NAT configurations
  • object service <NAME>
    • Used to define source/destination services in NAT configurations

You can use the following as parameters of Network Object NAT

  • object-group network <NAME>
    • Used to define multiple networks, host addresses or a combination of both in NAT configurations
  • object network <NAME>
    • Used to define a single subnet, address range or host address in NAT configurations

And I say you "CAN" use the "object" and "object-group network" even under a Network Object NAT, but to this day I have still not done this. The situation where you might do this is when you configure a Dynamic NAT/PAT/NAT+PAT configuration as a Network Object NAT.

Naming Objects

Naming the "object" and "object-group" objects in your configuration will play a big part in your NAT configurations. As almost every single one of your NAT rules will rely on some sort of object, it's good to come up with a naming policy for objects that will remain logical. It will save you time and possibly help in troubleshooting situations as well.

My personal preference is to use CAPS when configuring the "object" or "object-group" name. The most important reason for this is the fact that almost every command on the ASA uses lower-case letters. In a NAT configuration, using CAPS means that you can read the CLI format configuration more easily, as the used "object" and "object-group" names stand out better from the configuration.

The ASA does give you some options to rename objects/ACLs in the configuration, though sadly this doesn't apply to every object type used in the NAT configurations.

You can rename

  • object network
  • object service
  • access-list

With commands

  • object network <name> rename <newname>
  • object service <name> rename <newname>
  • access-list <name> rename <newname>

You CANT rename

  • object-group

Network Object NAT

This section lists the basic configuration format for Network Object NAT.

Static NAT & Static PAT

NON - Static NAT.jpg

NON - Static PAT Interface.jpg

NON - Static PAT IP.jpg

Dynamic PAT & Dynamic NAT & Dynamic NAT+PAT

NON - Dynamic PAT.jpg

NON - Dynamic NAT.jpg

NON - Dynamic NAT+PAT.jpg

Twice NAT / Manual NAT

This section lists the basic configuration format for Twice NAT / Manual NAT.

Dynamic PAT & Dynamic NAT & Dynamic NAT+PAT

TWICE - Dynamic PAT.jpg

TWICE - Dynamic NAT.jpg

TWICE - Dynamic NAT+PAT.jpg

Dynamic Policy PAT

TWICE - Dynamic Policy PAT.jpg

Dynamic Policy NAT

TWICE - Dynamic Policy NAT.jpg

Dynamic Policy NAT+PAT

TWICE - Dynamic Policy NAT+PAT.jpg

NAT0 / NAT Exemption / Identity NAT

TWICE - NAT0 - NAT Exempt - Identity NAT.jpg

Static Policy NAT

TWICE - Static Policy NAT.jpg

Static Policy PAT

TWICE - Static Policy PAT.jpg

How to Utilize the NAT Sectioning

So far in this document we have discussed how the NAT configurations are structured in the new 8.3+ software levels.

We have seen that there are 3 Sections, processed in order

  • Section 1
  • Section 2
  • Section 3

We have seen that there is a Rule Type for each section

  • Section 1 - Twice NAT / Manual NAT
  • Section 2 - Network Object NAT
  • Section 3 - Twice NAT / Manual NAT

We have seen what NAT Types can be configured with each NAT Rule Type.

The next question would be how to organize all this information so that configuring NAT on the ASA would be as clear as possible. I personally configure NAT rules so that each Section serves a specific purpose and/or specific users.

Section 3 - The Default Dynamic Rules for Networks

The NAT configurations located in Section 3 are the last ones to be matched against a packet coming through the ASA. It seems only fitting to me that this should be the Section where you build your most basic NAT rules. Here you build the Dynamic PAT or Dynamic NAT or Dynamic NAT+PAT for all the users so that they will have some "last resort" NAT when they are connecting to networks past the ASA firewall.

As Section 3 holds Twice NAT / Manual NAT type configurations, you also have the possibility to create destination-based NAT rules, so I would also consider creating Dynamic Policy PAT / NAT / NAT+PAT rules for the users here.

In this case you will have to make sure that you order the rules under the Section correctly. This basically means that you should insert the Dynamic Policy PAT / NAT / NAT+PAT rules for a certain pair of source/destination interfaces before the Default Dynamic PAT / NAT / NAT+PAT rule, so the default rule won't override the Policy rule inside the same Section.

Section 2 - The Default Static Rules for Single Hosts

The NAT configurations located in Section 2 are matched against packets coming through the ASA before the Section 3 rules. This makes it a natural place to configure host-specific NAT rules that you don't want to fall into the Default NAT rules.

As Section 2 holds Network Object NAT rules, you don't have as many possibilities as with Twice NAT / Manual NAT. For the most common Static NAT and Static PAT configurations the Network Object NAT of Section 2 is more than enough to meet the basic requirements for hosting services.

Section 1 - The Special Dynamic/Static NAT Rules for Networks and Single Hosts

The NAT configurations located in Section 1 are matched against packets coming through the ASA before any of the other Sections. This makes Section 1 the place where you will want to configure rules that need to override any other rules you might have for the same hosts/servers/networks. Naturally, at the same time you will have to be extra careful in what you really define here, because there is obviously the highest risk of overriding something that you were not supposed to override.

As Section 1 holds Twice NAT / Manual NAT rules, you can manipulate both the source and destination parameters of the NAT. Section 1 would therefore be the Section to use, for example, for NAT0 / NAT Exempt / Identity NAT type configurations and the different Dynamic/Static Policy NAT/PAT configurations.

Sections Combined

When we combine the above defined roles of the different Sections we get the following general view of what NAT configurations we should use in each Section. Again, this is what I am used to doing and doesn't mean this wouldn't work in some other way.

  • Section 1
    • NAT0 / NAT Exemption
    • Policy PAT / NAT / NAT+PAT (for everything when Section 2 host based rules need to be overridden also)
    • Non-standard NAT configurations
  • Section 2
    • Static NAT
    • Static PAT (Port Forward)
  • Section 3
    • Default PAT / NAT / NAT+PAT
    • Policy PAT / NAT / NAT+PAT (for users)

Public IP Address Considerations

This section's purpose is simply to suggest some things to consider regarding the use of the public IP addresses you are given by the local ISP. Whether they will help you naturally depends largely on how your ISP functions and what it provides.

Single IP Address

  • Use a bridged WAN connection to the ASA when possible
  • Use a static public IP address if possible
    • Ask for the possibility of MAC-address-bound DHCP if a static public IP address isn't otherwise possible
  • If forced to use DHCP, consider using Dynamic DNS
  • Provide Internet access with Dynamic PAT and host local services with Static PAT

Probably the most common situation for any smaller company.

If possible, try to get a bridged device to provide the Internet connectivity, to enable you to use the ISP-provided public IP address straight on your ASA. This will make the related NAT configuration easier and avoid the complexity and potential problems of having a router in front of the ASA also doing NAT.

If you are planning on hosting any services on a local server or using the ASA as an endpoint for VPN connections, try to get a static public IP address from the ISP. If a static public IP address isn't possible, consider asking for the possibility of binding a DHCP address to your device's MAC address.

IP - Single IP.jpg

Small Subnet

Also a pretty common setup. Usually a /29 (or 255.255.255.248) public subnet provided to you by the ISP. Remember that 3 of the 8 IP addresses provided by the /29 sized subnet are already taken from the start for other purposes, and you will have 5 IP addresses at your disposal.

For example

  • Network 1.1.1.0/29
    • 1.1.1.0 = Network Address
    • 1.1.1.1 = Gateway (can naturally be some other IP address from the subnet)
    • 1.1.1.7 = Broadcast Address
    • 1.1.1.2 - 1.1.1.6 = Usable Addresses on your ASA (one for the ASA interface)

Probably the most common setup would be to use one public IP address as the ASA "outside" interface IP address and also as the PAT IP address for all outbound traffic from your LANs or DMZs. Other IP addresses could be reserved for Static NAT use by servers. You should only resort to Port Forward / Static PAT configurations if you know you won't have public IP addresses for all your server needs.

IP - Small Subnet.jpg

Large Subnet

I guess this is a relative term. I would already consider a /28 (255.255.255.240) or /27 (255.255.255.224) network a large public network in our cases. Personally I don't see many bigger networks/subnets handed out to business customers anymore. Only the bigger ones usually have 1 - 3 /24 subnets.

When assigned a /28, /27 or bigger network I would already consider splitting the network into 2 to be used for different purposes and in 2 different places in your network.

For example, using one subnet for the link between you and the ISP, which can be utilized for Default PAT configurations and possibly Static NAT configurations for servers other than the ones hosted on the DMZ of the ASA. The other segment could be used directly on the ASA DMZ interface or further on in your network on some other L3 device which provides the gateway for the servers.

Though naturally segmenting an already relatively small subnet (even though I call them large in this situation) means you are wasting some public IP addresses, as they will be consumed as network/gateway/broadcast addresses.

The idea/reason behind segmenting the public subnets is that you can have the actual servers with the public IP addresses without the need to resort to any special NAT setups on the ASA side. You can also avoid problems related to DNS, especially when you have a DNS server local to the users' LAN.

IP - Large Subnet.jpg

Multiple Subnets

With multiple discontinuous public subnets at our disposal I would also suggest considering the same option as above: using a subnet directly on the DMZ segments to avoid any special needs regarding NAT and DNS, while at the same time using the other subnet(s) directly on the ASA firewall "outside" facing the ISP.

IP - Multiple Subnets.jpg

One thing to keep in mind with using multiple subnets on the interface facing the ISP is that there have been changes from software version 8.4(2) -> 8.4(3) -> 8.4(4/5) in how the ASA operates with multiple subnets on one interface. This mostly depends on how the ISP has handled the routing of your public subnets.

If the ISP has for example configured a new public subnet as a "secondary" network on their gateway interface AND you are using 8.4(3) software, you will run into problems with connectivity of the hosts in the "secondary" network range. This is because of changes to ARP-related behaviour. Basically the ASA will not populate the ARP table with non-connected networks.

Your solution is either to ask the ISP to route the new subnet directly towards the ASA "outside" interface IP address OR you will have to upgrade the ASA to the 8.4(4/5) software level and use the configuration command "arp permit-nonconnected".

IP - Multiple Subnets ARP.jpg

Supporting Documentation

Cisco ASA Configuration Guides

  • Contains example configurations
  • Provides background information/theory
  • Provides information about possible limitations

http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html

Cisco ASA Command References

  • Contains more detailed information on different ASA configuration commands
  • Gives usage guidelines

http://www.cisco.com/en/US/products/ps6120/prod_command_reference_list.html

Cisco Support Community Firewall Discussion Area

  • Ask questions related to NAT from both Cisco Employees and Experts

https://supportforums.cisco.com/community/netpro/security/firewall?view=discussions

Final Word

Hopefully you have gotten some new information from this document and it has helped you in some way. If you have found it helpful, please take the time to rate it.

Suggestions about possible additions to the document are welcome. Please keep specific questions about how to configure particular NAT setups in the actual Firewall section of the CSC (link provided just above). If you happen to find some error in the document that I have missed, please let me know and I will try to correct it.

- Jouni

Revision 1 of 1, last update 03-20-2013 12:55 PM

Comments
Hall of Fame Super Silver

Jouni,

This is a very nice addition to the body of knowledge about ASA and NAT. I have myself been caught more than once by having NAT rules in the wrong section and had to fix that to get the desired behavior.

Thanks so much for the work you put into it.

Jouni,

Great job!!

Keep it up

Jouni,

Good job done!!!! It is a really nice document.

Some of the snapshots are not opening properly. It would be great if you share the document as an attachment as well.

Regards,

Saurabh

Super Bronze

Thank you all,

There were several things I originally wanted to put into the document but in the end it seemed that it would take weeks upon weeks to get the document here in some useful form.

I ended up changing the order of the content and the actual content all the time.

At least some things that I will probably consider adding to the document are

  • Attachment files for the NAT configurations so they can be more easily applied to everyone's own uses. They were originally just as text on the document but it made them harder to read so I ended up making them as pictures
  • Pictures are currently only in a MS Visio format and I will have to go through them before attaching them here
  • NAT changes from 8.3(1) to 9.1(1)
  • Viewing NAT configurations and their operation
  • Additional NAT configurations and more clarifications to the ones already mentioned
  • Originally my idea was also to make a lab network for which I would do all the common NAT configurations and attach a complete ASA configuration in CLI format here.
  • And so on

I don't know if it's the size of the document or the amount of pictures (directly copy/pasted from Visio to the document) that makes updating the document very hard. I will have to have multiple attempts to save the changes to get them through.

- Jouni

Super Bronze

Hi,

Instead of copy/pasting the pictures to the document I uploaded them in the normal way. Though this causes them to be resized in the actual document so you will have to click on them to view them in normal size.

I also added the NAT configurations shown in the pictures as a text file and all the pictures as a ZIP file.

EDIT: Uhm, seems the text files got automatically put into ZIP files too

EDIT2: Well it seems I had to click Publish again for the changes to actually be visible to everyone. I'm such a noob

- Jouni

New Member

Jouni,

Excellent Document!

New Member

I would look forward to the same document but for 8.2 as that would be of great assistance in my NAT studies beyond the common standard such as interface overload (PAT), etc. When to use NAT exemption, policy NAT types etc. seem to trip me up.

Thanks again and great document.

Jeff

Super Bronze

Hi,

The "bad" thing about the older NAT format is that I am personally using almost only the new NAT format anymore. But I might consider it. Though I would have to refresh my own information about it in the process. Then there is of course the question how useful it would be at the moment when most new implementations are already using new software.

In the meantime I suggest checking this document out

https://supportforums.cisco.com/docs/DOC-9129

It gives some NAT examples side by side in the old and new format. Though it doesn't really explain the situation they might be used in.

- Jouni

Silver

If anyone has issues with images being uploaded or not inserting.. sometimes we encounter anomalies.. please feel free to contact me - or the supportforums help alias in the Contact Us - and we will be more than happy to help!

This one is good and interesting. Good docs about 8.3 NAT statements.

Shine

New Member

This is a very good document to have in order to learn the new NAT stuff. Good Job

However, I noticed many typos and literal mistakes that I find annoying to read. I believe official Cisco documents should be published in a clear and pure English language. I understand you are from Finland but regardless of where you come from, the audience all over the world expects to understand the document well.

Thanks for uploading. Awesome

Super Bronze

Hi,

Thank you,

Though I have to say that this is not an official Cisco document as I don't work for Cisco. I am only affiliated with Cisco through the Cisco Support Community's Cisco Designated VIP program and the company I work at is a Cisco Partner. This document has been written out of my own will on my own personal time (because there seemed to be a lot of questions related to this subject and it's a subject I have had to deal with a lot through my work).

Would you mind mentioning the typos and errors you have noticed so that they can be corrected?

- Jouni

New Member

Jouni, it is hard to pick them up right now as they are in different places in the document. I am reading your excellent document and I will try to hunt them one by one as I am reading.

By the way, this document is a gift to all who are not familiar with the new NAT command formats.

Great effort.

Super Bronze

Hi,

Ok, the document does have several things that bother me as well that I plan to change. I basically put it out there before it was fully done because I was worried I would end up not finishing it at all if I didn't put it out in some form.

For example the NAT example section is totally lacking explanations of the configuration formats other than the pictures that are meant to at least somehow illustrate what is happening with each command/configuration.

The IP address section's pictures have a lot of needless information as I first imagined I would give a complete example network for which we build NAT rules but I ended up scrapping that idea for now.

Then I am for example missing a lot of other types of NAT setups that are commonly asked about here on the CSC.

Just waiting for that right time again when I feel I have enough energy to put some hours into this document again. But as always, getting started with it is the hardest part.

- Jouni

New Member

Take your time please. You already did a nice job.

I have a couple of questions regarding the NAT rule sections that confuse me.

1- You stated between the "()" that the Dynamic NAT/PAT/both are usually processed by section 3 instead of section 2 but in the "Rule types and NAT types in sections" picture you stated that they are processed in section 1. Does this mean that both sections process these NAT types, taking into account the overriding behavior in case of conflicting parameters? For example, if I have a host/subnet stated in a NAT rule in section 3 and this same host/subnet stated in a NAT rule in section 1, then section 1 overrides section 3.

2- If I configure a dynamic rule using the Network Object NAT, why is it processed by section 1 or 3 when we know already that these sections process Twice NAT rules?

3- What did you mean by "Default Dynamic and Static Rules" in sections 3 and 2 respectively? Do you mean there are default NAT rules that come with the appliance out of the box in those sections?

Last thing to add in this document is to also mention the directions of initiating connections in the pictures. For example, static supports inbound/outbound, dynamic supports outbound only, ...etc.

Thx

        Super Bronze

        Hi,

        Some of the things you mention are already some things I know I need to clarify.

A lot of the NAT Types and their used Sections are based on my own preference on how I usually configure them.

I should probably remove any reference to normal Dynamic PAT, Dynamic NAT or Dynamic NAT+PAT in Section 1 as it's not really a common place where they would be used anyway. I guess my idea was simply to illustrate that you can configure it in pretty much each Section of the NAT. But I have not followed the same logic in every section of the document and every picture for that matter. So it's certainly something that needs clarification when I next edit this document.

As you say at the end of your first question, if you have a Dynamic PAT rule configured with the same source network in Section 1 and Section 3, then the Section 1 rule will always be applied.

I guess with hindsight I can say that it was a bad idea to list all the NAT types you can configure in a certain section, as most of the time you don't use them at all. For example Dynamic PAT in Section 1 wouldn't usually make any sense unless you have a very, very simple network setup. In a larger environment you would be bound to override other NAT rules unless everything was configured in Section 1.

To give you an example related to the Dynamic PAT configuration of Section 2 vs. Section 3:

Let's take this starting situation:

        • 3 LAN networks
          • 10.10.10.0/24
          • 10.10.20.0/24
          • 10.10.30.0/24
        • 2 DMZ networks
          • 192.168.10.0/24
          • 192.168.20.0/24
        • ALL LAN and DMZ networks are behind their own interfaces
        • We want to provide basic Dynamic PAT for outbound access to all these networks

Section 2 - Network Object NAT configurations

object network LAN1
 subnet 10.10.10.0 255.255.255.0
 nat (lan1,outside) dynamic interface
object network LAN2
 subnet 10.10.20.0 255.255.255.0
 nat (lan2,outside) dynamic interface
object network LAN3
 subnet 10.10.30.0 255.255.255.0
 nat (lan3,outside) dynamic interface
object network DMZ1
 subnet 192.168.10.0 255.255.255.0
 nat (dmz1,outside) dynamic interface
object network DMZ2
 subnet 192.168.20.0 255.255.255.0
 nat (dmz2,outside) dynamic interface

Section 3 - Manual NAT / Twice NAT

object-group network DEFAULT-PAT-SOURCE
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
 network-object 10.10.30.0 255.255.255.0
 network-object 192.168.10.0 255.255.255.0
 network-object 192.168.20.0 255.255.255.0
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

So as you can see there is a very BIG difference in the amount of configuration generated. In the Section 2 configuration you create an "object network" and a "nat" statement for every single network that needs to be PATed.

In the Section 3 example you simply configure a single "object-group network" to define all the source networks for the Dynamic PAT and use it in the "nat" command. We also use "any" as the source interface in the "nat" configuration so that any source interface is accepted.

If you were to have several different VPN Pools, for example, that needed outbound access while in Full Tunnel mode, you could simply add the VPN pools to the existing "object-group network" and they would be covered by the existing "nat" configuration without creating anything new.

        So yes, that section of the document will need some additions and clarifications.

        EDIT:

Now that I think of it, I wonder if one way (if not the only way) to configure Dynamic PAT for all networks in a single command using Network Object NAT would be

object network ALL
 subnet 0.0.0.0 0.0.0.0
 nat (any,outside) dynamic interface

Though I guess this takes away any direct control of the source networks, it minimizes the amount of configuration generated compared to the above example.

        2.)

        If you have configured Dynamic PAT in all 3 Sections.

        • Manual NAT / Twice NAT in Section 1
        • Network Object NAT in Section 2
        • Manual NAT / Twice NAT in Section 3 (with the "after-auto" added to the Section 1 configuration format)

You would naturally have a situation where Section 1 would override either of the other 2 rules. Furthermore it would possibly override everything else also configured for those source networks. Static NAT and Static PAT would fail. NAT Exempt would fail. Provided of course the Section 1 Dynamic PAT rule we are talking about is placed at spot "1" in the order of Section 1 NAT rules.

        3.)

This is also one thing that might naturally mislead, as it's really not a basic term Cisco uses.


What I personally mean by Default rules is just rules that you configure to "catch" all the connections/traffic that doesn't have specific rules. Good examples of these are at the top of this reply where we build a Dynamic PAT rule for ALL of our 5 networks behind the ASA. So by default rule I mean a NAT rule/configuration that should be matched when there is absolutely no other NAT configuration for that connection/traffic. Therefore it should be at a very low priority. In my case I use Section 3 to configure default Dynamic PAT for my LAN networks. Some people use Section 2 Network Object NAT. It might be the default way the ASA creates the default rules through ASDM; I am not sure as I don't use ASDM to configure NAT or ACLs or almost anything.

        Thank you for the last idea also. I'll be sure to keep that in mind. That section in a whole needs a lot of work anyway. The pictures were a compromise at the end when I tried to finalize the document.

        - Jouni

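To make the section walk in Jouni's reply above concrete, here is a small Python model added by the editor; it is not part of the original document and not Cisco code, and every rule name, object name and address in it is made up for the example. It encodes the documented lookup order (Section 1 in configured order, Section 2 in the ASA's own static-first / most-specific-first order, Section 3 in configured order) and adds a check for rules that can never be hit, which is exactly what a Dynamic PAT placed first in Section 1 does to the static and identity rules beneath it.

```python
"""Model of how ASA 8.3+ walks its NAT table (added example, not from the post).

Section 1 (manual/twice NAT) is checked in configured order, then Section 2
(network object NAT) in the order the ASA derives itself, then Section 3
(manual NAT with after-auto) in configured order. The first rule whose real
source (and, for manual NAT, destination) matches the packet is used. The
Section 2 ordering encoded here is the documented one: static before
dynamic, fewer real addresses first, then lower address, then object name.
All rule names, object names and addresses below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class NatRule:
    name: str                 # label used only in this model
    section: int              # 1, 2 or 3
    kind: str                 # "static", "identity" or "dynamic" (NAT/PAT)
    real_src: str             # real source network, e.g. "10.10.10.0/24"
    dest: str = "0.0.0.0/0"   # destination; object NAT never looks at it
    order: int = 0            # configuration order inside Section 1 / 3
    object_name: str = ""     # Section 2 tie-breaker

    @property
    def src_net(self):
        return ip_network(self.real_src, strict=False)

    @property
    def dst_net(self):
        return ip_network(self.dest, strict=False)


def section2_key(rule):
    """Order the ASA applies to Section 2 rules regardless of config order."""
    return (1 if rule.kind == "dynamic" else 0,
            rule.src_net.num_addresses,
            int(rule.src_net.network_address),
            rule.object_name)


def ordered_rules(rules):
    """Full evaluation order across the three sections."""
    s1 = sorted((r for r in rules if r.section == 1), key=lambda r: r.order)
    s2 = sorted((r for r in rules if r.section == 2), key=section2_key)
    s3 = sorted((r for r in rules if r.section == 3), key=lambda r: r.order)
    return s1 + s2 + s3


def lookup(rules, src, dst):
    """Return the first rule that matches a packet, as the ASA would."""
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    for rule in ordered_rules(rules):
        if src_ip in rule.src_net and dst_ip in rule.dst_net:
            return rule
    return None


def shadowed_rules(rules):
    """Rules that can never match because an earlier rule covers them.

    Returns (shadowed_name, shadowing_name) pairs. A non-empty result is the
    sign that a broad rule sits too high, which is the Section 1 Dynamic PAT
    problem described in the thread.
    """
    ordered = ordered_rules(rules)
    found = []
    for i, rule in enumerate(ordered):
        for earlier in ordered[:i]:
            if (rule.src_net.subnet_of(earlier.src_net)
                    and rule.dst_net.subnet_of(earlier.dst_net)):
                found.append((rule.name, earlier.name))
                break
    return found


# Constructed rule set: a VPN exemption in Section 1, a static for one web
# server plus Dynamic PAT for LAN1 in Section 2, and a catch-all after-auto
# Dynamic PAT in Section 3 (the "default rule" of the reply above).
RULES = [
    NatRule("VPN-EXEMPT", 1, "identity", "10.10.10.0/24",
            dest="192.168.100.0/24", order=1),
    NatRule("WEB1-STATIC", 2, "static", "10.10.10.5/32", object_name="WEB1"),
    NatRule("LAN1-PAT", 2, "dynamic", "10.10.10.0/24", object_name="LAN1"),
    NatRule("DEFAULT-PAT", 3, "dynamic", "0.0.0.0/0", order=1),
]

# Same set plus a Dynamic PAT for LAN1 placed first in Section 1.
RULES_WITH_MISPLACED_PAT = [
    NatRule("LAN1-PAT-SECTION1", 1, "dynamic", "10.10.10.0/24", order=0)
] + RULES


if __name__ == "__main__":
    for src, dst in [("10.10.10.5", "203.0.113.9"),
                     ("10.10.10.5", "192.168.100.7"),
                     ("10.10.20.7", "203.0.113.9")]:
        print(src, "->", dst, ":", lookup(RULES, src, dst).name,
              "/ with misplaced PAT:",
              lookup(RULES_WITH_MISPLACED_PAT, src, dst).name)
    print("shadowed:", shadowed_rules(RULES_WITH_MISPLACED_PAT))
```

With RULES as given, the web server hits its Section 2 static (static sorts before the broader LAN1 dynamic rule), VPN-bound traffic hits the Section 1 exemption, and a host in a network with no rule of its own falls through to the Section 3 catch-all. Adding the Section 1 Dynamic PAT makes shadowed_rules report the exemption, the static and the LAN1 object rule as unreachable, which is the failure Jouni describes. The model only compares real source/destination prefixes; it does not model ports, interfaces or the static-vs-dynamic reverse-direction behaviour.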
        New Member

Wow! I really didn't expect this detailed and nice reply. Appreciate it.

Well, I am still trying to understand the ordering scheme of the new NAT. I am currently using the 8.2 OS and there will be a plan for an upgrade soon. The new configuration stuff isn't so hard, but my understanding issue is with the new ordering scheme that is called "Sections"; it confuses me a bit. However, your explanation answered many questions in my mind. Surely, it will take some time to get used to the new NAT feeling. Also, new NAT types (standard or non-standard) came up recently that added extra challenges such as multiple layers or Double NAT, Destination NAT, and others. Like anything in the world, NAT can be as simple as delicious apple pies or as complicated as the maze game.

        Wish you the best luck with your document.

        Cisco Employee

Excellent document! Please add complex scenarios like DYN NATting between inside, dmz and outside with a single pool.

        New Member

        Excellent document ............

        New Member

        Thanks

This document is very helpful. Also for the CCIE Security exam.

Kill NAT 8.4 >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

New Member

This is the greatest article I've ever seen, even better than Cisco official training or their online docs...

        New Member

Does anyone know how to download this as a PDF document? I have looked and do not see how to do it.

        Super Bronze

Hi,

On the right hand side there is a box with information about this document. It seems to have a Save button that lets you save this document as a PDF. The problem is that in my case at least it just converts about 2 pages of this document to PDF and leaves out the rest.

Also a problem is that since the Cisco Support Community went through a complete change, the format of the document in its above form suffered. The text spacing among other things is not like it was before the forum update. It seems also that the document conversion to PDF through this page stopped working after the update, since you used to be able to load the whole document as a PDF.

- Jouni

        New Member

Great doc by Jouni. I want to add to the NAT table sectioning since I still get a lot of questions about just that.

I have come to realise that section 2 (auto-NAT/object NAT) and its purpose causes the most confusion given the presence of 1 and 3. Object-NAT is the simplest and easiest to understand and deploy when one cares only about the *source*.

        On to section 3 now:

Actually, *everything* can be accomplished via sections 1 and 3 only. A combination of 1, 2 and 3 gives the user the additional ability to keep NAT *organized*.

        Here's how I do it:

All identity NAT (nat 0 / nat exemptions) go in section 1

        All NATs where the *destination* has to be taken into account goes into section 1

All NATs where the source (the more-specific kind) needs to be mapped to a specific IP but the *destination IP* is a don't-care go into section 2

All NATs where the source is a subnet/range and the destination may or may not matter go into section 3.

...and now a question for everyone including Jouni: (Jouni, how would you do the following?)

        Consider this:

I have 300+ web-servers in my DMZ. The destination does not matter. So strictly speaking, I could make it work in section 1, 2 or 3. Section 2 obviously wouldn't scale. I put them in section 3, where an object-group network web-real has the 300+ real IPs and an object-group network web-mapped-ips has the corresponding number of mapped IPs (1-to-1). The only thing I have to always remember is IF/WHEN I have to *remove* a real IP, I need to remove the corresponding mapped IP from the mapped-ip object group immediately so as not to break all translations for hosts below the point of removal.

        -Diasporia

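The removal pitfall in the post above is easy to reason about with a model, so here is one added by the editor; it is not from the post and not Cisco code. It models the behaviour the post describes (the ASA pairs the first real address with the first mapped address, the second with the second, and so on) and shows what happens when a real entry is deleted without its mapped partner. The group contents are constructed, and the group names are the ones the post uses.

```python
"""Model of one-to-one static NAT between two object-groups (added example,
not from the post and not Cisco code). It models the behaviour the post
describes: entries are paired by position, so deleting one entry from only
one of the two groups shifts every pairing after the deletion point.
The group contents below are constructed.
"""


def static_map(real_group, mapped_group):
    """Positional pairing; surplus entries in the longer group stay unpaired."""
    return dict(zip(real_group, mapped_group))


def audit_groups(real_group, mapped_group):
    """Problems a pre-change check should flag before pushing the config."""
    problems = []
    if len(real_group) != len(mapped_group):
        problems.append(f"size mismatch: {len(real_group)} real vs "
                        f"{len(mapped_group)} mapped")
    for label, group in (("real", real_group), ("mapped", mapped_group)):
        if len(set(group)) != len(group):
            problems.append(f"duplicate address in {label} group")
    return problems


def remove_server(real_group, mapped_group, real_ip, fix_mapped=True):
    """Remove real_ip from the real group; with fix_mapped also drop its partner.

    fix_mapped=False reproduces the mistake the post warns about: the real
    entry is removed but the mapped group is left untouched.
    """
    idx = real_group.index(real_ip)
    new_real = real_group[:idx] + real_group[idx + 1:]
    if fix_mapped:
        new_mapped = mapped_group[:idx] + mapped_group[idx + 1:]
    else:
        new_mapped = list(mapped_group)
    return new_real, new_mapped


def shifted_translations(real_before, mapped_before, real_after, mapped_after):
    """Hosts whose mapped address differs between the two configurations."""
    before = static_map(real_before, mapped_before)
    after = static_map(real_after, mapped_after)
    return {host: (before[host], after.get(host))
            for host in before
            if host in after and before[host] != after[host]}


# Constructed groups: five web servers and five public addresses (RFC 5737).
WEB_REAL = [f"10.50.0.{i}" for i in range(1, 6)]
WEB_MAPPED = [f"203.0.113.{i}" for i in range(1, 6)]


if __name__ == "__main__":
    good = remove_server(WEB_REAL, WEB_MAPPED, "10.50.0.2")
    bad = remove_server(WEB_REAL, WEB_MAPPED, "10.50.0.2", fix_mapped=False)
    print("both groups edited:", shifted_translations(WEB_REAL, WEB_MAPPED, *good))
    print("only real edited:  ", shifted_translations(WEB_REAL, WEB_MAPPED, *bad))
    print("audit:", audit_groups(*bad))
```

Removing 10.50.0.2 together with 203.0.113.2 changes nothing for the other hosts; removing only the real entry moves 10.50.0.3 onto 203.0.113.2, 10.50.0.4 onto 203.0.113.3 and 10.50.0.5 onto 203.0.113.4, which is the silent breakage the post describes, and audit_groups reports the size mismatch before the change is applied.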
You would use a load balancer so this would never really come into play in the real world.

New Member

...this is actually one of those real world corner cases. I have been trying to explain to layer 8 and above why an LB is needed... :-)

        New Member

Nice document.

Thank you very much!!

--Rajiv

        New Member

Thank you very much for focusing so much on these important details. Everyone will talk about how NAT can be done in the object or globally, but not many further explain the concept of those 3 sections.

This helped me out a lot!

Ben

        New Member

        Hi Jouni,

Thank you for the very informative post. This has been immensely helpful to us in our deployment!

I was also hoping you could shed some light on failover NAT scenarios, e.g. an ASA multi-homed to two ISPs and configured for failover. In our case, we'll be configuring BGP in a 9.2+ software version, so we'll be using BGP for failover routing etc. However, I'm not too sure as to how we can configure our PAT addresses for failover, since a different address will be used for PAT through each ISP.

Regards,

Alireza

        New Member

        Jouni,

        Thanks for this great document, it is really very detailed and a great help indeed.

        Regards,

        Josh

        New Member

        just WOW! that was great ;)

        New Member

        Hi Jouni,

Thanks for the info. But I would like to know which is best for this scenario: allowing specific addresses in NAT while any other addresses are not allowed.

Thanks

        New Member

        Excellent Document

        Thank you very much !!

        New Member

I go through this document more often to refresh my ASA NAT knowledge. I must appreciate the efforts put in by Jouni. Thank you very much.

I have one query though.
If I have 2 twice NAT statements:
1. Static PAT (for port forwarding)
2. Identity NAT (for a site-to-site VPN tunnel)

Considering the execution of section 1 NAT rules, traffic from the internal server for which I have added the 1st NAT rule won't be able to pass through the tunnel because rule 1 always gets executed.

Correct me if I am wrong?

        New Member

Thank you very much for this valued document. It helps me a lot in day-to-day jobs on firewall NATting.

        thank you very much.

        New Member

Excellent document, thank you very much!!

Thank you very much!

New Member

Right now I am working on an ASA 5505 firewall.

        New Member

        Hi,

        Thanks for this!


        What is the order of operation then if the traffic is from a lower security level to a higher security level?

        Example:
        lower security interface > higher security interface
        1.acl
        2.twice nat
        3.route
        source IP (unchanged) > destination IP (translated or changed)

Would the return traffic also need an ACL allowing
higher security interface > lower security interface
source IP (translated) > source IP (changed back to mapped IP), destination IP?

        If you need further details, please just ask.


        Cheers,

        New Member

The inbound ACL applied to the lower-security interface will reference the real destination IP, not the mapped IP.

So the order: NAT (untranslate), consult the ACL and, if allowed, route to the real destination.

Return traffic doesn't need to be explicitly allowed via a separate inbound ACL on the higher-security interface.

Pre-8.3 implementations needed the mapped destination IP.

Order: consult the ACL and, if the mapped destination IP is allowed, untranslate to the real destination IP and route.

First of all, I want to thank Jouni Forss for posting such a useful document. I came across it because I was looking for HOW TO APPLY ACLs to NAT/PAT on the ASA. I am quite familiar with IOS, so I was thinking that it would be like in IOS. I mean, in IOS NAT/PAT is defined by ACLs. I am wondering, are there more options than applying ACLs to the interfaces for packet filtering for NAT/PAT on the ASA?

        Cheers.
