OSI Matrix

Cisco ASA 8.3 / 8.4 NAT Guide (simple yet practical overview)

I’ve never been a big fan of NAT, as I feel it limits what the Internet was meant to be. In addition, I never thought of NAT as much of a “protection” for business networks. Best practice has always called for proper ACLs and inspections for security management rather than relying on the presence or absence of NAT.

So, I personally like the new ASA 8.3+ NAT scheme; to me it’s more object-oriented, flow-oriented and modular than the previous NAT schemes.

Also, NAT-CONTROL is now gone (deprecated). I won’t miss it. That was just a legacy “thing” from the old PIX days. I’m happy it’s gone. ;) If you still want something like NAT-CONTROL, you’d have to create a bunch of unnecessary and convoluted “object_any” or “0.0.0.0” dynamic NAT rules for the desired interfaces. I’m sure you have better things to do. ;-p

OK; these are some practical 8.3 NAT configuration samples along with pre-8.3 analogous configurations:

LAN/inside network: 10.10.10.0 /24
outside interface IP: 1.1.1.1/27
remote access VPN IP pool: 192.168.245.0/24

*********
8.2 > Dynamic overloaded interface NAT (PAT) before 8.3 (e.g. in version 8.2):
global (outside) 100 interface
nat (inside) 100 10.10.10.0 255.255.255.0
!
!
!
8.3 > Dynamic overloaded interface NAT (PAT) with 8.3 and up (AKA “Auto-NAT”, i.e. the nat statement lives inside the network object):
object network INSIDE-HOSTS_10.10.10.0
subnet 10.10.10.0 255.255.255.0
nat (inside,outside) dynamic interface
!
!!This could be another PAT method (this is from Cisco); it is Manual (twice) NAT, where the nat statement sits outside the object:
ASA(config)#object network Generic_All_Network
ASA(config-obj)#subnet 0.0.0.0 0.0.0.0
ASA(config-obj)#exit
ASA(config)#nat (inside,outside) source dynamic Generic_All_Network interface
!
!
object network WAN_SECONDARY_IP_2.2.2.2
host 2.2.2.2
!
object network OBJ_DMZ-HOSTS_172.16.1.0
subnet 172.16.1.0 255.255.255.0
nat (dmz,outside) dynamic WAN_SECONDARY_IP_2.2.2.2
!
!!Note: as a best practice, or often a necessity, you’d want to NAT DMZ traffic to a different public IP.
!!In the above example it is the secondary WAN IP (2.2.2.2).

*********

8.2 > Dynamic ANY overloaded interface NAT (PAT) with 8.2:
global (outside) 100 interface
nat (inside) 100 0 0
!
!
!
8.3 > Dynamic ANY overloaded interface NAT (PAT) with 8.3:
object network ANY-0.0.0.0
subnet 0.0.0.0 0.0.0.0
nat (inside,outside) dynamic interface
!
!!Note: as a best practice, or often a necessity, you’d want to NAT DMZ traffic to a different public IP (see the DMZ example above).

**********

8.2 > NAT exemption used for VPN purposes (i.e. No NAT):
access-list NAT_EXEMPT_OUTBOUND extended permit ip 10.10.10.0 255.255.255.0 192.168.245.0 255.255.255.0
!
nat (inside) 0 access-list NAT_EXEMPT_OUTBOUND

!
!
!

8.3 > NAT exemption used for VPN purposes (i.e. No NAT):
object network INSIDE_HOSTS-10.10.10.0
subnet 10.10.10.0 255.255.255.0
!
object network RAVPN_HOSTS-192.168.245.0
subnet 192.168.245.0 255.255.255.0
!
nat (inside,outside) source static INSIDE_HOSTS-10.10.10.0 INSIDE_HOSTS-10.10.10.0 destination static RAVPN_HOSTS-192.168.245.0 RAVPN_HOSTS-192.168.245.0
!!In simple terms, this says: do NOT NAT (each object translates to itself, i.e. identity NAT), or “double NAT” ;)

**********

8.2 > Inside to DMZ traffic (if NAT-CONTROL is enabled):
static (inside,DMZ) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
!!If NAT-CONTROL is enabled, traffic from a higher-security to a lower-security
!!zone must be NAT’d. If NAT-CONTROL is not enabled, then as long as
!!routing and ACLs are satisfied, traffic from inside to DMZ flows
!!normally. If you have NAT-CONTROL, you’d need some downtime
!!if you wish to remove it, as you’ll have to redo all NAT configurations, so I’d be
!!careful.

8.3 > Inside to DMZ traffic:
!!There’s really no explicit or “out-of-the-box” need for NAT between inside
!!and DMZ unless deemed necessary by specific requirements.
!!Since NAT-CONTROL is deprecated, there’s no need to have NAT to
!!have inside communicate with DMZ.
!
!
!

8.2 > Port Forwarding for Servers:
static (DMZ,outside) tcp 1.1.1.1 https 10.10.10.50 https netmask 255.255.255.255
!!Yes, it was pretty confusing in 8.2

8.3 > Port Forwarding for Servers:
object service TCP-POP3-110
service tcp source eq pop3
!!Note: the port is given as the "source" port because the service object describes the server's (real host's) side of the connection.
!
object network WAN_IP_3.3.3.3
host 3.3.3.3
!
object network SERVER_OBJECT_10.10.10.50
host 10.10.10.50
!
nat (DMZ,outside) source static SERVER_OBJECT_10.10.10.50 WAN_IP_3.3.3.3 service TCP-POP3-110 TCP-POP3-110
!!The object names in the nat statement must match the defined objects exactly, or the rule will be rejected.
!!The new NAT scheme is actually much more straightforward and clear.
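The 8.3 examples above all hinge on object names referenced from nat statements resolving to objects of the right type (a typo in a name is the most common reason a migrated port-forward or VPN exemption does nothing). As an added example that is not part of the original guide, here is a small Python checker that parses a constructed config modelled on the guide's objects, resolves every object referenced by Auto-NAT and Manual (twice) NAT statements, and reports dangling or wrong-kind references as well as identity (no-NAT) rules. The sample config, the `BUILTIN` set and the function names are my own assumptions; the last nat line in the sample deliberately carries undefined names so the checker has something to report.

```python
import re

# Constructed sample, modelled on the guide's 8.3 examples (not a real device config).
# The final nat line deliberately refers to object names that are never defined.
SAMPLE_CONFIG = """\
object network INSIDE_HOSTS-10.10.10.0
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
object network RAVPN_HOSTS-192.168.245.0
 subnet 192.168.245.0 255.255.255.0
!
object network WAN_IP_3.3.3.3
 host 3.3.3.3
!
object network SERVER_OBJECT_10.10.10.50
 host 10.10.10.50
!
object service TCP-POP3-110
 service tcp source eq pop3
!
nat (inside,outside) source static INSIDE_HOSTS-10.10.10.0 INSIDE_HOSTS-10.10.10.0 destination static RAVPN_HOSTS-192.168.245.0 RAVPN_HOSTS-192.168.245.0
nat (DMZ,outside) source static SERVER_OBJECT_10.10.10.5 WAN_IP_OBJECT_3.3.3.3 service TCP-POP3-110 TCP-POP3-110
"""

# Keywords that may legitimately appear where an object name is expected.
BUILTIN = {"interface", "any"}
AUTO_NAT = re.compile(r"nat \(([\w-]+),([\w-]+)\) (static|dynamic) (\S+)")
MANUAL_NAT = re.compile(r"nat \(([\w-]+),([\w-]+)\) (.*)")


def parse_asa_nat(config):
    """Return (objects, rules). objects maps name -> 'network' | 'service';
    rules is a list of dicts, one per nat statement (auto or manual)."""
    objects, rules, current = {}, [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None                       # '!' or blank ends an object block
            continue
        if line.startswith("object "):
            _, kind, name = line.split()
            objects[name] = kind
            current = (kind, name)
            continue
        if raw[:1].isspace() and current:        # sub-command of the current object
            sub = line.strip()
            if sub.startswith("nat ("):          # Auto-NAT: real object is the container
                m = AUTO_NAT.match(sub)
                rules.append({"kind": "auto", "ifaces": (m.group(1), m.group(2)),
                              "refs": {"source": [current[1], m.group(4)],
                                       "destination": [], "service": []},
                              "text": sub})
            continue
        if line.startswith("nat ("):             # Manual (twice) NAT at top level
            m = MANUAL_NAT.match(line)
            tokens = m.group(3).split()
            refs = {"source": [], "destination": [], "service": []}
            i = 0
            while i < len(tokens):
                if tokens[i] in ("source", "destination"):
                    refs[tokens[i]] = [tokens[i + 2], tokens[i + 3]]  # skip static|dynamic
                    i += 4
                elif tokens[i] == "service":
                    refs["service"] = [tokens[i + 1], tokens[i + 2]]
                    i += 3
                else:
                    i += 1                       # options such as no-proxy-arp, route-lookup
            rules.append({"kind": "manual", "ifaces": (m.group(1), m.group(2)),
                          "refs": refs, "text": line})
    return objects, rules


def check_nat_config(config):
    """Resolve every object referenced by a nat rule and flag identity rules."""
    objects, rules = parse_asa_nat(config)
    errors, identity = [], []
    expected_kind = {"source": "network", "destination": "network", "service": "service"}
    for rule in rules:
        refs = rule["refs"]
        for section, expected in expected_kind.items():
            for name in refs[section]:
                if name in BUILTIN:
                    continue
                kind = objects.get(name)
                if kind is None:
                    errors.append(f"{rule['text']}: object {name} is not defined")
                elif kind != expected:
                    errors.append(f"{rule['text']}: {name} is an object {kind}, expected {expected}")
        src, dst = refs["source"], refs["destination"]
        # Real == mapped on both sides means the rule translates nothing (NAT exemption).
        if src and src[0] == src[1] and (not dst or dst[0] == dst[1]):
            identity.append(rule["text"])
    return {"objects": objects, "rules": rules, "errors": errors, "identity": identity}


if __name__ == "__main__":
    result = check_nat_config(SAMPLE_CONFIG)
    print(f"{len(result['rules'])} nat rules, {len(result['objects'])} objects")
    for err in result["errors"]:
        print("ERROR:", err)
    for text in result["identity"]:
        print("identity (no-NAT) rule:", text)
```

Run against a `show running-config` capture, the checker lists rules whose object names do not resolve and rules whose service objects are used where network objects are expected; identity rules are listed separately so the VPN exemptions can be reviewed on their own.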


33 responses to “Cisco ASA 8.3 / 8.4 NAT Guide (simple yet practical overview)”

  1. ccieid10t 17/08/2011 at 14:54

    sweet!!!!!! Thanks for the blog. Helped me out a lot.

    • Kaveh 17/08/2011 at 19:52

      You’re welcome! :)

      • Jeff 20/06/2012 at 08:01

        Could you help me please? I’m trying to NAT a DMZ host to an external address and the same host to an Inside address. Is that possible?

      • Kaveh 15/07/2012 at 15:48

        Hey Jeff; my sincere apologies for delay in responding! Bunch of emails ended up in Junk folder! :-o Do you still need help?

  2. Philip 20/09/2011 at 11:07

    This helped me out of a jam. Thanks!

  3. swampie51 27/09/2011 at 14:43

    1.0.0.0.1 NICE. Great description and some excellent examples.

  4. ravi 31/10/2011 at 09:17

    Thank you. This is awesome.

  5. wavemotion 11/11/2011 at 06:05

    Ty Buddy!

  6. Greg 16/11/2011 at 14:17

    You made sense of a lot of gobbledygook on Cisco’s website… Thanks a bunch!!!

  7. Allen 04/01/2012 at 08:00

    This is great – I do have a question though…..

    In 8.2, for instance to NAT the 10.10.10.0/24 subnet to the outside interface you use the following configuration:

    nat (inside) 1 10.10.10.0 255.255.255.0
    global (outside) 1 interface

    The “1” tag links the NAT statement with the GLOBAL statement.

    In 8.3 the same configuration is accomplished by the following config, as you have shown in your examples above:

    object network INSIDE_HOSTS
    subnet 10.10.10.0 255.255.255.0
    !
    nat (inside, outside) dynamic interface

    Question: What ties the nat statement to the defined object INSIDE_HOSTS statement?

    Thanks in advance,
    Allen

    • Kaveh 04/01/2012 at 13:54

      Hi Allen,
      Thanks for the comment.

      With 8.3:
      8.3 > Dynamic overload interface NAT (PAT) with 8.3 and up (AKA “Auto-NAT”):
      object network INSIDE-HOSTS_10.10.10.0
      subnet 10.10.10.0 255.255.255.0
      nat (inside,outside) dynamic interface
      !

      that “nat” statement is actually embedded within the network_object “container”. In other words, when you create that network object, in it, you create a dynamic PAT scheme….this is one way of doing it. Does this answer your question?

      Cheers,
      Kaveh.

      • Allen 11/01/2012 at 13:29

        Hey Kaveh,

        Yes – that answers my question…

        You mentioned that “this is one way of doing it” – would you mind showing how else this can be done.

        Thanks,
        Allen

      • Kaveh 03/02/2012 at 09:38

        Hey; Sorry for the late reply. Do you still need help with this?

  8. Allen 04/02/2012 at 17:32

    Hey Kaveh,

    No problem; I would like to see the alternative config if possible.

    Thanks in advance,
    Allen

    • Kaveh 14/02/2012 at 20:43

      Hey Allen; once again apologies for delayed response. I’m in the middle of migrating my email account (not fun). :(

      I’ll post that option tomorrow. The alternate option is using through the NAT statement rather than the statement inside the object. More to come, :)

  9. Allen 21/02/2012 at 00:23

    Hey Kaveh…. Thanks Allen

  10. Alessandro 28/02/2012 at 06:30

    Very useful! It helped me a lot!

  11. Nauman 16/03/2012 at 23:59

    Dear ,

    Can you Help me out here :

    i have a situation to make the NAT of below in version 8.4(2)

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    access-list outlook permit ip any host 212.114.145.24
    access-list outlook permit ip any host 172.17.1.254
    access-list outlook permit ip any host 8.8.8.8
    access-list outlook permit ip host 172.16.152.13 any
    access-list outlook permit ip host 172.16.202.214 any
    access-list outlook permit ip 172.16.204.0 255.255.255.0 any
    access-list outlook permit ip 172.16.208.0 255.255.255.0 any
    access-list outlook permit tcp any host 195.14.19.120 eq www
    access-list outlook permit tcp any host 195.14.19.119 eq ldap
    access-list outlook permit tcp any host 195.14.19.121 eq 829
    access-list outlook permit tcp any host 195.14.19.119 eq www

    global (outside) 69 interface
    global (dmz) 90 172.16.203.98
    nat (inside) 69 access-list outlook 0 0
    nat (inside) 90 0.0.0.0 0.0.0.0 0 0
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    • Kaveh 18/03/2012 at 09:57

      Hi There,

      This is a rather interesting config. ;) Could you help me understand what you’re trying to do? What are your goals?

      • Nauman 18/03/2012 at 22:36

        access-list outlook permit ip any host 212.114.145.24
        access-list outlook permit ip any host 172.17.1.254
        access-list outlook permit ip any host 8.8.8.8
        access-list outlook permit ip host 172.16.152.13 any
        access-list outlook permit ip host 172.16.202.214 any
        access-list outlook permit ip 172.16.204.0 255.255.255.0 any
        access-list outlook permit ip 172.16.208.0 255.255.255.0 any
        access-list outlook permit tcp any host 195.14.19.120 eq www
        access-list outlook permit tcp any host 195.14.19.119 eq ldap
        access-list outlook permit tcp any host 195.14.19.121 eq 829
        access-list outlook permit tcp any host 195.14.19.119 eq www

        global (outside) 69 interface
        global (dmz) 90 172.16.203.98
        nat (inside) 69 access-list outlook 0 0
        nat (inside) 90 0.0.0.0 0.0.0.0 0 0
        !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

        Well – there are some server Inside of my Network – like my internal DNS Server which i want to be allowed to go the internet using my outside interface

        similarly there are some subnet – which needs to be bypassed for proxy – so i m PATing them using my outside Interface

        i m creating an access-list and then matching these criteria and then Pating them out.

        these commands are from PIX 6.3 – so this would be a major migration …

        from 6.3 to 8.4

      • Kaveh 20/03/2012 at 20:28

        Hey; Yes, from 6.3 to 8.3+, you may have many items to consider and test.
        The config you’ve shown will most likely need to be broken into combination of Network Objects and Service Objects. Then You’ll most likely need individual NAT statements similar to this:

        nat (inside,outside) source dynamic …………..

        I’d love to compile one for you but I’m little short on time.
        Here’s a link that might help: https://supportforums.cisco.com/docs/DOC-9129

        Cheers.

  12. R9922 18/03/2012 at 09:17

    That is a fantastic guide. I did not understand the Cisco guide. I will bookmark this for sure. Thanks a lot.

    This helped me out a lot too.
    http://cognitiveanomalies.com/cisco-nat-how-nat-works/
    I never understand the Cisco guides :P

  13. Shoaib Merchant 29/03/2012 at 04:52

    The Cisco Documentation should be replaced with your post! :D Seriously, you nailed it! Thanks!

    • Kaveh 30/03/2012 at 06:43

      LoL. Thank you for your kind comment. :-)

      • Addy 13/11/2012 at 07:55

        Could you help please?
        I upgraded from 8.2 to 8.3, but I cannot access SMTP from Outside. Here is my configuration:

        >>>8.2<<>>8.3<<>> 8.3
        access-list 101 extended permit tcp any host 192.168.10.73 eq smtp
        access-group OUTSIDE_IN in interface OUTSIDE

  14. parquet pas cher paris 25/05/2013 at 21:45

    My brother recommended I would possibly like this website.

    He used to be totally right. This publish actually made my day.
    You can not imagine simply how so much time I had
    spent for this information! Thanks!

    • Kaveh 27/02/2014 at 21:33

      Happy to hear that. I hope to continue this. Been really busy with family and work lately. I hope to resume soon! :-)
