NAT for Cisco ASA 8.3

NAT for Cisco ASA's Version 8.3+

Jun 24th, 2011

There are two major kinds of NAT in 8.3+: Auto NAT and Manual NAT. Auto NAT is done inside the object and cannot take the destination of the traffic into consideration. Manual NAT is done in global configuration and can NAT the source IPs, the destination IPs, or both.

Auto NAT

The new term Auto NAT is used in 8.3. Auto NAT is when the NAT command appears INSIDE the object statement on the firewall. There are two major variants of Auto NAT: dynamic and static. Auto NAT is also sometimes referred to as Network Object NAT because the configuration is done within the network object.

Regular Dynamic PAT

To create a many-to-one NAT where the entire inside network is PATd to a single outside IP, do the following.

Old 8.2 command:

nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface

New 8.3 equivalent command:

object network inside-net
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface

Note: the interface keyword refers to the 2nd interface in the nat statement, in this case the outside.


Static Auto-NAT

To create a one-to-one NAT within the object, such as when you have a webserver in your DMZ, you can use the following NAT configuration.

object network dmz-webserver
 host 192.168.1.23
 nat (dmz,outside) static 209.165.201.28

Please note, the nat (inside,outside) part of these commands is a lot easier to read in 8.3. The first interface is the interface the traffic is coming into the ASA on and the second interface is the interface that this traffic is going out of the ASA on. So the command nat (dmz,outside) static 209.165.201.28 should be read as: NAT the IP address 192.168.1.23 to 209.165.201.28 if the traffic is coming in on the dmz interface and going out the outside interface, or vice versa. This will not NAT traffic coming from the inside going to the DMZ, nor will it NAT the traffic coming from the DMZ going to the inside.

Using the any interface in the NAT statement

ASA 8.3 introduces the any interface when configuring NAT. For instance, if you have a system on the DMZ that you wish to NAT not only to the outside interface but to any interface, you can use this command:

object network dmz-webserver
 host 192.168.1.23
 nat (dmz,any) static 200.200.200.200

This makes it so users on the inside can browse to 200.200.200.200, and if the traffic is routed to the firewall it will NAT it to the real IP in the DMZ.

Port forwarding using Auto NAT

Suppose you have 2 web servers in your DMZ but only 1 IP address. You can configure port forwarding using the Auto NAT feature in the following way (the service keyword takes the real port first, then the mapped port):

object network dmz-webserver1
 host 192.168.1.25
 nat (dmz,outside) static interface service tcp www 8000
object network dmz-webserver2
 host 192.168.1.23
 nat (dmz,outside) static interface service tcp www 8080

This will make it so that if you go to the IP address of the outside interface on port 8000 it will take you to 192.168.1.25 port 80, but if you go there using port 8080 it will take you to 192.168.1.23 port 80.

Confused yet? I hope not, because it's about to get weird.

Manual NAT or Twice NAT or Policy NAT or Reverse NAT

The limitation that Auto NAT has is that it cannot take the destination into consideration when conducting its NAT. This of course also means it cannot alter the destination address either. To accomplish either of these tasks you must use Manual NAT. All of these terms are identical: Manual NAT, Twice NAT, Policy NAT, Reverse NAT. Don't be confused by fancy mumbo jumbo.

Policy NAT Exemption aka NAT Zero aka No NAT

In ASA 8.3 code this is known as Policy NAT exemption. This is commonly used to not NAT traffic over a VPN tunnel.

object network inside-net
 subnet 10.0.0.0 255.255.255.0
object network vpn-subnets
 range 10.1.0.0 10.5.255.255
nat (inside,outside) source static inside-net inside-net destination static vpn-subnets vpn-subnets

Policy NAT exemption for incoming remote access VPNs

In order for a packet to come in through a firewall from a lower security interface to a higher security interface it must have a translation and an ACL to permit it through. If you are setting up remote access VPN then the ACL is usually bypassed since it's tunneled traffic. There still needs to be a translation. This is completed by doing the following (note the order of the interfaces in the NAT statement):

object-group network OBJ-INSIDE-NETWORKS
 network-object 172.16.200.0 255.255.255.0
object network obj-172.16.101.0
 subnet 172.16.101.0 255.255.255.0
nat (OUTSIDE,INSIDE) source static obj-172.16.101.0 obj-172.16.101.0 destination static OBJ-INSIDE-NETWORKS OBJ-INSIDE-NETWORKS

Dynamic Policy NAT

This is when you want to specify an ACL for your NAT traffic to match on, and if it matches that ACL then NAT it to something.

Suppose you are trying to build a VPN tunnel to another site. The problem is that your private IP addresses overlap with their private IP addresses, so they tell you that you MUST come from 172.27.27.27. If this were a static one-to-one translation it wouldn't be so hard, but in this case we have many users all needing to use that IP address.

In the pre-8.3 configuration your code would look something like this:

access-list ACL-VENDOR-VPN-NAT extended permit ip 192.168.1.0 255.255.255.0 host 172.16.75.5
nat (inside) 3 access-list ACL-VENDOR-VPN-NAT
global (outside) 3 172.27.27.27

In the new ASA 8.3 config the code looks like this:

object network inside-net
 subnet 192.168.1.0 255.255.255.0
object network vendor-vpn-nat
 host 172.16.75.5
object network translated-ip
 host 172.27.27.27
nat (inside,outside) source dynamic inside-net translated-ip destination static vendor-vpn-nat vendor-vpn-nat

Miscellaneous Notes

Use real IPs in access-lists

In ASA version 8.3 you must specify the real IP and not the translated IP. For instance, to permit your traffic to the webserver through the outside ACL you must put:

access-list ACL-OUTSIDE-IN extended permit tcp any host 192.168.1.25 eq 80

This is a major change from pre-8.3, which would specify the public or NATd IP address.
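As an added check that is not part of the original post: a small Python lint that reads a constructed 8.3-style config, collects the static Auto NAT mappings from the network objects, and flags ACL entries that still reference the mapped (public) IP rather than the real IP. The config text, object names and ACL lines are constructed for illustration.

```python
import re

# Constructed 8.3-style config for illustration (not from a real device).
SAMPLE_CONFIG = """
object network dmz-webserver1
 host 192.168.1.25
 nat (dmz,outside) static 209.165.201.28
object network dmz-webserver2
 host 192.168.1.23
 nat (dmz,outside) static 209.165.201.29
access-list ACL-OUTSIDE-IN extended permit tcp any host 192.168.1.25 eq 80
access-list ACL-OUTSIDE-IN extended permit tcp any host 209.165.201.29 eq 80
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

def parse_static_nats(config):
    """Map mapped_ip -> (real_ip, object_name) for static Auto NAT on host objects."""
    mapping = {}
    name = real = None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("object network "):
            name, real = line.split()[2], None  # new object, forget the old host
        elif line.startswith("host "):
            real = line.split()[1]
        else:
            m = re.fullmatch(r"nat \(\S+\) static " + IPV4, line)
            if m and real:
                mapping[m.group(1)] = (real, name)
    return mapping

def find_mapped_ip_acls(config):
    """Return (acl_line, mapped_ip, real_ip, object_name) for ACL entries that
    name a mapped IP; on 8.3+ the interface ACL sees real IPs, so such an
    entry never matches the traffic it was meant to permit."""
    mapping = parse_static_nats(config)
    findings = []
    for line in config.splitlines():
        line = line.strip()
        if not line.startswith("access-list "):
            continue
        m = re.search(r"\bhost " + IPV4, line)
        if m and m.group(1) in mapping:
            real, name = mapping[m.group(1)]
            findings.append((line, m.group(1), real, name))
    return findings
```

Running find_mapped_ip_acls(SAMPLE_CONFIG) reports only the second ACL line, since it names 209.165.201.29 where the real host 192.168.1.23 is required.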

Show commands

To view this configuration you must check two places to see what is being NATd.

show run object
show run nat

The command show run object in-line is sometimes useful when using the pipe commands.

You can also see the order of NAT and the NAT translation hit counts with:

show nat

Optional destination keyword in manual NAT

The destination keyword and addresses in the manual NAT command are optional. This means that both of these configurations do the same work:

object network inside-net
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
object network inside-net
 subnet 10.0.0.0 255.255.255.0
nat (inside,outside) source dynamic inside-net interface

NAT order and after-auto NATing

The order of operation in NAT commands is documented here:

http://www.cisco.com/en/US/partner/docs/security/asa/asa83/configuration/guide/nat_overview.html#wp1118157

The NAT operation will only take place once. Once there is a match on a NAT rule it will stop looking down the line to see whether it needs to NAT this traffic or not. The order of operation is as follows:

1. Twice NAT statements
2. Auto NAT statements
3. After-Auto NAT statements

Let's say you have a Manual or Twice NAT that you want to be considered AFTER all of the Auto NATs. You can specify this by adding the after-auto keyword, which would look something like this:

nat (inside,outside) after-auto source dynamic any
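As an added illustration that is not part of the original post, the following Python model walks a constructed rule table in the three-section order above and stops at the first match, which is what lets an exemption in section 1 shadow a broader Auto NAT in section 2 and leaves the after-auto rule in section 3 to catch what nothing else claimed. The rule names, networks, actions and packets are constructed for illustration and the table is a simplification, not the real ASA rule format.

```python
import ipaddress

def in_spec(ip, spec):
    """True when ip is covered by spec: 'any', a CIDR, or an 'a-b' range."""
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s) for s in spec.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec)

# Constructed rule table (not a real ASA rule format): section 1 = manual/twice
# NAT, 2 = Auto NAT, 3 = after-auto manual NAT. dst is None when the rule has
# no destination clause, as an Auto NAT rule never does.
RULES = [
    {"section": 1, "name": "vpn-exempt", "src": "10.0.0.0/24",
     "dst": "10.1.0.0-10.5.255.255", "action": "identity (no NAT)"},
    {"section": 2, "name": "inside-net", "src": "10.0.0.0/24",
     "dst": None, "action": "dynamic PAT to outside interface"},
    {"section": 3, "name": "catch-all", "src": "any",
     "dst": None, "action": "dynamic PAT to outside interface"},
]

def lookup(src, dst, rules=RULES):
    """Return (name, action) of the first rule matching the packet, or None.

    Sections are walked 1, 2, 3 and the walk stops at the first hit, so a
    later, broader rule never applies to traffic already claimed by an
    earlier one."""
    for rule in sorted(rules, key=lambda r: r["section"]):  # stable sort
        if not in_spec(src, rule["src"]):
            continue
        if rule["dst"] is not None and not in_spec(dst, rule["dst"]):
            continue
        return rule["name"], rule["action"]
    return None

if __name__ == "__main__":
    for pkt in [("10.0.0.5", "10.3.2.1"), ("10.0.0.5", "203.0.113.9"),
                ("192.168.9.9", "203.0.113.9")]:
        print(pkt, "->", lookup(*pkt))
```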

Using Descriptions

The description keyword can be added to the end of a manual NAT statement to keep things more organized, like so:

nat (OUTSIDE,INSIDE) source static obj-172.16.101.0 obj-172.16.101.0 destination static OBJ-INSIDE-NETWORKS OBJ-INSIDE-NETWORKS description ANYCON-NONAT

Inactive NAT statements

You may deactivate a manual NAT statement by adding the inactive keyword at the end of the statement, like so:

nat (OUTSIDE,INSIDE) source static obj-172.16.101.0 obj-172.16.101.0 destination static OBJ-INSIDE-NETWORKS OBJ-INSIDE-NETWORKS inactive

Cisco Documentation on NAT for 8.3

CLI NAT configuration guide for ASA 8.3: http://www.cisco.com/en/US/partner/docs/security/asa/asa83/configuration/guide/nat_overview.html

Upgrading to ASA 8.3, what you need to know: https://supportforums.cisco.com/docs/DOC-12690

Video examples and tutorial: https://supportforums.cisco.com/docs/DOC-12324

ASA Pre-8.3 to 8.3 NAT configuration examples: https://supportforums.cisco.com/docs/DOC-9129

ASA NAT migration problems when upgrading to 8.3; Syslog "%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows": https://supportforums.cisco.com/docs/DOC-12569