Cisco ASA Dynamic NAT Configuration

Hello Harshi

You can use the clear xlate command to clear all NAT entries in the NAT table.

In order to have the ASA firewall perform NAT, you will require the use of a Layer 3 inside interface and a Layer 3 outside interface. This means that you cannot use a layer 2 trunk connection on the ASA to perform the NAT. You must have a layer 3 interface on the inside.

I hope this has been helpful!

Laz

1 Like

Hello I went through your lessons on dynamic NAT, static NAT , PAT , per session and multi sesson.
They where very helpful.
Can you please explain if we can implemnte source NAT and Destination NAT on ASA ?

Hello Harshi

Source and destination NAT are possible to implement on a Cisco ASA. The following document shows very useful examples of many scenarios of both source and destination NAT.

I hope this has been helpful!

Laz

Hi Rene,

I’m just a beginner, so maybe this question is stupid
I try to config Dynamic NAT IP range for INSIDE to OUTSIDE
In your teaching the command like below:

ASA1(config)# object network PUBLIC_POOL
ASA1(config-network-object)# range 192.168.2.100 192.168.2.200

.

but in my ASA, there is no “range” that I can command…

ASA1(config)#object network PUBLIC_POOL
ASA1(config-network-object)#range ?
% Unrecognized command

I’m using Packet Tracer and using ASA 5505 ( Version 8.4(2) )

Thank you,
Wayne

Hello Yu Chin

According to Cisco documentation, this range command is available in the version of ASA that you’re using. However, keep in mind that the ASA in the packet tracer only contains a subset of all of the real commands available to an ASA. I tried the same commands in my packet tracer and it seems that the “range” feature is not available.

The only way to get around this is to use an emulator such as GNS3 to have all commands available to you.

I hope this has been helpful.

Laz

A post was merged into an existing topic: Cisco ASA Dynamic NAT with DMZ

A post was merged into an existing topic: Cisco ASA Dynamic NAT with DMZ

HI dear Friend. i configure site to site beetwen ASA. i have 2 nats. first for users which can use internet connection second for site to site vpn. but if i wrife first nat for internet (nat (inside,outside) source dynamic any interface) and after nat (inside,outside) source static lan lan destination static remote remote then vpn cannot up.i must first wite nat for vpn after nat for internet. why like this?

Hello Cemil

I’m not sure I completely understand your question. Can you be more specific in what you have attempted to do? Are you saying that the order in which you implemented the commands made a difference in the end result of connectivity? Please give us an example so that we can examine it more clearly.

Thanks so much!

Laz

Please explain me

ASA1(config)# object network PUBLIC_POOL 
ASA1(config-network-object)# range 192.168.2.100 192.168.2.200

after this configuration , i must configure a network object for the hosts that we want be to translate. Okey!

ASA1(config)# object network INTERNAL
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic PUBLIC_POOL

ASA1(config)# object network INTERNAL
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic PUBLIC_POOL interface

which different in this confgiration ?

and what it is mean, please explain.
Why we added in the line “interface”

Hello Teymur

This command:

nat (INSIDE,OUTSIDE) dynamic PUBLIC_POOL interface

…is an additional command that allows NAT to use the IP address assigned to the outside interface for translation if the PUBLIC_POOL range of addresses is exhausted. The interface keyword simply tells the device to use the IP address of the outside interface for translation. It doesn’t remove the other NAT commands but is added to it.

For example, let’s say that 100 hosts on the inside are communicating, and each one has been translated to one of the addresses in PUBLIC_POOL. There are no more free IP addresses in the pool. The 101st host then tries to communicate. If this command is present, it can use 192.168.2.254 as the translated address.

I hope this has been helpful!

Laz

Hi, Is it not the 192.168.2.0/24 a private network? How can we use a private network for address translation?

Thanks,
Nihar

Hello Nihar

It is true that NAT is primarily used to translate private IP addresses to public addresses. However, NAT does not actually distinguish between public and private IP addresses. You can translate between whatever addresses you like, and it will work just fine.

You can even have inside addresses be in the range of 5.5.5.0/24 for example, and your outside addresses be 192.168.55.0/24. NAT as a feature will still work, and does not restrict you to a specific range of addresses.

However, in your configurations, you must conform to the appropriate address spaces that are given to you, so if you are indeed given public outside addresses, and private inside addresses, you must use them appropriately.

I hope this has been helpful!

Laz

Hi Rene,

Wondering how the NAT is done on a 5508X if the interface connects to a cable modem and gets an IP address from the DHCP server?
Also I am using to sub interfaces gig 1/7.10 and gig 1/7.30 to pass two vlans

 interface GigabitEthernet1/1
 description To_cable_modem
 nameif OUTSIDE
 security-level 0
 ip address dhcp 

interface GigabitEthernet1/7
 description To_3750_Crama
 duplex full
 nameif INSIDE
 security-level 100
 no ip address
!
interface GigabitEthernet1/7.10
 description xxx
 vlan 10
 nameif wireless_&_printers
 security-level 100
 ip address 192.168.0.13 255.255.255.0 
!
interface GigabitEthernet1/7.30
description xxx 
vlan 30
 nameif surveilance_cam
 security-level 100
 ip address 10.10.10.34 255.255.255.224 
!
interface GigabitEthernet1/7.99
 descriptio xxx
 vlan 99      
 nameif native_vlan
 security-level 100
 ip address x.x.x.x /xx

the native vlan subnet is only to pass the native vlan between switch and firewall

Hello Dan

When you have multiple inside subnets that you would like to NAT to an outside interface, you can use object groups to perform NATting. You can do this regardless of whether those inside subnets are connected to physical interfaces or subinterfaces.

An example of such a configuration is the following, assuming your outside IP address is 50.50.50.10:

object-group network all_subnets
network-object 192.168.0.0 255.255.255.0
network-object 10.10.10.32 255.255.255.224

object network PAT_ip
host 50.50.50.10

nat (inside,outside) source dynamic all_subnet PAT_ip

Now in the same scenario, if you are using DHCP for your outside interface, you can replace the destination object of the NAT command from PAT_ip to the keyword interface like so:

nat (inside,outside) source dynamic all_subnet interface

This will cause the ASA to use the IP address assigned to the outside interface as the IP address for translation.

Take a look at this NetworkLessons Note on ASA NAT with multiple inside subnets for more info.

I hope this has been helpful!

Laz

Lazaros

I have a query on the Firemon Tool Traffic Flow Analasys . Its mentioned the following Statement.

“FireMon’s Traffic Flow Analysis or “TFA” does the same thing to monitor traffic through a firewall rule, and instead of allowing all traffic to traverse in all direct
ions, it monitors the empirical behaviors on the network and lets administrators know which rules they can create to allow only the necessary access.”

I know the CISCO Packet Processing Algorithm . How are the following Rules 11 and 12 are effected by the Above statement aka Network Behaviour ???

  1. Here are the individual steps in detail:

  2. The packet is reached at the ingress interface.

  3. Once the packet reaches the internal buffer of the interface, the input counter of the interface is incremented by one.

  4. Cisco ASA first looks at its internal connection table details in order to verify if this is a current connection. If the packet flow matches a current connection, then the Access Control List (ACL) check is bypassed and the packet is moved forward.

  5. If packet flow does not match a current connection, then the TCP state is verified. If it is a SYN packet or UDP (User Datagram Protocol) packet, then the connection counter is incremented by one and the packet is sent for an ACL check. If it is not a SYN packet, the packet is dropped and the event is logged.

  6. The packet is processed as per the interface ACLs. It is verified in sequential order of the ACL entries and if it matches any of the ACL entries, it moves forward. Otherwise, the packet is dropped and the information is logged. The ACL hit count is incremented by one when the packet matches the ACL entry.

  7. The packet is verified for the translation rules. If a packet passes through this check, then a connection entry is created for this flow and the packet moves forward. Otherwise, the packet is dropped and the information is logged.

  8. The packet is subjected to an Inspection Check. This inspection verifies whether or not this specific packet flow is in compliance with the protocol. Cisco ASA has a built-in inspection engine that inspects each connection as per its pre-defined set of application-level functionality. If it passed the inspection, it is moved forward. Otherwise, the packet is dropped and the information is logged.

  9. Additional security checks will be implemented if a Content Security (CSC) module is involved.

  10. The IP header information is translated as per the Network Address Translation/ Port Address Translation (NAT/PAT) rule and checksums are updated accordingly. The packet is forwarded to Advanced Inspection and Prevention Security Services Module (AIP-SSM) for IPS related security checks when the AIP module is involved.

  11. The packet is forwarded to the egress interface based on the translation rules. If no egress interface is specified in the translation rule, then the destination interface is decided based on the global route lookup.

  12. On the egress interface, the interface route lookup is performed. Remember, the egress interface is determined by the translation rule that takes the priority.

  13. Once a Layer 3 route has been found and the next hop identified, Layer 2 resolution is performed. The Layer 2 rewrite of the MAC header happens at this stage.

  14. The packet is transmitted on the wire, and interface counters increment on the egress interface.

Hello Surendra

As with many marketing documents, this text is using general language to describe the operation of their product. By no means should this statement be taken as an exact description of their “TFA” algorithm. The statement

“it monitors the empirical behaviors on the network and lets administrators know which rules they can create to allow only the necessary access”

is imprecise and does not give us enough information to know what is actually being applied to traffic.

Cisco’s packet processing algorithm for the ASA that you have posted here, however, is very precise. So it is difficult to compare the process of one product with another with such a generalized description.

If you want to compare them, you will have to find technical documentation for the product that describes the process precisely.

Having said that, the description does tell us that the product possesses some level of intelligence that allows it to analyze traffic and make determinations based on traffic type and traffic volume. What those determinations are and how they are reached are unknown at this point.

I hope this has been helpful!

Laz

Hello Surendra

Based on the text of the explanation, I would assume that the TFA tool performs some sort of intelligent filtering based on application, on already established flows, and on policies and rules set by the administrator. From the tool seems to be able to automate to a certain extent, the security policies applied, based on the traffic used, as well as based on some predefined best-practice and most common profiles.

It sounds like a next-generation firewall (NGFW) with a level of intelligence similar to Cisco’s Identity Services Engine (ISE).

I hope this has been helpful!

Laz

ASA 5505 version8.2(5)
ASDM version 6.4(5)
Under Configuration >> Firewall >>NAT Rules

When do you need to check “Enable traffic through the firewall without address translation” ?
Are there any disadvantages to having this enabled?
Seems to be a default setting.

Thanks

Hello Donald

This command within ASDM is the same as the nat-control command in the CLI.

When enabled, this feature requires that packets traversing from an INSIDE interface to an OUTSIDE interface match a NAT rule. If no NAT rule is matched, the packet is dropped.

If it is disabled, then this matching is not a requirement, and the packet can be forwarded and routed without a NAT translation (assuming it passes any other checks that have been implemented on the ASA).

For more info, take a look at the following link:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/cfgnat.html#wp1065218

Now whether you enable this or disable this depends upon what you want to achieve. If you require that all traffic initiated from INSIDE be translated (which is often the case at the edge of a network where ASA devices are often placed), then you should enable this. When enabled, hosts on the INSIDE network that must access hosts on the OUTSIDE network must match a NAT translation rule for such communication to be successful. Thus you must ensure that your NAT translation rules are appropriate to ensure such communication.

I hope this has been helpful!

Laz