Cisco ASA PAT Configuration

(Rene Molenaar) #1

This topic is to discuss the following lesson:

(asi m) #2

Hi Rene,

I don't know exactly what topic to place this question in; that's why I am placing it here.
I got an opportunity for 3 days to work under a CCIE who was very rude, and I did not bother to ask him any questions as I knew he was not interested in explaining.

I was able to understand all bits up to the core SW through the knowledge from your tutorials on VLANs and routing. However, I cannot understand a few bits of the design at this point.

They got a public IP block from the ISP, let's say 90.81.31.128/27 (30 host count).

Now the way the IPs are assigned is as follows:
- 90.81.3.157 => ISP router LAN interface connecting to my ASA
- 90.81.3.158 => Outside interface of my ASA

Then there is a CORE-SW with different VLANs and a server VLAN, and a few servers connected to the server VLAN that require public access (web and email) [no DMZ].

For the purpose of hiding the internal IP scheme, NAT is configured on the ASA pointing to the servers as follows:

10.0.0.32 ===NAT===> 90.81.3.132
10.0.0.42 ===NAT===> 90.81.3.142
10.0.0.52 ===NAT===> 90.81.3.152 …

So after all these lines, my question: WHICH INTERFACE are these IPs (90.81.3.132, 90.81.3.142, 90.81.3.152) assigned to? Where do these IPs reside?

- Do these IPs remain in the company network?

Please explain. As I know, no one can explain better than you in a simple way.

OH! ATTACHED IS A DESIGN LAYOUT

Thanks in ADVANCE

(net2@net.com n) #3

Hi Rene,

If I have many subnets inside my local network, how can I PAT all of the subnets?

Thank you!

(asi m) #4

I did not understand that answer and did not expect this kind of answer.

Thank you anyway.

That was helpful.

(Rene Molenaar) #5

@Asi

When you configure an IP address on the ASA then your ASA will know which IP addresses belong to the subnet. For example, let’s say you have subnet 90.81.31.128/27.

Once you configure 90.81.3.158/27 on the outside interface, your ASA knows that this is a subnet with 30 addresses. You can use any of the addresses in this subnet for NAT and you don’t have to configure these addresses on the interface. Just make sure that it’s not in use…

@net2net

You could use object groups to “bundle” multiple network objects. You could also configure a bigger subnet range in the network object.

Rene
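As an added illustration of both answers above (example configuration written for this thread, not from the lesson or from Rene's post): the server addresses from the question are mapped with static NAT to addresses inside the OUTSIDE /27 without being configured on any interface, and two inside subnets (assumed names and the 10.0.1.0/24 subnet, plus the assumed-unused PAT address 90.81.3.150, are constructed for the example) share one PAT address via an object-group.

```text
! Outside interface: configuring 90.81.3.158/27 tells the ASA the whole
! 90.81.3.128/27 block lives on this link
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 90.81.3.158 255.255.255.224
!
! Static NAT for the servers: the mapped addresses are part of the OUTSIDE
! subnet but are not assigned to any interface. The ASA answers ARP for
! them itself (proxy ARP), so the ISP router sends traffic for .132/.142
! to the ASA, which translates it to the real 10.0.0.x host.
object network SRV-WEB
 host 10.0.0.32
 nat (INSIDE,OUTSIDE) static 90.81.3.132
object network SRV-MAIL
 host 10.0.0.42
 nat (INSIDE,OUTSIDE) static 90.81.3.142
!
! On 8.3+ the inbound access-list still has to permit the wanted ports
! to the REAL (10.0.0.x) addresses; NAT alone does not open anything.
!
! Several inside subnets sharing one PAT address: bundle the network
! objects in an object-group and use it as the real source in a NAT rule.
object network LAN-A
 subnet 10.0.0.0 255.255.255.0
object network LAN-B
 subnet 10.0.1.0 255.255.255.0
object-group network INSIDE-NETS
 network-object object LAN-A
 network-object object LAN-B
object network PAT-ADDR
 host 90.81.3.150
nat (INSIDE,OUTSIDE) source dynamic INSIDE-NETS PAT-ADDR
```

Check the result with show xlate and show nat: the static entries appear immediately, the PAT entries only once a host in LAN-A or LAN-B sends traffic towards OUTSIDE.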

(asi m) #6

ASA1(config)# object network INSIDE
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic 192.168.2.253

This tells our firewall to translate traffic from the 192.168.1.0 /24 subnet headed towards the OUTSIDE to IP address 192.168.2.253. If you configure the IP address like this then it has to be an IP address that is not in use on the interface. For example, when I try to use 192.168.2.254 (that’s the IP address on the OUTSIDE interface) then I will get an error.

Hi Rene,

Can you please explain, based on the statement above, whether 192.168.2.253 is the INSIDE GLOBAL or the DESTINATION IP in a packet that is sourced from INSIDE?

(Rene Molenaar) #7

Hi Asi,

When a host on the inside tries to reach something on the Internet then the destination will be the device on the Internet. For example, a webserver that is reachable on 1.2.3.4 or something.

When the packet reaches the ASA, the 192.168.1.x address will be translated to 192.168.2.253. It translates the source address. 192.168.2.253 is the inside global address.

Rene

(Ryan M) #8

So, I have an odd situation.

I have a traditional 3-legged setup with my ASA 5505, running 9.2, with the Security Plus license.

Following your design, the inside is the 1 network, dmz is the 3 network and outside is the 2 network. I have an additional host beyond that is 2.20.20.10.

I am just doing what is apparently a traditional PAT, which works from the inside, but not from the outside. I see the icmp requests going out from dmz, but no reply. Because of the security level, does that require something else?

Here is some of the relevant code:

ASA5505# sh run object
object network inside
 subnet 192.168.1.0 255.255.255.0
object network dmz
 subnet 192.168.3.0 255.255.255.0
ASA5505# sh run nat
nat (dmz,outside) source dynamic any interface
!
object network inside
 nat (inside,outside) dynamic interface
object network dmz
 nat (dmz,outside) dynamic interface
ASA5505#

My host at 192.168.3.10 can ping its gateway at 192.168.3.1 on the ASA.
Inside hosts can ping all hops from gateway 192.168.1.1 to outside 192.168.2.10 to remote host 2.20.20.10.

I have no other acls.

(Ryan M) #9

So, after wiping out my ASA 5505 configuration and starting over with the same NAT rules as above, and also playing with ACLs like this:

access-list dmz-out extended deny ip object dmz object inside
access-list dmz-out extended permit ip object dmz any4

I’ve come to some conclusions.

  1. The deny line above was used to prevent DMZ traffic to inside (worked).
  2. NAT and xlate entries were there.
  3. ICMP is not allowed out from the DMZ.
  4. SSH and other protocols are allowed out without any ACL, just based on NAT.

 174: 15:28:50.809345       802.1Q vlan#4 P0 192.168.3.10.65114 > 192.168.2.10.22: F 731092586:731092586(0) ack 902071277 win 32832 <nop,nop,timestamp 3218242 3220456>
 175: 15:28:50.819888       802.1Q vlan#4 P0 192.168.2.10.22 > 192.168.3.10.65114: . ack 731092586 win 32780 <nop,nop,timestamp 3220468 3218241>
 176: 15:28:50.819919       802.1Q vlan#4 P0 192.168.2.10.22 > 192.168.3.10.65114: F 902071277:902071277(0) ack 731092586 win 32832 <nop,nop,timestamp 3220471 3218241>
 177: 15:28:50.822009       802.1Q vlan#4 P0 192.168.3.10.65114 > 192.168.2.10.22: F 731092586:731092586(0) ack 902071278 win 32831 <nop,nop,timestamp 3218258 3220471>
 178: 15:28:50.823535       802.1Q vlan#4 P0 192.168.2.10.22 > 192.168.3.10.65114: . ack 731092587 win 32831 <nop,nop,timestamp 3220480 3218258>
 179: 15:28:59.991739       802.1Q vlan#4 P0 192.168.3.10.57911 > 192.168.2.10.23: S 3651934508:3651934508(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 3227424 0,sackOK,eol>
 180: 15:28:59.993524       802.1Q vlan#4 P0 192.168.2.10.23 > 192.168.3.10.57911: S 2606032245:2606032245(0) ack 3651934509 win 65535 <mss 1380,nop,wscale 1,nop,nop,timestamp 3229649 3227424,sackOK,eol>
 181: 15:28:59.996255       802.1Q vlan#4 P0 192.168.3.10.57911 > 192.168.2.10.23: . ack 2606032246 win 32832 <nop,nop,timestamp 3227428 3229649>

So, in conclusion, it all works just fine. It's likely a limitation or “security feature” of the 5505, but not because of the security-level on the DMZ interface (security-level 50).

(Lazaros Agapides) #10

Hello Ryan.

Thanks for sharing that valuable information from your experience!

Laz

(Ajith Kumar P) #11

Hi Rene,

I am still not clear on the ASA order of operations. I think it's different before 8.3 and after 8.3 IOS. Can someone help me understand it?

NAT rule --> access rule --> route lookup
or
access rule --> NAT rule --> route lookup

(Lazaros Agapides) #12

Hello Ajith

The order of operation depends on if the NAT involved is source NAT or destination NAT. Specifically:

For ASA versions before AND after 8.3 with SOURCE NAT, the order of operation does NOT change. That is:

  1. Routing
  2. Inbound ACL
  3. NAT

For ASA versions BEFORE 8.3 and DESTINATION NAT, the order of operation is as follows:

  1. ACL
  2. Destination NAT
  3. Routing

For ASA versions AFTER 8.3 and DESTINATION NAT, the order of operation is as follows:

  1. Destination NAT / partial routing*
  2. ACL

*Partial routing refers to the determination of the exit interface based on the NAT rule.

I hope this has been helpful!

Laz

(Ajith Kumar P) #13

Thanks, it's clear now.

(Pavan C) #14

Hi, I need an explanation of the NAT sections in the ASA. Please help me with this topic.

(Rene Molenaar) #15

Hi Pavan,

Anything in particular? I have quite a few NAT/PAT examples for the ASA:

Take a look at unit 2.

Rene

(Heng S) #16

Hi,
In your example you only configure PAT for a single outside IP address. If I have a pool of outside IP addresses and I want to configure dynamic NAT and PAT at the same time, what do I need to do?
Please help me check this out. Thank you.
Sovandara

(Lazaros Agapides) #17

Hello Sovandara

In the example in the lesson, the PAT configuration uses a range of internal addresses defined by

ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0

and translates them to a single outside address using this command:

ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic 192.168.2.253

If you want to have a pool of outside addresses, you could use the following command instead:

ASA1(config-network-object)# nat (inside,outside) dynamic pat-pool IP_POOL

where IP_POOL is an access list defining a pool of addresses.

Now let’s say you have a range of outside addresses from 12.1.1.2 to 12.1.1.8. You can define a pool to be used for PAT as 12.1.1.2 to 12.1.1.6 and have an internal subnet be mapped to that range using PAT. Now PAT is a many-to-one mapping of internal IP addresses to external IP addresses.

Now dynamic NAT is a one-to-one mapping of internal to external IP addresses. On the same interface you can configure dynamic NAT to use external IP addresses 12.1.1.7 and 12.1.1.8 to translate dynamically to a range of (two) internal addresses.

I hope this has been helpful!

Laz
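The split of the 12.1.1.2-12.1.1.8 range described above, written out as an added example configuration (not from the lesson or from Laz's post). It assumes the pools are defined as network objects with a range, and constructs the inside subnet 192.168.1.0/24 and the two hosts 192.168.1.10-11 as sample addresses.

```text
! Five addresses reserved for PAT (many inside hosts per address)
object network PAT-POOL
 range 12.1.1.2 12.1.1.6
! Two addresses reserved for one-to-one dynamic NAT
object network NAT-POOL
 range 12.1.1.7 12.1.1.8
!
! The whole inside subnet is PATed across the pool; round-robin spreads
! new connections over all five addresses instead of filling one first
object network INSIDE-NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic pat-pool PAT-POOL round-robin
!
! Two specific hosts get a dynamic one-to-one mapping from NAT-POOL.
! Object NAT rules are ordered by the ASA itself: the more specific
! (smaller) object wins, so these hosts use 12.1.1.7/.8 even though
! they are also covered by INSIDE-NET. With no fallback configured, a
! third host in this object would be dropped once both addresses are
! in use, which is why the range is kept to two hosts here.
object network INSIDE-SERVERS
 range 192.168.1.10 192.168.1.11
 nat (inside,outside) dynamic NAT-POOL
```

show nat shows the resulting section 2 order, and show xlate distinguishes the one-to-one entries (flags i) from the PAT entries (flags i, r).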

(Jeremy M) #18

When I try to enter:

ASA1(config)# object network INSIDE_TO_OUTSIDE
ASA1(config-network-object)#  nat (INSIDE,OUTSIDE) dynamic interface

I get the following error:

ERROR: empty object/object-group(s) detected. NAT Policy is not downloaded

I’m new to ASA and don’t know what the problem is, any ideas?

(Lazaros Agapides) #19

Hello Jeremy

It looks like NAT can’t find the addresses that are identified as inside and/or outside. They look like they’re undefined for some reason. There are several things you may need to look at.

First, verify that you have successfully identified and configured your INSIDE and your OUTSIDE interfaces. If that is OK, then you may just need to reset the NAT configuration. To do so, copy your existing NAT config to a text editor, do clear configuration nat and then reapply. The process sometimes gets “stuck”. This is known to occur with version 8.4.5.

I hope this has been helpful!

Laz

(Jeremy M) #20

Thanks Laz, I’ll give it a shot!
