Cisco ASA PAT Configuration

Hi Asi,

When a host on the inside tries to reach something on the Internet then the destination will be the device on the Internet. For example, a webserver that is reachable on 1.2.3.4 or something.

When the packet reaches the ASA, the 192.168.1.x address will be translated to 192.168.2.253. It translates the source address. 192.168.2.253 is the inside global address.

Rene

So, I have an odd situation.

I have a traditional 3-legged set up with my ASA 5505, running 9.2, with security plus license.

Following your design, the inside is the 1 network, dmz is the 3 network and outside is the 2 network. I have an additional host beyond that is 2.20.20.10.

I am just doing what is apparently a traditional PAT, which works from the inside, but not from the outside. I see the icmp requests going out from dmz, but no reply. Because of the security level, does that require something else?

Here is some of the relevant code:

ASA5505# sh run object
object network inside
 subnet 192.168.1.0 255.255.255.0
object network dmz
 subnet 192.168.3.0 255.255.255.0
ASA5505# sh run nat
nat (dmz,outside) source dynamic any interface
!
object network inside
 nat (inside,outside) dynamic interface
object network dmz
 nat (dmz,outside) dynamic interface
ASA5505#

My host at 192.168.3.10 can ping its gateway at 192.168.3.1 on the asa.
Inside hosts can ping all hops from gateway 192.168.1.1 to outside 192.168.2.10 to remote host 2.20.20.10

I have no other acls.

So, after wiping out my ASA 5505 configuration and starting over, with the same nat rules as above, and also playing with ACLs like this:

access-list dmz-out extended deny ip object dmz object inside
access-list dmz-out extended permit ip object dmz any4

I’ve come to some conclusions.

  1. the deny line above was used to prevent the dmz traffic to inside (worked)
  2. that nat, xlate were there.
  3. that icmp is not allowed out from dmz
  4. that ssh, and other protocols are allowed out without any ACL, just based on nat.

 174: 15:28:50.809345       802.1Q vlan#4 P0 192.168.3.10.65114 > 192.168.2.10.22: F 731092586:731092586(0) ack 902071277 win 32832 <nop,nop,timestamp 3218242 3220456>
 175: 15:28:50.819888       802.1Q vlan#4 P0 192.168.2.10.22 > 192.168.3.10.65114: . ack 731092586 win 32780 <nop,nop,timestamp 3220468 3218241>
 176: 15:28:50.819919       802.1Q vlan#4 P0 192.168.2.10.22 > 192.168.3.10.65114: F 902071277:902071277(0) ack 731092586 win 32832 <nop,nop,timestamp 3220471 3218241>
 177: 15:28:50.822009       802.1Q vlan#4 P0 192.168.3.10.65114 > 192.168.2.10.22: F 731092586:731092586(0) ack 902071278 win 32831 <nop,nop,timestamp 3218258 3220471>
 178: 15:28:50.823535       802.1Q vlan#4 P0 192.168.2.10.22 > 192.168.3.10.65114: . ack 731092587 win 32831 <nop,nop,timestamp 3220480 3218258>
 179: 15:28:59.991739       802.1Q vlan#4 P0 192.168.3.10.57911 > 192.168.2.10.23: S 3651934508:3651934508(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 3227424 0,sackOK,eol>
 180: 15:28:59.993524       802.1Q vlan#4 P0 192.168.2.10.23 > 192.168.3.10.57911: S 2606032245:2606032245(0) ack 3651934509 win 65535 <mss 1380,nop,wscale 1,nop,nop,timestamp 3229649 3227424,sackOK,eol>
 181: 15:28:59.996255       802.1Q vlan#4 P0 192.168.3.10.57911 > 192.168.2.10.23: . ack 2606032246 win 32832 <nop,nop,timestamp 3227428 3229649>

So, in conclusion, it all works just fine. It's likely a limitation or “security feature” of the 5505, but not because of the security-level on the dmz interface (security-level 50).

Hello Ryan.

Thanks for sharing that valuable information from your experience!

Laz

Hi Rene,

I am still not clear on the ASA order of operation. I think it's different before 8.3 and after 8.3. Can someone help me in understanding it?

NAT rule -> access rule -> route lookup
or
access rule -> NAT rule -> route lookup

Hello Ajith

The order of operation depends on whether the NAT involved is source NAT or destination NAT. Specifically:

For ASA versions before AND after 8.3 with SOURCE NAT, the order of operation does NOT change. That is:

1. Routing, 2. Inbound ACL, 3. NAT

For ASA versions BEFORE 8.3 and DESTINATION NAT, the order of operation is as follows:

1. ACL, 2. Destination NAT, 3. Routing

For ASA versions AFTER 8.3 and DESTINATION NAT, the order of operation is as follows:

1. Destination NAT/Partial routing*, 2. ACL

*Partial routing refers to the determination of the exit interface based on the NAT rule.

I hope this has been helpful!

Laz

Thanks, it's clear now.


Hi, I need an explanation about NAT sections in the ASA. Please help me on this topic.

Hi Pavan,

Anything in particular? I have quite some NAT/PAT examples for the ASA:

Take a look at unit 2.

Rene

Hi,
In your example you only configure PAT for a single outside IP address. If I have a pool of outside IP addresses and I want to configure dynamic NAT and PAT at the same time, what do I need to do?
Please help me check this out. Thank you,
Sovandara

Hello Sovandara

In the example in the lesson, the PAT configuration uses a range of internal addresses defined by

ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0

and translates them to a single outside address using this command:

ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic 192.168.2.253

If you want to have a pool of outside addresses, you could use the following command instead:

ASA1(config-network-object)# nat (inside,outside) dynamic pat-pool IP_POOL

where IP_POOL is an access list defining a pool of addresses.

Now let’s say you have a range of outside addresses from 12.1.1.2 to 12.1.1.8. You can define a pool to be used for PAT as 12.1.1.2 to 12.1.1.6 and have an internal subnet be mapped to that range using PAT. Now PAT is a many-to-one mapping of internal IP addresses to external IP addresses.

Now dynamic NAT is a one-to-one mapping of internal to external IP addresses. On the same interface you can configure dynamic NAT to use external IP addresses 12.1.1.7 and 12.1.1.8 to translate dynamically to a range of (two) internal addresses.

I hope this has been helpful!

Laz

When I try to enter:

ASA1(config)# object network INSIDE_TO_OUTSIDE
ASA1(config-network-object)#  nat (INSIDE,OUTSIDE) dynamic interface

I get the following error:

ERROR: empty object/object-group(s) detected. NAT Policy is not downloaded

I’m new to ASA and don’t know what the problem is, any ideas?

Hello Jeremy

It looks like NAT can’t find the addresses that are identified as inside and/or outside. They look like they’re undefined for some reason. There are several things you may need to look at.

First, verify that you have successfully identified and configured your INSIDE and your OUTSIDE interfaces. If that is OK, then you may just need to reset the NAT configuration. To do so, copy your existing NAT config to a text editor, do clear configuration nat and then reapply. The process sometimes gets “stuck”. This is known to occur with version 8.4.5.

I hope this has been helpful!

Laz

Thanks Laz, I’ll give it a shot!


Hello, when the ASA does port translations, what is the range of port addresses it picks from? And what is the maximum number of port translations it can do?

Hello Harshi

PAT divides the available ports per global IP address into three ranges:

  • 0-511
  • 512-1023
  • 1024-65535

Each global address will use one of these ranges. PAT assigns a unique source port for each TCP or UDP session. It attempts to assign the same port value of the original request, but if the original source port has already been assigned, it starts scanning from the beginning of the particular port range to find the first available port and assigns it to the conversation.

Theoretically, the maximum number of ports that can be assigned is equal to the number of free ports available in the particular range being used. However, this limit will rarely if ever be reached due to the limitations of memory and CPU resources needed to manage so many translations. The more powerful the device, the more translations can be made.

I hope this has been helpful!

Laz

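The port-selection rule described in the answer above, as an added simulator that is not from this thread or from Cisco code. The three ranges and the "keep the original port, else scan from the start of the range" behaviour are taken from the post; keeping TCP and UDP tables separate and never handing out port 0 are my assumptions.

```python
# Added example: simulate ASA-style PAT port allocation for one global address.
# Rule (from the thread): ports are split into three ranges; a new session keeps its
# original source port if free, otherwise the first free port from the range start.
from dataclasses import dataclass, field

RANGES = ((0, 511), (512, 1023), (1024, 65535))


def port_range(port):
    """Return the (low, high) range that an original source port belongs to."""
    for low, high in RANGES:
        if low <= port <= high:
            return low, high
    raise ValueError(f"invalid port {port}")


@dataclass
class PatTable:
    global_ip: str
    # (proto, global_port) -> (inside_ip, inside_port); one table per global address
    xlate: dict = field(default_factory=dict)

    def translate(self, proto, inside_ip, inside_port):
        """Allocate a global port for a new session; return (global_ip, global_port)."""
        low, high = port_range(inside_port)
        if (proto, inside_port) not in self.xlate:
            chosen = inside_port                      # preference 1: keep original port
        else:
            # preference 2: scan the same range from its start (assumption: skip port 0)
            chosen = next((p for p in range(max(low, 1), high + 1)
                           if (proto, p) not in self.xlate), None)
            if chosen is None:
                raise RuntimeError(f"{proto} range {low}-{high} exhausted on {self.global_ip}")
        self.xlate[(proto, chosen)] = (inside_ip, inside_port)
        return self.global_ip, chosen

    def untranslate(self, proto, global_port):
        """Reverse lookup for a returning packet, like a 'show xlate' entry."""
        return self.xlate.get((proto, global_port))


def demo():
    # Constructed sessions; 192.168.2.253 is the inside global address from the lesson.
    t = PatTable("192.168.2.253")
    a = t.translate("tcp", "192.168.1.10", 40000)  # free -> keeps 40000
    b = t.translate("tcp", "192.168.1.11", 40000)  # taken -> first free in 1024-65535
    c = t.translate("tcp", "192.168.1.12", 40000)  # taken -> next free, 1025
    d = t.translate("udp", "192.168.1.10", 40000)  # UDP table is separate -> keeps 40000
    e = t.translate("tcp", "192.168.1.13", 80)     # low range, free -> keeps 80
    f = t.translate("tcp", "192.168.1.14", 80)     # low range collision -> scans from 1
    return a, b, c, d, e, f
```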

Hi Rene,
This was the interface NAT, but I couldn't find the Port Address Translation, where the traffic will start using the port numbers to identify each server/host inside the LAN. Could you please suggest where I am going wrong in my understanding?

Hello Praveen

From the moment that Rene configured the inside portion of the object to contain a subnet with IP addresses ranging from 192.168.1.0 to 255.255.255.0, and the outside portion using a single IP address (using either the IP address itself or the interface keyword), PAT has indeed been configured. This is because we have a many-to-one mapping of inside to outside addresses, and the only way this can be achieved is by using Transport Layer port numbers to distinguish between communications. The output of the show xlate command shows how the inside address has been translated to the outside address/port number pair.

I hope this has been helpful!

Laz

Yeah, I can now imagine what he was trying to do. Thanks!


1)

object network test
 host 10.0.2.10

object network test
 nat (any, outside) dynamic interface

2)

ASA1(config)# object network INSIDE
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic 192.168.2.253

Hi, what is the difference between 1 and 2?

Thanks