Cisco ASA Static NAT Configuration


(Rene Molenaar) #1

This topic is to discuss the following lesson:


(sims) #2

Hi Rene ,

Could you explain twice NAT and its use cases as well?

Thank you


(Rene Molenaar) #3

Hi Sims,

I will, added it to the list.

Rene


(asi m) #4

Hi Rene,

Need help again, so it's NAT this time.

ASA1(config)# object network WEB_SERVER
ASA1(config-network-object)# host 192.168.1.1
ASA1(config-network-object)# nat (DMZ,OUTSIDE) static 192.168.2.200

Let’s call this statement A.

The configuration above tells the ASA that whenever an outside device connects to IP address 192.168.2.200
that it should be translated to IP address 192.168.1.1.

ASA1(config)# object network DMZ
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (DMZ,OUTSIDE) static PUBLIC_POOL

Let’s call this statement B.

The configuration above tells the ASA to translate any IP address from the subnet DMZ (192.168.1.0 /24) to an
IP address in the PUBLIC_POOL (10.10.10.0 /24).

Both NAT statements are similar, except one has an IP and the other has a pool.

statement-A is performing translation for the inbound traffic
statement-B is performing translation for outbound traffic

My question is: what part of the command makes the ASA perform translation on inbound or outbound traffic, and on which interface?


(Rene Molenaar) #5

Hi Asi,

The first statement tells the ASA that a device with IP address 192.168.1.1 on the DMZ has to be translated to 192.168.2.200 which is on the outside. On the interfaces we configured to which security-zone it belongs (INSIDE, DMZ or OUTSIDE).

The direction doesn’t matter…from the outside you can connect to 192.168.2.200 and it will be translated to 192.168.1.1. When 192.168.1.1 initiates traffic that goes from DMZ > outside then it also gets translated to 192.168.2.200. The only thing the ASA cares about is what to translate.

The same thing applies to the second statement except that the first time when traffic goes from DMZ to OUTSIDE, an IP address from the pool is selected. When the translation is in place, you can also connect from the outside to the pool address if you want…the ASA only cares about what to translate.

Rene


(asi m) #6

Hi Rene, thanks for the reply.
I got most of it. Actually my confusion started by reading the following configuration from Cisco. Lastly, if you can explain short and simple what REAL_ifc and MAPPED_ifc are in the example below, this will make it crystal clear.

Thanks in Advance
nat (real_ifc,mapped_ifc) dynamic mapped_obj [interface] [dns]

Example:
hostname (config-network-object)# nat (inside,outside) dynamic MAPPED_IPS interface
Configures dynamic NAT for the object IP addresses. See the following guidelines:

***Interfaces —If you do not specify the real and mapped interfaces, all interfaces are used. You can also specify the keyword any for one or both of the interfac


(Rene Molenaar) #7

Hi Asi,

The mapped interface is the “exit” interface of the traffic. When traffic goes from a host on the INSIDE > OUTSIDE then it is translated.

Rene


(asi m) #8

Hi Rene, can you explain this one please?

If I am writing an object NAT, from what basis can I make the decision to use the order of INTERFACE in my NAT command?

(INSIDE,OUTSIDE)
(OUTSIDE,INSIDE)
(INSIDE,DMZ)
(DMZ,OUTSIDE)

How can I decide which interface name to use first and second in the NAT command? For example, nat (which interface will be used here, which interface will this be here)?


(Rene Molenaar) #9

Hi Asi,

As a rule of thumb, you can use (INSIDE,OUTSIDE) or (DMZ,OUTSIDE) when you want to translate the entire subnet of your INSIDE or DMZ to a public IP address.

(OUTSIDE,INSIDE) or (OUTSIDE,DMZ) can be used for port forwarding.

Rene


(asi m) #10

Hi Rene

Can you please outline the difference between the configurations below, as both NAT rules map a subnet from the LAN to an outside pool/subnet?

ASA1(config)# object network INTERNAL
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic PUBLIC_POOL
ASA1(config)# object network DMZ
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (DMZ,OUTSIDE) static PUBLIC_POOL

(Rene Molenaar) #11

Hi Asi,

The configuration is exactly the same. The only difference is the source. In the first example you are matching traffic from the INSIDE zone, the second one is for the DMZ.

Rene


(asi m) #12

Thanks for the response

I was looking at NAT statements where one is nat (inside,outside) dynamic and the other is nat (inside,outside) static; both commands achieve pool-to-pool mapping, or let's say subnet-to-pool mapping.

Dynamic maps from pool to pool and static maps one-to-one, but here we are using static to map a whole subnet to a pool of IP addresses, which is more of a job for dynamic NAT.


(asi m) #13

Hi Rene,

Can you please comment on the above? I would also like to ask: in a scenario where static NAT is performed and the mapped pool does not have the same number of IPs as the real pool, what is the outcome?


(Rene Molenaar) #14

Hi Asi,

When you run out of IP addresses for your static NAT, you should get pool exhaustion messages on your ASA and you won’t be able to translate anything anymore. Static NAT is 1:1 translation.

If you use dynamic NAT, then you can add the “interface” parameter at the end of your NAT rule. This will enable “PAT fallback” in case your pool is exhausted.

Rene
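
The two points made in Rene's replies #5 and #14 above, that a static translation works in both directions as soon as it is configured while a dynamic pool address only becomes reachable from the outside after the first outbound flow creates the xlate, and that an exhausted dynamic pool stops translating unless the rule carries the `interface` keyword for PAT fallback, can be checked against a small model of the xlate table. This is an added example written for this page, not code from the lesson, the forum posts or Cisco; the interface names, the 192.168.2.1 OUTSIDE address and the deliberately tiny 10.10.10.0/30 pool are made-up lab values, and the model leaves out everything else the real ASA does (access-lists, xlate timeouts, twice NAT, NAT table ordering).

```python
"""Toy model of the ASA object-NAT xlate table. Added example, not Cisco or lesson code;
interface names, addresses and the deliberately tiny /30 pool are made-up lab values."""
from dataclasses import dataclass, field
import ipaddress
from typing import Dict, List, Optional, Tuple

Addr = ipaddress.IPv4Address
Xlate = Tuple[str, Addr, Optional[int]]  # (mapped_ifc, mapped_ip, PAT port or None)


@dataclass
class NatRule:
    real_ifc: str
    mapped_ifc: str
    real: ipaddress.IPv4Network    # object network (a host object is a /32)
    kind: str                      # "static" or "dynamic"
    mapped: ipaddress.IPv4Network  # mapped host or pool
    pat_fallback: bool = False     # the `interface` keyword on a dynamic rule


def _fmt(xlate: Xlate) -> str:
    _, ip, port = xlate
    return f"{ip}:{port}" if port is not None else str(ip)


@dataclass
class Asa:
    interface_ip: Dict[str, Addr]  # per-interface address, used for PAT fallback
    rules: List[NatRule] = field(default_factory=list)
    xlates: Dict[Tuple[str, Addr], Xlate] = field(default_factory=dict)  # (real_ifc, real_ip) -> xlate
    next_pat_port: int = 1024
    log: List[str] = field(default_factory=list)  # this model's own messages, not ASA syslog text

    def add_rule(self, rule: NatRule) -> None:
        self.rules.append(rule)
        if rule.kind == "static":
            # Static NAT: 1:1 xlates exist as soon as the rule is configured, so inbound to the
            # mapped address works before any outbound flow. If the real subnet is larger than
            # the mapped one, zip() simply leaves the surplus real hosts without a translation.
            for real_ip, mapped_ip in zip(rule.real, rule.mapped):
                self.xlates[(rule.real_ifc, real_ip)] = (rule.mapped_ifc, mapped_ip, None)
            if rule.real.num_addresses > rule.mapped.num_addresses:
                self.log.append(f"static {rule.real} -> {rule.mapped}: mapped pool too small")

    def _free_pool_addr(self, rule: NatRule) -> Optional[Addr]:
        in_use = {m_ip for (m_ifc, m_ip, _) in self.xlates.values() if m_ifc == rule.mapped_ifc}
        return next((a for a in rule.mapped.hosts() if a not in in_use), None)

    def translate(self, real_ifc: str, real_ip: str, mapped_ifc: str) -> Optional[str]:
        """Flow from real_ifc leaving via mapped_ifc: mapped 'ip' or 'ip:port', None if untranslatable."""
        src = Addr(real_ip)
        hit = self.xlates.get((real_ifc, src))
        if hit is not None and hit[0] == mapped_ifc:
            return _fmt(hit)  # static xlate, or a dynamic xlate built by an earlier flow
        for rule in self.rules:
            if (rule.kind != "dynamic" or (rule.real_ifc, rule.mapped_ifc) != (real_ifc, mapped_ifc)
                    or src not in rule.real):
                continue
            addr = self._free_pool_addr(rule)
            if addr is not None:
                self.xlates[(real_ifc, src)] = (mapped_ifc, addr, None)
            elif rule.pat_fallback:  # pool exhausted: PAT on the mapped interface's own address
                self.xlates[(real_ifc, src)] = (mapped_ifc, self.interface_ip[mapped_ifc], self.next_pat_port)
                self.next_pat_port += 1
            else:
                self.log.append(f"dynamic pool {rule.mapped} exhausted, {src} not translated")
                return None
            return _fmt(self.xlates[(real_ifc, src)])
        return None

    def untranslate(self, mapped_ifc: str, mapped_ip: str, port: Optional[int] = None):
        """Packet arriving on mapped_ifc: (real_ifc, real_ip) if an xlate exists, else None (dropped)."""
        dst = Addr(mapped_ip)
        for (real_ifc, real_ip), xlate in self.xlates.items():
            if xlate == (mapped_ifc, dst, port):
                return real_ifc, str(real_ip)
        return None


def build_lab(pat_fallback: bool = False) -> Asa:
    asa = Asa(interface_ip={"OUTSIDE": Addr("192.168.2.1")})
    asa.add_rule(NatRule("DMZ", "OUTSIDE", ipaddress.ip_network("192.168.1.1/32"),
                         "static", ipaddress.ip_network("192.168.2.200/32")))
    asa.add_rule(NatRule("INSIDE", "OUTSIDE", ipaddress.ip_network("192.168.10.0/24"),
                         "dynamic", ipaddress.ip_network("10.10.10.0/30"), pat_fallback))
    return asa


def demo() -> dict:
    asa = build_lab()
    r = {"static_inbound": asa.untranslate("OUTSIDE", "192.168.2.200"),   # works with no prior traffic
         "static_outbound": asa.translate("DMZ", "192.168.1.1", "OUTSIDE"),
         "dyn_inbound_before": asa.untranslate("OUTSIDE", "10.10.10.1"),  # no xlate yet -> None
         "dyn_first": asa.translate("INSIDE", "192.168.10.5", "OUTSIDE"),
         "dyn_inbound_after": asa.untranslate("OUTSIDE", "10.10.10.1"),
         "dyn_second": asa.translate("INSIDE", "192.168.10.6", "OUTSIDE"),
         "dyn_third_exhausted": asa.translate("INSIDE", "192.168.10.7", "OUTSIDE")}
    asa_pat = build_lab(pat_fallback=True)  # same dynamic rule, now with the `interface` keyword
    for host in ("192.168.10.5", "192.168.10.6"):
        asa_pat.translate("INSIDE", host, "OUTSIDE")
    r["dyn_third_pat"] = asa_pat.translate("INSIDE", "192.168.10.7", "OUTSIDE")
    return r
```

Calling `demo()` shows the static mapping answering inbound before any traffic has left the DMZ, the pool address 10.10.10.1 being unreachable from the outside until 192.168.10.5 has started a flow, the third inside host getting no translation once the /30 pool's two usable addresses are taken, and the same host getting 192.168.2.1 with a port once the rule has the `interface` keyword. One caveat the model deliberately does not hide: an existing xlate only says how to translate; on a real ASA the inbound connection still has to be permitted by the access-list applied to the mapped interface, and on ASA 8.3 and later that access-list is written against the real (untranslated) address.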


(PALANIAPPAN M) #15

Hi Rene

In the NAT table of the ASA, why are the subnets shown as /23? We are using /24.

ASA1# nat: untranslation - OUTSIDE:10.10.10.3/23 to DMZ:192.168.1.3/23 (xp:0xab2b3980, policy:0xad2632a0)

Thanks
Palani


(Rene Molenaar) #16

Hmm that is a good question. I just labbed it up again to make sure it wasn’t a copy/paste mistake or anything. It still shows up as /23. No idea why the ASA shows it like this…perhaps a cosmetic bug.


(Mohammad Hasanuz Zaman) #17

Dear Rene,

In my network I have added an ASA 5525-X FW, and behind the FW there is a softswitch and an Asterisk server. The FW simply performs a double NAT operation. In this setup I saw an IP phone to IP phone call connecting properly, meaning signalling is OK, but there is no voice. I assume RTP is being blocked on the FW. For your information, the FW is simply doing a double NAT operation. Is there any configuration on the FW end to pass RTP packets? Can you please help me sort out the issue?


(Rene Molenaar) #18

Hi Mohammad,

RTP/SIP and NAT is a pain…they never thought about NAT when SIP was designed.

The problem is that the private IP address will be visible in the SDP (Session Description Protocol) of SIP, and the device on the other end won't be able to send RTP packets to your end.

On your ASA, you can try to play with the inspect sip command. This inspects the SIP header and makes required changes…sometimes it works, other times you have to disable SIP inspection and use some access-list to accept the return traffic.

Rene


(Mohammad Hasanuz Zaman) #19

Thanks Rene. I sorted out the issue when capturing the packets. Many thanks.


(Michael M) #20

Hi Rene,

For static NAT, does it matter if the direction of the NAT is from low to high or high to low?
What I mean is say for example:

nat (inside,outside) static – 100 to 0
nat (outside,inside) static – 0 to 100

Because to me static NAT is bidirectional, it shouldn't matter in which direction traffic is initiated. Do you agree, or should static NAT be from high to low in the config?