Cisco ASA Static NAT Configuration

ReneMolenaar · August 29, 2016, 5:31pm

Hi Mohammad,

RTP/SIP and NAT is a pain…they never thought about NAT when SIP was designed.

The problem is that the private IP address will be visible in the SDP (Session Description Protocol) of SIP, and the device on the other end won’t be unable to send RTP packets to your end.

On your ASA, you can try to play with the inspect sip command. This inspects the SIP header and makes required changes…sometimes it works, other times you have to disable SIP inspection and use some access-list to accept the return traffic.

Rene

Zaman.rubd · September 7, 2016, 9:19am

Thanks Rene . I have sorted out the issue when capturing the packet.Many Thanks

michmoor · September 17, 2016, 12:18am

Hi Rene,

For static NAT, does it matter if the direction of the nat is from low to high or high to low.
What I mean is say for example:

nat (inside,outside) static – 100 to 0
nat (outside,inside) static – 0 to 100

Because to me static nat is bi directional it shouldnt matter which direction traffic is initated. Do you agree or should snat be from High to low in the config?

maher1 · September 26, 2016, 11:09am

Hi Michael,

Normally it should work as Rene has previously explained because the direction doesn’t matter for the ASA, the only thing that matters is what to translate. If you want that the request is sourced from the inside, you can specify “unidirectional” by end of the command of nat(inside,outside) static so the destination addresses cannot initiate traffic to the source addresses.

Hope this can help.

shantel · December 27, 2016, 4:57pm

19 posts were merged into an existing topic: Cisco ASA Static NAT Configuration

ReneMolenaar · August 4, 2017, 6:34am

A post was merged into an existing topic: Cisco ASA NAT Port Forwarding

naveedmasood2000 · November 6, 2017, 9:55am

I need help please

I am using the same topology but but unable to telnet 192.168.2.200 there is an an error % Connection timed out; remote host not responding

lagapides · November 8, 2017, 7:34am

Hello Naveed

Make sure that all of the commands you have entered are as described in the lesson. Keep in mind also that you will require the use of an access list to allow the traffic to go through, otherwise it will be dropped. Specifically, for ASA versions before 8.3, you will need to issue the following command:

ASA1(config)# access-list OUTSIDE_TO_DMZ extended permit tcp any host 192.168.1.1

For version 8.3 and later, you will have to substitute the “real” IP address for the “NAT translated” address. So the command would look like this:

ASA1(config)# access-list OUTSIDE_TO_DMZ extended permit tcp any host 192.168.2.200

Depending on the version you have, you should put in the appropriate command.

Try it out and let us know your results!

I hope this has been helpful!

Laz

naveedmasood2000 · November 9, 2017, 11:45am

Thanks sorted out this problem

sims · December 17, 2017, 8:00pm

Hi,

ASA1(config)# object network WEB_SERVER
ASA1(config-network-object)# host 192.168.1.1
ASA1(config-network-object)# nat (DMZ,OUTSIDE) static 192.168.2.200

Let’s say I have one more subnet 192.168.3.0 wants to nat DMZ host 192.168.1.10 in the same scenario.What we have to do in this case?

Thanks

ReneMolenaar · December 20, 2017, 4:07pm

Hi Sims,

You want users in 192.168.3.0 to reach 192.168.1.10 through 192.168.2.200? Where is your 192.168.3.0 subnet located?

Rene

sims · December 21, 2017, 5:42am

Hi,
I’ ll advertise the network in the internet edge router .
and create static route to asa
In asa do nat

ASA1(config)# object network WEB_SERVER
ASA1(config-network-object)# host 192.168.1.1
ASA1(config-network-object)# nat (DMZ,OUTSIDE) static 192.168.3.200

Thanks

ReneMolenaar · December 21, 2017, 10:07am

This will make your host at 192.168.1.1 reachable through 192.168.3.200 yes.

ksschaitanyakumar · February 26, 2018, 5:42am

Hi Rene,

This demonstrates that each IP address in the pool is translated to the “same” IP address in the DMZ. For example:

10.10.10.1 > 192.168.1.1
10.10.10.3 > 192.168.1.3
10.10.10.200 > 192.168.1.200
etc.

How is this gonna happen exactly 10.1 to 1.1, 10.2 to 1.2 etc…?
What if we have more than 255 servers hosted in our DMZ, i.e. pool of ip exhausted?

ReneMolenaar · March 5, 2018, 3:03pm

Hi Siva,

The ASA tries to do a 1:1 mapping, here’s a quick example:

R2#telnet 10.10.10.55

ASA1#
nat: untranslation - OUTSIDE:10.10.10.55/23 to DMZ:192.168.1.55/23 (xp:0x00007f84fc2ea0c0, policy:0x00007f84fda09fd0)

You can see it translates 10.10.10.55 to 192.168.1.55. Here is another example:

ASA1#
nat: untranslation - OUTSIDE:10.10.10.88/23 to DMZ:192.168.1.88/23 (xp:0x00007f84fc2ea0c0, policy:0x00007f84fda09fd0)

Same thing for .88.

This is a 1:1 static NAT so if you don’t have enough IP addresses in your pool, you’ll need to use PAT (port forwarding) instead.

Rene

pavanc.08 · March 25, 2018, 7:34am

Do the above examples define static nat bi-directional?

Also If it translates to IP address in DMZ, what will the packet be like this since IP is already assigned to the host?

pavanc.08 · March 25, 2018, 8:00am

We are translating 192.168.2.200 to 192.168.1.1 to reach the same…normally as explained is translating adress is equal to the webserver ip… in am confused

ReneMolenaar · April 3, 2018, 12:58pm

Hi Pavan,

This is not bi-directional NAT since we only translate one address here. If you use static NAT then you have a 1:1 relation, you can’t use the IP address for any other devices. If that’s what you want, you need to use PAT instead.

As to why we translate like this. Imagine the outside IP address is not 192.168.2.254 but some public IP address. If you want the web server to be reachable from the outside world, you’ll have to use NAT since the web server is using a private IP address.

m.berete · May 3, 2018, 6:48am

I’m new here, how can I save a lesson or add it to favorite list please ?

Thanks

ReneMolenaar · May 11, 2018, 12:05pm

Hello Moussa,

We have a member ideas list here where you can create new ideas or vote on others:

Rene