Cisco ASA Static NAT Configuration

Hello Ankit,

If you run into issues with NAT or packet drops, check xlate and packet tracer first. Here’s an example where I use it for the config in this lesson:

Verify that my NAT rules are correct:

ASA1# show xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from DMZ:192.168.3.1 80-80 to OUTSIDE:192.168.2.254 80-80
    flags sr idle 0:03:27 timeout 0:00:00
TCP PAT from DMZ:192.168.3.3 22-22 to OUTSIDE:192.168.2.254 10022-10022
    flags sr idle 0:00:03 timeout 0:00:00

Verify that I can connect. In my case, TCP 192.168.2.254:10022 translates to 192.168.3.3:22:

ASA1# packet-tracer input OUTSIDE tcp 192.168.2.2 12345 192.168.2.254 10022

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network SSH_SERVER
 nat (DMZ,OUTSIDE) static interface service tcp ssh 10022 
Additional Information:
NAT divert to egress interface DMZ
Untranslate 192.168.2.254/10022 to 192.168.3.3/22

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_SERVERS in interface OUTSIDE
access-list DMZ_SERVERS extended permit tcp any host 192.168.3.3 eq ssh 
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW 
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: QOS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network SSH_SERVER
 nat (DMZ,OUTSIDE) static interface service tcp ssh 10022 
Additional Information:

Phase: 7
Type: QOS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 3, packet dispatched to next module

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow

If something gets natted when it shouldn’t, or doesn’t get natted when it should, it’ll show up. If an access-list drops something, it will show.

Let’s break down this line:

nat (outside,inside_1) source static any any destination static interface inside-server service RDP-33320 RDP-3389 no-proxy-arp

We translate traffic routed from the outside to the inside:

nat (outside,inside_1)

We do static nat (1:1):

source static

For any source:

any

For this mapped source:

any

For this destination:

destination static interface inside-server

Where inside-server is an object with probably the IP address of your server?

For real service:

service RDP-33320

That probably has TCP 33320.

And mapped service:

RDP-3389

That probably has TCP 3389. You don’t want the ASA to respond to ARP requests for IP addresses that belong to the subnet of the interface:

no-proxy-arp

I tried a similar NAT rule like yours:

nat (OUTSIDE,DMZ) source static any any destination static interface TELNET_SERVER service TCP_10023 TCP_23

It installs two entries:

ASA1(config)# show xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from OUTSIDE:0.0.0.0/0 0 to DMZ:0.0.0.0/0 0
    flags srIT idle 0:00:40 timeout 0:00:00
TCP PAT from DMZ:192.168.3.3 23-23 to OUTSIDE:192.168.2.254 10023-10023
    flags srT idle 0:00:40 timeout 0:00:00

If you look at the first line, you can see it adds an Identity NAT entry:

Identity NAT translates the real IP address to the same IP address. Only “translated” hosts can create NAT translations and responding traffic is allowed back.

This messes up your Internet access: it translates your private IP address to the same private IP address.

Your port translation partly works. When you connect to TCP 33320, it gets translated to TCP 3389.

Also, make sure you have an access-list that permits the real port number, not the translated one.

Your internet NAT line works:

nat (any,outside) source dynamic any-inside-networks interface description Allow Inside to Ouside

And shows up like this:

ASA1(config)# show xlate
3 in use, 4 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from OUTSIDE:0.0.0.0/0 to any:0.0.0.0/0
    flags sIT idle 0:00:47 timeout 0:00:00

If you want to get port forwarding and Internet access working, I would remove both NAT entries and replace them with this:

object network inside-server
 nat (DMZ,OUTSIDE) static interface service tcp 3389 33320 
object network any-inside-networks
 nat (DMZ,OUTSIDE) dynamic interface

And an access-list that permits TCP 3389. That’s all you need.

Hope this helps!

Rene
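As an added example (not part of Rene's post or the lesson), a small Python parser for the "show xlate" output discussed above: it pairs each translation line with its flags, flags the broad identity entry (flag I, real side 0.0.0.0/0) that the "source static any any" twice NAT rule installs, and looks up the real port an access-list must permit for a given mapped port. The sample output is constructed from the entries quoted in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the 'show xlate' output quoted in the post.
SAMPLE_XLATE = """\
3 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from OUTSIDE:0.0.0.0/0 0 to DMZ:0.0.0.0/0 0
    flags srIT idle 0:00:40 timeout 0:00:00
TCP PAT from DMZ:192.168.3.3 23-23 to OUTSIDE:192.168.2.254 10023-10023
    flags srT idle 0:00:40 timeout 0:00:00
NAT from OUTSIDE:0.0.0.0/0 to any:0.0.0.0/0
    flags sIT idle 0:00:47 timeout 0:00:00
"""

# Translation line: optional protocol, PAT/NAT, real side, optional port, mapped side.
ENTRY_RE = re.compile(
    r"^(?:(?P<proto>[A-Z]+) )?(?:PAT|NAT) from (?P<rif>[^:\s]+):(?P<rip>\S+)"
    r"(?: (?P<rport>\d+)(?:-\d+)?)? to (?P<mif>[^:\s]+):(?P<mip>\S+)"
    r"(?: (?P<mport>\d+)(?:-\d+)?)?$"
)
FLAGS_RE = re.compile(r"^\s+flags (?P<flags>\S+) idle")

@dataclass
class Xlate:
    proto: Optional[str]
    real_if: str
    real_ip: str
    real_port: Optional[int]
    mapped_if: str
    mapped_ip: str
    mapped_port: Optional[int]
    flags: str

def _port(value: Optional[str]) -> Optional[int]:
    """Port 0 (or no port at all) means the entry carries no port."""
    return int(value) if value and int(value) != 0 else None

def parse_xlate(text: str) -> List[Xlate]:
    """Pair each translation line with the 'flags ...' line that follows it."""
    entries: List[Xlate] = []
    pending = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        f = FLAGS_RE.match(line)
        if f and pending:
            g = pending
            entries.append(Xlate(g["proto"], g["rif"], g["rip"], _port(g["rport"]),
                                 g["mif"], g["mip"], _port(g["mport"]), f["flags"]))
            pending = None
    return entries

def broad_identity_entries(entries: List[Xlate]) -> List[Xlate]:
    """Identity (I) translations whose real side is 0.0.0.0/0: the entries a
    'source static any any' rule installs, which break Internet access."""
    return [e for e in entries if "I" in e.flags and e.real_ip.endswith("/0")]

def real_port_for(entries: List[Xlate], mapped_if: str, mapped_port: int) -> Optional[int]:
    """Real (pre-translation) port an access-list must permit for a mapped port."""
    for e in entries:
        if e.mapped_if == mapped_if and e.mapped_port == mapped_port:
            return e.real_port
    return None
```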