Cisco ASA Static NAT Configuration

Hi,

ASA1(config)# object network WEB_SERVER
ASA1(config-network-object)# host 192.168.1.1
ASA1(config-network-object)# nat (DMZ,OUTSIDE) static 192.168.2.200

Let’s say I have one more subnet, 192.168.3.0, that wants to NAT the DMZ host 192.168.1.10 in the same scenario. What do we have to do in this case?

Thanks

Hi Sims,

You want users in 192.168.3.0 to reach 192.168.1.10 through 192.168.2.200? Where is your 192.168.3.0 subnet located?

Rene

Hi,
I’ll advertise the network on the Internet edge router and create a static route to the ASA. In the ASA, do NAT:

ASA1(config)# object network WEB_SERVER
ASA1(config-network-object)# host 192.168.1.1
ASA1(config-network-object)# nat (DMZ,OUTSIDE) static 192.168.3.200

Thanks

This will make your host at 192.168.1.1 reachable through 192.168.3.200, yes.

Hi Rene,

This demonstrates that each IP address in the pool is translated to the “same” IP address in the DMZ. For example:

10.10.10.1 > 192.168.1.1
10.10.10.3 > 192.168.1.3
10.10.10.200 > 192.168.1.200
etc.

How exactly is this going to happen, 10.1 to 1.1, 10.2 to 1.2, etc.?
What if we have more than 255 servers hosted in our DMZ, i.e. the IP pool is exhausted?

Hi Siva,

The ASA tries to do a 1:1 mapping, here’s a quick example:

R2#telnet 10.10.10.55

ASA1#
nat: untranslation - OUTSIDE:10.10.10.55/23 to DMZ:192.168.1.55/23 (xp:0x00007f84fc2ea0c0, policy:0x00007f84fda09fd0)

You can see it translates 10.10.10.55 to 192.168.1.55. Here is another example:

ASA1#
nat: untranslation - OUTSIDE:10.10.10.88/23 to DMZ:192.168.1.88/23 (xp:0x00007f84fc2ea0c0, policy:0x00007f84fda09fd0)

Same thing for .88.

This is a 1:1 static NAT so if you don’t have enough IP addresses in your pool, you’ll need to use PAT (port forwarding) instead.

Rene

Do the above examples define static NAT as bi-directional?

Also, if it translates to an IP address in the DMZ, what will the packet look like, since that IP is already assigned to the host?

We are translating 192.168.2.200 to 192.168.1.1 to reach the same host… normally, as explained, the translated address is equal to the web server IP… I am confused.

Hi Pavan,

This is not bi-directional NAT since we only translate one address here. If you use static NAT then you have a 1:1 relation, you can’t use the IP address for any other devices. If that’s what you want, you need to use PAT instead.

As to why we translate like this. Imagine the outside IP address is not 192.168.2.254 but some public IP address. If you want the web server to be reachable from the outside world, you’ll have to use NAT since the web server is using a private IP address.

I’m new here, how can I save a lesson or add it to favorite list please ?

Thanks

Hello Moussa,

We have a member ideas list here where you can create new ideas or vote on others:

Rene

Hi Rene,
When you say the direction does not matter, does that mean that writing the command as (inside,outside) or (outside,inside) becomes irrelevant? If I compare what you explain when the outside client wants to connect to the DMZ server inside, your NAT statement is

ASA1(config-network-object)# nat (DMZ,OUTSIDE) static 192.168.2.200

whereas on this link, under the second example:

NAT for Inside Hosts (Dynamic NAT) and NAT for an Outside Web Server (Static NAT)
Step 5
Configure static NAT for the web server.

hostname(config-network-object)# nat (outside,inside) static 10.1.2.20

it’s the other way round? Please explain.

Hello Naila

Let’s look again at the example that Rene was referring to:

ASA1(config)# object network WEB_SERVER
ASA1(config-network-object)# host 192.168.1.1
ASA1(config-network-object)# nat (DMZ,OUTSIDE) static 192.168.2.200

This statement will cause a translation from host 192.168.1.1 which is on the DMZ to be translated to a static external IP address of 192.168.2.200. This translation functions both ways, meaning that when 192.168.1.1 communicates with devices on the outside, the source address of this communication will be translated to 192.168.2.200, and when any outside devices communicate with 192.168.2.200, this destination address will be translated to 192.168.1.1.

This does not mean that we can switch the DMZ and OUTSIDE keywords in the NAT command and get the same result. The results will indeed be different.

For example, if the following was configured;

ASA1(config)# object network WEB_SERVER
ASA1(config-network-object)# host 192.168.1.1
ASA1(config-network-object)# nat (OUTSIDE, DMZ) static 192.168.2.200

This statement will cause a translation from host 192.168.1.1 which is on the OUTSIDE to be translated to a static IP address of 192.168.2.200 on the DMZ. This means that when 192.168.1.1 communicates with devices on the DMZ, the source address of this communication will be translated to 192.168.2.200, and when any DMZ devices communicate with 192.168.2.200, this destination address will be translated to 192.168.1.1.

I hope this has been helpful!

Laz

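
To make the two directions concrete, here is an added example (not code from the thread or from Cisco) that models how one object NAT statement is applied to a packet arriving on either interface, and what changes when the interface pair is flipped. The ObjectNat and Packet types and the apply_object_nat function are my own constructs; the addresses are the ones from the lesson.

```python
# Added example: a small model of an ASA object NAT statement
# "nat (real_ifc,mapped_ifc) static mapped_ip" for a "host real_ip" object.
# It is a teaching model, not ASA code; rules and packets are constructed here.
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class ObjectNat:
    real_ifc: str    # interface the real host (the object) sits behind
    mapped_ifc: str  # interface on which the mapped address is visible
    real_ip: str     # the object's "host" address
    mapped_ip: str   # the "static" mapped address

@dataclass(frozen=True)
class Packet:
    ingress: str     # interface the packet arrived on
    src: str
    dst: str

def apply_object_nat(rule: ObjectNat, pkt: Packet) -> Optional[Packet]:
    """Return the translated packet, or None when the rule does not match.

    Forward: the real host sends from real_ifc, so its source becomes mapped_ip.
    Reverse: a host on mapped_ifc sends to mapped_ip, so the destination is
    un-translated back to real_ip. Both come from the same single statement.
    """
    if pkt.ingress == rule.real_ifc and pkt.src == rule.real_ip:
        return replace(pkt, src=rule.mapped_ip)
    if pkt.ingress == rule.mapped_ifc and pkt.dst == rule.mapped_ip:
        return replace(pkt, dst=rule.real_ip)
    return None

# The lesson's rule: nat (DMZ,OUTSIDE) static 192.168.2.200 for host 192.168.1.1
DMZ_TO_OUTSIDE = ObjectNat("DMZ", "OUTSIDE", "192.168.1.1", "192.168.2.200")
# Same addresses, interface pair flipped: nat (OUTSIDE,DMZ) static 192.168.2.200
OUTSIDE_TO_DMZ = ObjectNat("OUTSIDE", "DMZ", "192.168.1.1", "192.168.2.200")

if __name__ == "__main__":
    outside_client = Packet("OUTSIDE", "192.168.2.2", "192.168.2.200")
    print(apply_object_nat(DMZ_TO_OUTSIDE, outside_client))  # dst -> 192.168.1.1
    print(apply_object_nat(OUTSIDE_TO_DMZ, outside_client))  # None: host expected on OUTSIDE
```

With the flipped rule the same outside client is no longer matched at all; instead a DMZ host sending to 192.168.2.200 would be un-translated to 192.168.1.1, exactly the behaviour described above.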

Thanks, I think it makes sense now. Flipping the order inside (inside,outside) changes the whole meaning of the direction of the traffic and also the respective NATting.

One more question.
When we define a static host entry on the inside and refer to it in the NAT statement, are we saying it will use the host IP address?

e.g

object network myServer
 host 192.168.1.1
 nat (inside,outside) static 10.10.10.100

Does this mean that the NAT statement already knows that when we type “inside”, it should pick the IP address from the network object to be used as the source?

I get the idea but just want to confirm the flow of how to read the NAT statement.

If the traffic was coming from outside to this web server, the above should still work as it’s bidirectional.
Am I right?

Thanks

Hello Naila

Yes, you are absolutely correct!

Laz


Hello

nat (outside,inside_1) source static any any destination static interface inside-server service RDP-33320 RDP-3389 no-proxy-arp

Can you please explain this NAT rule?

I have already asked you guys the question below in a different forum, I don’t know where. It only works through the above NAT rule.

We are configuring a new ASA 5506 and this is our topology.
We are having some serious issues accessing remote desktop from outside.

nat (any,outside) source dynamic any-inside-networks interface description Allow Inside to Ouside

We use the above rule to allow Internet access from inside to outside. It works, and it is at number 1 in the NAT rules.

Now we have a few servers that we would like to access from outside, so we were trying to open ports.
We created network object NAT rules and access-lists for that. For some reason it didn’t work, so we created a manual NAT before the network object NAT rules. It only works when it is at number 1. That’s fine, but then our Internet access stops working.

So we don’t have any idea what we are doing wrong.

If someone can help me ASAP, because we are planning to deploy ASAP.

Hello Ankit,

If you run into issues with NAT or packet drops, check xlate and packet tracer first. Here’s an example where I use it for the config in this lesson:

Verify that my NAT rules are correct:

ASA1# show xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from DMZ:192.168.3.1 80-80 to OUTSIDE:192.168.2.254 80-80
    flags sr idle 0:03:27 timeout 0:00:00
TCP PAT from DMZ:192.168.3.3 22-22 to OUTSIDE:192.168.2.254 10022-10022
    flags sr idle 0:00:03 timeout 0:00:00

Verify that I can connect. In my case, TCP 192.168.2.254:10022 translates to 192.168.3.3:22:

ASA1# packet-tracer input OUTSIDE tcp 192.168.2.2 12345 192.168.2.254 10022

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network SSH_SERVER
 nat (DMZ,OUTSIDE) static interface service tcp ssh 10022 
Additional Information:
NAT divert to egress interface DMZ
Untranslate 192.168.2.254/10022 to 192.168.3.3/22

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_SERVERS in interface OUTSIDE
access-list DMZ_SERVERS extended permit tcp any host 192.168.3.3 eq ssh 
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW 
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: QOS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network SSH_SERVER
 nat (DMZ,OUTSIDE) static interface service tcp ssh 10022 
Additional Information:

Phase: 7
Type: QOS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 3, packet dispatched to next module

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow

If something gets natted when it shouldn’t, or doesn’t get natted when it should…it’ll show up. If an access-list drops something, it will show.

Let’s break down this line:

nat (outside,inside_1) source static any any destination static interface inside-server service RDP-33320 RDP-3389 no-proxy-arp

We translate traffic routed from the outside to the inside:

nat (outside,inside_1)

We do static nat (1:1):

source static

For any source:

any

For this mapped source:

any

For this destination:

destination static interface inside-server

Where inside-server is an object with probably the IP address of your server?

For real service:

service RDP-33320

That probably has TCP 33320

And mapped service:

RDP-3389

That probably has TCP 3389. You don’t want the ASA to respond to ARP requests for IP addresses that belong to the subnet of the interface:

no-proxy-arp

I tried a similar NAT rule like yours:

nat (OUTSIDE,DMZ) source static any any destination static interface TELNET_SERVER service TCP_10023 TCP_23

It installs two entries:

ASA1(config)# show xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from OUTSIDE:0.0.0.0/0 0 to DMZ:0.0.0.0/0 0
    flags srIT idle 0:00:40 timeout 0:00:00
TCP PAT from DMZ:192.168.3.3 23-23 to OUTSIDE:192.168.2.254 10023-10023
    flags srT idle 0:00:40 timeout 0:00:00

If you look at the first line, you can see it adds an Identity NAT entry:

Identity NAT translates the real IP address to the same IP address. Only “translated” hosts can create NAT translations and responding traffic is allowed back.

This messes up your Internet access: it translates your private IP addresses to the same private IP addresses.

Your port translation partly works. When you connect to TCP 33320 then it gets translated to TCP 3389.

Also, make sure you have an access-list that permits the real port number. Not the translated one.

Your internet NAT line works:

nat (any,outside) source dynamic any-inside-networks interface description Allow Inside to Ouside

And shows up like this:

ASA1(config)# show xlate
3 in use, 4 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from OUTSIDE:0.0.0.0/0 to any:0.0.0.0/0
    flags sIT idle 0:00:47 timeout 0:00:00

If you want to get port forwarding and Internet access working, I would remove both NAT entries and replace them with this:

object network inside-server
 nat (DMZ,OUTSIDE) static interface service tcp 3389 33320 
object network any-inside-networks
 nat (DMZ,OUTSIDE) dynamic interface

And an access-list that permits TCP 3389. That’s all you need.

Hope this helps!

Rene
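
The diagnosis above comes from reading show xlate by hand. As an added example (not code from the thread or from Cisco), here is a small Python parser for that output which pairs each entry line with its flags line and picks out the catch-all identity entries (flag I on 0.0.0.0/0) that leave inside hosts untranslated. The Xlate type, parse_xlate and catch_all_identity are my own names; the sample output is constructed from the show xlate lines quoted in this thread.

```python
import re
from dataclasses import dataclass
from typing import List
# Entry line, e.g. "TCP PAT from DMZ:192.168.3.3 23-23 to OUTSIDE:192.168.2.254 10023-10023"
ENTRY_RE = re.compile(
    r"^(?P<kind>(?:TCP |UDP |ICMP )?(?:PAT|NAT)) from "
    r"(?P<real_ifc>[^:]+):(?P<real_ip>\S+)(?: (?P<real_port>\S+))? to "
    r"(?P<mapped_ifc>[^:]+):(?P<mapped_ip>\S+)(?: (?P<mapped_port>\S+))?$")
# Flags line that follows each entry, e.g. "    flags srIT idle 0:00:40 timeout 0:00:00"
FLAGS_RE = re.compile(r"^\s*flags (?P<flags>\S+) idle \S+ timeout \S+$")

@dataclass
class Xlate:
    kind: str        # "TCP PAT", "NAT", ...
    real_ifc: str
    real_ip: str
    mapped_ifc: str
    mapped_ip: str
    flags: str       # letters from the Flags legend (s=static, I=identity, T=twice, ...)

    @property
    def is_identity(self) -> bool:
        return "I" in self.flags   # real address is translated to itself

def parse_xlate(output: str) -> List[Xlate]:
    """Pair each entry line with the flags line after it; header and legend are skipped."""
    lines = [ln for ln in output.splitlines() if ln.strip()]
    entries: List[Xlate] = []
    for i, line in enumerate(lines):
        m = ENTRY_RE.match(line)
        if not m:
            continue
        f = FLAGS_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
        entries.append(Xlate(m["kind"], m["real_ifc"], m["real_ip"],
                             m["mapped_ifc"], m["mapped_ip"], f["flags"] if f else ""))
    return entries

def catch_all_identity(entries: List[Xlate]) -> List[Xlate]:
    """Identity entries covering 0.0.0.0/0: inside hosts leave with their private address."""
    return [e for e in entries if e.is_identity and e.real_ip == "0.0.0.0/0"]

# Constructed sample, assembled from the show xlate lines quoted in the thread.
SAMPLE = """\
2 in use, 2 most used
TCP PAT from OUTSIDE:0.0.0.0/0 0 to DMZ:0.0.0.0/0 0
    flags srIT idle 0:00:40 timeout 0:00:00
TCP PAT from DMZ:192.168.3.3 23-23 to OUTSIDE:192.168.2.254 10023-10023
    flags srT idle 0:00:40 timeout 0:00:00
"""
```

Running catch_all_identity(parse_xlate(SAMPLE)) returns only the first entry, the twice-NAT identity rule installed by the "source static any any" line; the port-forward entry is reported as a normal static PAT.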

Hi Rene,

One question: I understand the NAT concept, I know what static NAT, dynamic NAT and PAT are; also, I know how to configure each type, but I cannot imagine why I should use static NAT. Can you give me a real example where we need a 1 by 1 translation with static NAT instead of PAT? It doesn’t matter if it is a firewall or a router.

Thanks in advance!

Hello Marco

1 to 1 static NAT can be useful if you have an internal server which is running many different services, and if this server is behind a NAT router. Imagine you have a server running a SIP server, web, email, FTP, and Video on Demand, and you want this server to be reachable from the Internet. With a 1 to 1 mapping you have no need to set up multiple ports for each service. You can simply reach the server using a single public IP address, which maps to the particular internal private IP address.

This is especially useful for real time services such as voice and video. For example, for VoIP, SIP may use ports 5060 and 5061, but the voice packets themselves that use RTP can use ports ranging anywhere from 16384 to 32767. So it’s not useful to create PAT translations for all of those ports. There are solutions to this problem to allow voice to function over a PAT translation using features such as Session Traversal Utilities for NAT (STUN), but these can often be complex and time consuming to configure and may require specialized NAT routers/firewalls.

Also, any changes made to such an internal server would require changes to be made to the NAT router to accommodate all of the new translations.

Now one could argue that you can just get a routable IP address and assign it to the internal server directly, but that may be too costly for some users who may simply want to run such a server behind an ADSL or Cable connection.

So 1 to 1 NAT vastly simplifies the provisioning of an Internet-accessible server behind a NAT router especially for real time services.

I hope this has been helpful!

Laz


Hi, Laz!

It has been very helpful! Thank you so much!

Regards.
