Cisco ASA Static NAT Configuration

Hello Naila

Yes you are absolutely correct! :sunglasses:

Laz


Hello

nat (outside,inside_1) source static any any destination static interface inside-server service RDP-33320 RDP-3389 no-proxy-arp

Can you please explain this NAT rule?

I have already asked you guys the question below in a different forum. I don’t know where. It works through the above NAT rule only.

We are configuring a new ASA 5506 and this is our topology.
We are having some serious issues accessing remote desktop from outside.

nat (any,outside) source dynamic any-inside-networks interface description Allow Inside to Ouside

We use the above rule to allow internet from inside to outside. It works and it is at number 1 in the NAT rules.

Now we have a few servers that we would like to access from outside, so we were trying to open ports.
We created network object NAT rules and access-lists for that. For some reason it didn’t work, so we created a manual NAT before the network object NAT rules. It only works when it is at number 1. That’s fine, but then our internet stops working.

So we don’t have any idea what we are doing wrong.

If someone can help me ASAP, because we are planning to deploy ASAP.

Hello Ankit,

If you run into issues with NAT or packet drops, check xlate and packet tracer first. Here’s an example where I use it for the config in this lesson:

Verify that my NAT rules are correct:

ASA1# show xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from DMZ:192.168.3.1 80-80 to OUTSIDE:192.168.2.254 80-80
    flags sr idle 0:03:27 timeout 0:00:00
TCP PAT from DMZ:192.168.3.3 22-22 to OUTSIDE:192.168.2.254 10022-10022
    flags sr idle 0:00:03 timeout 0:00:00

Verify that I can connect. In my case, TCP 192.168.2.254:10022 translates to 192.168.3.3:22:

ASA1# packet-tracer input OUTSIDE tcp 192.168.2.2 12345 192.168.2.254 10022

Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
object network SSH_SERVER
 nat (DMZ,OUTSIDE) static interface service tcp ssh 10022 
Additional Information:
NAT divert to egress interface DMZ
Untranslate 192.168.2.254/10022 to 192.168.3.3/22

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group DMZ_SERVERS in interface OUTSIDE
access-list DMZ_SERVERS extended permit tcp any host 192.168.3.3 eq ssh 
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW 
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: QOS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
object network SSH_SERVER
 nat (DMZ,OUTSIDE) static interface service tcp ssh 10022 
Additional Information:

Phase: 7
Type: QOS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 3, packet dispatched to next module

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: DMZ
output-status: up
output-line-status: up
Action: allow

If something gets NATed when it shouldn’t, or doesn’t get NATed when it should, it’ll show up. If an access-list drops something, it will show.

Let’s break down this line:

nat (outside,inside_1) source static any any destination static interface inside-server service RDP-33320 RDP-3389 no-proxy-arp

We translate traffic routed from the outside to the inside:

nat (outside,inside_1)

We do static nat (1:1):

source static

For any source:

any

For this mapped source:

any

For this destination:

destination static interface inside-server

Where inside-server is an object with probably the IP address of your server?

For real service:

service RDP-33320

That probably has TCP 33320

And mapped service:

RDP-3389

That probably has TCP 3389. You don’t want the ASA to respond to ARP requests for IP addresses that belong to the subnet of the interface:

no-proxy-arp

I tried a similar NAT rule like yours:

nat (OUTSIDE,DMZ) source static any any destination static interface TELNET_SERVER service TCP_10023 TCP_23

It installs two entries:

ASA1(config)# show xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from OUTSIDE:0.0.0.0/0 0 to DMZ:0.0.0.0/0 0
    flags srIT idle 0:00:40 timeout 0:00:00
TCP PAT from DMZ:192.168.3.3 23-23 to OUTSIDE:192.168.2.254 10023-10023
    flags srT idle 0:00:40 timeout 0:00:00

If you look at the first line, you can see it adds an Identity NAT entry:

Identity NAT translates the real IP address to the same IP address. Only “translated” hosts can create NAT translations and responding traffic is allowed back.

This messes up your Internet access: it translates your private IP addresses to the same private IP addresses.

Your port translation partly works. When you connect to TCP 33320 then it gets translated to TCP 3389.

Also, make sure you have an access-list that permits the real port number. Not the translated one.

Your internet NAT line works:

nat (any,outside) source dynamic any-inside-networks interface description Allow Inside to Ouside

And shows up like this:

ASA1(config)# show xlate
3 in use, 4 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from OUTSIDE:0.0.0.0/0 to any:0.0.0.0/0
    flags sIT idle 0:00:47 timeout 0:00:00

If you want to get port forwarding and Internet access working, I would remove both NAT entries and replace them with this:

object network inside-server
 nat (DMZ,OUTSIDE) static interface service tcp 3389 33320 
object network any-inside-networks
 nat (DMZ,OUTSIDE) dynamic interface

And an access-list that permits TCP 3389. That’s all you need.

Hope this helps!

Rene
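Rene’s advice above is to read show xlate for stray identity entries. The Python below is an added example (not Rene’s or Cisco’s code) that parses show xlate output in the format quoted in this thread, decodes the flag letters from the legend, and lists catch-all identity translations (flag I on 0.0.0.0/0) such as the one the manual NAT line installs. The sample output is constructed from the entries shown above.

```python
import re

# Flag letters exactly as the 'show xlate' legend in this thread lists them.
FLAG_NAMES = {"D": "DNS", "e": "extended", "I": "identity", "i": "dynamic",
              "r": "portmap", "s": "static", "T": "twice", "N": "net-to-net"}

# Matches lines such as
#   "TCP PAT from DMZ:192.168.3.3 23-23 to OUTSIDE:192.168.2.254 10023-10023"
#   "NAT from OUTSIDE:0.0.0.0/0 to any:0.0.0.0/0"   (no protocol, no ports)
ENTRY_RE = re.compile(
    r"^(?:(?P<proto>TCP|UDP|ICMP) )?(?P<kind>NAT|PAT) from "
    r"(?P<real_ifc>[^:\s]+):(?P<real_addr>\S+)(?: (?P<real_ports>[\d-]+))? to "
    r"(?P<mapped_ifc>[^:\s]+):(?P<mapped_addr>\S+)(?: (?P<mapped_ports>[\d-]+))?$")
FLAGS_RE = re.compile(r"^\s*flags (?P<flags>\S+) idle (?P<idle>\S+) timeout (?P<timeout>\S+)")

# Constructed sample, assembled from the xlate entries quoted in this thread.
SAMPLE = """ASA1(config)# show xlate
3 in use, 4 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from OUTSIDE:0.0.0.0/0 0 to DMZ:0.0.0.0/0 0
    flags srIT idle 0:00:40 timeout 0:00:00
TCP PAT from DMZ:192.168.3.3 23-23 to OUTSIDE:192.168.2.254 10023-10023
    flags srT idle 0:00:40 timeout 0:00:00
NAT from OUTSIDE:0.0.0.0/0 to any:0.0.0.0/0
    flags sIT idle 0:00:47 timeout 0:00:00
"""

def parse_xlate(output):
    """Return one dict per translation entry; the 'flags' line is merged into
    the entry that precedes it, with the letters decoded into 'flag_names'."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
            continue
        f = FLAGS_RE.match(line)
        if f and entries:
            entries[-1].update(f.groupdict())
            entries[-1]["flag_names"] = [FLAG_NAMES.get(c, c) for c in f["flags"]]
    return entries

def catch_all_identity(entries):
    """Identity translations (flag I) whose real side is 0.0.0.0/0: the any-to-any
    entries that a 'source static any any' manual NAT line installs."""
    return [e for e in entries
            if "I" in e.get("flags", "") and e["real_addr"] == "0.0.0.0/0"]

if __name__ == "__main__":
    for e in catch_all_identity(parse_xlate(SAMPLE)):
        print(f"catch-all identity xlate: {e['real_ifc']} -> {e['mapped_ifc']} flags {e['flags']}")
```

Run it against the real output of show xlate to confirm that only the translations you intended are present after changing NAT rules.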

Hi Rene,

One question: I understand the NAT concept, I know what static NAT, dynamic NAT and PAT are; also, I know how to configure each type, but I cannot imagine why I should use static NAT. Can you give me a real example where we need a 1 to 1 translation with static NAT instead of PAT? It doesn’t matter if it is a firewall or router.

Thanks in advance!

Hello Marco

1 to 1 static NAT can be useful if you have an internal server which is running many different services, and if this server is behind a NAT router. Imagine you have a server running a SIP server, web, email, FTP, and Video on Demand, and you want this server to be reachable from the Internet. With a 1 to 1 mapping you have no need to set up multiple ports for each service. You can simply reach the server using a single public IP address, which maps to the particular internal private IP address.

This is especially useful for real time services such as voice and video. For example, for VoIP, SIP may use ports 5060 and 5061, but the voice packets themselves that use RTP can use ports ranging anywhere from 16384 to 32767. So it’s not useful to create PAT translations for all of those ports. There are solutions to this problem to allow voice to function over a PAT translation using features such as Session Traversal Utilities for NAT (STUN), but these can often be complex and time consuming to configure and may require specialized NAT routers/firewalls.

Also, any changes made to such an internal server would require changes to be made to the NAT router to accommodate all of the new translations.

Now one could argue that you can just get a routable IP address and assign it to the internal server directly, but that may be too costly for some users who may simply want to run such a server behind an ADSL or Cable connection.

So 1 to 1 NAT vastly simplifies the provisioning of an Internet-accessible server behind a NAT router, especially for real time services.

I hope this has been helpful!

Laz


Hi, Laz!

It has been very helpful! thank you so much!

Regards.


Hi, is it possible for you to talk about twice NAT?

Thank you,

Hello Helen

Yes, this is a topic that needs to be added to the list of ASA lessons. We were chatting about this a few days ago with @ReneMolenaar. It is in the works to have that for you soon.

Thank you for mentioning it, as this is useful to improve the site and its content!

Laz


Thank you very much.

ASA1(config)# object network WEB_SERVER
ASA1(config-network-object)# host 192.168.1.1
ASA1(config-network-object)# nat (DMZ,OUTSIDE) static 192.168.2.200

For the statement above, when trying to replicate it I get the following error:

ASA1(config-network-object)# nat (dmz,outside) static (public IP)
ERROR: Address (public IP) overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

Any thoughts on this?

Hello Bruno

Take a look at this post:

I hope this has been helpful!

Laz


Thank you, much appreciated.


Hi Rene,
I configured static NAT exactly as you did but it’s not working. The only thing I added was defining the security levels: DMZ 50 and outside 0.

I also added:

policy-map global_policy
 class inspection_default
  inspect icmp

But still no translation from outside to DMZ.

I am using ASA Version 9.1(5)16.

Is there any additional configuration that makes it work that you did not add in this particular lesson?

Hello Ayong

First of all, this configuration in the lesson is supported for all ASAs version 8.3 and later, including your version. Secondly, I suggest you initially follow the configuration of the lesson and ensure that it is working as is, before you make any other changes. Once you get it working, you can then tweak it as you like and experiment with changes.

Even so, with the information you have given, there doesn’t seem to be anything that immediately indicates that there is a problem with your config. I suggest you do some troubleshooting or start again with a clean config.

I hope this has been helpful!

Laz

First we configure the pool with IP addresses. Our next step is to create a network object for the DMZ subnet and to enable NAT:

ASA1(config)# object network DMZ
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (DMZ,OUTSIDE) static PUBLIC_POOL

Why is the static keyword given here instead of dynamic since the address will be taken from the pool dynamically right?

Hello Abirami

The dynamic keyword is typically used when you want to map multiple internal private IP addresses to a pool of public IP addresses dynamically. It’s not suitable for mapping one subnet to another, because dynamic NAT deals with individual hosts, not entire subnets.

I hope this has been helpful!

Laz

Hi, does static NAT work only for directly connected devices?
I am able to NAT the switch connected directly to the ASA firewall; however, it doesn’t work for a device hanging off that switch. Am I doing something wrong?

The issue is resolved now. The server had .201 (switch IP) set as its gateway; once I changed it to .203 (FW IP), it worked.

Hello Atif

Yes, it is possible to NAT all inside addresses regardless of whether or not they are directly connected to the edge device. You can learn more about this at this NetworkLessons note on the topic.

Thanks for updating us on your progress and sharing with us the problem as well as the solution you discovered yourself; it always adds to the value of the forum!

I hope this has been helpful!

Laz

Hello Rene/Laz,
Based on the below configuration:

  1. What happens when multiple DMZ servers initiate connections simultaneously to go out to the internet (could be going to the same IP address in the internet)?
  2. Since static NAT is bidirectional, what happens when multiple connections come from the internet to the 100.100.100.100 IP address simultaneously?

ASA1(config)# object network PUBLIC_IP
ASA1(config-network-object)# subnet 100.100.100.100 255.255.255.255

ASA1(config)# object network DMZ
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (DMZ,OUTSIDE) static PUBLIC_IP

Thanks a lot.

Hello Azm

In the given configuration, the NAT setup on an ASA is such that the entire DMZ subnet (192.168.1.0/24) is statically NATed to a single public IP address (100.100.100.100). This means that any host in the DMZ subnet appearing on the outside network will have its source IP translated to 100.100.100.100. However, the ASA will use different source ports to distinguish between the different connections. Even if the destination on the Internet is the same IP address (say the same web server) they will be distinct communications because the source port is different.

Static NAT is bidirectional, but only under certain circumstances.

There are two types of inbound communications. The first is a response to a previous outbound communication, i.e., a response from a web browser to a request for data. Such traffic is allowed and is directed to the host that originated the request based on the destination TCP port used.

The second type is a communication that was originated on the outside. Such a communication will not be successful unless you have certain other conditions met. For example, by default an ASA will not allow traffic to go from the outside interface to the DMZ interface unless you have set up an access list that permits it. Secondly, because you are configuring a “one to many” translation (i.e. from one outside IP to a whole subnet on the inside) you must also set up port forwarding so that the appropriate destination TCP port is translated and forwarded to the correct inside host. As your setup stands now, any communication initiated on the outside will be dropped.

I hope this has been helpful!

Laz