In a previous article posted on the Intense School site, I discussed different Network Address Translation (NAT) types on the Cisco ASA version 8.4. In that article, I hinted that the NAT configuration syntax on the Cisco ASA has changed considerably from version 8.3. In this article, we will compare the NAT configuration on the Cisco ASA pre-version 8.3 to the NAT configuration from version 8.3.
We will use the diagram below to confirm that our NAT configuration on both ASA versions achieve the same thing:
Note: I am using version 8.0(2) for one ASA and version 8.4(2) for the other ASA.
CCNA Training – Resources (Intense)
Let us begin with dynamic NAT which allows us to translate a group of real addresses to a usually smaller group of mapped addresses.
The configuration to achieve this on the pre-8.3 ASA is as follows:
nat (inside) 1 10.0.80.0 255.255.255.0 global (outside) 1 220.127.116.11-18.104.22.168
The configuration to achieve this on the ASA version 8.3 and higher is as follows:
object network INSIDE-MAPPED range 22.214.171.124 126.96.36.199 object network INSIDE-REAL subnet 10.0.84.0 255.255.255.0 nat (inside,outside) dynamic INSIDE-MAPPED
Let us confirm our configuration. We will start our verification on the ASA 8.0. I will initiate a connection from a host on the inside (10.0.80.10) to a host on the outside (188.8.131.52).
We can use the show xlate command on the Cisco ASA to view this translation:
Now we will move to the ASA 8.4 and do the same test.
Again the show xlate command reveals the translation on the Cisco ASA:
Dynamic PAT is similar to dynamic NAT except that instead of a group of mapped addresses, a single mapped address is used. The configuration on the Cisco ASA is also very similar to the configuration of dynamic NAT so there is no need to revisit it.
Static NAT allows you to create a fixed (persistent) translation of a real address (or addresses) to a mapped address (addresses). Unlike dynamic NAT/PAT, static NAT allows bidirectional connection initiation, i.e. the real host can initiate the connection or a connection can be initiated to the real host by another device.
The configuration on the ASA 8.0 is as follows:
static (inside,outside) 184.108.40.206 10.0.80.20
To achieve the same thing on the ASA version 8.3 and higher, we use the following:
object network SERVER-MAPPED host 220.127.116.11 object network SERVER-REAL host 10.0.84.20 nat (inside,outside) static SERVER-MAPPED
We usually configure static NAT when we want a host on our internal network (or DMZ), such as a web server, to be accessible from the outside (e.g. Internet). Note that even though static NAT allows connections to be initiated from any side, we still need to configure access rules to permit connections from a lower security interface to a higher security interface.
Something else to be aware of is the IP address used when defining access rules: in pre-8.3, you specify the mapped address while in version 8.3 and later, you specify the real address. Therefore, the ACL on the ASA 8.0 will be something like:
access-list OUTSIDE-IN extended permit tcp any host 18.104.22.168 eq www access-group OUTSIDE-IN in interface outside
Notice that we specified the mapped address above. However, for version 8.3 and later, the configuration for the ACL will be as follows:
access-list OUTSIDE-IN extended permit tcp any host 10.0.84.20 eq www access-group OUTSIDE-IN in interface outside
To test the static NAT configuration, I will initiate an HTTP connection from the outside to the mapped address of the server. Let’s start with the ASA 8.0:
Next we can test the configuration on the ASA 8.4:
Static NAT with Port Translation
Static NAT with port translation is just like normal static NAT except that it allows us to specify the port to translate. With normal static NAT, you can only use one mapped address for one real address but with port translation, you can use one mapped address for several real addresses as long as a different port is used for each rule.
Note: The one mapped address per one real address restriction applies to pre-8.3 ASA. With ASA version 8.3 and later, there are other forms of static NAT such as few-to-many, many-to-few, and many-to-one.
For our example, we will translate port 80 on an inside server to port 8080 on the outside. We will also translate port 23 on another server to port 2323 on the outside using the same mapped address. The configuration on the ASA 8.0 is as follows:
static (inside,outside) tcp 22.214.171.124 8080 10.0.80.30 www netmask 255.255.255.255 static (inside,outside) tcp 126.96.36.199 2323 10.0.80.31 telnet netmask 255.255.255.255
The configuration on the ASA 8.3 and later is as follows:
object network SERVER1-REAL host 10.0.84.30 nat (inside,outside) static 188.8.131.52 service tcp www 8080 object network SERVER2-REAL host 10.0.84.31 nat (inside,outside) static 184.108.40.206 service tcp 23 2323
Note: Remember to add the necessary access rules to permit traffic initiated from the outside. On version 8.3 and later, you will need to specify the REAL ports just like you specify the real address.
As usual, we will begin testing from the ASA 8.0 side:
Next, let’s move on to the ASA 8.4 side:
Policy NAT gives us more control over our NAT rules. For example, we can create NAT rules that translate a real address to mapped_address1 when going to destination A, and translate the same real address to mapped_address2 when going to destination B.
For our example, we will translate a host 10.0.80.40 to 220.127.116.11 when going to 18.104.22.168 but will translate the same address to 22.214.171.124 when going to 126.96.36.199. We can achieve this on the ASA 8.0 as follows:
access-list POLICY1 permit ip host 10.0.80.40 host 188.8.131.52 access-list POLICY2 permit ip host 10.0.80.40 host 184.108.40.206 ! nat (inside) 10 access-list POLICY1 global (outside) 10 220.127.116.11 nat (inside) 20 access-list POLICY2 global (outside) 20 18.104.22.168
To achieve this same configuration on the ASA version 8.3 and later, we need to use Twice NAT (so far we have been using network object NAT):
object network HOST_REAL host 10.0.84.40 object network HOST_MAPPED1 host 22.214.171.124 object network HOST_MAPPED2 host 126.96.36.199 object network DEST1 host 188.8.131.52 object network DEST2 host 184.108.40.206 ! nat (inside,outside) source dynamic HOST_REAL HOST_MAPPED1 destination static DEST1 DEST1 nat (inside,outside) source dynamic HOST_REAL HOST_MAPPED2 destination static DEST2 DEST2
We will begin our test on the ASA 8.0 side.
Now let us test the configuration on the ASA 8.4:
The last type of NAT we will consider is NAT exemption which is quite self-explanatory: exempt certain traffic from being translated. We usually configure NAT exemption for VPN traffic. The configuration on the ASA 8.0 is as follows:
access-list NAT_EXEMPT permit ip host 10.0.80.50 host 220.127.116.11 nat (inside) 0 access-list NAT_EXEMPT
On the ASA version 8.3 and later, there really isn’t a NAT exemption as we have in previous versions; however, we can use Twice NAT to create identity NAT rules as follows:
object network EXEMPT host 10.0.84.50 object network DEST3 host 18.104.22.168 ! nat (inside,outside) source static EXEMPT EXEMPT destination static DEST3 DEST3
Note: We can also use Static Identity NAT (with policy NAT) on the ASA 8.0 to achieve the same thing as the NAT exemption we configured.
As usual we will begin our test on the ASA 8.0 side:
As you can see when the host 10.0.80.50 accesses 22.214.171.124, the IP address was not translated. Let’s test on the ASA 8.4 side:
As shown above, when the host 10.0.84.50 accesses 126.96.36.199, the IP address remained the same, i.e. it was translated to itself. In the end, we achieved the same result.
This brings us to the end of this article where we have looked at the configuration differences between NAT in pre-8.3 ASA and ASA version 8.3 and later.
I hope you have found this article useful.
References and Further reading
- Cisco ASA 5500 Series Configuration Guide using the CLI, 8.4 and 8.6 – Information About NAT: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/nat_overview.html
- Cisco Security Appliance Command Line Configuration Guide, Version 8.0 – Configuring NAT: http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/cfgnat.html
- ASA Pre-8.3 to 8.3 NAT configuration examples: https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples