In a previous article posted on the Intense School site, I discussed different Network Address Translation (NAT) types on the Cisco ASA version 8.4. In that article, I hinted that the NAT configuration syntax on the Cisco ASA has changed considerably from version 8.3. In this article, we will compare the NAT configuration on the Cisco ASA pre-version 8.3 to the NAT configuration from version 8.3.

We will use the diagram below to confirm that the NAT configuration on both ASA versions achieves the same thing:

Note: I am using version 8.0(2) for one ASA and version 8.4(2) for the other ASA.


Dynamic NAT

Let us begin with dynamic NAT, which translates a group of real addresses to a pool of mapped addresses (usually a smaller pool). A real host is given an address from the pool only when it initiates a connection, and the translation is removed again after the xlate idle timeout, so the mapping is neither fixed nor usable for connections initiated from the outside.

The configuration to achieve this on the pre-8.3 ASA is as follows:

nat (inside) 1 10.0.80.0 255.255.255.0
global (outside) 1 192.0.80.10-192.0.80.20

The configuration to achieve this on the ASA version 8.3 and higher is as follows:

object network INSIDE-MAPPED
 range 192.0.84.10 192.0.84.20
object network INSIDE-REAL
 subnet 10.0.84.0 255.255.255.0
 nat (inside,outside) dynamic INSIDE-MAPPED

Let us confirm our configuration. We will start our verification on the ASA 8.0. I will initiate a connection from a host on the inside (10.0.80.10) to a host on the outside (192.0.80.2).

We can use the show xlate command on the Cisco ASA to view this translation:

Now we will move to the ASA 8.4 and do the same test.

Again the show xlate command reveals the translation on the Cisco ASA:

Dynamic PAT

Dynamic PAT is similar to dynamic NAT except that, instead of a pool of mapped addresses, a single mapped address (often the outside interface address) is used and the source port is translated as well, so many real hosts can share that one address. The configuration on the Cisco ASA is very similar to the configuration of dynamic NAT, so we will not revisit it in detail.
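As an added example (not part of the original article), here is the dynamic PAT counterpart of the dynamic NAT rules above on both versions, followed by the form most people actually deploy: a dynamic NAT pool that falls back to PAT once the pool is exhausted (a plain pool silently drops new connections when every pool address is in use). The PAT addresses 192.0.80.30 and 192.0.84.30 are my assumption; the inside subnets and the pool are taken from the diagram. Each variant is a complete alternative, not something to configure together with the others: on 8.3 and later a network object carries a single nat statement, and on 8.0 a real network should appear in only one nat statement.

```cisco
! === ASA 8.0, variant 1: dynamic PAT to a single mapped address (assumed 192.0.80.30)
nat (inside) 1 10.0.80.0 255.255.255.0
global (outside) 1 192.0.80.30
! ... or PAT behind the outside interface address instead:
! global (outside) 1 interface
!
! === ASA 8.0, variant 2: NAT pool first, PAT when the pool is exhausted
! (two global statements sharing NAT ID 2; the single address is used last)
nat (inside) 2 10.0.80.0 255.255.255.0
global (outside) 2 192.0.80.10-192.0.80.20
global (outside) 2 192.0.80.30
!
! === ASA 8.3+, variant 1: dynamic PAT to a single mapped address (assumed 192.0.84.30)
object network INSIDE-REAL
 subnet 10.0.84.0 255.255.255.0
 nat (inside,outside) dynamic 192.0.84.30
! ... or PAT behind the outside interface address instead:
! nat (inside,outside) dynamic interface
!
! === ASA 8.3+, variant 2: NAT pool with PAT fallback to the interface address
! (the trailing "interface" keyword is the fallback)
object network INSIDE-MAPPED
 range 192.0.84.10 192.0.84.20
object network INSIDE-REAL
 subnet 10.0.84.0 255.255.255.0
 nat (inside,outside) dynamic INSIDE-MAPPED interface
```

Whichever variant you use, show xlate distinguishes the two behaviours: a dynamic NAT slot carries only the mapped address, while a PAT slot also carries the translated port, which is how you tell that the pool has run out and the fallback has kicked in.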

Static NAT

Static NAT creates a fixed (persistent) one-to-one translation between a real address (or addresses) and a mapped address (or addresses). Unlike dynamic NAT/PAT, static NAT allows connections to be initiated from either side: the real host can initiate a connection, or another device can initiate a connection to the real host through its mapped address.

The configuration on the ASA 8.0 is as follows:

static (inside,outside) 192.0.80.20 10.0.80.20

To achieve the same thing on the ASA version 8.3 and higher, we use the following:

object network SERVER-MAPPED
 host 192.0.84.20
object network SERVER-REAL
 host 10.0.84.20
 nat (inside,outside) static SERVER-MAPPED

We usually configure static NAT when we want a host on our internal network (or DMZ), such as a web server, to be accessible from the outside (e.g. Internet). Note that even though static NAT allows connections to be initiated from any side, we still need to configure access rules to permit connections from a lower security interface to a higher security interface.

Another difference is the address you reference in access rules. Pre-8.3, the inbound packet is checked against the interface ACL before it is untranslated, so you specify the mapped address; in version 8.3 and later, NAT is applied before the ACL is evaluated, so you specify the real address. Therefore, the ACL on the ASA 8.0 will be something like:

access-list OUTSIDE-IN extended permit tcp any host 192.0.80.20 eq www
access-group OUTSIDE-IN in interface outside

Notice that we specified the mapped address above. However, for version 8.3 and later, the configuration for the ACL will be as follows:

access-list OUTSIDE-IN extended permit tcp any host 10.0.84.20 eq www
access-group OUTSIDE-IN in interface outside

To test the static NAT configuration, I will initiate an HTTP connection from the outside to the mapped address of the server. Let’s start with the ASA 8.0:

Next we can test the configuration on the ASA 8.4:
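The screenshots of the tests are not reproduced here, so as an added check (not from the original article) here is how to confirm the same thing from the ASA CLI with packet-tracer, which walks a synthetic packet through the NAT and ACL phases without needing a client. The outside client address 198.51.100.5 and source port 40000 are assumptions; everything else comes from the configuration above.

```cisco
! === ASA 8.0: simulate an HTTP SYN from the outside to the MAPPED address.
! The ACCESS-LIST phase must match OUTSIDE-IN against host 192.0.80.20.
packet-tracer input outside tcp 198.51.100.5 40000 192.0.80.20 80
!
! === ASA 8.4: the test is still aimed at the mapped address, because that is
! what arrives on the wire. The trace un-NATs it to 10.0.84.20 before the
! ACCESS-LIST phase, so OUTSIDE-IN must permit the real address 10.0.84.20.
packet-tracer input outside tcp 198.51.100.5 40000 192.0.84.20 80
!
! === ASA 8.4: per-rule counters; untranslate_hits grows for inbound matches
show nat detail
!
! === both versions: the translation slot for the server after a real test
show xlate | include 10.0.8
```

The last lines of each trace give the verdict: an allow, or a drop together with the phase that dropped it. If the 8.4 trace is dropped in the ACCESS-LIST phase while the 8.0 trace passes, the usual cause is an ACL that was migrated by hand and still references the mapped address.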

Static NAT with Port Translation

Static NAT with port translation is just like normal static NAT except that it allows us to specify the port to translate. With normal static NAT, you can only use one mapped address for one real address but with port translation, you can use one mapped address for several real addresses as long as a different port is used for each rule.

Note: The one mapped address per one real address restriction applies to pre-8.3 ASA. With ASA version 8.3 and later, there are other forms of static NAT such as few-to-many, many-to-few, and many-to-one.

For our example, we will translate port 80 on an inside server to port 8080 on the outside. We will also translate port 23 on another server to port 2323 on the outside using the same mapped address. The configuration on the ASA 8.0 is as follows:

static (inside,outside) tcp 192.0.80.100 8080 10.0.80.30 www netmask 255.255.255.255
static (inside,outside) tcp 192.0.80.100 2323 10.0.80.31 telnet netmask 255.255.255.255

The configuration on the ASA 8.3 and later is as follows:

object network SERVER1-REAL
 host 10.0.84.30
 nat (inside,outside) static 192.0.84.100 service tcp www 8080
object network SERVER2-REAL
 host 10.0.84.31
 nat (inside,outside) static 192.0.84.100 service tcp 23 2323

Note: Remember to add the necessary access rules to permit traffic initiated from the outside. On version 8.3 and later, you will need to specify the REAL ports just like you specify the real address.
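As an added example (not part of the original article), these are the access rules that go with the port-translation configuration above, written once for each version. Nothing here is assumed beyond the addresses and ports already used on this page; the 8.3+ rules reference the network objects directly, which keeps the ACL in step with the NAT rule if the real address ever changes.

```cisco
! === ASA 8.0: the ACL sees the packet as it arrives on the outside interface,
! i.e. the MAPPED address and the MAPPED port.
access-list OUTSIDE-IN extended permit tcp any host 192.0.80.100 eq 8080
access-list OUTSIDE-IN extended permit tcp any host 192.0.80.100 eq 2323
access-group OUTSIDE-IN in interface outside
!
! === ASA 8.3+: NAT is undone before the ACL is evaluated, so match the REAL
! address AND the REAL port. A rule written for "host 192.0.84.100 eq 8080"
! would never match here and the connections would be dropped by the ACL.
access-list OUTSIDE-IN extended permit tcp any object SERVER1-REAL eq www
access-list OUTSIDE-IN extended permit tcp any object SERVER2-REAL eq telnet
access-group OUTSIDE-IN in interface outside
```

On 8.3 and later, show access-list expands the object references and reports hit counts per entry, so a zero hit count on the SERVER1-REAL line after a test from the outside is the quickest sign that the rule is matching on the wrong address or port.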

As usual, we will begin testing from the ASA 8.0 side:

Next, let’s move on to the ASA 8.4 side:

Policy NAT

Policy NAT gives us more control over our NAT rules. For example, we can create NAT rules that translate a real address to mapped_address1 when going to destination A, and translate the same real address to mapped_address2 when going to destination B.

For our example, we will translate a host 10.0.80.40 to 192.0.80.111 when going to 1.1.1.1 but will translate the same address to 192.0.80.222 when going to 2.2.2.2. We can achieve this on the ASA 8.0 as follows:

access-list POLICY1 permit ip host 10.0.80.40 host 1.1.1.1
access-list POLICY2 permit ip host 10.0.80.40 host 2.2.2.2
!
nat (inside) 10 access-list POLICY1
global (outside) 10 192.0.80.111
nat (inside) 20 access-list POLICY2
global (outside) 20 192.0.80.222

To achieve this same configuration on the ASA version 8.3 and later, we need to use Twice NAT (so far we have been using network object NAT):

object network HOST_REAL
 host 10.0.84.40
object network HOST_MAPPED1
 host 192.0.84.111
object network HOST_MAPPED2
 host 192.0.84.222
object network DEST1
 host 1.1.1.1
object network DEST2
 host 2.2.2.2
!
nat (inside,outside) source dynamic HOST_REAL HOST_MAPPED1 destination static DEST1 DEST1
nat (inside,outside) source dynamic HOST_REAL HOST_MAPPED2 destination static DEST2 DEST2

We will begin our test on the ASA 8.0 side.

Now let us test the configuration on the ASA 8.4:

NAT Exemption

The last type of NAT we will consider is NAT exemption which is quite self-explanatory: exempt certain traffic from being translated. We usually configure NAT exemption for VPN traffic. The configuration on the ASA 8.0 is as follows:

access-list NAT_EXEMPT permit ip host 10.0.80.50 host 3.3.3.3
nat (inside) 0 access-list NAT_EXEMPT

On the ASA version 8.3 and later, there really isn’t a NAT exemption as we have in previous versions; however, we can use Twice NAT to create identity NAT rules as follows:

object network EXEMPT
 host 10.0.84.50
object network DEST3
 host 3.3.3.3
!
nat (inside,outside) source static EXEMPT EXEMPT destination static DEST3 DEST3

Note: We can also use Static Identity NAT (with policy NAT) on the ASA 8.0 to achieve the same thing as the NAT exemption we configured.
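As an added example (not part of the original article), here is the 8.0 static identity NAT alternative mentioned in the note, and the 8.3+ identity rule with the two options that matter when the exempted traffic is VPN traffic. The keywords route-lookup and no-proxy-arp are available from 8.4(2), the release used here; the line number is my addition and is not required for this article's configuration.

```cisco
! === ASA 8.0: policy static identity NAT, equivalent to nat 0 access-list
! for the traffic matched by NAT_EXEMPT (mapped address = real address)
access-list NAT_EXEMPT permit ip host 10.0.80.50 host 3.3.3.3
static (inside,outside) 10.0.80.50 access-list NAT_EXEMPT
!
! === ASA 8.3+: identity twice NAT.
! route-lookup  : choose the egress interface from the routing table rather
!                 than from the (inside,outside) pair in the rule; from 8.4(2)
!                 the NAT rule decides egress by default, which can send the
!                 traffic out of the wrong interface if the VPN peer is
!                 reachable elsewhere.
! no-proxy-arp  : do not answer ARP for 10.0.84.50 on the outside interface.
! The explicit line number 1 puts the rule at the top of section 1 (twice NAT),
! ahead of the policy NAT rules. Object NAT (section 2) is evaluated only after
! section 1, so the dynamic rule on INSIDE-REAL cannot capture this traffic.
object network EXEMPT
 host 10.0.84.50
object network DEST3
 host 3.3.3.3
!
nat (inside,outside) 1 source static EXEMPT EXEMPT destination static DEST3 DEST3 no-proxy-arp route-lookup
!
! Confirm the order of the rules and watch translate_hits after a test
show nat
```

Pre-8.3, nat 0 access-list takes precedence over every other NAT statement regardless of where it appears; on 8.3 and later there is no such shortcut, and a broader twice NAT rule placed earlier in section 1 will win, which is why the position of the identity rule is worth checking with show nat.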

As usual we will begin our test on the ASA 8.0 side:

As you can see when the host 10.0.80.50 accesses 3.3.3.3, the IP address was not translated. Let’s test on the ASA 8.4 side:

As shown above, when the host 10.0.84.50 accesses 3.3.3.3, the IP address remained the same, i.e. it was translated to itself. In the end, we achieved the same result.

Summary

This brings us to the end of this article where we have looked at the configuration differences between NAT in pre-8.3 ASA and ASA version 8.3 and later.

I hope you have found this article useful.
