ASA 8.4 NAT

Network object NAT rule:

Any NAT rule configured under a network object is a network object NAT rule (also called auto NAT). A network object NAT rule cannot match on the destination: it cannot express "when traffic from this host goes to that host, translate it to this IP". That kind of rule needs twice NAT.

Dynamic NAT:

ASA(config)# object network public-ip-obj
ASA(config-network-object)# range 2.2.2.1 2.2.2.10
ASA(config)# object network my-inside-obj
ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA(config-network-object)# nat (inside,outside) dynamic public-ip-obj

This rule says that whenever a host on the 192.168.1.0/24 subnet behind "inside" sends traffic toward "outside", its source address is changed to an address from the pool 2.2.2.1 to 2.2.2.10.

Dynamic PAT:

ASA(config)# object network my-inside-net
ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA(config-network-object)# nat (inside,outside) dynamic 2.2.2.2

This rule says that any host from 192.168.1.0/24 on "inside" going to "outside" has its source translated to 2.2.2.2, with all hosts sharing that one address through port translation.

Static NAT:

ASA(config)# object network inside-server
ASA(config-network-object)# host 10.1.1.1
ASA(config-network-object)# nat (inside,outside) static 2.2.2.2

This rule says that traffic from 10.1.1.1 on inside going to outside has its source IP changed to 2.2.2.2. The rule is bidirectional: traffic arriving on outside for 2.2.2.2 is translated to 10.1.1.1.

Static NAT with port translation:

ASA(config)# object network webserver-inside
ASA(config-network-object)# host 10.1.1.1
ASA(config-network-object)# nat (inside,outside) static interface service tcp 80 8080

This rule says that traffic from 10.1.1.1 port 80 is translated to the outside interface address, with port 80 mapped to 8080, so outside hosts reach the web server on port 8080 of the interface address.

Identity NAT:

ASA(config)# object network identity-host-obj
ASA(config-network-object)# host 10.1.1.1
ASA(config-network-object)# object network identity-nat-obj
ASA(config-network-object)# host 10.1.1.1
ASA(config-network-object)# nat (inside,outside) static identity-host-obj

This rule translates the host's source address to itself, so the address passes through unchanged.

Twice NAT:

Twice NAT matches on both the source and the destination address, so a rule can translate differently depending on where the traffic is going.

Dynamic Regular NAT:

object network real-subnet-obj
 subnet 10.1.1.0 255.255.255.0
object network mapped-sub-obj
 range 10.2.2.3 10.2.2.10
nat (inside,outside) source dynamic real-subnet-obj mapped-sub-obj

Dynamic Policy NAT:

object network real-subnet-obj
 subnet 10.1.1.0 255.255.255.0
object network mapped-sub-obj
 range 10.2.2.3 10.2.2.10
object network destination-obj
 host 10.2.2.2
object network destination-real-obj
 host 10.2.2.3
object network destination-mapped-obj
 host 10.2.2.2
nat (inside,outside) source dynamic real-subnet-obj mapped-sub-obj destination static destination-real-obj destination-mapped-obj

This rule says that whenever traffic from 10.1.1.0/24 is going to 10.2.2.3, the source is changed to an address from the range 10.2.2.3-10.2.2.10, and the destination 10.2.2.3 is rewritten to 10.2.2.2 as the destination static pair specifies.

Dynamic PAT:

object network real-subnet-obj
 subnet 10.1.1.0 255.255.255.0
nat (inside,outside) source dynamic real-subnet-obj interface

Dynamic Policy PAT:

object network real-subnet-obj
 subnet 10.1.1.0 255.255.255.0
object network mapped-sub-obj
 range 10.2.2.3 10.2.2.10
object network destination-obj
 host 10.2.2.2
object network destination-real-obj
 host 10.2.2.3
object network destination-mapped-obj
 host 10.2.2.2
nat (inside,outside) source dynamic real-subnet-obj interface destination static destination-real-obj destination-mapped-obj

Dynamic identity NAT:

object network real-host-obj
 host 10.1.1.2
nat (inside,outside) source dynamic real-host-obj real-host-obj

Static NAT:

object network real-host-obj
 host 10.1.1.2
object network mapped-host-obj
 host 10.2.2.10
nat (inside,outside) source static real-host-obj mapped-host-obj

Static PAT:

object network real-subnet-obj
 subnet 10.1.1.0 255.255.255.0
nat (inside,outside) source static real-subnet-obj interface

Static Identity NAT:

object network real-host-obj
 host 10.1.1.2
nat (inside,outside) source static real-host-obj real-host-obj

NAT order of operation:

  1. Twice NAT
  2. Auto NAT
    • Static NAT
    • Dynamic NAT
  3. Twice NAT (rules configured to come after auto NAT)
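To make the ordering concrete, here is an added Python model (not from the original post and not ASA code) of how the three NAT sections are consulted: a constructed rule table built from the configurations above, sorted as the ASA sorts them (twice NAT first; auto NAT static before dynamic and most specific real object first; after-auto twice NAT last), with the destination match that only twice NAT can use. The rule names, the after-auto rule and the packet addresses are constructed assumptions, and dynamic pools are simplified to their first address.

```python
"""Simplified model of ASA 8.3+ NAT rule lookup order (constructed example, not ASA code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class NatRule:
    name: str
    section: int                    # 1 = twice NAT, 2 = auto (object) NAT, 3 = twice NAT after auto
    real_src: str                   # real source, CIDR
    mapped_src: str                 # mapped source (first address of a pool, or 'interface')
    static: bool = True
    real_dst: Optional[str] = None  # destination match: only twice NAT (sections 1 and 3) can use it
    mapped_dst: Optional[str] = None
    order: int = 0                  # configuration order inside sections 1 and 3

def sort_key(rule: NatRule):
    net = ipaddress.ip_network(rule.real_src)
    if rule.section == 2:
        # auto NAT: static before dynamic, then the most specific real object first
        return (2, 0 if rule.static else 1, net.num_addresses, int(net.network_address), rule.name)
    return (rule.section, rule.order)   # twice NAT: first match in configured order

def matches(rule: NatRule, src: str, dst: str) -> bool:
    if ipaddress.ip_address(src) not in ipaddress.ip_network(rule.real_src):
        return False
    if rule.real_dst is None:           # auto NAT never looks at the destination
        return True
    return ipaddress.ip_address(dst) in ipaddress.ip_network(rule.real_dst)

def lookup(rules, src: str, dst: str):
    """Return (rule name, mapped source, mapped destination) from the first matching rule."""
    for rule in sorted(rules, key=sort_key):
        if matches(rule, src, dst):
            return rule.name, rule.mapped_src, rule.mapped_dst or dst
    return None, src, dst               # no rule matched: packet passes untranslated

# Constructed rule table assembled from the configurations on this page (names are assumed)
RULES = [
    NatRule("policy-twice", 1, "10.1.1.0/24", "10.2.2.3", static=False,
            real_dst="10.2.2.3/32", mapped_dst="10.2.2.2", order=1),
    NatRule("inside-server", 2, "10.1.1.1/32", "2.2.2.2", static=True),
    NatRule("my-inside-obj", 2, "192.168.1.0/24", "2.2.2.1", static=False),
    NatRule("after-auto-pat", 3, "10.1.1.0/24", "interface", static=False, order=1),
]

if __name__ == "__main__":
    for src, dst in [("10.1.1.1", "10.2.2.3"), ("10.1.1.1", "8.8.8.8"), ("10.1.1.50", "8.8.8.8")]:
        print(src, "->", dst, "matched", lookup(RULES, src, dst))
```

The same host 10.1.1.1 hits the twice NAT rule when it goes to 10.2.2.3 but the auto NAT static rule everywhere else, which is exactly why a twice NAT rule placed in section 1 can silently override an object NAT rule.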