As you might know, beginning with Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been dramatically redesigned to allow for greater flexibility. A major advantage of the new approach is that real IP addresses, rather than mapped IP addresses, are used by numerous applications and features (interface ACLs, MPF, Botnet Traffic Filter, to name a few). In this blog post, I will lay out the basics first before delving into more complex configuration examples in later posts. If you are preparing for the CCNP Security exam or waiting for the CCIE Security 4.0 lab exam update, you will most likely need to be familiar with these concepts.

Understanding Network Objects:

The implementation of NAT in post-8.3 ASA versions is accomplished by leveraging "Network Objects". A Network Object can be an IP address (for a single host), a subnet, an IP address range or a fully qualified domain name. Here is an example of what a Network Object might look like for a single host (a server):

object network privateServer
host 192.168.2.50

You could also add network objects for subnets or ranges in a similar fashion.

NAT Types:

NAT can generally be implemented in two ways:

  • Auto NAT (Object-based NAT)
  • Manual NAT (Twice NAT)

Auto NAT is easier to configure but has limitations. Manual NAT (or Twice NAT) is more flexible and offers more features. Let's walk through a common example so that you can understand it better.

Example :: 1 :: Dynamic NAT

Local Subnet: 10.10.10.0/24
Translated Range (NAT pool): 20.20.20.25-20.20.20.30
Traffic Direction: traffic arrives on the INSIDE interface and leaves via the OUTSIDE interface, i.e. an OUTBOUND connection

For the sake of completeness, I will post the pre-8.3 NAT configuration too so that you can compare the two.

Pre-8.3 Dynamic NAT:

nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 20.20.20.25-20.20.20.30 netmask 255.255.255.0
!

The old NAT configuration requires separate nat and global statements, paired by the NAT ID (1 here), as shown above.

Post-8.3 Dynamic NAT:

object network OUTSIDE_POOL
range 20.20.20.25 20.20.20.30
!
object network INSIDE_POOL
subnet 10.10.10.0 255.255.255.0
nat (inside,outside) dynamic OUTSIDE_POOL
!

The new configuration uses object-based NAT: the nat command is placed inside the network object that defines the real addresses (INSIDE_POOL), and the mapped pool is referenced by object name (OUTSIDE_POOL).

So all INSIDE_POOL hosts will be translated to addresses from the OUTSIDE_POOL range.

What if you wanted to use PAT (Port Address Translation) on the last IP address allocated to your company, so that you never run out of IPv4 address space once the pool is exhausted? Here's how you would use dynamic NAT and interface PAT together.

Example :: 2 :: Dynamic NAT & Interface PAT together

Local Subnet: 10.10.10.0/24
Translated Range (NAT pool): 20.20.20.25-20.20.20.30
Interface Address (PAT): the OUTSIDE interface IP address
Traffic Direction: traffic arrives on the INSIDE interface and leaves via the OUTSIDE interface, i.e. an OUTBOUND connection

Pre-8.3 Dynamic NAT + Interface PAT:

nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 20.20.20.25-20.20.20.30 netmask 255.255.255.0
global (outside) 1 interface
!

Post-8.3 Dynamic NAT + Interface PAT:

object network OUTSIDE_POOL
range 20.20.20.25 20.20.20.30
!
object network INSIDE_POOL
subnet 10.10.10.0 255.255.255.0
nat (inside,outside) dynamic OUTSIDE_POOL interface
!

As you can see, adding the 'interface' keyword lets you use dynamic NAT and interface PAT at the same time: hosts are translated to OUTSIDE_POOL addresses while the pool lasts, and once it is exhausted new connections fall back to PAT on the OUTSIDE interface address.
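To make the pool-exhaustion behaviour of the two examples concrete, here is a small Python model (an added example, not part of the original post and not Cisco tooling) of dynamic NAT from INSIDE_POOL to OUTSIDE_POOL with and without the interface keyword. The OUTSIDE interface address 20.20.20.1 and the PAT port numbering are assumed for illustration; a real ASA picks ports from its own ranges.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

# Constructed model of this post's examples: INSIDE_POOL (10.10.10.0/24) is
# translated to the six addresses of OUTSIDE_POOL (20.20.20.25-20.20.20.30).
INSIDE_POOL = IPv4Network("10.10.10.0/24")
OUTSIDE_POOL = [IPv4Address("20.20.20.25") + i for i in range(6)]
OUTSIDE_IF_ADDR = IPv4Address("20.20.20.1")  # assumed OUTSIDE interface IP


@dataclass
class DynamicNat:
    """One 'nat (inside,outside) dynamic OUTSIDE_POOL [interface]' rule."""
    pool: list
    interface_pat: bool                   # True when the 'interface' keyword is present
    iface_addr: IPv4Address = OUTSIDE_IF_ADDR
    xlate: dict = field(default_factory=dict)  # real host -> mapped pool address
    next_port: int = 1024                 # simplified PAT port allocator (assumed)

    def translate(self, real_ip, src_port):
        """Mapped (ip, port) for a new outbound flow, or None if the ASA drops it."""
        real = IPv4Address(real_ip)
        if real not in INSIDE_POOL:
            return None                   # rule does not apply to this source
        if real in self.xlate:            # host already owns a pool address: reuse it
            return (self.xlate[real], src_port)
        free = [a for a in self.pool if a not in self.xlate.values()]
        if free:                          # dynamic NAT: one mapped address per host,
            self.xlate[real] = free[0]    # source port is preserved
            return (free[0], src_port)
        if not self.interface_pat:
            return None                   # pool exhausted, no fallback: connection fails
        port, self.next_port = self.next_port, self.next_port + 1
        return (self.iface_addr, port)    # fallback: PAT on the interface address


def outbound_hosts(interface_pat, count=8):
    """Translate one flow from each of 10.10.10.1 .. 10.10.10.<count>."""
    nat = DynamicNat(OUTSIDE_POOL, interface_pat)
    return [nat.translate(f"10.10.10.{h}", 40000 + h) for h in range(1, count + 1)]


if __name__ == "__main__":
    for flag in (False, True):
        print("with interface keyword" if flag else "without interface keyword")
        for h, result in enumerate(outbound_hosts(flag), start=1):
            print(f"  10.10.10.{h} -> {result or 'DROPPED (pool exhausted)'}")
```

Running it shows the seventh and eighth hosts being dropped in the Example 1 configuration and being PATed to the interface address in the Example 2 configuration.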

Having laid out the basics in this post, in future blog posts I will explain the configuration and use of several other scenarios, i.e.

  • Static NAT (for accessing servers in the DMZ),
  • Policy NAT scenarios,
  • Outside NAT,
  • Policy NAT Exemption (using Twice NAT), etc.
  • and many more.

If you wish to see any specific scenario covered, let me know.

Happy Learning !!!
