Let's see how the different types of NAT are configured in the CLI on older ASAs.
Dynamic NAT & PAT
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.168.1.10-192.168.1.100
global (outside) 1 192.168.1.101
The 1st statement is the match statement for incoming traffic. It says: "If the traffic comes in on the INSIDE interface and the source IP is in the 10.0.0.0/24 range, put it into NAT group 1."
The 2nd and 3rd statements are the action statements for the outgoing traffic.
The 2nd statement says NAT group 1 should be translated to the pool from 192.168.1.10 to 192.168.1.100 when it goes out the OUTSIDE interface.
The 3rd statement says NAT group 1 should be translated (PAT/NAT overload) to 192.168.1.101 when it goes out the OUTSIDE interface.
This 3rd rule applies to traffic only after the dynamic pool is exhausted, because the command is entered after the dynamic NAT statement (the 2nd).
For the 3rd statement you can give an interface name instead of an IP address too.
Static NAT
static (dmz,outside) 192.168.1.175 172.16.0.5
static (dmz,inside) 172.16.0.5 172.16.0.5
Above are 2 static NAT rules.
The 1st one says that when traffic moves between the DMZ interface (source) and the OUTSIDE interface (destination), the source IP 172.16.0.5 should be translated to 192.168.1.175.
The 2nd line translates the address to itself, which is called "Identity NAT".
NAT 0 Policy
In older ASAs, NAT was a mandatory feature, which means there is an implicit NAT rule that NATs all traffic that has no specific NAT rule configured (somewhat like the implicit deny rule at the end of ACLs). In some versions you can disable it using the "no nat-control" command. Anyhow, it is no longer there after version 8.4.
In older versions, if you don't disable it, you have to disable NAT for the specific traffic you don't want NATted. As an example, you need to turn off NAT for the IPs of the hosts for which you configure IPsec site-to-site VPNs.
This can be achieved by using an ACL with the nat 0 policy.
access-list NONAT extended permit ip any 57.234.195.128 255.255.255.192
nat (inside) 0 access-list NONAT
The 1st line is just an ACL that identifies the traffic.
The 2nd line says that if traffic coming in on the INSIDE interface matches the NONAT ACL, put it in NAT group 0, which does not do NAT.
This traffic is added to the NAT Rules section in ASDM as "Exempt" rules, which means this traffic is exempted from being NATted by the implicit NAT rule that NATs all traffic with no specific NAT rule configured. You can see the above NAT rule at the 23rd line.
Translating both Source & Destination of an Incoming Packet
In these old versions of the ASA, you have to use 2 NAT rules to do this. Refer to the illustration below.
This packet comes in on the inside interface and goes out the outside interface. The source of the incoming packet is 1.1.1.1 and it should be NATted to 3.3.3.3, while the destination of the incoming packet, 2.2.2.2, should be NATted to 4.4.4.4.
The following static rules will do the job:
static (inside,outside) 3.3.3.3 1.1.1.1
static (outside,inside) 2.2.2.2 4.4.4.4
If the TCP/UDP port (service) should be translated too, you can do it easily in ASDM.
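To see how the four statement types above interact on one box, here is a small Python model. It is an added example written for this post, not Cisco code and not the post's own configuration beyond the individual commands quoted above: it parses the nat/global, static and nat 0 access-list lines (combined into one constructed config) and walks sample packets through them in the simplified precedence nat exemption, then static (source side and destination side), then the numbered dynamic group with pool addresses first and the PAT address once the pool is used up. The function and class names (parse_config, translate, NatTable), the action labels, the external destinations such as 8.8.8.8 and the combined config are assumptions made for the example; the model covers only what the post describes, not the full ASA order of operations.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed config: the post's statements combined on one box (added example, not Cisco code).
CONFIG = """\
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 192.168.1.10-192.168.1.100
global (outside) 1 192.168.1.101
static (dmz,outside) 192.168.1.175 172.16.0.5
static (dmz,inside) 172.16.0.5 172.16.0.5
access-list NONAT extended permit ip any 57.234.195.128 255.255.255.192
nat (inside) 0 access-list NONAT
static (inside,outside) 3.3.3.3 1.1.1.1
static (outside,inside) 2.2.2.2 4.4.4.4
"""

def _net(addr, mask=None):
    """'any' or 'ADDR MASK' -> IPv4Network."""
    return ipaddress.ip_network("0.0.0.0/0" if addr == "any" else f"{addr}/{mask}", strict=False)

@dataclass
class NatTable:
    dynamic: list = field(default_factory=list)  # (group_id, real_ifc, real_network)
    pools: dict = field(default_factory=dict)    # (group_id, mapped_ifc) -> {"pool": [...], "pat": ip}
    statics: list = field(default_factory=list)  # (real_ifc, mapped_ifc, mapped_ip, real_ip)
    exempt: list = field(default_factory=list)   # (real_ifc, acl_name) from 'nat (ifc) 0 access-list'
    acls: dict = field(default_factory=dict)     # acl_name -> [(src_net, dst_net), ...]
    leases: dict = field(default_factory=dict)   # (group_id, mapped_ifc, real_ip) -> pool address

def _acl_nets(tokens):
    """Consume 'any' | 'host A' | 'A MASK' operands from an extended ACL line."""
    nets = []
    while tokens:
        if tokens[0] == "any":
            nets.append(_net("any")); tokens = tokens[1:]
        elif tokens[0] == "host":
            nets.append(_net(tokens[1], "255.255.255.255")); tokens = tokens[2:]
        else:
            nets.append(_net(tokens[0], tokens[1])); tokens = tokens[2:]
    return nets

def parse_config(text):
    t = NatTable()
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] == "access-list":              # access-list NAME extended permit ip SRC DST
            src, dst = _acl_nets(tok[5:])
            t.acls.setdefault(tok[1], []).append((src, dst))
        elif tok[0] == "nat":
            ifc = tok[1].strip("()")
            if tok[2] == "0" and tok[3] == "access-list":   # nat (ifc) 0 access-list NAME: exemption
                t.exempt.append((ifc, tok[4]))
            else:                                           # nat (ifc) ID NET MASK: dynamic group
                t.dynamic.append((int(tok[2]), ifc, _net(tok[3], tok[4])))
        elif tok[0] == "global":                 # global (ifc) ID A-B is a pool, global (ifc) ID A is PAT
            entry = t.pools.setdefault((int(tok[2]), tok[1].strip("()")), {"pool": [], "pat": None})
            if "-" in tok[3]:
                lo, hi = (int(ipaddress.ip_address(a)) for a in tok[3].split("-"))
                entry["pool"] = [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
            else:
                entry["pat"] = tok[3]
        elif tok[0] == "static":                 # static (real_ifc,mapped_ifc) MAPPED_IP REAL_IP
            real_ifc, mapped_ifc = tok[1].strip("()").split(",")
            t.statics.append((real_ifc, mapped_ifc, tok[2], tok[3]))
    return t

def translate(t, src_ifc, dst_ifc, src_ip, dst_ip):
    """(new_src, new_dst, action) for one packet; order modelled: exemption, static, dynamic."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ifc, name in t.exempt:                   # 1. nat 0 exemption leaves matching traffic untouched
        if ifc == src_ifc and any(s in sn and d in dn for sn, dn in t.acls.get(name, [])):
            return src_ip, dst_ip, "exempt"
    new_src, new_dst, actions = src_ip, dst_ip, []
    for real_ifc, mapped_ifc, mapped_ip, real_ip in t.statics:   # 2. static, both directions
        if (real_ifc, mapped_ifc) == (src_ifc, dst_ifc) and real_ip == src_ip:
            new_src = mapped_ip                  # source side: real -> mapped
            actions.append("identity" if mapped_ip == real_ip else "static-src")
        if (mapped_ifc, real_ifc) == (src_ifc, dst_ifc) and mapped_ip == dst_ip:
            new_dst = real_ip                    # destination side: mapped -> real
            actions.append("static-dst")
    if actions:
        return new_src, new_dst, "+".join(actions)
    for gid, ifc, net in t.dynamic:              # 3. dynamic group: pool first, PAT when exhausted
        g = t.pools.get((gid, dst_ifc))
        if ifc != src_ifc or s not in net or g is None:
            continue
        key = (gid, dst_ifc, src_ip)
        if key in t.leases:                      # a host that already holds a pool address keeps it
            return t.leases[key], dst_ip, "dynamic"
        used = {v for (lg, li, _), v in t.leases.items() if (lg, li) == (gid, dst_ifc)}
        free = [a for a in g["pool"] if a not in used]
        if free:
            t.leases[key] = free[0]
            return free[0], dst_ip, "dynamic"
        if g["pat"]:
            return g["pat"], dst_ip, "pat"
    return src_ip, dst_ip, "no-rule"
```

Call `translate(parse_config(CONFIG), "inside", "outside", "1.1.1.1", "2.2.2.2")` to see both addresses of the last section's packet rewritten in one pass; sending traffic from 92 different 10.0.0.0/24 hosts shows the 91-address pool run dry and the 92nd host land on the PAT address, and a packet from 10.0.0.x to the 57.234.195.128/26 range comes back unchanged because the nat 0 exemption is checked before any other rule.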
Great article. Keep posting such kind of information on your site.
I'm really impressed by your site.
Hi there, you have done an incredible job. I'll definitely digg it and in my view suggest to my friends. I am sure they'll be benefited from this website.