In this article, we will take a look at how to configure different types of NAT on the Cisco ASA post 8.4 software code. Accompanying this post is a video demonstration covering what has been discussed in this article.
We will cover the following types of NAT:
Before jumping into the demonstrations I will explain the purpose of each type of NAT on the Cisco ASA.
Overview of NAT
NAT addresses can be defined as the following:
Inside local address: This is the IP address that is assigned to a host on the inside of a network. The inside local address is most certainly bound to fall within the RFC 1918 reserved private IP address spaces.
Inside global address: This is a globally routable IP address (public IP address) that can represent one or more inside local IP addresses to the outside world.
Outside local address: This is the IP address of an outside host as it appears to the inside network.
Outside global address: This is the IP address that is assigned to a host or hosts on the outside network. The outside global address is allocated from a globally routable address or network space (public IP address).
On the ASA NAT can be applied in one of two ways; using Object NAT or Twice (manual) NAT. Cisco recommends using Object NAT where possible unless the extra features of twice NAT such as changing the destination address is required.
ASA NAT Considerations
When configuring Object NAT there are a few considerations that must be taken into account; some of these are:
Object NAT cannot be configured under Object Groups however they can be referred to when configuring twice NAT
NAT is supported for both Routed and Transparent mode deployments
Object networks and groups can only include IPv4 or IPv6 addresses and cannot have both
As per the NAT order of operation, Twice NAT rules will be considered before Object NAT (shown below)
ASA NAT Order of Operation
The order of operation is important when thinking about using NAT on your ASA because other configured rules could override other rules. The ASA NAT order of operation follows a top-down approach, meaning that the ASA will look at the NAT rules configured at the top and work its way to the bottom until a match is found.
Twice NAT rules are always matched first in section 1, followed by Object NAT in section 2 and lastly, more generic Twice NAT rules in section 3.
It is best practice to ensure that the most important NAT rules are placed first before generic rules.
In terms of Object NAT, there are a few considerations to mention when more than one NAT rule exists:
• The number of real IP addresses are assessed first, the object with the smallest IP addresses will be assessed before an object with the largest addresses
• If an object has the same number of IP addresses, the lowest IP address is assessed first i.e. 10.0.0.1 before 10.0.1.1
• If an object has the same address used then the object name is assessed in alphabetical order i.e. ‘ABC’ will be assessed before ‘ADZ’
Static NAT will create a fixed translation between a real IP and a mapped (NAT) IP address. Static NAT on the ASA will also allow a bidirectional flow between both source and destination only if an ACL permits.
The following image shows a static NAT translation whereby the real source address (inside local) host is translated to the mapped source address (inside global). The destination address is also translated on this occasion.
An example of the static NAT configuration is shown below using Object NAT:
ciscoasa(config)# show nat detail Auto NAT Policies (Section 2) 1 (inside) to (outside) source static VPC3 VPC3-Mapped translate_hits = 10, untranslate_hits = 5 Source – Origin: 192.168.10.10/32, Translated: 220.127.116.11/32
Dynamic NAT will translate a group of RFC 1918 addresses to a pool of mapped (NAT) IP addresses that are routable. The NAT pool will often contain fewer IP addresses than the RFC 1918 addresses that need to be translated. When an inside host is translated, one routable address from the pool of addresses is used for that connection. Once the connection is torn down, the routable address is returned back to the pool so that other back to the inside local hosts can make use of it when required. The inside local host does not keep the public IP address and therefore connections cannot be initiated to the inside local host.
An example of dynamic NAT configuration is shown below:
Identity NAT is a form of network address translation that will translate an IP address to itself, basically bypassing NAT. One particular use case for this is when you have an internal server that makes use NAT but you don’t want the server to use NAT when communicating with other internal hosts.
An example of dynamic PAT configuration is shown below: