NAT In ASA

Benefits of NAT are as follows:

  • It translates private addresses to public addresses so that inside hosts can reach the Internet.
  • NAT hides the real address from other networks, so an attacker cannot learn the real address of a host.
  • It can resolve IP routing problems, such as overlapping networks/addresses.

NAT Priority : 

  1. NAT Exemption
  2. Static Identity NAT
  3. Static / Static Policy NAT/PAT
  4. Dynamic Policy NAT/PAT
  5. Identity NAT
  6. Dynamic NAT
  7. Dynamic PAT

Version : 8.2 or 8.3 and below

Static NAT : It creates a fixed, one-to-one translation of a real address to a mapped address. It is bidirectional in nature (either side can initiate a connection).

ASA(config)# static (real int,mapped int) <mapped ip> <real ip> netmask <subnet>

Note : If you remove a static command, existing connections that use the translation are not affected. To remove those connections, enter the clear local-host command.

Scenario if there is overlapping network :

  • Translate 192.168.100.0/24 on the inside to 10.1.2.0 when it accesses the DMZ, by entering the following command.

ASA(config)# static (inside,dmz) 10.1.2.0 192.168.100.0 netmask 255.255.255.0

  • Translate 192.168.100.0/24 on the DMZ to 10.1.2.0 when it accesses the inside, by entering the following command (the real interface is now the DMZ, so the interface pair is reversed).

ASA(config)# static (dmz,inside) 10.1.3.0 192.168.100.0 netmask 255.255.255.0

  • Configure the following static route so that traffic to the DMZ network can be routed correctly by the ASA.

ASA(config)#route dmz 192.168.100.0 255.255.255.128 10.1.1.2

Static PAT : A fixed translation of one real socket (address and port) to one mapped socket.

ASA(config)# static (real int,mapped int) {tcp|udp} <mapped ip> <mapped port> <real ip> <real port> netmask 255.255.255.255

Policy NAT : It lets you identify the real addresses for translation by specifying both the source and the destination address in an extended access list, so the same real address can be translated differently depending on where it is going.

Static Policy NAT :

Syntax : ASA(config)# static (real int,mapped int) <mapped ip> access-list <access-list name>

Identity NAT : (nat 0 command)

It is used to bypass the nat-control rule. With NAT ID 0, the listed source addresses are not translated: a packet that matches the rule leaves with its real address. nat 0 is evaluated before any other nat statement, and no global statement is needed for ID 0.

This kind of NAT is useful in a VPN configuration, where packets that will go through the VPN tunnel must not be translated.

For Identity NAT, even though the mapped address is the same as the real address, you cannot initiate a connection from the outside to the inside (even if the interface access list allows it).

Syntax : ASA(config)# nat (real int) 0 <real ip/subnet> <mask>

Static Identity NAT : It lets you specify the interface on which you want to allow the real address to appear. For example, you can use static identity NAT for an inside address when it accesses the outside interface and the destination is server A, but use a normal translation when it accesses server B on the outside.

Syntax : ASA(config)# static (real int,mapped int) <real ip/subnet> <real ip/subnet> netmask <mask>

NAT Exemption : It allows both translated and remote hosts to initiate connections. Like identity NAT, you do not limit the translation to specific hosts on a specific interface; NAT exemption applies to connections through all interfaces. However, because it lets you specify the real and destination addresses when determining the real address to translate, you have greater control with NAT exemption than with identity NAT.

Syntax : ASA(config)#nat (real int) 0 access-list <access-list name>

PAT : PAT translates multiple real addresses to a single mapped IP address. Specifically, the security appliance translates the real address and source port (real socket) to the mapped address and a unique port above 1024 (mapped socket).

  • Static PAT : used for internal servers
  • Dynamic PAT : used for internal users

Dynamic NAT / Dynamic PAT : Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network. It is unidirectional (only the real host can initiate). The mapped pool may contain fewer addresses than the real group. When the global pool is a single address (or the interface address), the same pair of commands gives dynamic PAT. The nat-id ties the nat statement to its global pool.

  • Syntax : ASA(config)# nat (real int) <nat-id> <real ip/subnet> <mask>
  • Syntax : ASA(config)# global (mapped int) <nat-id> <Ip1-Ip2>
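The pre-8.3 pieces above fit together as follows. This is an added example, not text from the original note; the addresses (192.168.1.0/24 inside, 10.10.10.0/24 remote VPN site, 172.16.1.0/24 DMZ, 203.0.113.0/24 outside) and the access-list name NONAT are constructed for illustration. The point it shows is the priority list: the nat 0 exemption is matched before the dynamic PAT, so VPN traffic keeps its real address while everything else is PATed.

```text
! Constructed example (pre-8.3 syntax). Traffic from the inside LAN to the
! remote VPN site must keep its real address; everything else is PATed to
! the outside interface address.

! 1. NAT exemption (nat 0 with an ACL): evaluated first, no global needed.
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NONAT

! 2. Dynamic PAT for all other inside hosts. NAT ID 1 on both lines ties the
!    nat statement to its global pool; a single address (here the interface
!    address) turns dynamic NAT into PAT.
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface

! 3. Static NAT for a DMZ web server: bidirectional, one-to-one. Every port
!    of the host is reachable as far as the outside access list permits.
static (dmz,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255

! 4. Static PAT for a second DMZ server: only TCP/80 is exposed, on outside
!    port 8080; nothing else on that host is reachable through this entry.
static (dmz,outside) tcp 203.0.113.11 8080 172.16.1.11 80 netmask 255.255.255.255

! Verify which translation a flow actually gets before trusting the design.
show xlate
packet-tracer input inside tcp 192.168.1.10 1025 10.10.10.5 443
packet-tracer input inside tcp 192.168.1.10 1025 198.51.100.20 443
```

Checking with packet-tracer matters here because the ASA picks the first matching entry in the priority order listed earlier, not the most specific one: an exemption ACL that is broader than intended silently sends real addresses out of the outside interface, and a static entry exposes a whole host, while static PAT limits exposure to one port.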

Version : 8.4 and Above

  • nat-control is no longer there.
  • No static or global commands.
  • Piggybacked options such as maximum connections, TCP sequence number randomization and embryonic connection limits are migrated to MPF (Modular Policy Framework).

Types of NAT in 8.4+ :

  1. Auto NAT (Object NAT)
  2. Manual NAT (Twice NAT)

NAT Priority (order in which the NAT table is evaluated) :

  1. Manual NAT (section 1) : configuration order
  2. Auto NAT (section 2) : longer prefix length first
  3. Manual NAT after auto (section 3) : configuration order

Static NAT :

  • ASA(config)# object network <name>
  • ASA(config-network-object)# host <local-ip>
  • ASA(config-network-object)# nat (real int,mapped int) static <mapped ip>

Static PAT :

  • ASA(config)# object network <name>
  • ASA(config-network-object)# host <local-ip>
  • ASA(config-network-object)# nat (real int,mapped int) static <mapped ip> service <protocol> <real port> <mapped port>

Dynamic NAT :

  • ASA(config)# object network <pool_name>
  • ASA(config-network-object)# range <ipaddress1> <ipaddress2>
  • ASA(config)# object network <name>
  • ASA(config-network-object)# subnet <local-ip> <mask>
  • ASA(config-network-object)# nat (real int,mapped int) dynamic <pool_name>

Dynamic PAT :

  • ASA(config)# object network <name>
  • ASA(config-network-object)# subnet <local-ip> <mask>
  • ASA(config-network-object)# nat (real int,mapped int) dynamic interface

(The interface keyword uses the address of the mapped interface; a host object can be given instead to PAT to a fixed address.)

Manual NAT :

  • Can translate source and destination in one rule
  • Policy-based NAT is permitted
  • Configured in global configuration mode (objects are referenced, not edited)

Syntax for Static Rules (note that the destination pair is written mapped object first, then real object) :

ASA(config)# nat (real int,mapped int) source static <real src obj> <mapped src obj> destination static <mapped dst obj> <real dst obj> service <real svc obj> <mapped svc obj>

Syntax for Dynamic Rules (the destination side of a manual NAT rule is always static) :

ASA(config)# nat (real int,mapped int) source dynamic <real src obj> <mapped src obj> destination static <mapped dst obj> <real dst obj> service <real svc obj> <mapped svc obj>
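A complete 8.4+ configuration that exercises all three NAT-table sections from the priority list above, and that is the 8.4 counterpart of the identity NAT, NAT exemption and policy NAT cases described for 8.2. It is an added example, not from the original note; the addresses (192.168.1.0/24 inside, 10.10.10.0/24 remote VPN site, 172.16.1.0/24 DMZ, 203.0.113.0/24 outside, 198.51.100.20 partner server) and the object names are constructed. The route-lookup keyword assumes 8.4(2) or later.

```text
! Constructed example (8.4+ syntax).
!   section 1 (manual NAT)       : VPN identity rule and a per-destination policy
!   section 2 (auto/object NAT)  : DMZ server statics
!   section 3 (manual after auto): catch-all PAT
! Within sections 1 and 3 the order of the nat lines is the match order.

object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
object network REMOTE_VPN_NET
 subnet 10.10.10.0 255.255.255.0
object network PARTNER_SRV
 host 198.51.100.20
object network INSIDE_AS_SEEN_BY_PARTNER
 host 203.0.113.50

! Section 2: object NAT lives inside the object. Static rules are ordered
! before dynamic ones, then by longest prefix, so these cannot shadow the
! catch-all PAT below.
object network WEB_SRV
 host 172.16.1.10
 nat (dmz,outside) static 203.0.113.10
object network APP_SRV
 host 172.16.1.11
 nat (dmz,outside) static 203.0.113.11 service tcp 80 8080

! Section 1a: identity NAT for VPN traffic (the 8.2 "nat 0 access-list").
! Repeating the same object as real and mapped means "do not translate";
! no-proxy-arp stops the ASA answering ARP for the untranslated range.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static REMOTE_VPN_NET REMOTE_VPN_NET no-proxy-arp route-lookup

! Section 1b: policy NAT. Inside hosts appear as 203.0.113.50 only when the
! destination is the partner server; destination is always written static.
nat (inside,outside) source dynamic INSIDE_NET INSIDE_AS_SEEN_BY_PARTNER destination static PARTNER_SRV PARTNER_SRV

! Section 3: after-auto rule, evaluated only when nothing in sections 1 or 2
! matched. Everything else leaving via outside is PATed to the interface.
nat (any,outside) after-auto source dynamic any interface

! Verify the rule each flow hits; the order in "show nat" is the evaluation
! order, which is what decides whether a real address ever leaves untranslated.
show nat detail
packet-tracer input inside tcp 192.168.1.10 1025 10.10.10.5 443
packet-tracer input inside tcp 192.168.1.10 1025 198.51.100.20 443
packet-tracer input inside tcp 192.168.1.10 1025 203.0.113.99 443
```

The three packet-tracer runs should land on the VPN identity rule, the partner policy rule and the after-auto PAT respectively; if the first one hits the PAT rule instead, the section 1 rules are out of order or the objects do not cover the traffic, and VPN packets will be sourced from the outside address.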
