"The What?" - I want to breakdown network access translation (NAT) on the ASA.
It is important to understand that NAT is processed by the rule order & section. Note that in both Section 1 & 3 you can manually configure the sequence order, but in Section 2 you cannot. Section 2 sequence order is determined via the following:
Type - always static first & then dynamic
Amount of IPs contained in the object
Object network containing the same amount of IPs
For tie breaking purposes the order is decided via alphabetical order of the names
To understand more about NAT in general see here: Understanding ASA NAT
"The Why?" - NAT provides many advantages. One major advantage being the fact that we can hide an entire internal network behind one address. NAT also enables private networks to connect with the internet even if they use private IP addresses. NAT is a solution that aides in preventing the depletion of IPv4 addresses. Lastly, NAT is often a desire to increase security.
"The How?" -In this section I will demo configuring the different types of NAT on the ASA & cover how to verify translations. Before I dive into the examples, here is the simple topology used:
ASA4 is what I will use to demonstrate configuring the different NAT examples. I will utilize CSR3 & CSR4 to generate traffic via different loopbacks that I will then walkthrough how to utilize the types of NAT translations. 10.10.43.0/24 (vlan443) connects CSR3 to ASA4 inside interface. 10.10.44.0/24 (vlan 444) connects CSR4 to ASA outside interface. All routing is statically configured between the 3 nodes.
Below are the configuration examples. Note for all examples I will source traffic from CSR3 to CSR4 (inside to outside).
Remember that static NAT is a translation in which only IPs are being modified, and the correlation between pre-translation & post-translation is explicitly defined.
First, I demo static NAT using manual NAT. For this my intention was to translate CSR3 loopback0 to a fake public IP. For this I created the following objects:
As you can see in the right screenshot, the NAT statement is configured to translate CSR3 Lo0 to 188.8.131.52. To generate translations I pinged the Lo0 on CSR4 from CSR3 sourcing traffic from the respective CSR3_Lo0 object. Lastly, you can see the translate hits (7).
Next I configured the same scenario, but using Static NAT with Auto NAT. Remember in this configuration the nat statement is configured inside the object. This configuration looks like this:
You can see the NAT policy is in Section2 which is expected. Additional verification of static NAT with Auto NAT:
Static PAT are translations where both the IP & ports are being modified, and the mappings are explicitly defined. First I will demo static PAT with Auto NAT:
Below I simply define a static pat translation for all telnet traffic to translate to 2323
Below is another way to verify NAT translations. The ASA keeps an xlate table, which allows us to view records of NAT translations:
Next, static PAT with Manual NAT:
I start with defining the "real" & "mapped" objects:
Next we manually configure static NAT with manual NAT:
Remember dynamic PAT translations are when both the IP & port are being modified, and the mapping between pre-translation & post-translation attributes are dynamically decided via the ASA. A perfect example of dynamic PAT is the fact that it allows multiple internal private IP'd hosts to share one or more public IPs.
First, I demo dynamic PAT with Auto NAT:
Network object emulating a fake LAN coming from CSR3 that includes the Lo0 used earlier:
Configure the Auto NAT rule. Note: CSR3_Pub is the 184.108.40.206 object used earlier:
Note, if many in the CSR3_Net were generating traffic they would use the dynamic address with a dynamic port to differentiate connections.
Next, I cover dynamic PAT with Manual NAT:
Notice how the NAT statement is no longer within the object. Next you can see that the statement is within section 1 (manual NAT):
Dynamic NAT is similar to static NAT in the regard that only IPs are being modified. The difference is that the mappings between pre & post translations are determined via the ASA.
First, I demo Dynamic NAT with Auto NAT:
The big difference here is we configure a pool of IPs inside of an object for the ASA to dynamically assign as the "mapped" address for translation.
NAT statement inside the CSR3_Net object:
Verification of NAT the dynamic NAT with Auto NAT translations:
Via the xlate table you can see the ASA dynamically assigned 220.127.116.11:
Now, Dynamic NAT with Manual NAT:
Xlate table verification (ASA dynamically translated to 18.104.22.168):
Remember Policy NAT allows us to translate traffic based on destination. Very important note: Policy NAT is configured with manual NAT since it includes src/dst. Policy NAT cannot be configured using Auto NAT syntax.
Policy Dynamic PAT:
I first create another object to define the remote destination:
Then I define the manual NAT statement as follows:
To break down the policy NAT statement above: My source is dynamically translated from CSR3_Net to DNAT_RANGE, and then the destination is statically translated from CSR4_Lo0 to CSR4_Lo0. Note that the destination is actually being translated to itself.
Twice NAT is a unique NAT translation where we can translate both the source & destination address, AKA NAT two times.
In the example below I will use twice NAT to translate specific 443 traffic destined to fake google (CSR4_Lo0) to a fake internal web server (CSR4_Lo1).
CSR4_Lo1 and service objects:
Twice NAT statement:
Breaking down the statement: Any traffic sourced from the CSR3_Net object with a destination of CSR4_Lo0 (fake google) on port 443 translate to a dynamic source IP from DNAT_RANGE object & modify the destination to the fake internal web server (CSR4_Lo1) on 443.
This example actually utilizes several concepts:
Policy NAT is used since a decision is made on src/dst
Both src/dst IPs are translated therefore Twice NAT is in use
Src is being translated with Dynamic PAT
Dst is being translated with Static NAT
This type of NAT is actually when an address is translated to itself. Essentially not translating traffic. In these types of scenarios the "real" & "mapped" addresses are the same. See the Policy Dynamic NAT example above.
Quick manual NAT example deployed to section 3 via 'after-auto' section:
The main difference is you add the 'after-auto' as shown below. This allows us to deploy NAT statements into section 3 when regarding NAT precedence:
Deployed to section 3:
Lastly, to summarize verification/helpful commands:
Commands to verify objects:
#show run object = lists the objects as they were configured
#show run object in-line = lists objects as configured except all on same line
Commands to verify NAT:
#show run nat
#show nat detail
Additional useful commands:
To summarize I covered the different types of NAT on the Cisco ASA with several examples including both verification & configuration. Cheers!