Configuring ASA NAT

"The What?" - I want to break down network address translation (NAT) on the ASA.


It is important to understand that NAT rules are processed section by section (Section 1, then 2, then 3) and, within a section, in rule order. Note that in both Section 1 & 3 you can manually configure the sequence order, but in Section 2 you cannot. Section 2 sequence order is determined by the following, in this priority:

  • Type - static rules always come first, then dynamic

  • Number of real IPs contained in the object - objects with fewer addresses come first

  • For objects of the same type with the same number of IPs, the tie is broken by alphabetical order of the object names

To understand more about NAT in general see here: Understanding ASA NAT


"The Why?" - NAT provides many advantages. One major advantage is that we can hide an entire internal network behind one address. NAT also enables networks that use private IP addresses to connect to the internet. NAT aids in slowing the depletion of IPv4 addresses. Lastly, NAT is often desired as a way to increase security, since it hides the internal addressing.


"The How?" - In this section I will demo configuring the different types of NAT on the ASA & cover how to verify translations. Before I dive into the examples, here is the simple topology used:


ASA4 is what I will use to demonstrate configuring the different NAT examples. I will utilize CSR3 & CSR4 to generate traffic from different loopbacks, and then walk through how each type of NAT translation applies to that traffic. 10.10.43.0/24 (vlan 443) connects CSR3 to the ASA4 inside interface. 10.10.44.0/24 (vlan 444) connects CSR4 to the ASA4 outside interface. All routing is statically configured between the 3 nodes.







Below are the configuration examples. Note for all examples I will source traffic from CSR3 to CSR4 (inside to outside).


Static NAT:

Remember that static NAT is a translation in which only IPs are modified, and the correlation between the pre-translation ("real") & post-translation ("mapped") address is explicitly defined.


First, I demo static NAT using manual NAT. My intention was to translate CSR3 loopback0 to a fake public IP, so I created the following objects:






As you can see in the right screenshot, the NAT statement is configured to translate CSR3 Lo0 to 1.1.1.1. To generate translations I pinged the Lo0 on CSR4 from CSR3, sourcing the traffic from the address in the CSR3_Lo0 object. Lastly, you can see the translate hits (7).


Next I configured the same scenario, but using static NAT with Auto NAT. Remember that in this configuration the nat statement is configured inside the network object itself. This configuration looks like this:

You can see the NAT policy is in Section 2, which is expected for Auto NAT. Additional verification of static NAT with Auto NAT:
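The two static NAT variants above, written out as ASA CLI. This is an added example, not the configuration from the page's screenshots; the real address 3.3.3.3 for CSR3 Lo0 is an assumption (the page only gives the mapped address 1.1.1.1), and the interface names inside/outside follow the topology.

```cisco
! Added example (not the page's own configuration).
! Assumed real address for CSR3 Lo0: 3.3.3.3. Mapped address 1.1.1.1 comes from the page.
object network CSR3_Lo0
 host 3.3.3.3
object network CSR3_Pub
 host 1.1.1.1
!
! Variant 1: static NAT with manual NAT. This rule lands in Section 1.
! 3.3.3.3 -> 1.1.1.1 for inside-to-outside traffic; because it is static, the ASA
! also untranslates 1.1.1.1 -> 3.3.3.3 for connections initiated from outside
! (the outside ACL still decides whether those are permitted).
nat (inside,outside) source static CSR3_Lo0 CSR3_Pub
!
! Variant 2: the same translation as auto NAT. This rule lands in Section 2.
! The nat line lives inside the real object; the mapped side can be an IP or an object name.
object network CSR3_Lo0
 nat (inside,outside) static CSR3_Pub
!
! Only one of the two variants is needed. If both are present, the manual rule
! (Section 1) is evaluated first and the auto NAT rule never gets a hit.
! Verify with: show nat detail   (translate_hits / untranslate_hits per rule)
!              show xlate        (the 3.3.3.3 -> 1.1.1.1 entry)
```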


Static PAT:

Static PAT translations are those where both the IP & port are modified, and the mappings are explicitly defined. First I will demo static PAT with Auto NAT:

Below I simply define a static PAT translation for all telnet traffic (TCP 23) to be translated to port 2323:

Below is another way to verify NAT translations. The ASA keeps an xlate table, which lets us view the active NAT translations:

Next, static PAT with Manual NAT:

I start with defining the "real" & "mapped" objects:

Next we configure static PAT with manual NAT:
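Both static PAT forms as ASA CLI, as an added example rather than the page's screenshots. The real address 3.3.3.3 and the service object names TELNET_REAL / TELNET_MAPPED are assumptions; the 23 to 2323 mapping and the objects CSR3_Lo0 / CSR3_Pub come from the page.

```cisco
! Added example (not the page's own configuration). Assumed real address for CSR3 Lo0: 3.3.3.3
object network CSR3_Lo0
 host 3.3.3.3
object network CSR3_Pub
 host 1.1.1.1
!
! Static PAT with auto NAT: only TCP/23 from 3.3.3.3 is translated, to 1.1.1.1 port 2323.
! Any other protocol or port from 3.3.3.3 does not match this rule at all.
object network CSR3_Lo0
 nat (inside,outside) static CSR3_Pub service tcp telnet 2323
!
! Static PAT with manual NAT: the port mapping moves into service objects (assumed names).
! For a SOURCE translation the service objects carry the source port, so 3.3.3.3:23 <-> 1.1.1.1:2323.
object service TELNET_REAL
 service tcp source eq telnet
object service TELNET_MAPPED
 service tcp source eq 2323
nat (inside,outside) source static CSR3_Lo0 CSR3_Pub service TELNET_REAL TELNET_MAPPED
!
! Exposure check: a static PAT is bidirectional, so an outside host connecting to
! 1.1.1.1:2323 is untranslated to 3.3.3.3:23. Make sure the outside ACL only
! permits that if it is intended; 'show xlate' shows the entry with the port pair.
```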


Dynamic PAT:

Remember that dynamic PAT translations are those where both the IP & port are modified, and the mapping between pre-translation & post-translation attributes is decided dynamically by the ASA. A perfect example of dynamic PAT is that it allows multiple internal hosts with private IPs to share one or more public IPs.


First, I demo dynamic PAT with Auto NAT:

Network object emulating a fake LAN behind CSR3 that includes the Lo0 used earlier:

Configure the Auto NAT rule. Note: CSR3_Pub is the 1.1.1.1 object used earlier:

Verify translations:

Note, if many hosts in CSR3_Net were generating traffic, they would all share the dynamic mapped address, with a dynamically assigned source port differentiating the connections.

Next, I cover dynamic PAT with Manual NAT:

Notice how the NAT statement is no longer within the object. Next you can see that the statement is within Section 1 (manual NAT):
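Dynamic PAT in both forms as ASA CLI (added example, not the page's own configuration). The subnet 3.3.3.0/24 for CSR3_Net is an assumption chosen so that it contains the assumed 3.3.3.3 Lo0 address; CSR3_Pub = 1.1.1.1 comes from the page.

```cisco
! Added example. Assumed: CSR3_Net = 3.3.3.0/24 (includes the assumed 3.3.3.3 Lo0 used earlier).
object network CSR3_Pub
 host 1.1.1.1
object network CSR3_Net
 subnet 3.3.3.0 255.255.255.0
!
! Dynamic PAT with auto NAT (Section 2): a single-host mapped object means PAT.
! Every host in the /24 shares 1.1.1.1; the ASA picks a unique source port per connection.
object network CSR3_Net
 nat (inside,outside) dynamic CSR3_Pub
!
! Dynamic PAT with manual NAT (Section 1): same effect, but the rule sits outside the object.
nat (inside,outside) source dynamic CSR3_Net CSR3_Pub
!
! Common production variant: PAT to the outside interface address instead of a dedicated object.
! nat (inside,outside) source dynamic CSR3_Net interface
!
! Dynamic rules are one-way: outside hosts cannot initiate connections to 3.3.3.x
! through them, which is the "hide the internal network" property described above.
! 'show xlate' lists one entry per connection, each with its own mapped port.
```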


Dynamic NAT:

Dynamic NAT is similar to static NAT in that only IPs are modified. The difference is that the mappings between pre- & post-translation addresses are determined by the ASA.


First, I demo Dynamic NAT with Auto NAT:

The big difference here is that we configure a pool of IPs inside an object for the ASA to dynamically assign as the "mapped" address for the translation.

NAT statement inside the CSR3_Net object:

Verification of the dynamic NAT with Auto NAT translations:

Via the xlate table you can see the ASA dynamically assigned 1.1.1.3:


Now, Dynamic NAT with Manual NAT:

NAT statement:

Xlate table verification (ASA dynamically translated to 1.1.1.4):
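Dynamic NAT in both forms as ASA CLI (added example, not the page's configuration). The pool 1.1.1.3 to 1.1.1.10 for DNAT_RANGE is an assumption consistent with the page handing out 1.1.1.3 and 1.1.1.4; the CSR3_Net subnet 3.3.3.0/24 is likewise assumed.

```cisco
! Added example. Assumed pool DNAT_RANGE = 1.1.1.3-1.1.1.10; assumed CSR3_Net = 3.3.3.0/24.
object network CSR3_Net
 subnet 3.3.3.0 255.255.255.0
object network DNAT_RANGE
 range 1.1.1.3 1.1.1.10
!
! Dynamic NAT with auto NAT: a range/subnet as the mapped object means dynamic NAT, not PAT.
! Each real host is given its own mapped IP from the pool; ports are left unchanged.
object network CSR3_Net
 nat (inside,outside) dynamic DNAT_RANGE
!
! Dynamic NAT with manual NAT:
nat (inside,outside) source dynamic CSR3_Net DNAT_RANGE
!
! Pool exhaustion caveat: a /24 of real hosts against 8 mapped addresses means the
! 9th concurrently active host has no mapped address and its connections fail.
! Appending 'interface' adds a PAT fallback to the outside interface address:
! nat (inside,outside) source dynamic CSR3_Net DNAT_RANGE interface
!
! 'show xlate' shows one entry per real host (e.g. 3.3.3.3 -> 1.1.1.3). Dynamic NAT
! xlates are held until they time out, so a second host may get 1.1.1.4 even after
! the first one goes quiet; 'clear xlate' releases the pool (and drops those connections).
```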


Policy NAT:

Remember that Policy NAT allows us to translate traffic based on its destination. Very important note: Policy NAT is configured with manual NAT since it matches on both src/dst. Policy NAT cannot be configured using Auto NAT syntax.


Policy Dynamic PAT:

I first create another object to define the remote destination:

Then I define the manual NAT statement as follows:

To break down the policy NAT statement above: my source is dynamically translated from CSR3_Net to DNAT_RANGE, and then the destination is statically translated from CSR4_Lo0 to CSR4_Lo0. Note that the destination is actually being translated to itself (identity NAT); its role here is to restrict the rule to traffic whose destination is CSR4_Lo0.
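The policy NAT statement as ASA CLI, as an added example rather than the page's screenshot. The addresses 3.3.3.0/24 (CSR3_Net), 1.1.1.3 to 1.1.1.10 (DNAT_RANGE) and 4.4.4.4 (CSR4 Lo0) are assumptions; the object names and the shape of the rule come from the page.

```cisco
! Added example. Assumed: CSR3_Net 3.3.3.0/24, DNAT_RANGE 1.1.1.3-1.1.1.10, CSR4 Lo0 = 4.4.4.4
object network CSR3_Net
 subnet 3.3.3.0 255.255.255.0
object network DNAT_RANGE
 range 1.1.1.3 1.1.1.10
object network CSR4_Lo0
 host 4.4.4.4
!
! Policy NAT (manual NAT, Section 1): the source is translated only when the destination is CSR4_Lo0.
! The destination operands read mapped-object first, then real-object; naming the same object
! twice is identity NAT, i.e. the destination is matched but left unchanged.
nat (inside,outside) source dynamic CSR3_Net DNAT_RANGE destination static CSR4_Lo0 CSR4_Lo0
!
! Traffic from CSR3_Net to any other destination does not match this rule and falls
! through to Section 2 / Section 3 (or leaves untranslated if nothing matches there).
! 'show nat detail' shows translate_hits only climbing for flows toward 4.4.4.4.
```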


Verification:


Twice NAT:

Twice NAT is a unique NAT translation where we translate both the source & destination address, i.e. NAT is applied two times.

In the example below I will use twice NAT to translate HTTPS (TCP 443) traffic destined to fake google (CSR4_Lo0) so that it goes to a fake internal web server (CSR4_Lo1) instead.


CSR4_Lo1 and service objects:


Twice NAT statement:

Breaking down the statement: any traffic sourced from the CSR3_Net object with a destination of CSR4_Lo0 (fake google) on port 443 gets its source translated to a dynamic IP from the DNAT_RANGE object, & its destination modified to the fake internal web server (CSR4_Lo1) on 443.


This example actually utilizes several concepts:

  • Policy NAT is used since a decision is made on src/dst

  • Both src/dst IPs are translated therefore Twice NAT is in use

  • Src is being translated with Dynamic PAT

  • Dst is being translated with Static NAT
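The twice NAT statement as ASA CLI, as an added example rather than the page's screenshot. Assumed values: 4.4.4.4 for CSR4 Lo0, 4.4.4.5 for CSR4 Lo1, 3.3.3.0/24 for CSR3_Net, 1.1.1.3 to 1.1.1.10 for DNAT_RANGE, and the service object name HTTPS; the object names CSR3_Net / DNAT_RANGE / CSR4_Lo0 / CSR4_Lo1 and port 443 come from the page.

```cisco
! Added example. Assumed: CSR4 Lo0 = 4.4.4.4 ("fake google"), CSR4 Lo1 = 4.4.4.5 (fake internal web server)
object network CSR3_Net
 subnet 3.3.3.0 255.255.255.0
object network DNAT_RANGE
 range 1.1.1.3 1.1.1.10
object network CSR4_Lo0
 host 4.4.4.4
object network CSR4_Lo1
 host 4.4.4.5
object service HTTPS
 service tcp destination eq 443
!
! Twice NAT (manual NAT, Section 1). For CSR3_Net -> 4.4.4.4:443:
!   source:      dynamic, picked from DNAT_RANGE
!   destination: static, 4.4.4.4 (mapped, what the client dialled) -> 4.4.4.5 (real, where it lands)
! 'service HTTPS HTTPS' limits the match to destination port 443 and keeps the port at 443.
nat (inside,outside) source dynamic CSR3_Net DNAT_RANGE destination static CSR4_Lo0 CSR4_Lo1 service HTTPS HTTPS
!
! Other traffic to 4.4.4.4 (ICMP, TCP/80, ...) does not match and is not redirected.
! Because the redirect is silent to the client, keep such rules documented: a rule like this is
! exactly what you would look for when a host reports reaching the "wrong" server.
```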

Identity NAT:

Identity NAT is when an address is translated to itself, which essentially means the traffic is not translated. In these scenarios the "real" & "mapped" addresses are the same. See the destination part of the Policy Dynamic PAT example above.


Quick manual NAT example deployed to Section 3 via the 'after-auto' keyword:

The main difference is that you add 'after-auto' as shown below. This places the NAT statement into Section 3 of the NAT precedence order, so it is evaluated only after the Auto NAT rules in Section 2:

Deployed to section 3:
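An added example (not the page's configuration) that ties together the three sections: the Section 2 ordering rules from the start of the post and the 'after-auto' placement just shown. All addresses, plus the objects WEB_SRV, DMZ_NET and DMZ_MAPPED, are assumptions; CSR3_Lo0, CSR3_Net and CSR4_Lo0 are the page's object names.

```cisco
! Added example. All addresses assumed; WEB_SRV / DMZ_NET / DMZ_MAPPED are made-up objects.
!
! --- Section 1: manual NAT, evaluated first, in the order configured ---
object network CSR3_Lo0
 host 3.3.3.3
object network CSR4_Lo0
 host 4.4.4.4
! Identity rule: keep CSR3 Lo0 untranslated when talking to CSR4 Lo0 (a typical "no-NAT" use).
nat (inside,outside) source static CSR3_Lo0 CSR3_Lo0 destination static CSR4_Lo0 CSR4_Lo0
!
! --- Section 2: auto NAT, ordered by the ASA, not by configuration order ---
object network WEB_SRV
 host 3.3.3.10
 nat (inside,outside) static 1.1.1.20
object network DMZ_MAPPED
 subnet 1.1.2.0 255.255.255.0
object network DMZ_NET
 subnet 3.3.4.0 255.255.255.0
 nat (inside,outside) static DMZ_MAPPED
object network CSR3_Net
 subnet 3.3.3.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network CSR3_Lo0
 nat (inside,outside) static 1.1.1.1
! Resulting Section 2 order, applying the rules from the top of the post:
!   1. CSR3_Lo0  static, 1 IP   (static before dynamic; 1 IP before 256; "C" before "W")
!   2. WEB_SRV   static, 1 IP
!   3. DMZ_NET   static, 256 IPs
!   4. CSR3_Net  dynamic        (all dynamic rules come after every static rule)
! So 3.3.3.3 is matched by its own static rule even though CSR3_Net also contains it.
!
! --- Section 3: manual NAT with after-auto, evaluated last: the catch-all ---
nat (inside,outside) after-auto source dynamic any interface
!
! 'show nat' prints the three groups as Manual NAT Policies (Section 1),
! Auto NAT Policies (Section 2) and Manual NAT Policies (Section 3) in that order.
```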

Lastly, to summarize verification/helpful commands:

Commands to verify objects:

  • #show run object = lists the objects as they were configured

  • #show run object in-line = lists objects as configured, except all on the same line


Commands to verify NAT:

  • #show run nat

  • #show nat detail


Additional useful commands:

  • #show xlate

  • #show conn

To summarize, I covered the different types of NAT on the Cisco ASA with several examples including both configuration & verification. Cheers!
