Cisco ASA – 8.3 and later NAT Tutorial

Introduction

ASA 8.3 onwards brought a number of changes to how NAT is processed.
First of all, NAT is now built around objects, which makes changing IPs and renaming objects much easier than before.
Also, when configuring ACLs, the real (untranslated) IP address(es) and port(s) are now used rather than the mapped ones.

Pre 8.3

access-list acl-outside extended permit ip any host 88.88.88.120

After 8.3+

access-list acl-outside extended permit ip any host 172.16.1.220

Note: the same applies to ports. If you are using port redirection, the ACL is written against the real port.

Finally, NAT control has been removed.

Objects

Unlike object groups, an object defines a single item. Objects can then be used within ACLs and object-groups, but most importantly within NAT.
There are two main types of object: ‘network’ and ‘service’.

  • network – host, subnet or IP range
  • service – protocol/port.

Example

asa(config)# object network obj-server
asa(config-network-object)# host 192.168.1.100

Commands

Show – To show the running configuration objects the command ‘show run object’ is used.
Rename – To rename an object on the fly the command ‘object network VPN-POOL rename RA-POOL’ is used.

NAT

There are now two types of NAT: Auto NAT and Manual NAT.

  • Auto NAT – only the source is used as match criteria when translating.
  • Manual NAT – the source and destination are used as match criteria when translating.

Auto NAT

Auto NAT only considers the source address when performing NAT. Because of this, Auto NAT is only used for static or dynamic NAT.
Auto NAT is configured within a network object.

Example

Below is an example of a static NAT.

asa(config)# object network obj-server
asa(config-network-object)# host 192.168.100.1 <- REAL IP
asa(config-network-object)# nat (inside,outside) static 88.88.88.1 <- MAPPED IP

After configuring this NAT, looking at the running configuration shows it in two places: the NAT and the object.

asa# show run object
object network obj-server
host 192.168.100.1

asa# show run nat
object network obj-server
nat (inside,outside) static 88.88.88.1

Manual NAT

Manual NAT considers either only the source, or the source and destination address, when performing NAT. Manual NAT can be used for (pretty much) all types of NAT, e.g. NAT exempt, policy NAT, etc.

Because Manual NAT can translate both the source and destination within a single statement, it is also known as twice NAT.
Unlike Auto NAT, which is configured within an object, Manual NAT is configured directly from global configuration mode. However, only objects are used within the Manual NAT rule rather than IP addresses directly.

Example

Below is an example of static NAT where only the source is considered. Note that this is typically done with Auto NAT instead.

object network obj-server-private
host 192.168.100.1
object network obj-server-public
host 88.88.88.88

nat (DMZ,outside) source static obj-server-private obj-server-public

Below is the syntax if we wanted to consider both the source and destination. This method (twice NAT) is also used for NAT exempt (covered in a separate article).

nat (real_ifc,mapped_ifc) source static REAL-SRC MAPPED-SRC destination static REAL-DST MAPPED-DST

TIP: I always find the best way to read these statements is from the real source: the REAL-SRC, arriving on the real_ifc, heading out to the MAPPED-DST.

NAT Order

NAT is ordered into three sections.

  • Section 1 – Manual NAT
  • Section 2 – Auto NAT
  • Section 3 – Manual NAT after-auto

By default only sections 1 and 2 are used. However, should you need a Manual NAT rule to be evaluated after Auto NAT, specify the keyword after-auto when configuring the rule to place it in Section 3.

nat (real,mapped) [after-auto] [Line#] ...

To view the order of precedence, the “show nat” command is used.

Keywords

Within the Auto NAT / Manual NAT statements there are three keywords that are useful to know.

unidirectional – 8.3 only – This ensured that the NAT statement was unidirectional. There is a caveat: when upgrading to 8.3 it could be added to the configuration incorrectly (bug CSCti36048).
route-lookup – 8.4(2)+ – This instructs the ASA to determine the egress interface from the routing table rather than from the interface defined within the NAT statement (i.e. for ‘nat (inside,outside) ...’ the ASA does a route lookup rather than simply using outside).
no-proxy-arp – 8.4(2)+ – This disables proxy ARP for the mapped IP address within the relevant NAT statement.
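To tie the sections above together (objects, Auto NAT, twice NAT, NAT order and the keywords), here is an added worked configuration; it is not from the original article, and the topology, interface names and the inside/VPN pool addresses are constructed (the DMZ server 172.16.1.220 / 88.88.88.120 pair reuses the ACL example from the introduction):

```cisco
! Constructed topology: inside 10.1.1.0/24, DMZ web server 172.16.1.220
! published as 88.88.88.120, remote-access VPN pool 10.200.0.0/24 that must
! reach inside hosts without translation.

! --- Objects hold the REAL addresses only ---
object network obj-inside-net
 subnet 10.1.1.0 255.255.255.0
object network obj-dmz-web
 host 172.16.1.220
object network obj-vpn-pool
 subnet 10.200.0.0 255.255.255.0

! --- Section 2: Auto NAT, configured inside the object ---
! Static one-to-one for the DMZ server (real 172.16.1.220 -> mapped 88.88.88.120).
object network obj-dmz-web
 nat (DMZ,outside) static 88.88.88.120
! Dynamic PAT for inside users to the outside interface address.
object network obj-inside-net
 nat (inside,outside) dynamic interface

! --- Section 1: Manual (twice) NAT, evaluated BEFORE Auto NAT ---
! NAT exempt: inside hosts talking to the VPN pool keep their real addresses,
! so source and destination are each translated to themselves. Read it from the
! real source: obj-inside-net arriving on inside, heading to obj-vpn-pool.
! route-lookup picks the egress interface from the routing table; no-proxy-arp
! stops the ASA answering ARP for the (identical) mapped addresses.
nat (inside,outside) source static obj-inside-net obj-inside-net destination static obj-vpn-pool obj-vpn-pool no-proxy-arp route-lookup

! --- Section 3: Manual NAT after-auto, a catch-all evaluated LAST ---
! Without after-auto this rule would sit in Section 1 and shadow the Auto NAT
! entries above.
nat (inside,outside) after-auto source dynamic any interface

! --- Interface ACL: post-8.3 it references the REAL address, not 88.88.88.120 ---
access-list acl-outside extended permit tcp any host 172.16.1.220 eq 80
access-group acl-outside in interface outside
```

Run ‘show nat’ afterwards to confirm the exempt rule appears in Section 1, the two object rules in Section 2 and the catch-all in Section 3.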

Rick Donato
