1. Overview
Network Address Translation (NAT) on a Cisco ASA firewall is configured very differently from NAT on a Cisco IOS router. The NAT model also changed between ASA software releases: versions before 8.3 used the old static, global and nat commands, while 8.3 and later, including 8.4 and 9.x, use the object-based model described in this article.
In this article we will look at the two ways of configuring NAT on Cisco ASA 9.x: Auto NAT (Network Object NAT) and Manual NAT (Twice NAT).
2. Prerequisites
In this tutorial, it is assumed that:
a. You already understand the concept of NAT.
b. You already have a Cisco ASAv running on the GNS3 VM. If not, follow this link: Configuring Cisco ASAv QCOW2 with GNS3 VM
c. You have a good understanding of Access Control Lists (ACLs) on Cisco ASA. If not, read this first: Access Control List (ACL) on Cisco ASA Firewall Appliance
3. Network Object, Service Object, Object Group Network and Object Group Service
A network object holds a single host, a subnet, a range of IP addresses or an FQDN, and it is also the container in which Auto NAT (Network Object NAT) is configured. A service object holds a protocol and a port. Object groups collect several network objects (or several service objects) under one name, so that ACLs and NAT rules can refer to the group instead of listing each member.
The following is the command syntax of object network.
object network obj_name
 host ip_addr
object network obj_name
 subnet net_addr net_mask
object network obj_name
 range ip_addr_1 ip_addr_2
object network obj_name
 fqdn fully_qualified_domain_name
Example:
#object network SSH-Server
 host 10.10.10.2
The following is the command syntax of object service. Use source when the object describes the port that the translated server listens on (this is how the Manual NAT rules later in this article use it), and destination when it describes the port a client connects to.
object service obj_name
 service {tcp | udp} {source | destination} eq service_name_or_port
Example:
#object service Remote-SSH
 service tcp source eq 22
The following is the command syntax of object group network.
object-group network grp_name
 network-object object net_obj_name
object-group network grp_name
 network-object host ip_address
object-group network grp_name
 network-object net_addr net_mask
object-group network grp_name
 group-object grp_obj_name
Example
#object-group network Server-Farm
 network-object 10.10.10.0 255.255.255.0
The following is the command syntax of object group service.
object-group service grp_name
 service-object {tcp | udp | tcp-udp} destination eq service_name_or_port
Example
#object-group service Remote-SSH-Telnet
 service-object tcp destination eq ssh
 service-object tcp destination eq telnet
4. Two Ways of NAT Implementation
On a Cisco Adaptive Security Appliance (ASA), NAT can be configured in two different ways: Auto NAT, also called Network Object NAT, and Manual NAT, also called Twice NAT.
Either way can express both kinds of translation used in this article. Static NAT is a fixed, bidirectional mapping; we use it to publish a server on the inside to the internet, so inbound connections have their destination translated (hence "Destination NAT"). Dynamic NAT translates the source address of outbound connections (hence "Source NAT"). Note that dynamic translation to the interface address, or to a single mapped address, is really dynamic PAT: many inside hosts share one public IP and are told apart by port.
Whichever way you use, there are four terms you need to understand: "real_ip", "real_port", "mapped_ip" and "mapped_port".
- real_ip: the private IP address assigned to the server.
- real_port: the port the service actually listens on on the server.
- mapped_ip: the public IP address that is reachable from the internet.
- mapped_port: the port used for public access. Some people keep the mapped port the same as the real port; others use a different mapped port. Keep in mind that a non-standard port only hides the service from casual browsing, not from a port scanner, so it is no substitute for restricting the source addresses in the ACL.
One important thing to remember: on ASA 8.3 and later, the interface ACL is evaluated against the real (untranslated) address and port, so the ACL must permit the real IP and the real port, never the mapped ones. For example, if we NAT port 80 of a web server to port 8080 for public access, the ACL must permit TCP port 80 to the server's private IP address.
5. Auto NAT or Network Object
We will use the following diagram to demonstrate Auto NAT (Network Object NAT). R1 acts as a computer on the internet. It gets no default route (on a router the default route plays the role of a computer's default gateway), so it can only reach the public subnet assigned to the "outside" interface of the ASA. The ASA has two active interfaces: "outside" is connected to the internet and "inside" is connected to the LAN. R2 acts as a server running services such as Telnet and SSH; R2 does need a default route, pointing at the ASA's inside address. We have one public subnet, 203.200.200.0/29, with six usable addresses from 203.200.200.1 to 203.200.200.6, and we will configure NAT to several of them in turn.
Below is the basic configuration of each device in the diagram.
On R1:
#int f0/0
 no sh
 ip address 203.200.200.6 255.255.255.248
On Cisco ASA (ICMP inspection is enabled so that echo replies are matched to their requests and allowed back in through the NAT without an ACL entry):
#int g0/0
 nameif outside
 security-level 0
 ip address 203.200.200.1 255.255.255.248
#int g0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
#policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
On R2 (the secrets below are lab placeholders; use strong ones on a real device):
#int f0/0
 no sh
 ip address 10.10.10.2 255.255.255.0
#ip route 0.0.0.0 0.0.0.0 10.10.10.1
#username netadmin privilege 15 secret 111
#enable secret 222
#line vty 0 15
 login local
#aaa new-model
#ip domain name www.techspacekh.com
#crypto key generate rsa
#ip ssh version 2
Now let's ping the public IP of the ASA from R1 and try telnet to ports 23 and 22. As shown below, the ping succeeds but the Telnet and SSH services are not reachable, because nothing yet translates the public address to R2.
Let's also ping from R2 to R1, which sits on the internet. As the result below shows, R2 cannot reach the internet yet, because its private address has no translation.
5.1 Static NAT or Destination NAT
5.1.1 NAT Translated to IP of Outside Interface
The following is the command syntax.
object network obj_name
 host ip_addr
 nat [(private_int,public_int)] static interface service {tcp | udp} real_port mapped_port
Now let's configure NAT so that ports 23 and 22 of R2 are reachable from the internet. A network object carries only one nat command, so we use one object per published port.
#object network R2-Telnet
 host 10.10.10.2
 nat (inside,outside) static interface service tcp telnet telnet
#object network R2-SSH
 host 10.10.10.2
 nat (inside,outside) static interface service tcp ssh ssh
After applying the NAT configuration, we need an access-list that permits the real ports on the real (private) address from the outside. In this lab the source is any; on a production firewall restrict it to the addresses that actually need access, and prefer SSH over Telnet, which sends credentials in cleartext.
#access-list outside-access-inside extended permit tcp any host 10.10.10.2 eq telnet
#access-list outside-access-inside extended permit tcp any host 10.10.10.2 eq ssh
#access-group outside-access-inside in interface outside
Now let's telnet to ports 23 and 22 on 203.200.200.1, the public IP of the ASA "outside" interface. We should get a successful result, as follows.
5.1.2 NAT Translated to IP in Subnet with Outside Interface
NAT can also translate to any other public IP in the same subnet as the "outside" interface. In our case the "outside" interface sits in 203.200.200.0/29, which has six usable addresses, 203.200.200.1 to 203.200.200.6. The ASA answers ARP for a mapped address in its connected subnet (proxy ARP), so R1 needs no extra configuration to reach it. The syntax is very similar to the previous one; the mapped address is given as a network object.
object network obj_name
 host ip_addr
 nat [(private_int,public_int)] static mapped_obj service {tcp | udp} real_port mapped_port
Now let's configure NAT for ports 23 and 22 to 203.200.200.2.
#object network Obj-203.200.200.2
 host 203.200.200.2
#object network R2-Telnet-02
 host 10.10.10.2
 nat (inside,outside) static Obj-203.200.200.2 service tcp telnet telnet
#object network R2-SSH-02
 host 10.10.10.2
 nat (inside,outside) static Obj-203.200.200.2 service tcp ssh ssh
No new ACL entry is needed, because the access-list already permits the real address and real ports. Now test by telnet to ports 23 and 22 on 203.200.200.2. We should get the following result.
5.1.3 NAT Translated to a Non-original Port
It is also possible to expose a service on a public port that differs from the real port. Let's translate real port 23 to mapped port 2323. A network object holds only one nat command, so entering a new one replaces the 23-to-23 rule configured above; the ACL stays as it is, because it matches the real port 23, not 2323.
#object network R2-Telnet-02
 nat (inside,outside) static Obj-203.200.200.2 service tcp telnet 2323
OK, let's telnet to port 2323 on 203.200.200.2.
5.2 Dynamic NAT or Source NAT
5.2.1 NAT Translated to IP of Outside Interface
The following is the syntax for dynamic PAT to the address of the "outside" interface: every inside host in the subnet shares that one public IP, and the ASA tells their connections apart by source port.
object network obj_name
 subnet net_addr net_mask
 nat [(private_int,public_int)] dynamic interface
Let's create it now so that R2 (and anything else in 10.10.10.0/24) can reach the internet.
#object network Dynamic-NAT
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
Now R2 should be able to ping any live public IP. In our case, let's ping R1.
5.2.2 NAT Translated to IP in Subnet with Outside Interface
The following is the syntax for dynamic translation to another public IP in the same subnet as interface "outside".
object network obj_name
 subnet net_addr net_mask
 nat [(private_int,public_int)] dynamic mapped_obj
In some cases we need to translate to a public IP other than the one on the "outside" interface. The mapped address is given as a network object; when that object is a single host, as here, the result is dynamic PAT on that address. (A mapped object that is a range or subnet gives one-to-one dynamic NAT instead, and appending the keyword interface to the command falls back to the interface address once the pool is exhausted.)
#object network Dynamic-NAT
 no nat (inside,outside) dynamic interface
 nat (inside,outside) dynamic Obj-203.200.200.2
Ping from R2 to R1 again; it should still succeed.
Verify that traffic is now translated to the new public IP with the following command (show xlate, listed in section 7, shows the mapped address of each active translation):
# sh nat
6. Manual NAT or Twice NAT
We keep the same network diagram but use the other way of configuring NAT on the ASA, Manual NAT (Twice NAT). Manual NAT rules are evaluated before Auto NAT rules (they appear as section 1 in the output of show nat, Auto NAT as section 2), so the network objects created in section 5 can be reused here; if their own nat commands are still present, a matching manual rule wins.
6.1 Static NAT or Destination NAT
6.1.1 NAT Translated to IP of Outside Interface
The following is the command syntax.
nat [(private_int,public_int)] source static real_obj interface service real_svc_obj mapped_svc_obj
Here real_obj is a network object holding the real address, and the two service objects give the real and mapped ports.
First let's use our service-object knowledge to create a Telnet service object. The port is given as source because, in the inside-to-outside direction, the server's listening port is the source port.
#object service svc-telnet
 service tcp source eq telnet
The NAT rule for our diagram looks like this; R2-Telnet is the network object for host 10.10.10.2 created in section 5.
#nat (inside,outside) source static R2-Telnet interface service svc-telnet svc-telnet
Test the NAT configuration by telnet to the public IP of the ASA. The access-list from section 5 still applies, since it permits the real address and port.
6.1.2 NAT Translated to IP in Subnet with Outside Interface
The following is the command syntax.
nat [(private_int,public_int)] source static real_obj mapped_obj service real_svc_obj mapped_svc_obj
OK, now let's configure NAT for SSH access, using public IP 203.200.200.3 as the mapped IP.
#object service svc-ssh
 service tcp source eq ssh
#object network Obj-203.200.200.3
 host 203.200.200.3
#nat (inside,outside) source static R2-SSH Obj-203.200.200.3 service svc-ssh svc-ssh
Let's see if it works by SSH to 203.200.200.3.
6.1.3 NAT Translated to a Non-original Port
Let's configure NAT for SSH access on a mapped port other than the standard SSH port; we use port 2222 for this test. Unlike a nat command inside a network object, a new manual rule is added alongside the existing one, so remove the 22-to-22 rule with the same command prefixed by no if only port 2222 should be exposed.
#object service svc-mapped-ssh
 service tcp source eq 2222
#nat (inside,outside) source static R2-SSH Obj-203.200.200.3 service svc-ssh svc-mapped-ssh
Test the result by telnet (or ssh -p 2222) to port 2222 on the mapped IP 203.200.200.3.
6.2 Dynamic NAT or Source NAT
6.2.1 NAT Translated to IP of Outside Interface
Here is the command syntax.
nat [(private_int,public_int)] source dynamic any interface
OK, now let's configure dynamic PAT that uses the public IP of the "outside" interface as the mapped address for every host on the LAN, so they can reach the internet. If the Auto NAT rule from section 5.2 is still present, this manual rule takes precedence over it.
#nat (inside,outside) source dynamic any interface
Test internet access from R2 by pinging a host on the internet; in our test, R1.
6.2.2 NAT Translated to IP in Subnet with Outside Interface
The command syntax is as follows.
nat [(private_int,public_int)] source dynamic any mapped_ip
Let's configure dynamic PAT using another public IP in the same subnet as "outside" as the mapped address; we choose 203.200.200.4.
#no nat (inside,outside) source dynamic any interface
#object network Obj-203.200.200.4
 host 203.200.200.4
#nat (inside,outside) source dynamic any Obj-203.200.200.4
Ping again; R2 should still be able to reach R1 on the internet.
Verify that it is being translated to 203.200.200.4.
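To confirm which public address outbound traffic is actually using after a dynamic PAT change, here and in section 5.2.2, the following Python script parses show xlate output. It is an added example for this article, not Cisco code. The sample text is constructed in the format of ASA 9.x show xlate output for this lab: one dynamic ICMP translation on the new address, the static port translation from section 5.1.3, and a hypothetical second inside host, 10.10.10.5, whose translation still uses the old interface address.

```python
"""Parse Cisco ASA 'show xlate' output and report which mapped address each inside host
is using. Added example for this article, not Cisco code; the sample text is constructed."""
import re
from collections import defaultdict

# Constructed in the format of ASA 9.x 'show xlate': dynamic entries carry flag 'i',
# static ones 's', port-translated ones 'r'. 10.10.10.5 is a hypothetical second host.
SAMPLE_XLATE = """\
3 in use, 5 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
ICMP PAT from inside:10.10.10.2/3 to outside:203.200.200.4/3 flags ri idle 0:00:02 timeout 0:00:30
TCP PAT from inside:10.10.10.2/23 to outside:203.200.200.2/2323 flags sr idle 0:01:12 timeout 0:00:00
TCP PAT from inside:10.10.10.5/51234 to outside:203.200.200.1/51234 flags ri idle 0:00:08 timeout 0:00:30
"""

# One translation line: optional protocol, NAT or PAT, real ifc:ip[/port], mapped ifc:ip[/port], flags
XLATE_RE = re.compile(
    r"^(?:(?P<proto>\w+) )?(?P<kind>NAT|PAT) from (?P<real_ifc>[\w-]+):(?P<real_ip>[\d.]+)"
    r"(?:/(?P<real_port>\d+))? to (?P<mapped_ifc>[\w-]+):(?P<mapped_ip>[\d.]+)"
    r"(?:/(?P<mapped_port>\d+))? flags (?P<flags>\S+)")


def parse_xlate(text):
    """One dict per translation line; the counter and flag-legend lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def dynamic_mapping(entries):
    """{real_ip: set of mapped addresses} for dynamic (flag 'i') translations only."""
    out = defaultdict(set)
    for e in entries:
        if "i" in e["flags"]:
            out[e["real_ip"]].add(e["mapped_ip"])
    return dict(out)


def hosts_not_on(entries, expected_mapped_ip):
    """Inside hosts whose dynamic translation uses some other mapped address."""
    return sorted({e["real_ip"] for e in entries
                   if "i" in e["flags"] and e["mapped_ip"] != expected_mapped_ip})
```

hosts_not_on(entries, "203.200.200.4") returns the inside hosts still translated to another address. Translations created before a NAT change keep their old mapped address until they time out; clear xlate flushes them, at the cost of dropping every connection that uses a translation.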
7. Verify NAT Configuration
The following commands are very useful for verifying your NAT configuration: show run nat lists the NAT lines of the running config; show nat shows the rules in evaluation order with their hit counts, and show nat detail also expands the objects; show conn lists active connections; show xlate lists active translations with the mapped address and port in use; the two show run object commands print the object definitions.
#sh run nat
#sh nat
#sh nat detail
#sh conn
#sh xlate
#sh run object service
#sh run object network
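As an added example (not part of this article or of Cisco's tooling), the following Python script checks the rule from section 4 against a saved copy of the running config: for every static NAT that publishes a service, whether configured as Auto NAT inside a network object (section 5.1) or as a Manual NAT source static line (section 6.1), it verifies that an ACE permits the real address and real port, points out ACEs written against the mapped address and port instead (the pre-8.3 habit), and warns when the permit is from any. The config text is constructed from this article's objects plus one hypothetical R2-Web object with a deliberately wrong ACE; PORT_NAMES is an assumed subset of the ASA service keywords, and ACE address specs using object or object-group are not resolved.

```python
"""Audit a saved ASA 8.3+/9.x config: a static NAT that publishes a service only works when
the interface ACL permits the REAL (untranslated) address and port. Added example, not Cisco code."""
import ipaddress

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "http": 80, "https": 443}  # assumed subset

# Constructed sample in "show run" format: the article's objects plus a hypothetical R2-Web
# object whose ACE wrongly permits the MAPPED address and port (the pre-8.3 habit).
SAMPLE_CONFIG = """\
object network R2-Telnet
 host 10.10.10.2
 nat (inside,outside) static interface service tcp telnet telnet
object network Obj-203.200.200.2
 host 203.200.200.2
object network R2-Web
 host 10.10.10.3
 nat (inside,outside) static Obj-203.200.200.2 service tcp www 8080
object network R2-SSH
 host 10.10.10.2
object service svc-ssh
 service tcp source eq ssh
nat (inside,outside) source static R2-SSH Obj-203.200.200.3 service svc-ssh svc-ssh
access-list outside-access-inside extended permit tcp any host 10.10.10.2 eq telnet
access-list outside-access-inside extended permit tcp 198.51.100.0 255.255.255.0 host 10.10.10.2 eq ssh
access-list outside-access-inside extended permit tcp any host 203.200.200.2 eq 8080
"""

def port_number(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def _addr(tok, i):  # one ACE address spec: any | host X | NET MASK (object specs not handled here)
    if tok[i] == "any":
        return ("any",), i + 1
    if tok[i] == "host":
        return ("host", tok[i + 1]), i + 2
    return ("subnet", tok[i], tok[i + 1]), i + 2

def parse_config(text):  # -> (network objects, service objects, manual NAT lines, ACEs)
    net, svc, manual, aces, cur = {}, {}, [], [], None
    for line in filter(str.strip, text.splitlines()):
        tok = line.split()
        if not line.startswith(" "):  # any top-level command ends the current object block
            cur = None
        if tok[:2] == ["object", "network"]:
            cur, net[tok[2]] = tok[2], {"addr": None, "nat": []}
        elif tok[:2] == ["object", "service"]:
            cur = tok[2]
        elif cur and tok[0] in ("host", "subnet", "range", "fqdn"):
            net[cur]["addr"] = tuple(tok)
        elif cur and tok[0] == "nat":  # Auto NAT line inside a network object
            net[cur]["nat"].append(tok)
        elif cur and tok[0] == "service":  # service object: protocol and source/destination port
            svc[cur] = (tok[1], port_number(tok[tok.index("eq") + 1]))
        elif tok[0] == "nat" and tok[2] == "source":  # Manual (twice) NAT line
            manual.append(tok)
        elif tok[0] == "access-list" and tok[2] == "extended":
            src, i = _addr(tok, 5)
            dst, i = _addr(tok, i)
            port = port_number(tok[i + 1]) if len(tok) > i and tok[i] == "eq" else None
            aces.append({"action": tok[3], "proto": tok[4], "src": src, "dst": dst, "port": port})
    return net, svc, manual, aces

def host_ip(net, name):  # address of a host object; None for 'interface' or non-host objects
    addr = net.get(name, {}).get("addr")
    return addr[1] if addr and addr[0] == "host" else None

def covers(spec, ip):  # does an ACE address spec include the single address ip?
    if ip is None:
        return False
    if spec[0] == "subnet":
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{spec[1]}/{spec[2]}", strict=False)
    return spec[0] == "any" or spec[1] == ip

def static_rules(net, svc, manual):
    """Static rules with a service port from both styles as (name, real_ip, proto, real_port, mapped_ip, mapped_port)."""
    rules = []
    for name, obj in net.items():  # nat (r,m) static MAPPED service PROTO REALPORT MAPPEDPORT
        for t in (t for t in obj["nat"] if t[2] == "static" and "service" in t):
            s = t.index("service")
            rules.append((name, host_ip(net, name), t[s + 1], port_number(t[s + 2]),
                          host_ip(net, t[3]), port_number(t[s + 3])))
    for t in (t for t in manual if t[3] == "static" and "service" in t):
        s = t.index("service")  # nat (r,m) source static REALOBJ MAPPEDOBJ service REALSVC MAPPEDSVC
        rules.append(("manual:" + t[4], host_ip(net, t[4]), svc[t[s + 1]][0], svc[t[s + 1]][1],
                      host_ip(net, t[5]), svc[t[s + 2]][1]))
    return rules

def audit(text):  # list of findings; empty means every published service is correctly permitted
    net, svc, manual, aces = parse_config(text)
    findings = []
    for name, real_ip, proto, real_port, mapped_ip, mapped_port in static_rules(net, svc, manual):
        hits = [a for a in aces if a["action"] == "permit" and a["proto"] in (proto, "ip")
                and covers(a["dst"], real_ip) and a["port"] in (None, real_port)]
        if not hits:
            wrong = any(covers(a["dst"], mapped_ip) and a["port"] == mapped_port for a in aces)
            hint = " (an ACE names the MAPPED address/port; ASA 8.3+ ACLs match the real ones)" if wrong else ""
            findings.append(f"{name}: nothing permits real {real_ip} {proto}/{real_port}{hint}")
        elif any(a["src"] == ("any",) for a in hits):
            findings.append(f"{name}: {proto}/{real_port} is reachable from any source")
    return findings
```

audit(SAMPLE_CONFIG) returns two findings: the Telnet rule is permitted from any source, and R2-Web has no permit for its real 10.10.10.3 tcp/80 because the only matching ACE was written against the mapped 203.200.200.2 port 8080. The manual SSH rule passes because an ACE permits the real address and port from a specific source network. Feed it the output of show running-config from a real unit to check the same thing there.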
8. Conclusion
That is all for today. Hopefully you now understand both ways of configuring NAT and can start with whichever you prefer. It is really awesome, right? If you have any questions or suggestions, leave a comment below; I will do my best to review and reply. Thank you and have a great day.