Network Address Translation (NAT) on Cisco ASA Firewall Appliance IOS Version 9.x

1. Overview

Network Address Translation (NAT) is most often performed on the Cisco ASA firewall. NAT configuration on the ASA is completely different from NAT configuration on a Cisco router. Likewise, different versions of the ASA firewall appliance have different NAT configuration syntax, for example the old version 8.4 and the new version 9.x.

In this article we will talk about the two ways of configuring NAT on Cisco ASA 9.x. They are Auto NAT (Network Object NAT) and Manual NAT (Twice NAT).

2. Prerequisites

In this tutorial, it is assumed that:

a. You already understand the concept of NAT.
b. You already have Cisco ASAv up and running on the GNS3 VM. If you don't, please follow this link: Configuring Cisco ASAv QCOW2 with GNS3 VM
c. You have a good understanding of Access Control Lists (ACL) on Cisco ASA. If you don't, you may prefer to read this link first: Access Control List (ACL) on Cisco ASA Firewall Appliance

3. Network Object, Service Object, Object Group Network, and Object Group Service

A network object normally holds a host, a network address, or a range of IP addresses, and it is also where Auto NAT (Network Object NAT) is configured. An object group network groups several network objects (or addresses) together. A service object and an object group service hold the protocol and port of the network services.

The following is the command syntax of object network.

object network obj_name
 host ip_addr 
object network obj_name
 subnet net_addr net_mask 
object network obj_name
 range ip_addr_1 ip_addr_2
object network obj_name 
 fqdn fully_qualified_domain_name

Example:

#object network SSH-Server
   host 10.10.10.2

The following is the command syntax of object service.

object service obj_name
 service {tcp | udp} source eq {service_name | service_port}

Example:

# object service Remote-SSH
     service tcp source eq 22

The following is the command syntax of object group network.

object-group network grp_name
   network-object object net_obj_name
object-group network grp_name
   network-object object host ip_address
object-group network grp_name
   network-object net_addr net_mask
object-group network grp_name
   group-object grp_obj_name

Example:

#object-group network Server-Farm
   network-object 10.10.10.0 255.255.255.0

The following is the command syntax of object group service.

object-group service grp_name
   service-object {tcp | udp | tcp-udp} destination eq {service_name | service_port}

Example:

#object-group service Remote-SSH-Telnet
   service-object tcp destination eq ssh
   service-object tcp destination eq telnet

 

4. Two Ways of NAT Implementation

On the Cisco Adaptive Security Appliance (ASA) we can configure Network Address Translation (NAT) in two different ways. The first is Auto NAT, also called Network Object NAT, and the second is Manual NAT, also called Twice NAT.

With either way, it is possible to configure both types of NAT: Static NAT (Destination NAT) and Dynamic NAT (Source NAT).

No matter which way you use, there are four terms you need to understand: "real_ip", "real_port", "mapped_ip", and "mapped_port".

  • real_ip: the private IP address assigned to the server.
  • real_port: the port of the service that is actually running on the server.
  • mapped_ip: the public IP address that is reachable from the internet.
  • mapped_port: the port used for public access. Some people prefer to keep the mapped port the same as the real port; others prefer a different mapped port, for security or other reasons.

One important thing to remember is that the ACL must permit the real port (on the real IP), not the mapped port. For example, if we want to NAT port 80 of a web server to port 8080 for public access, we have to create an ACL that allows port 80 to be reached from the internet.

5. Auto NAT or Network Object NAT

We will use the following diagram to demonstrate Auto NAT or Network Object NAT. R1 acts as a computer on the internet. We do not need to configure a default route on it; a default route here would play the same role as the default gateway on a computer. R1 can reach only the public IP that is assigned to the "outside" interface of the Cisco ASA firewall. There are two active interfaces on the Cisco ASA firewall: the "outside" interface is connected to the internet and the "inside" interface is connected to the LAN. R2 acts as a server running some services such as telnet and SSH. A default route is needed on R2. We have a public subnet, 203.200.200.0/29, with six usable IP addresses, from 203.200.200.1 to 203.200.200.6. We will test NAT translation to different public IPs in this subnet.

Below is the basic configuration of each device in the above diagram.

On R1:

#int f0/0
  no sh
  ip address 203.200.200.6 255.255.255.248

On Cisco ASA:

#int g0/0
   nameif outside
   security-level 0
   ip address 203.200.200.1 255.255.255.248
#int g0/1
   nameif inside
   security-level 100
   ip address 10.10.10.1 255.255.255.0
#policy-map global_policy
   class inspection_default
     inspect icmp
     inspect icmp error

On R2:

#int f0/0
    no sh
    ip address 10.10.10.2 255.255.255.0
#ip route 0.0.0.0 0.0.0.0 10.10.10.1

#username netadmin privilege 15 secret 111
#enable secret 222
#line vty 0 15
   login local
#aaa new-model

#ip domain name www.techspacekh.com
#crypto key generate rsa
#ip ssh version 2


Now let us test a ping from R1 to the public IP of the Cisco ASA, and test telnet to port 23 and port 22. As we can see below, the ping succeeds, but the telnet and SSH services are not accessible.

Let us also test a ping from R2 to R1, which is located on the internet. As the result below shows, R2 cannot reach the internet yet.

5.1 Static NAT or Destination NAT

5.1.1 NAT Translated to IP of Outside Interface

The following is the command syntax.

object network obj_name
  host ip_addr
  nat [(private_int,public_int)] static interface service {tcp | udp} real_port mapped_port

Now let us configure NAT so that port 23 and port 22 are accessible from the internet.

#object network R2-Telnet
  host 10.10.10.2
  nat (inside,outside) static interface service tcp telnet telnet
#object network R2-SSH
  host 10.10.10.2
  nat (inside,outside) static interface service tcp ssh ssh

After we apply the NAT configuration, we need to create an access-list that allows the real_ports on the real_ip to be reached from the internet.

#access-list outside-access-inside extended permit tcp any host 10.10.10.2 eq telnet
#access-list outside-access-inside extended permit tcp any host 10.10.10.2 eq ssh
#access-group outside-access-inside in interface outside

Now let us try telnet to port 23 and port 22 of IP 203.200.200.1, which is the public IP of the Cisco ASA "outside" interface. We should get a successful result like the following.

5.1.2 NAT Translated to IP in Subnet with Outside Interface

NAT can also translate to any public IP in the same subnet as the "outside" interface. In our case the "outside" interface of the Cisco ASA is configured in subnet 203.200.200.0/29, which has 6 usable IP addresses, from 203.200.200.1 to 203.200.200.6. The command syntax is very similar to the NAT configuration above; mapped_ip can be given as an IP address or as the name of a network object that holds it.

object network obj_name
  host ip_addr
  nat [(private_int,public_int)] static mapped_ip service {tcp | udp} real_port mapped_port

Now let us configure NAT for port 23 and port 22 to IP 203.200.200.2.

#object network Obj-203.200.200.2
   host 203.200.200.2
#object network R2-Telnet-02
   host 10.10.10.2
   nat (inside,outside) static Obj-203.200.200.2 service tcp telnet telnet
#object network R2-SSH-02
   host 10.10.10.2
   nat (inside,outside) static Obj-203.200.200.2 service tcp ssh ssh

Now let us test the result with telnet to port 23 and port 22 of IP 203.200.200.2. We should get the following result.

5.1.3 NAT Translated to Non-original Port

It is also possible to hide the real port from public access by translating it to a different port. Now let us configure NAT to translate real port 23 to mapped port 2323. A network object can hold only one nat statement, so entering the new one under R2-Telnet-02 replaces the previous one.

#object network R2-Telnet-02
   nat (inside,outside) static Obj-203.200.200.2 service tcp telnet 2323

OK, let us test telnet to port 2323 of IP 203.200.200.2.

5.2 Dynamic NAT or Source NAT

5.2.1 NAT Translated to IP of Outside Interface

The following is the command syntax for configuring dynamic NAT that translates to the public IP assigned to the "outside" interface.

object network obj_name
  subnet net_addr net_mask
  nat [(private_int,public_int)] dynamic interface

Let us now create a dynamic NAT rule so that R2 can reach the internet.

#object network Dynamic-NAT
   subnet 10.10.10.0 255.255.255.0
   nat (inside,outside) dynamic interface

Now R2 should be able to ping any public IP that is reachable on the internet. In our case, let us ping the IP of R1.

5.2.2 NAT Translated to IP in Subnet with Outside Interface

The following is the command syntax for configuring dynamic NAT that translates to any public IP in the same subnet as the "outside" interface.

object network obj_name
  subnet net_addr net_mask
  nat [(private_int,public_int)] dynamic mapped_ip

In some cases we need NAT to translate to another public IP in the same subnet as the "outside" interface of the Cisco ASA. Remove the previous rule from the object first, then add the new one.

#object network Dynamic-NAT
     no nat (inside,outside) dynamic interface
     nat (inside,outside) dynamic Obj-203.200.200.2

Let us try to ping from R2 to R1 again. It should still succeed.

Verify that the traffic is now translated to the new public IP with the following command.

#sh nat

6. Manual NAT or Twice NAT

We will keep using the same network diagram, but will use the other way of configuring NAT on the Cisco ASA firewall appliance, called Manual NAT or Twice NAT.

6.1 Static NAT or Destination NAT

6.1.1 NAT Translated to IP of Outside Interface

The following is the command syntax. In Twice NAT the real and mapped addresses are given as network objects, and the ports as service objects.

nat [(private_int,public_int)] source static real_obj interface service real_port_svc_obj mapped_port_svc_obj

Now let us apply our service object knowledge to create a telnet service object. Note that the service object is written with the source port, because the real host is the source in this rule.

# object service svc-telnet
    service tcp source eq telnet

The NAT configuration for our network diagram looks like the following. R2-Telnet is the network object for host 10.10.10.2 that we created in section 5.1.1.

nat (inside,outside) source static R2-Telnet interface service svc-telnet svc-telnet

Test the NAT configuration by running telnet to the public IP of the Cisco ASA.

6.1.2 NAT Translated to IP in Subnet with Outside Interface

The following is the command syntax.

nat [(private_int,public_int)] source static real_obj mapped_obj service real_port_svc_obj mapped_port_svc_obj

OK, now let us configure NAT for SSH access, using public IP 203.200.200.3 as the mapped IP. R2-SSH is the network object for host 10.10.10.2 that we created in section 5.1.1.

#object service svc-ssh
   service tcp source eq ssh
#object network Obj-203.200.200.3
   host 203.200.200.3
#nat (inside,outside) source static R2-SSH Obj-203.200.200.3 service svc-ssh svc-ssh

Let us see if it works by testing SSH access to IP 203.200.200.3.

6.1.3 NAT Translated to Non-original Port

Let us try to configure NAT for SSH access on a mapped port that differs from the standard SSH port. We will use port 2222 for this test.

#object service svc-mapped-ssh
    service tcp source eq 2222
#nat (inside,outside) source static R2-SSH Obj-203.200.200.3 service svc-ssh svc-mapped-ssh

Test the result by running telnet to port 2222 of the mapped IP 203.200.200.3.
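The rule from section 4, that the ACL must permit the real port on the real IP rather than the mapped port, applies equally to the Auto NAT rules of section 5.1 and the Twice NAT rules of section 6.1. The following Python script is an added example; it is not from the original article and not a Cisco tool. It parses a configuration written in the syntax used on this page, resolves network and service object names, and reports any static port translation whose real port is not permitted by an access-list entry. The sample configuration is constructed for the example: the Web-Server object (10.10.10.3) and its ACL line are invented, and that ACL line deliberately permits the mapped port 8080 instead of the real port 80 so that the mismatch is visible.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Well-known port names accepted by the ASA CLI that appear on this page
# (constructed lookup table for the example).
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "http": 80, "https": 443}

# Auto NAT: "nat (in,out) static <mapped|interface> service <proto> <real_port> <mapped_port>"
AUTO_NAT_RE = re.compile(r"^nat \(\S+,\S+\) static (?P<mapped>\S+) service "
                         r"(?P<proto>tcp|udp) (?P<real_port>\S+) (?P<mapped_port>\S+)$")
# Twice NAT: "nat (in,out) source static <real_obj> <mapped_obj> service <real_svc> <mapped_svc>"
TWICE_NAT_RE = re.compile(r"^nat \(\S+,\S+\) source static (?P<real>\S+) (?P<mapped>\S+) "
                          r"service (?P<real_svc>\S+) (?P<mapped_svc>\S+)$")
SVC_RE = re.compile(r"^service (?P<proto>tcp|udp) source eq (?P<port>\S+)$")
ACL_RE = re.compile(r"^access-list \S+ extended permit (?P<proto>tcp|udp) "
                    r"any host (?P<dst>\S+) eq (?P<port>\S+)$")


def port_number(token: str) -> int:
    """Resolve a numeric port or a well-known service name to an integer."""
    return int(token) if token.isdigit() else PORT_NAMES[token.lower()]


@dataclass(frozen=True)
class StaticRule:
    label: str        # object name (Auto NAT) or the nat line itself (Twice NAT)
    real_ip: str
    proto: str
    real_port: int
    mapped_port: int


def clean(raw: str) -> str:
    """Drop indentation and the '#' prompt marker used in this page's listings."""
    return raw.strip().lstrip("#").strip()


def parse(config: str) -> Tuple[List[StaticRule], Set[Tuple[str, str, int]]]:
    """Collect static service NAT rules and ACL permits as (proto, dst_ip, port)."""
    hosts: Dict[str, str] = {}                 # network object name -> host IP
    services: Dict[str, Tuple[str, int]] = {}  # service object name -> (proto, port)
    pending = []                               # Twice NAT matches, resolved at the end
    rules: List[StaticRule] = []
    permits: Set[Tuple[str, str, int]] = set()
    current = None                             # ("network" | "service", object name)
    for line in map(clean, config.splitlines()):
        if line.startswith("object network "):
            current = ("network", line.split()[2])
        elif line.startswith("object service "):
            current = ("service", line.split()[2])
        elif current and current[0] == "network" and line.startswith("host "):
            hosts[current[1]] = line.split()[1]
        elif current and current[0] == "service" and (m := SVC_RE.match(line)):
            services[current[1]] = (m["proto"], port_number(m["port"]))
        elif current and current[0] == "network" and (m := AUTO_NAT_RE.match(line)):
            rules.append(StaticRule(current[1], hosts[current[1]], m["proto"],
                                    port_number(m["real_port"]), port_number(m["mapped_port"])))
        elif m := TWICE_NAT_RE.match(line):
            pending.append(m)                  # referenced objects may be defined later
            current = None
        elif m := ACL_RE.match(line):
            permits.add((m["proto"], m["dst"], port_number(m["port"])))
            current = None
    for m in pending:                          # resolve object names to IP and ports
        proto, real_port = services[m["real_svc"]]
        rules.append(StaticRule(m.group(0), hosts[m["real"]], proto, real_port,
                                services[m["mapped_svc"]][1]))
    return rules, permits


def check(config: str) -> List[str]:
    """One finding per static rule with no permit on its real IP and real port."""
    rules, permits = parse(config)
    findings = []
    for r in rules:
        if (r.proto, r.real_ip, r.real_port) in permits:
            continue
        msg = f"{r.label}: no ACL permit for {r.proto}/{r.real_port} to {r.real_ip}"
        if (r.proto, r.real_ip, r.mapped_port) in permits:
            msg += f" (ACL permits mapped port {r.mapped_port} instead)"
        findings.append(msg)
    return findings


# Constructed sample in this page's syntax. Web-Server (10.10.10.3) and its ACL
# line are invented; that ACL line wrongly permits mapped port 8080, not real port 80.
SAMPLE_CONFIG = """
#object network R2-Telnet
   host 10.10.10.2
   nat (inside,outside) static interface service tcp telnet telnet
#object network R2-SSH
   host 10.10.10.2
#object network Obj-203.200.200.3
   host 203.200.200.3
#object service svc-ssh
   service tcp source eq ssh
#object service svc-mapped-ssh
   service tcp source eq 2222
#nat (inside,outside) source static R2-SSH Obj-203.200.200.3 service svc-ssh svc-mapped-ssh
#object network Web-Server
   host 10.10.10.3
   nat (inside,outside) static Obj-203.200.200.3 service tcp www 8080
#access-list outside-access-inside extended permit tcp any host 10.10.10.2 eq telnet
#access-list outside-access-inside extended permit tcp any host 10.10.10.2 eq ssh
#access-list outside-access-inside extended permit tcp any host 10.10.10.3 eq 8080
"""
FIXED_CONFIG = SAMPLE_CONFIG.replace("host 10.10.10.3 eq 8080", "host 10.10.10.3 eq www")

if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG):
        print("FINDING:", finding)
    print("after fixing the ACL:", check(FIXED_CONFIG) or "no findings")
```

Running the script reports the Web-Server rule, because its ACL entry permits 8080 (the mapped port) while the service really listens on 80; the telnet rule and the Twice NAT SSH rule (real port 22, mapped port 2222) pass because their ACL entries name the real port. The same check can be run against the output of sh run object network, sh run object service, sh run nat and sh run access-list from section 7, after removing any leading prompt characters.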

6.2 Dynamic NAT or Source NAT

6.2.1 NAT Translated to IP of Outside Interface

Here is the command syntax.

nat [(private_int,public_int)] source dynamic any interface

OK, now let us configure dynamic NAT that uses the public IP of the "outside" interface as the mapped IP, so that all hosts inside the LAN can reach the internet.

#nat (inside,outside) source dynamic any interface

Test internet access from R2 by pinging a host on the internet. In our test, let us ping the IP of R1.

 

6.2.2 NAT Translated to IP in Subnet with Outside Interface

The command syntax is as follows.

nat [(private_int,public_int)] source dynamic any mapped_obj

Let us configure dynamic NAT that uses a public IP in the same subnet as the "outside" interface as the mapped IP. We will choose IP 203.200.200.4, defined as a network object, and remove the previous rule first.

#no nat (inside,outside) source dynamic any interface
#object network Obj-203.200.200.4
   host 203.200.200.4
#nat (inside,outside) source dynamic any Obj-203.200.200.4

Test the ping again; R2 should still be able to ping R1 on the internet.

Verify that the traffic is now translated to IP 203.200.200.4.

7. Verify NAT Configuration

The following commands are very useful for verifying your NAT configuration.

#sh run nat
#sh nat
#sh nat detail
#sh conn
#sh xlate
#sh run object service
#sh run object network

8. Conclusion

That is all I want to say today. Hopefully you understand the two ways and can start configuring NAT using whichever one you prefer. It is really awesome, right? If you have any questions or suggestions you can always leave your comments below. I will do my best to review and reply to them. Thank you and have a great day.
