
How to Configure NAT in Cisco ASA Firewall

Steps to configure NAT in Cisco ASA Firewall

  • Define Network Object
  • Define Service Object
  • NAT Rule
  • Access Control List (ACL)

Network Objects

A network object can contain a host, a network IP address, a range of IP addresses, or a fully qualified domain name (FQDN). You can also enable NAT rules on the object.

Network Object for Single Host – 10.10.10.100

object network HOST-10.10.10.100
	host 10.10.10.100

Network Object for Subnet – 10.10.10.0/24

object network LAN-10.10.10.0
	subnet 10.10.10.0 255.255.255.0 

A network object group is used to group multiple network objects together

object-group network OG-LAN
	network-object object HOST-10.10.10.100

Service Objects

Service objects and groups identify protocols and ports.

Create a service group, OGS-Internet_Access, containing http, https and domain for outbound access

object-group service OGS-Internet_Access
  service-object tcp destination eq http
  service-object tcp destination eq https
  service-object udp destination eq domain

Create a service group, OGS-HOST-10.10.10.100, containing TCP 3389 and TCP 80 for inbound access

object-group service OGS-HOST-10.10.10.100
 service-object tcp destination eq 3389
 service-object tcp destination eq www

NAT Rules

Outbound NAT

Dynamic NAT translates inside users on the private network (10.10.10.0/24) to the outside interface IP address when they access the Internet

object network LAN-10.10.10.0
 nat (inside,outside) dynamic interface

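Add a default NAT rule so that any user behind the inside interface accesses the Internet with the outside interface IP address. The after-auto keyword places the rule after the network object (auto) NAT rules, so the object rules are matched first.

Refer to this link for more detailed information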

nat (inside,outside) after-auto source dynamic any interface

Show the NAT translation table with show xlate type dynamic

Two inside hosts (10.10.10.100 & 10.10.10.20) are accessing the Internet via the outside interface IP (192.168.1.8)

asa(config)# sh xlate type dynamic
22 in use, 149 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net

TCP PAT from inside-3:10.10.10.100/60755 to outside:192.168.1.8/60755 flags ri idle 0:00:06 timeout 0:00:30
TCP PAT from inside-3:10.10.10.100/60754 to outside:192.168.1.8/60754 flags ri idle 0:00:06 timeout 0:00:30
UDP PAT from inside-3:10.10.10.20/44789 to outside:192.168.1.8/44789 flags ri idle 0:00:02 timeout 0:00:30
TCP PAT from inside-3:10.10.10.20/53524 to outside:192.168.1.8/53524 flags ri idle 0:00:02 timeout 0:00:30

Inbound NAT

Static 1 to 1 NAT

It allows translation of both IP addresses and port numbers, for traffic from the inside to the outside and from the outside to the inside.

Static 1 to 1 NAT is used to ensure that outgoing traffic is always mapped to the assigned static public IP address instead of the firewall's outside interface address.

Create network objects for the internal server (10.10.10.30) and the external IP (192.168.1.7), then a static 1 to 1 NAT rule mapping 10.10.10.30 to 192.168.1.7

object network HOST-10.10.10.30
 host 10.10.10.30

object network PIP-192.168.1.7
 host 192.168.1.7

object network HOST-10.10.10.30
 nat (inside-3,outside) static PIP-192.168.1.7

Verify with show xlate type static

asa(config)# sh xlate type static
6 in use, 7 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net

NAT from inside-3:10.10.10.30 to outside:192.168.1.7
    flags s idle 0:00:21 timeout 0:00:00

Static PAT

Port Address Translation (PAT) is an extension to network address translation (NAT) that permits multiple devices on a local area network (LAN) to be mapped to a single public IP address. The goal of PAT is to conserve IP addresses.

Create a Network Object for Internal Host (10.10.10.100) and External IP (192.168.1.9)

object network HOST-10.10.10.100
 host 10.10.10.100

object network PIP-192.168.1.9
 host 192.168.1.9

Create the service objects TCP80 and TCP3389 and the PAT rules that reference them

object service TCP80
 service tcp source eq www
object service TCP3389
 service tcp source eq 3389

nat (inside,outside) source static HOST-10.10.10.100 PIP-192.168.1.9 service TCP80 TCP80
nat (inside,outside) source static HOST-10.10.10.100 PIP-192.168.1.9 service TCP3389 TCP3389

Verify with show xlate type static

asa(config)# sh xlate type static
6 in use, 7 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from inside-3:10.10.10.100 80-80 to outside:192.168.1.9 80-80
    flags srT idle 4:31:59 timeout 0:00:00
TCP PAT from inside-3:10.10.10.100 3389-3389 to outside:192.168.1.9 3389-3389
    flags srT idle 4:33:33 timeout 0:00:00

Access Control List (ACL)

Inbound ACL

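ACL to permit external traffic to HOST-10.10.10.100 for the services defined in OGS-HOST-10.10.10.100. On ASA 8.3 and later the ACL references the host's real address (10.10.10.100), not the mapped address (192.168.1.9).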

access-list outside_access_in extended permit object-group OGS-HOST-10.10.10.100 any object HOST-10.10.10.100

Apply the ACL to outside interface

access-group outside_access_in in interface outside

Verify with show access-list

asa(config)# sh access-list

access-list outside_access_in line 1 extended permit object-group OGS-HOST-10.10.10.100 any object HOST-10.10.10.100 (hitcnt=4) 0xe25ea7c9
  access-list outside_access_in line 1 extended permit tcp any host 10.10.10.100 eq 3389 (hitcnt=2) 0xf30ea6da
  access-list outside_access_in line 1 extended permit tcp any host 10.10.10.100 eq www (hitcnt=2) 0x0011ae22
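
The following check is an added example, not part of the original article: it parses the `show xlate type static` and `show access-list` output shown above and reports, for each static translation, whether the inbound ACL permits it. It assumes ASA 8.3 or later, where the ACL matches the real address; the sample text is constructed from the outputs on this page, and the function names and PORT_NAMES table are illustrative.

```python
import re

# Constructed sample: static xlate and expanded ACL lines copied from the outputs above.
XLATE = """\
TCP PAT from inside-3:10.10.10.100 80-80 to outside:192.168.1.9 80-80
    flags srT idle 4:31:59 timeout 0:00:00
TCP PAT from inside-3:10.10.10.100 3389-3389 to outside:192.168.1.9 3389-3389
    flags srT idle 4:33:33 timeout 0:00:00
NAT from inside-3:10.10.10.30 to outside:192.168.1.7
    flags s idle 0:00:21 timeout 0:00:00
"""
ACL = """\
access-list outside_access_in line 1 extended permit object-group OGS-HOST-10.10.10.100 any object HOST-10.10.10.100 (hitcnt=4) 0xe25ea7c9
  access-list outside_access_in line 1 extended permit tcp any host 10.10.10.100 eq 3389 (hitcnt=2) 0xf30ea6da
  access-list outside_access_in line 1 extended permit tcp any host 10.10.10.100 eq www (hitcnt=2) 0x0011ae22
"""
# ASA prints well-known ports by name; only the names used on this page are mapped.
PORT_NAMES = {"www": 80, "https": 443, "domain": 53}

def parse_static_xlate(text):
    """Return (proto, real_ip, real_port, mapped_ip, mapped_port); port None means all ports."""
    pat = re.compile(r"^(?:(TCP|UDP) PAT|NAT) from \S+?:([\d.]+)(?: (\d+)-\d+)?"
                     r" to \S+?:([\d.]+)(?: (\d+)-\d+)?", re.M)
    return [(proto.lower() or "ip", rip, int(rport) if rport else None,
             mip, int(mport) if mport else None)
            for proto, rip, rport, mip, mport in pat.findall(text)]

def parse_acl_permits(text):
    """Return {(proto, dest_ip, port)} from expanded 'permit <proto> any host <ip> eq <port>' lines."""
    pat = re.compile(r"extended permit (tcp|udp) any host ([\d.]+) eq (\S+)")
    return {(p, ip, PORT_NAMES[port] if port in PORT_NAMES else int(port))
            for p, ip, port in pat.findall(text)}

def audit(xlate_text, acl_text):
    """Classify each static translation against the inbound ACL (matched on the real IP)."""
    permits = parse_acl_permits(acl_text)
    report = {}
    for proto, rip, rport, mip, mport in parse_static_xlate(xlate_text):
        if rport is None:
            # 1-to-1 NAT maps every port, so the ACL alone decides what is reachable.
            ports = sorted(p for _, ip, p in permits if ip == rip)
            report[(mip, "all")] = f"1:1 NAT, ACL permits ports {ports}" if ports else "1:1 NAT, no ACL permit"
        else:
            ok = (proto, rip, rport) in permits
            report[(mip, mport)] = "permitted" if ok else "translated but not permitted"
    return report
```

A translation reported as "translated but not permitted" is a NAT rule with no matching inbound permit, so the published port is not reachable from outside.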

Outbound ACL

Create an ACL to allow full access from inside to outside

access-list inside_access_in extended permit ip any any

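Alternatively, create a restricted ACL that allows users in the 10.10.10.0/24 segment to access the Internet only for the services defined in OGS-Internet_Access. Use one entry or the other: ACL entries are matched top-down, so if permit ip any any is listed first, the restricted entry never takes effect.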

access-list inside_access_in extended permit object-group OGS-Internet_Access object LAN-10.10.10.0 any

Apply the inbound ACL to inside Interface

access-group inside_access_in in interface inside
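
The effect of entry order in inside_access_in can be shown with a small first-match model. This is an added example, not part of the original article; the rule tuples, probe packets (203.0.113.0/24 documentation addresses) and function names are constructed for illustration.

```python
import ipaddress

# Constructed model of the two inside_access_in entries above, in the order shown.
# Each rule: (action, services, source net, destination net); services None means "ip".
INTERNET_ACCESS = {("tcp", 80), ("tcp", 443), ("udp", 53)}   # OGS-Internet_Access
ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("10.10.10.0/24")                  # LAN-10.10.10.0

BOTH = [("permit", None, ANY, ANY),              # permit ip any any
        ("permit", INTERNET_ACCESS, LAN, ANY)]   # restricted entry
RESTRICTED_ONLY = BOTH[1:]

def evaluate(acl, proto, src, dst, dport):
    """Return (action, 1-based line) of the first matching entry; implicit deny is line 0."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, (action, services, src_net, dst_net) in enumerate(acl, 1):
        if src in src_net and dst in dst_net and (services is None or (proto, dport) in services):
            return action, n
    return "deny", 0

def shadowed(acl, probes):
    """Lines that never win first-match for any of the probe packets."""
    hit = {evaluate(acl, *p)[1] for p in probes}
    return [n for n in range(1, len(acl) + 1) if n not in hit]

# Constructed probes: HTTPS and DNS (in the service group) and SMTP (not in it).
PROBES = [("tcp", "10.10.10.100", "203.0.113.10", 443),
          ("udp", "10.10.10.20", "203.0.113.53", 53),
          ("tcp", "10.10.10.100", "203.0.113.10", 25)]
```

With both entries present, every probe matches line 1 and the restricted entry is shadowed; with only the restricted entry, the SMTP probe falls through to the implicit deny.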

Reference Links

  1. Cisco ASA Series CLI Configuration Guide, 9.0

  2. NAT Examples and Reference
