How to Configure NAT in Cisco ASA Firewall
Steps to configure NAT in Cisco ASA Firewall
- Define Network Object
- Define Service Object
- NAT Rule
- Access Control List (ACL)
Network Objects
A network object can contain a single host, a subnet, a range of IP addresses, or a fully qualified domain name (FQDN). NAT rules can also be configured directly on the object (object NAT).
Network Object for Single Host – 10.10.10.100
object network HOST-10.10.10.100
host 10.10.10.100
Network Object for Subnet – 10.10.10.0/24
object network LAN-10.10.10.0
subnet 10.10.10.0 255.255.255.0
A Network Object Group is used to group multiple network objects together so they can be referenced as one entity in NAT rules and ACLs
object-group network OG-LAN
network-object object HOST-10.10.10.100
Service Objects
Service objects and groups identify protocols and ports.
Create a Service Group OGS-Internet_Access containing http, https and domain (DNS) for outbound access
object-group service OGS-Internet_Access
service-object tcp destination eq http
service-object tcp destination eq https
service-object udp destination eq domain
Create a Service Group OGS-HOST-10.10.10.100 containing TCP 3389 (RDP) and TCP 80 (HTTP) for inbound access
object-group service OGS-HOST-10.10.10.100
service-object tcp destination eq 3389
service-object tcp destination eq www
NAT Rules
Outbound NAT
Dynamic NAT for inside users on the private network 10.10.10.0/24: the dynamic interface keyword translates their source addresses to the outside interface IP (PAT, many hosts behind one address) when they access the Internet
object network LAN-10.10.10.0
nat (inside,outside) dynamic interface
Add a catch-all NAT rule so that any host behind the inside interface can reach the Internet with the outside interface IP address. The after-auto keyword places this manual rule in section 3 of the NAT table, after the object NAT rules, so the more specific object rules above it keep precedence.
nat (inside,outside) after-auto source dynamic any interface
Show the NAT translation table with show xlate type dynamic.
Two inside hosts (10.10.10.100 and 10.10.10.20) are accessing the Internet via the outside interface IP (192.168.1.8); the flags ri on each entry mark it as dynamic (i) with port mapping (r), as the legend explains
asa(config)# sh xlate type dynamic
22 in use, 149 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from inside-3:10.10.10.100/60755 to outside:192.168.1.8/60755 flags ri idle 0:00:06 timeout 0:00:30
TCP PAT from inside-3:10.10.10.100/60754 to outside:192.168.1.8/60754 flags ri idle 0:00:06 timeout 0:00:30
UDP PAT from inside-3:10.10.10.20/44789 to outside:192.168.1.8/44789 flags ri idle 0:00:02 timeout 0:00:30
TCP PAT from inside-3:10.10.10.20/53524 to outside:192.168.1.8/53524 flags ri idle 0:00:02 timeout 0:00:30
Inbound NAT
Static 1 to 1 NAT
Static NAT creates a fixed, bidirectional mapping: it allows both IP address and port number translation for traffic from inside to outside and from outside to inside, so connections initiated from the outside to the mapped address reach the inside host.
Static 1 to 1 NAT is also used to ensure that outgoing traffic from the host is always mapped to its assigned static public IP address instead of the outside interface IP of the firewall.
Create a Network Object for the internal server (10.10.10.30), one for the external IP (192.168.1.7), and a static 1 to 1 NAT rule mapping 10.10.10.30 to 192.168.1.7
object network HOST-10.10.10.30
host 10.10.10.30
object network PIP-192.168.1.7
host 192.168.1.7
object network HOST-10.10.10.30
nat (inside-3,outside) static PIP-192.168.1.7
Verify with show xlate type static
asa(config)# sh xlate type static
6 in use, 7 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
NAT from inside-3:10.10.10.30 to outside:192.168.1.7
flags s idle 0:00:21 timeout 0:00:00
Static PAT
Port Address Translation (PAT) is an extension to network address translation (NAT) that permits multiple devices on a local area network (LAN) to be mapped to a single public IP address. The goal of PAT is to conserve IP addresses. Static PAT maps a specific port on the public address to a port on a specific inside host, so one public IP can front several services.
Create a Network Object for the internal host (10.10.10.100) and one for the external IP (192.168.1.9)
object network HOST-10.10.10.100
host 10.10.10.100
object network PIP-192.168.1.9
host 192.168.1.9
Create the service objects and the manual (twice) NAT rules. In a manual NAT rule the service object describes the real host's port, which is the source port in the inside-to-outside direction, so the ports are defined as source ports. The service object sub-command is service (service-object is the object-group form), and the objects TCP80 and TCP3389 must exist before the nat statements reference them
object service TCP80
service tcp source eq www
object service TCP3389
service tcp source eq 3389
nat (inside,outside) source static HOST-10.10.10.100 PIP-192.168.1.9 service TCP80 TCP80
nat (inside,outside) source static HOST-10.10.10.100 PIP-192.168.1.9 service TCP3389 TCP3389
Verify with show xlate type static; the flags srT mark each entry as static (s), port-mapped (r) and created by a twice NAT rule (T)
asa(config)# sh xlate type static
6 in use, 7 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from inside-3:10.10.10.100 80-80 to outside:192.168.1.9 80-80
flags srT idle 4:31:59 timeout 0:00:00
TCP PAT from inside-3:10.10.10.100 3389-3389 to outside:192.168.1.9 3389-3389
flags srT idle 4:33:33 timeout 0:00:00
Access Control List (ACL)
Inbound ACL
ACL to permit external hosts to reach HOST-10.10.10.100 for the services defined in OGS-HOST-10.10.10.100. On ASA 8.3 and later, access lists match on the real (untranslated) address, which is why the ACL references the inside host object rather than the public IP 192.168.1.9
access-list outside_access_in extended permit object-group OGS-HOST-10.10.10.100 any object HOST-10.10.10.100
Apply the ACL to outside interface
access-group outside_access_in in interface outside
Verify with show access-list; the object-group entry is expanded into one line per service, and hitcnt shows how many times each has matched
asa(config)# sh access-list
access-list outside_access_in line 1 extended permit object-group OGS-HOST-10.10.10.100 any object HOST-10.10.10.100 (hitcnt=4) 0xe25ea7c9
access-list outside_access_in line 1 extended permit tcp any host 10.10.10.100 eq 3389 (hitcnt=2) 0xf30ea6da
access-list outside_access_in line 1 extended permit tcp any host 10.10.10.100 eq www (hitcnt=2) 0x0011ae22
Outbound ACL
Create an ACL to allow unrestricted access from inside to outside
access-list inside_access_in extended permit ip any any
Alternatively, create a restricted ACL that allows users on the 10.10.10.0/24 segment to reach the Internet only for the services defined in OGS-Internet_Access. Use one of the two entries, not both: ACEs are evaluated top down and the first match wins, so if the permit ip any any entry sits above this one in the same list, the restriction never takes effect
access-list inside_access_in extended permit object-group OGS-Internet_Access object LAN-10.10.10.0 any
Apply the ACL in the inbound direction on the inside interface (inbound means traffic entering the firewall from the LAN)
access-group inside_access_in in interface inside
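A shadowed-rule check for the outbound ACL, added here as an example and not part of the original page: it parses ACEs in the page's syntax and reports any entry that an earlier entry in the same named list already fully covers, which is exactly what happens if the permit ip any any line is left above the restricted one. The grammar is deliberately limited to the forms used on this page (ip/tcp/udp or object-group protocols; any, host, object, object-group or address/mask endpoints; an optional eq port).

```python
import re

# Constructed ACL config modelled on the two inside_access_in entries in this page. Entered
# in this order the second ACE can never match: "permit ip any any" already covers everything.
SAMPLE_ACL = """\
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit object-group OGS-Internet_Access object LAN-10.10.10.0 any
"""

IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+")

def _take_spec(tokens):
    """Consume one protocol or endpoint spec ('ip', 'any', 'host A', 'object N',
    'object-group N', 'A MASK'); return it as a tuple plus the remaining tokens."""
    head = tokens[0]
    if head in ("host", "object", "object-group"):
        return (head, tokens[1]), tokens[2:]
    if IPV4.fullmatch(head) and len(tokens) > 1 and IPV4.fullmatch(tokens[1]):
        return ("subnet", head, tokens[1]), tokens[2:]
    return (head,), tokens[1:]

def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError("not an extended ACE: " + line)
    proto, rest = _take_spec(t[4:])
    src, rest = _take_spec(rest)
    dst, rest = _take_spec(rest)
    port = rest[1] if rest[:1] == ["eq"] else None
    return {"name": t[1], "action": t[3], "proto": proto, "src": src, "dst": dst, "port": port}

def _covers(a, b):
    """True if every packet matching ACE b also matches the earlier ACE a."""
    return ((a["proto"] == ("ip",) or a["proto"] == b["proto"])
            and (a["src"] == ("any",) or a["src"] == b["src"])
            and (a["dst"] == ("any",) or a["dst"] == b["dst"])
            and (a["port"] is None or a["port"] == b["port"]))

def shadowed_aces(config):
    """Return (line, covering_line) pairs, 1-based, for ACEs that an earlier ACE in the same
    named list fully covers; such entries are never evaluated because the first match wins."""
    aces = [parse_ace(ln) for ln in config.splitlines() if ln.strip()]
    found = []
    for i, later in enumerate(aces):
        for j, earlier in enumerate(aces[:i]):
            if earlier["name"] == later["name"] and _covers(earlier, later):
                found.append((i + 1, j + 1))
                break
    return found
```

shadowed_aces(SAMPLE_ACL) returns [(2, 1)]; with the restricted entry placed first the result is empty, since an object-group protocol does not cover ip any any.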