How to Configure NAT in Cisco ASA Firewall


Steps to configure NAT in Cisco ASA Firewall

  • Define Network Object
  • Define Service Object
  • NAT Rule
  • Access Control List (ACL)

Network Objects

A network object can contain a host, a network address, a range of IP addresses, or a fully qualified domain name (FQDN). NAT rules can also be attached directly to the object (object NAT).

Network Object for Single Host – 10.10.10.100

object network HOST-10.10.10.100
	host 10.10.10.100

Network Object for Subnet – 10.10.10.0/24

object network LAN-10.10.10.0
	subnet 10.10.10.0 255.255.255.0 

A network object group collects multiple network objects so they can be referenced together:

object-group network OG-LAN
	network-object object HOST-10.10.10.100

Service Objects

Service objects and groups identify protocols and ports.

Create a service group OGS-Internet_Access containing http, https and domain (DNS) for outbound access:

object-group service OGS-Internet_Access
  service-object tcp destination eq http
  service-object tcp destination eq https
  service-object udp destination eq domain

Create a service group OGS-HOST-10.10.10.100 containing TCP/3389 and TCP/80 for inbound access:

object-group service OGS-HOST-10.10.10.100
 service-object tcp destination eq 3389
 service-object tcp destination eq www

NAT Rules

Outbound NAT

Dynamic NAT (PAT to the outside interface address) for inside users on the private network 10.10.10.0/24 when they access the Internet:

object network LAN-10.10.10.0
 nat (inside,outside) dynamic interface

Add a default NAT rule so that any user behind the inside interface reaches the Internet using the outside interface IP address. The after-auto keyword places the rule in section 3, after the object NAT rules, so it only catches traffic no more specific rule has already translated.

Refer to the reference links below for more detailed information.

nat (inside,outside) after-auto source dynamic any interface

Show the NAT translation table with show xlate type dynamic

Two inside hosts (10.10.10.100 and 10.10.10.20) are accessing the Internet via the outside interface IP (192.168.1.8):

asa(config)# sh xlate type dynamic
22 in use, 149 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net

TCP PAT from inside-3:10.10.10.100/60755 to outside:192.168.1.8/60755 flags ri idle 0:00:06 timeout 0:00:30
TCP PAT from inside-3:10.10.10.100/60754 to outside:192.168.1.8/60754 flags ri idle 0:00:06 timeout 0:00:30
UDP PAT from inside-3:10.10.10.20/44789 to outside:192.168.1.8/44789 flags ri idle 0:00:02 timeout 0:00:30
TCP PAT from inside-3:10.10.10.20/53524 to outside:192.168.1.8/53524 flags ri idle 0:00:02 timeout 0:00:30

Inbound NAT

Static 1 to 1 NAT

Static NAT translates IP addresses (and, with static PAT, port numbers) in both directions: inside-to-outside traffic and outside-to-inside traffic.

Static 1-to-1 NAT also ensures that the server's outgoing traffic is always mapped to its assigned static public IP address rather than to the firewall's outside interface address.

Create a network object for the internal server (10.10.10.30), one for the external IP (192.168.1.7), and a static 1-to-1 NAT mapping 10.10.10.30 to 192.168.1.7:

object network HOST-10.10.10.30
 host 10.10.10.30

object network PIP-192.168.1.7
 host 192.168.1.7

object network HOST-10.10.10.30
 nat (inside-3,outside) static PIP-192.168.1.7

Verify with show xlate type static

asa(config)# sh xlate type static
6 in use, 7 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net

NAT from inside-3:10.10.10.30 to outside:192.168.1.7
    flags s idle 0:00:21 timeout 0:00:00

Static PAT

Port Address Translation (PAT) is an extension of network address translation (NAT) that lets multiple devices on a local area network (LAN) share a single public IP address. The goal of PAT is to conserve IP addresses. Static PAT, used here, fixes the mapping per port: TCP/80 and TCP/3389 on 192.168.1.9 are forwarded to 10.10.10.100, and nothing else on that address is exposed.

Create network objects for the internal host (10.10.10.100) and the external IP (192.168.1.9):

object network HOST-10.10.10.100
 host 10.10.10.100

object network PIP-192.168.1.9
 host 192.168.1.9

Create service objects for the real ports (TCP/80 and TCP/3389) and the static PAT rules. In twice NAT the service object's source port is the real host's port, and the two service names in the nat statement are the real service followed by the mapped service:

object service TCP80
 service tcp source eq www

object service TCP3389
 service tcp source eq 3389

nat (inside,outside) source static HOST-10.10.10.100 PIP-192.168.1.9 service TCP80 TCP80
nat (inside,outside) source static HOST-10.10.10.100 PIP-192.168.1.9 service TCP3389 TCP3389

Verify with show xlate type static

asa(config)# sh xlate type static
6 in use, 7 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from inside-3:10.10.10.100 80-80 to outside:192.168.1.9 80-80
    flags srT idle 4:31:59 timeout 0:00:00
TCP PAT from inside-3:10.10.10.100 3389-3389 to outside:192.168.1.9 3389-3389
    flags srT idle 4:33:33 timeout 0:00:00
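The show xlate listings in the outbound and inbound sections above come in two shapes: one-line dynamic PAT entries with the flags on the same line, and static entries whose flags sit on a continuation line. The following Python script is an added example, not part of the original article or of any Cisco tool: it parses both shapes into records and then reports any static translation that is missing from a documented inventory, because an undocumented static mapping is an inside host reachable from the outside that nobody signed off. The listing is constructed from the outputs shown on this page, and the inventory dict and function names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample: the entry forms shown on this page, pasted into one listing.
SAMPLE_XLATE = """\
asa(config)# sh xlate
22 in use, 149 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net

TCP PAT from inside-3:10.10.10.100/60755 to outside:192.168.1.8/60755 flags ri idle 0:00:06 timeout 0:00:30
UDP PAT from inside-3:10.10.10.20/44789 to outside:192.168.1.8/44789 flags ri idle 0:00:02 timeout 0:00:30
NAT from inside-3:10.10.10.30 to outside:192.168.1.7
    flags s idle 0:00:21 timeout 0:00:00
TCP PAT from inside-3:10.10.10.100 80-80 to outside:192.168.1.9 80-80
    flags srT idle 4:31:59 timeout 0:00:00
"""


@dataclass
class Xlate:
    """One translation. Ports are kept as printed: "60755" for dynamic PAT,
    "80-80" for a static PAT range, None for a plain 1-to-1 NAT entry."""
    proto: Optional[str]
    real_if: str
    real_ip: str
    real_port: Optional[str]
    mapped_if: str
    mapped_ip: str
    mapped_port: Optional[str]
    flags: str

    @property
    def is_static(self) -> bool:
        return "s" in self.flags

    @property
    def is_dynamic(self) -> bool:
        return "i" in self.flags


# Entry line: "[TCP|UDP|ICMP PAT|NAT] from IF:IP[/port| lo-hi] to IF:IP[/port| lo-hi] [flags ...]"
ENTRY_RE = re.compile(
    r"^(?:(?P<proto>TCP|UDP|ICMP) PAT|NAT) from "
    r"(?P<rif>[^:\s]+):(?P<rip>[\d.]+)(?:/(?P<rport>\d+)| (?P<rrange>\d+-\d+))?"
    r" to (?P<mif>[^:\s]+):(?P<mip>[\d.]+)(?:/(?P<mport>\d+)| (?P<mrange>\d+-\d+))?"
    r"(?: flags (?P<flags>\S+).*)?$"
)
# Continuation line that carries the flags of the entry printed just above it.
FLAGS_RE = re.compile(r"^\s+flags\s+(\S+)")


def parse_xlate(text: str) -> List[Xlate]:
    entries: List[Xlate] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Xlate(
                proto=m.group("proto"),
                real_if=m.group("rif"), real_ip=m.group("rip"),
                real_port=m.group("rport") or m.group("rrange"),
                mapped_if=m.group("mif"), mapped_ip=m.group("mip"),
                mapped_port=m.group("mport") or m.group("mrange"),
                flags=m.group("flags") or "",
            ))
            continue
        f = FLAGS_RE.match(line)
        if f and entries:          # attach continuation-line flags to the last entry
            entries[-1].flags = f.group(1)
    return entries


def static_mappings(entries: List[Xlate]) -> Dict[str, Set[str]]:
    """Real address -> mapped addresses for every static (s flag) translation."""
    out: Dict[str, Set[str]] = {}
    for e in entries:
        if e.is_static:
            out.setdefault(e.real_ip, set()).add(e.mapped_ip)
    return out


def unexpected_static(entries: List[Xlate], inventory: Dict[str, str]) -> List[Xlate]:
    """Static translations whose real->mapped pair is not in the documented
    inventory; each one is an exposure that should be explained or removed."""
    return [e for e in entries if e.is_static and inventory.get(e.real_ip) != e.mapped_ip]


if __name__ == "__main__":
    xlates = parse_xlate(SAMPLE_XLATE)
    # Assumed inventory: only the 10.10.10.30 mapping is documented.
    for e in unexpected_static(xlates, {"10.10.10.30": "192.168.1.7"}):
        print(f"undocumented static NAT: {e.real_ip} -> {e.mapped_ip} ({e.mapped_port or 'all ports'})")
```

Run it against a pasted show xlate listing; with the inventory above it reports the 192.168.1.9 static PAT as undocumented. Dynamic PAT entries are ignored by the audit on purpose, since they are created by inside hosts initiating outbound traffic and do not expose anything.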

Access Control List (ACL)

Inbound ACL

ACL permitting external hosts to reach HOST-10.10.10.100 on the services defined in OGS-HOST-10.10.10.100. On ASA 8.3 and later, interface ACLs reference the real (pre-NAT) address, which is why the rule names HOST-10.10.10.100 rather than PIP-192.168.1.9:

access-list outside_access_in extended permit object-group OGS-HOST-10.10.10.100 any object HOST-10.10.10.100

Apply the ACL inbound on the outside interface:

access-group outside_access_in in interface outside

Verify with show access-list; the object-group is expanded into one line per service, each with its own hit count:

asa(config)# sh access-list

access-list outside_access_in line 1 extended permit object-group OGS-HOST-10.10.10.100 any object HOST-10.10.10.100 (hitcnt=4) 0xe25ea7c9
  access-list outside_access_in line 1 extended permit tcp any host 10.10.10.100 eq 3389 (hitcnt=2) 0xf30ea6da
  access-list outside_access_in line 1 extended permit tcp any host 10.10.10.100 eq www (hitcnt=2) 0x0011ae22

Outbound ACL

Create an ACL that allows full access from inside to outside:

access-list inside_access_in extended permit ip any any

Alternatively, create a restricted ACL that allows users on the 10.10.10.0/24 segment to reach the Internet only for the services defined in OGS-Internet_Access. Use one or the other: ASA ACLs are evaluated top-down with first match, so if the permit ip any any entry above stays in inside_access_in, this line never matches.

access-list inside_access_in extended permit object-group OGS-Internet_Access object LAN-10.10.10.0 any

Apply the ACL inbound on the inside interface:

access-group inside_access_in in interface inside
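Because entry order decides what an ACL actually permits, it is worth seeing the expanded per-service entries (the form show access-list prints) and checking whether an earlier entry fully covers a later one. The following Python script is an added example, not part of the original article or of any Cisco tool: it parses the network objects, service object-groups and ACL lines from this page (embedded as a constructed sample), expands each object-group reference into per-port entries, and reports entries that an earlier entry in the same ACL shadows. The port-name table and the function names are assumptions that cover only the syntax used on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample built from the objects and ACL lines shown on this page.
SAMPLE_CONFIG = """\
object network HOST-10.10.10.100
 host 10.10.10.100
object network LAN-10.10.10.0
 subnet 10.10.10.0 255.255.255.0
object-group service OGS-Internet_Access
 service-object tcp destination eq http
 service-object tcp destination eq https
 service-object udp destination eq domain
object-group service OGS-HOST-10.10.10.100
 service-object tcp destination eq 3389
 service-object tcp destination eq www
access-list outside_access_in extended permit object-group OGS-HOST-10.10.10.100 any object HOST-10.10.10.100
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit object-group OGS-Internet_Access object LAN-10.10.10.0 any
"""

# Assumed port keywords: only the ones this page uses.
PORT_NAMES = {"http": 80, "www": 80, "https": 443, "domain": 53}
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    """One expanded access-control entry, one protocol/port per entry."""
    acl: str
    action: str
    proto: str                      # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None means any destination port

    def covers(self, other: "Ace") -> bool:
        """True when every packet matched by `other` is also matched by self."""
        return (self.proto in ("ip", other.proto)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.dport in (None, other.dport))


def _endpoint(tokens, i, networks):
    """Consume one address spec (any | object NAME | host IP) at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "object":
        return networks[tokens[i + 1]], i + 2
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    raise ValueError(f"unsupported address spec: {tokens[i]}")


def _expand(tokens, networks, services) -> List[Ace]:
    """access-list NAME extended ACTION (PROTO | object-group SVC) SRC DST"""
    acl, action, i = tokens[1], tokens[3], 4
    if tokens[i] == "object-group":
        svc, i = services[tokens[i + 1]], i + 2
    else:
        svc, i = [(tokens[i], None)], i + 1
    src, i = _endpoint(tokens, i, networks)
    dst, i = _endpoint(tokens, i, networks)
    return [Ace(acl, action, proto, src, dst, port) for proto, port in svc]


def parse_config(text: str) -> List[Ace]:
    networks: Dict[str, ipaddress.IPv4Network] = {}
    services: Dict[str, List[Tuple[str, Optional[int]]]] = {}
    aces: List[Ace] = []
    current = None                  # (kind, name) of the object being filled in
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:2] == ["object", "network"]:
            current = ("net", tokens[2])
        elif tokens[:2] == ["object-group", "service"]:
            current = ("svc", tokens[2])
            services[tokens[2]] = []
        elif tokens[0] == "access-list":
            aces.extend(_expand(tokens, networks, services))
        elif current and current[0] == "net" and tokens[0] == "host":
            networks[current[1]] = ipaddress.ip_network(tokens[1] + "/32")
        elif current and current[0] == "net" and tokens[0] == "subnet":
            networks[current[1]] = ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}", strict=False)
        elif current and current[0] == "svc" and tokens[0] == "service-object":
            port = tokens[-1]       # service-object <proto> destination eq <port-or-name>
            services[current[1]].append((tokens[1], PORT_NAMES.get(port) or int(port)))
    return aces


def shadowed(aces: List[Ace]) -> List[Tuple[Ace, Ace]]:
    """(entry, earlier entry in the same ACL that fully covers it). A covered
    entry can never match, so the restriction it was meant to express is lost."""
    findings = []
    for idx, ace in enumerate(aces):
        for earlier in aces[:idx]:
            if earlier.acl == ace.acl and earlier.covers(ace):
                findings.append((ace, earlier))
                break
    return findings


if __name__ == "__main__":
    for hit, by in shadowed(parse_config(SAMPLE_CONFIG)):
        print(f"{hit.acl}: {hit.proto} {hit.src} -> {hit.dst} eq {hit.dport} is shadowed by "
              f"{by.proto} {by.src} -> {by.dst}")
```

With the sample above, the three OGS-Internet_Access entries in inside_access_in are reported as shadowed by the permit ip any any line, while the two outside_access_in entries are not, since TCP/3389 and TCP/80 do not cover each other. The check only handles the address and service forms this page uses (any, object, host, object-group service); the point is the coverage test itself, which is what decides whether a restriction you added ever takes effect.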

Reference Links

  1. Cisco ASA Series CLI Configuration Guide, 9.0

  2. NAT Examples and Reference
