There are two major kinds of NAT in 8.3+ Auto NAT and Manual NAT. Auto is done inside the object and cannot take into consideration the destination of the traffic. Manual is done in global configuration and can NAT either the source IPs and destination IPs.
The new term autoNAT is used in 8.3. Auto NAT is when the NAT command appears INSIDE the object statement on the firewall. There are two major variants of auto NAT: dynamic and static. Auto NAT is also sometimes referenced as Network Object NAT because the configuration is done within the network object.
Regular Dynamic PAT
To create a many-to-one NAT where the entire inside network is getting PATd to a single outside IP do the following.
Old 8.2 command:
nat (inside) 1 10.0.0.0 255.255.255.0 global (outside) 1 interface
New 8.3 equivalent command:
object network inside-net subnet 10.0.0.0 255.255.255.0 nat (inside,outside) dynamic interface
Note: the interface command is the 2nd interface in the nat statement, in this case the outside.
To create a one to one NAT within the object like when you have a webserver in your DMZ you can do the following NAT configuration.
object network dmz-webserver host 192.168.1.23 nat (dmz,outside) static 22.214.171.124
Please note, the
nat (inside,outside) part of these commands are a lot easier to read in 8.3. The first interface is the interface the traffic is coming into the ASA on and the second interface is the interface that this traffic is going out of the ASA on. So the command nat (dmz,outside) static 126.96.36.199 should be read as NAT the IP address 192.168.1.23 to 188.8.131.52 if the traffic is coming in on the dmz interface and going out the outside interface, or vice versa. This will not NAT traffic coming from the inside going to the DMZ, nor should it NAT the traffic coming from the DMZ going to the inside.
any interface in the NAT statement
ASA 8.3 introduces the
any interface when configuring NAT. For instance if you have a system on the DMZ that you wish to NAT not only to the outside interface, but to any interface you can use this command:
object network dmz-webserver host 192.168.1.23 nat (dmz,any) static 184.108.40.206
This makes it so users on the inside can web to 220.127.116.11 and if traffic is routed to the firewall it will NAT it to the real IP in the DMZ.
Port forwarding using Auto NAT
Suppose you have 2 web servers in your DMZ but you only have 1 IP address. You can configure port forwarding using the auto NAT feature in the following way:
object network dmz-webserver1 host 192.168.1.25 nat (dmz,outside) static interface service tcp 8000 www object network dmz-webserver2 host 192.168.1.23 nat (dmz,outside) static interface service tcp 8080 www
This will make it so if you go to the IP address of the outside interface over port 8000 it will take you to 192.168.1.25 port 80 but if you go there using port 8080 it will take you to 192.168.1.23 port 80.
Confused yet? I hope not because its about to get weird
Manual NAT or Twice NAT or Policy NAT or Reverse NAT
The limitation that Auto NAT has is that it cannot take the destination into consideration when conducting its NAT. This also of course results in it not being able to alter the destination address either. To accomplish either of these tasks you must use manual NAT.
All of these terms are identical: Manual NAT, Twice NAT, Policy NAT, Reverse NAT. Dont be confused by fancy mumbo jumbo.
Policy NAT Exemption aka NAT Zero aka No NAT
In ASA 8.3 code this is known as Policy NAT exemption. This is commonly used to not NAT traffic over a VPN tunnel.
object network inside-net subnet 10.0.0.0 255.255.255.0 object network vpn-subnets range 10.1.0.0 10.5.255.255 nat (inside,outside) source static inside-net inside-net destination static vpn-subnets vpn-subnets
Policy NAT exemption for incoming remote access VPNs
In order for a packet to come in through a firewall from a lesser security interface to a higher security interface it must have a translation and an ACL to permit it through. If you are setting up remote access VPN then the ACL is usually bypassed since its tunneled traffic. There still needs to be a translation. This is completed by doing the following (Note the order of the interfaces in the NAT statement):
object-group network OBJ-INSIDE-NETWORKS network-object 172.16.200.0 255.255.255.0 object network obj-172.16.101.0 subnet 172.16.101.0 255.255.255.0 nat (OUTSIDE,INSIDE) source static obj-172.16.101.0 obj-172.16.101.0 destination static OBJ-INSIDE-NETWORKS OBJ-INSIDE-NETWORKS
Dynamic Policy NAT
This is when you want to specify an ACL for your NAT traffic to match on and if it matches that ACL then NAT it to something
Suppose you are trying to build a VPN tunnel to another site. The problem is that your private IP addresses are overlapping with their private IP addresses so they tell you that you MUST come from 172.27.27.27. If this was a static one to one translation it wouldnt be so hard but in this case we have many users all needing to use that IP address.
In the pre 8.3 configuration your code would look something like this:
access-list ACL-VENDOR-VPN-NAT extended permit ip 192.168.1.0 255.255.255.0 host 172.16.75.5 nat (inside) 3 access-list ACL-VENDOR-VPN-NAT global (outside) 3 172.27.27.27
In the new ASA 8.3 config the code looks like this:
object network inside-net subnet 192.168.1.0 255.255.255.0 object network vendor-vpn-nat host 172.16.75.5 object network translated-ip host 172.27.27.27 nat (inside,outside) source dynamic inside-net translated-ip destination static vendor-vpn-nat vendor-vpn-nat
Use real IPs in access-lists
In ASA version 8.3 you must specify the real IP and not the translate IP. For instance to permit your traffic to the webserver through the outside ACL you must put:
access-list ACL-OUTSIDE-IN extended permit tcp any host 192.168.1.25 eq 80
This is a major change from pre 8.3 which would specify the public or NATd IP address.
To view this configuration you must check two places to see what is being NATd.
show run object
show run nat
The command show run object in-line is sometimes useful to when using the pipe commands.
You can also see the order of NAT and number of NAT translation hit counts with:
Optional Destination keyword in manual NAT
The destination keyword and addresses in the manual NAT command is optional. This means that both of these configurations do the same work:
object network inside-net subnet 10.0.0.0 255.255.255.0 nat (inside,outside) dynamic interface ! object network inside-net subnet 10.0.0.0 255.255.255.0 nat (inside,outside) source dynamic inside-net interface
NAT order and after-auto NATing
The order of operation in NAT commands is documented here:
The NAT operation will only take place once. Once there is a match on a NAT it will stop looking down the line to see whether it needs to NAT this traffic or not. The order of operation for this is like so:
- Twice NAT statements
- Auto NAT statements
- After-Auto NAT statements
Let’s say you have a Manual or Twice NAT that you want to be considered AFTER all of the auto NATs. You can specify this by adding the after-auto keyword which would look something like this:
nat (inside,outside) after-auto source dynamic any
The description keyword can be added to the end of a manual NAT statement to keep things more organized like so:
nat (OUTSIDE,INSIDE) source static obj-172.16.101.0 obj-172.16.101.0 destination static OBJ-INSIDE-NETWORKS OBJ-INSIDE-NETWORKS description ANYCON-NONAT
Inactive NAT statements
You may deactivate a manual NAT statement by adding the inactive keyword at the end of the statement like so:
nat (OUTSIDE,INSIDE) source static obj-172.16.101.0 obj-172.16.101.0 destination static OBJ-INSIDE-NETWORKS OBJ-INSIDE-NETWORKS inactive
Cisco Documentation on NAT for 8.3
CLI NAT configuration guide for ASA 8.3 http://www.cisco.com/en/US/partner/docs/security/asa/asa83/configuration/guide/nat_overview.html
Upgrading to ASA 8.3 What you need to know https://supportforums.cisco.com/docs/DOC-12690
Video examples and tutorial https://supportforums.cisco.com/docs/DOC-12324
ASA Pre-8.3 to 8.3 NAT configuration examples https://supportforums.cisco.com/docs/DOC-9129
ASA NAT migration problems when upgrading to 8.3 ; Syslog “%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows” https://supportforums.cisco.com/docs/DOC-12569