1.Cisco ASA Dynamic NAT Configuration


Just like the Cisco IOS routers we can configure NAT / PAT on our Cisco ASA firewall. In this lesson I will explain how to configure dynamic NAT. If you are unsure of how NAT/PAT exactly works then I recommend to read my Introduction to NAT/PAT first.

Having said that, let’s take a look at dynamic NAT on the ASA. We will use this topology:

ASA1 Inside OutsideIn the middle we have our ASA, its E0/0 interface belongs to the inside and the e0/1 interface belongs to the outside. I’m using routers so that I have something to connect to. Let’s start with the interface first.

ASA1(config)# interface e0/0
ASA1(config-if)# nameif INSIDE
ASA1(config-if)# ip address 192.168.1.254 255.255.255.0
ASA1(config-if)# no shutdown
ASA1(config)# interface e0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0
ASA1(config-if)# no shutdown

Now we can focus on configuring dynamic NAT…

1.Dynamic NAT Configuration

The following example is for ASA 8.3 and later. First we will configure a network object that defines the pool with public IP addresses that we want to use for translation:

ASA1(config)# object network PUBLIC_POOL 
ASA1(config-network-object)# range 192.168.2.100 192.168.2.200

As an example I’ll use the 192.168.2.100 – 200 range from the 192.168.2.0 /24 subnet that we use on the outside interface. The next step is to configure a network object for the hosts that we want to translate:

ASA1(config)# object network INTERNAL
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic PUBLIC_POOL

The network object called “INTERNAL” specifies the subnet that we want to translate (the entire 192.168.1.0 /24) subnet and also has the NAT rule. When traffic from the inside goes to the outside, we will translate it to the public pool that we created earlier.

When all hosts on the 192.168.1.0 /24 subnet try to access the outside network we will run out of IP addresses in the public pool, if you want you can enable NAT fallback. This means that when the public pool runs out of IP addresses, we will use the IP address on the outside interface (192.168.2.254) for translation. Here’s how to do it:

ASA1(config)# object network INTERNAL
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic PUBLIC_POOL interface

The configuration is exactly the same but I added the keyword “interface” at the end.

Let’s see if our dynamic NAT configuration is working or not. I’ll use telnet on R1 to connect to R2:

R1#telnet 192.168.2.2
Trying 192.168.2.2 ... Open

R1 was able to make a connection, let’s see if this traffic is translated:

ASA1# show nat

Auto NAT Policies (Section 2)
1 (INSIDE) to (OUTSIDE) source dynamic INTERNAL PUBLIC_POOL interface
    translate_hits = 1, untranslate_hits = 0

The show nat command shows us that some traffic from the inside to the outside has been translated. Let’s take a closer look:

ASA1# show nat detail

Auto NAT Policies (Section 2)
1 (INSIDE) to (OUTSIDE) source dynamic INTERNAL PUBLIC_POOL interface
    translate_hits = 1, untranslate_hits = 0
    Source - Origin: 192.168.1.0/24, Translated: 192.168.2.100-192.168.2.200, 192.168.2.254/24

If you add the keyword detail then you can see that traffic from the 192.168.1.0/24 subnet has been translated but it still doesn’t tell us exactly what source IP addresses has been translated to which IP address in the public pool. If we want to see this we need to use the show xlate command:

ASA1# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from INSIDE:192.168.1.1 to OUTSIDE:192.168.2.139 flags i idle 0:00:44 timeout 3:00:00

Now you can see that IP address 192.168.1.1 has been translated to 192.168.2.139. It also tells us what kind of NAT we are doing here (dynamic NAT in our example) and how long this entry has been idle.

I hope this lesson has been useful to understand dynamic NAT on the Cisco ASA firewall. If you have any questions, feel free to leave a comment!

Comments

Post a Comment

Popular posts from this blog

Cisco ASA Packet Drop Troubleshooting

Image
As a firewall, the Cisco ASA drops packets. That’s great until it drops packets that you want to permit, and you have no idea what is going on. Fortunately, the ASA supports different tools to show you why and what packets it drops. In this lesson, we’ll cover the following tools: Connection State Interface Drops Syslog ASP Drops Packet Capture Packet Tracer Service Policy Conclusion Here is the topology I use: We use a simple topology: Two “host” devices: These are routers with ip routing disabled, and they use ASA1 as their default gateway. An HTTP server is enabled on both devices. ASA1 runs ASAv Version 9.9(2) and has two interfaces: INSIDE: security level 100 OUTSIDE: security level 0 In this topology, H1 will be able to initiate a connection to H2. H2 won’t be able to initiate a connection to H1 because we go from a  low-security level (0) to a high-security level (100) . Configurations ASA1 H1 H2 hostname ASA1 ! interface GigabitEthernet0/0 nameif INSIDE security-level 100...
Read more

show asp drop Command Usage

The  show asp drop  command shows the packets or connections dropped by the accelerated security path, which might help you troubleshoot a problem. See the general operations configuration guide for more information about the accelerated security path. This information is used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command. The following sections include each drop reason name and description, including recommendations: rame Drop Reasons   ---------------------------------------------------------------- Name: natt-keepalive NAT-T keepalive message: This counter will increment when the appliance receives an IPSec NAT-T keepalive message. NAT-T keepalive messages are sent from the IPSec peer to the appliance to keep NAT/PAT flow information current in network devices between the NAT-T IPSec peer and the appliance.   Recommendation: If you have configured IPSec NAT-T on your ...
Read more

1.Cisco ASA Clock Configuration

The Cisco ASA firewall has a battery on the motherboard that saves the clock settings. Even when it’s is powered off, the clock will be stored. There are two important reasons why you want to make sure that your ASA has the correct date/time: In case of a security breach you want to track log files for events. With an incorrect timestamp, your log files are useless. PKI (Public Key Infrastructure) that we use for digital certificates to authenticate remote users (IPSEC or SSL VPN) requires the correct date/time. The most simple method is to configure the date/time manually, you can do it like this: ASA1(config)# clock set 13:15:00 Dec 19 2014 Just use the  clock set  command and enter the correct time/date. You can verify it like this: ASA1# show clock 13:15:15.709 UTC Fri Dec 19 2014 As you can see, the default timezone is UTC. If you are in another timezone like me then you have to change this: ASA1(config)# clock timezone CET +1 Use the  clock timezone  command t...
Read more