3.Cisco ASA PAT Configuration



In previous lessons I explained how to configure Dynamic NAT or Dynamic NAT with a DMZ on your Cisco ASA Firewall. In this lesson you will learn how to configure PAT. Here’s the topology I will use:

ASA1 Inside Outside

We have an INSIDE and OUTSIDE interface and we will use PAT to translate traffic from our hosts on the INSIDE that want to reach the OUTSIDE. R1 and R2 are only used to generate traffic. This is the basic ASA configuration that I will use:

ASA1(config)# interface e0/0
ASA1(config-if)# nameif INSIDE
ASA1(config-if)# ip address 192.168.1.254 255.255.255.0
ASA1(config-if)# no shutdown
ASA1(config)# interface e0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0
ASA1(config-if)# no shutdown

Now let’s configure PAT…

1.PAT Configuration

Configuring PAT is quite straight forward, the example below is for ASA 8.3 or higher. We will configure a network object for this:

ASA1(config)# object network INSIDE
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic 192.168.2.253

This tells our firewall to translate traffic from the 192.168.1.0 /24 subnet headed towards the OUTSIDE to IP address 192.168.2.253. If you configure the IP address like this then it has to be an IP address that is not in use on the interface. For example, when I try to use 192.168.2.254 (that’s the IP address on the OUTSIDE interface) then I will get an error:

ASA1(config-network-object)#  nat (INSIDE,OUTSIDE) dynamic 192.168.2.254
ERROR: Address 192.168.2.254 overlaps with OUTSIDE interface address.
ERROR: NAT Policy is not downloaded

Of course there’s another way to use the IP address on the OUTSIDE interface but I just wanted to show you what happens when you try to configure the IP address like this. Let’s first try if PAT works…I’ll generate some traffic from R1:

R1#telnet 192.168.2.2
Trying 192.168.2.2 ... Open

Let’s see if this traffic was translated or not:

ASA1# show xlate
1 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from INSIDE:192.168.1.1/49065 to OUTSIDE:192.168.2.253/49065 flags ri idle 0:00:18 timeout 0:00:30

Excellent…it has been translated from 192.168.1.1 to 192.168.2.253, just as we configured. Now let me show you how you can use the IP address on your OUTSIDE interface for PAT:

ASA1(config)# object network INSIDE_TO_OUTSIDE
ASA1(config-network-object)#  nat (INSIDE,OUTSIDE) dynamic interface

Instead of specifying the IP address you need to use the keyword “interface”. It’s a good idea to do this when you get a dynamic IP address from your ISP. Let’s see if this works…

R1#telnet 192.168.2.2
Trying 192.168.2.2 ... Open
ASA1# show xlate
1 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from INSIDE:192.168.1.1/26187 to OUTSIDE:192.168.2.254/26187 flags ri idle 0:00:07 timeout 0:00:30

There we go, traffic from R1 has been translated to 192.168.2.254.

I hope this example has been useful, if you have any questions feel free to leave a comment!

Comments

Post a Comment

Popular posts from this blog

Cisco ASA Packet Drop Troubleshooting

Image
As a firewall, the Cisco ASA drops packets. That’s great until it drops packets that you want to permit, and you have no idea what is going on. Fortunately, the ASA supports different tools to show you why and what packets it drops. In this lesson, we’ll cover the following tools: Connection State Interface Drops Syslog ASP Drops Packet Capture Packet Tracer Service Policy Conclusion Here is the topology I use: We use a simple topology: Two “host” devices: These are routers with ip routing disabled, and they use ASA1 as their default gateway. An HTTP server is enabled on both devices. ASA1 runs ASAv Version 9.9(2) and has two interfaces: INSIDE: security level 100 OUTSIDE: security level 0 In this topology, H1 will be able to initiate a connection to H2. H2 won’t be able to initiate a connection to H1 because we go from a  low-security level (0) to a high-security level (100) . Configurations ASA1 H1 H2 hostname ASA1 ! interface GigabitEthernet0/0 nameif INSIDE security-level 100...
Read more

show asp drop Command Usage

The  show asp drop  command shows the packets or connections dropped by the accelerated security path, which might help you troubleshoot a problem. See the general operations configuration guide for more information about the accelerated security path. This information is used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command. The following sections include each drop reason name and description, including recommendations: rame Drop Reasons   ---------------------------------------------------------------- Name: natt-keepalive NAT-T keepalive message: This counter will increment when the appliance receives an IPSec NAT-T keepalive message. NAT-T keepalive messages are sent from the IPSec peer to the appliance to keep NAT/PAT flow information current in network devices between the NAT-T IPSec peer and the appliance.   Recommendation: If you have configured IPSec NAT-T on your ...
Read more

1.Cisco ASA Clock Configuration

The Cisco ASA firewall has a battery on the motherboard that saves the clock settings. Even when it’s is powered off, the clock will be stored. There are two important reasons why you want to make sure that your ASA has the correct date/time: In case of a security breach you want to track log files for events. With an incorrect timestamp, your log files are useless. PKI (Public Key Infrastructure) that we use for digital certificates to authenticate remote users (IPSEC or SSL VPN) requires the correct date/time. The most simple method is to configure the date/time manually, you can do it like this: ASA1(config)# clock set 13:15:00 Dec 19 2014 Just use the  clock set  command and enter the correct time/date. You can verify it like this: ASA1# show clock 13:15:15.709 UTC Fri Dec 19 2014 As you can see, the default timezone is UTC. If you are in another timezone like me then you have to change this: ASA1(config)# clock timezone CET +1 Use the  clock timezone  command t...
Read more