Wednesday, May 25, 2011

Cisco ASA 8.3 - No NAT / NAT Exemption

As we all know Ciso`s new ASA version 8.3 brings massive changes in NAT. This article describes and explains how NAT exemption (no NAT) is now configured.

Below provides examples of both pre and post 8.3 no NAT configurations.

Example Details

  • Local LAN - 192.168.0.0/24
  • Remote LAN - 172.168.0.0/24
  • Traffic is arriving on the inside interface and leaving the outside interface.

Pre 8.3

Pre 8.3 a access-list was configured to define the source network and destination network. This access-list is then referenced in a NAT 0 statement to ensure all traffic traveling from the local LAN to the remote LAN is not NAT`d.

access-list NO-NAT permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.255.0
nat (inside) 0 access-list NO-NAT

Post 8.3

Within 8.3 and later the networks are defined as objects via the use of object groups. These object groups are then referenced within the NAT statement to define both the pre and post NAT (real / mapped) addresses.

object network LOCAL_LAN
subnet 192.168.0.0 255.255.0.0

object network REMOTE_LAN
subnet 172.16.0.0 255.255.0.0

nat (inside,outside) source static LOCAL_LAN LOCAL_LAN destination static REMOTE_LAN REMOTE_LAN
To make things clearer you can see the structure of the NAT statement below.
nat (real interface,mapped interface) source static [real_object] [mapped_object] destination static [real_object] [mapped_object]

Posted by at 1 comment:

ASA 8.3 - How to configure NAT

As you will have heard (and if not you will do soon) the new ASA 8.3 brings massive changes. The main change is the way in which the ASA handles NAT. Rather the configuring NAT at purley the interface level NAT is now configured within network objects.

That way in which is now configured is :

  1. Create a network object.
  2. Within this object define the Real IP/Network to be translated.
  3. Also within this object you can use the the nat commands to specifiy whether the translation will be dynamic or static.

Examples

Configuring Dynamic NAT

The following example configures dynamic NAT that hides 192.168.2.0 network behind a range of outside addresses 2.2.2.1-2.2.2.10:

1.hostname(config)# object network my-range-obj
2.hostname(config-network-object)# range 2.2.2.1 2.2.2.10
3.hostname(config)# object network my-inside-net
4.hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
5.hostname(config-network-object)# nat (inside,outside) dynamic my-range-obj

Dynamic PAT (Hide NAT)

The following example configures dynamic PAT that hides the 192.168.2.0 network behind address 2.2.2.2:

1.hostname(config)# object network my-inside-net
2.hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
3.hostname(config-network-object)# nat (inside,outside) dynamic 2.2.2.2

The following example configures dynamic PAT that hides the 192.168.2.0 network behind the outside interface address:

1.hostname(config)# object network my-inside-net
2.hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
3.hostname(config-network-object)# nat (inside,outside) dynamic interface

Configuring Static NAT or Static NAT with Port Translation

The following example configures static NAT for the real host 1.1.1.1 on the inside to 2.2.2.2 on the outside with DNS rewrite enabled.

1.hostname(config)# object network my-host-obj1
2.hostname(config-network-object)# host 1.1.1.1
3.hostname(config-network-object)# nat (inside,outside) static 2.2.2.2 dns

The following example configures static NAT for the real host 1.1.1.1 on the inside to 2.2.2.2 on the outside using a mapped object.

1.hostname(config)# object network my-mapped-obj
2.hostname(config-network-object)# host 2.2.2.2
3.hostname(config-network-object)# object network my-host-obj1
4.hostname(config-network-object)# host 1.1.1.1
5.hostname(config-network-object)# nat (inside,outside) static my-mapped-obj

The following example configures static NAT with port translation for 1.1.1.1 at TCP port 21 to the outside interface at port 2121.

1.hostname(config)# object network my-ftp-server
2.hostname(config-network-object)# host 1.1.1.1
3.hostname(config-network-object)# nat (inside,outside) static interface service tcp 21 2121
Posted by at No comments:
Subscribe to: Posts (Atom)