Cisco ASA Dynamic NAT Example (Post version 8.3)

posted 10 Jul 2015, 08:45 by Tristan Self   [ updated 13 Jul 2015, 08:29 ]
Okay, a basic example of NAT rules on a Cisco ASA. Let's say there is a PC1 on the inside network that you want to give Internet access. Its address, 192.168.1.100, is from a private (RFC 1918) range and is not routable on the Internet, so the firewall has to translate it.

In this example PC1 is translated from 192.168.1.100 to 201.123.243.12 (the IP address of the outside interface of the Cisco ASA firewall) for its outgoing connection. On the way back in the translation is made in reverse: the traffic returning from the web host is addressed to 201.123.243.12, and the dynamic translation (an xlate entry the firewall holds in memory for the life of the connection) maps it back to the original address 192.168.1.100.

Now that's fine for one PC, but what about a whole network of PCs sharing one outside IP address? You can't give each PC its own outside address; you'd run out of IP addresses on the outside interface. So instead the firewall also rewrites the source port (this is port address translation, PAT; on the ASA a dynamic rule that translates to a single address, such as the interface address, is a dynamic PAT rule). Each individual translation can then be uniquely identified by its mapped port number, so return traffic can find its way back. Right, let's go through the example above again with PAT.

PC1's connection is translated from 192.168.1.100 (with source port 1234, say) to 201.123.243.12:1234 (the outside interface address of the Cisco ASA plus a mapped port) for its outgoing connection. On the way back in the translation is made in reverse: the reply from the web host is addressed to 201.123.243.12:1234, and the dynamic translation held in memory on the firewall maps that address and port back to the original 192.168.1.100:1234. If a second PC happened to be using source port 1234 at the same time, it would simply be given a different mapped port, which is what keeps the two translations apart.

PC1 (192.168.1.100/24) -----> 192.168.1.1/24 (inside) <-----> ASA Firewall <-----> 201.123.243.12/27 (outside) --------> WebHost 84.12.45.124/28
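To make the port-based bookkeeping concrete, here is a small simulation of an ASA-style PAT translation (xlate) table. It is an added example, not code from the original post or from Cisco: the addresses are the ones in the diagram above, while the port-allocation policy (keep the inside host's own source port when it is free, otherwise take the lowest free port from an assumed range of 1024-65535) is a simplification for illustration and not a description of the ASA's actual algorithm. It shows two inside hosts that both use source port 1234 getting distinct mapped ports, a reply from the web host being mapped back to the right host, and an unsolicited inbound packet with no matching translation being dropped.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Addresses from the post. The PAT port range is an assumption of this
# example, not the ASA's real allocation policy.
OUTSIDE_IP = "201.123.243.12"
WEB_HOST = "84.12.45.124"
PAT_PORTS = range(1024, 65536)


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatTable:
    """A minimal xlate table: many inside hosts share one mapped address."""

    def __init__(self, mapped_ip: str = OUTSIDE_IP) -> None:
        self.mapped_ip = mapped_ip
        # real (proto, ip, port) -> mapped port
        self._out: Dict[Tuple[str, str, int], int] = {}
        # (proto, mapped port) -> real (ip, port): the index return traffic uses
        self._in: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def _alloc_port(self, proto: str, wanted: int) -> int:
        # Keep the original source port when nobody else holds it, otherwise
        # hand out the lowest free port (simplified policy, see lead-in).
        if wanted in PAT_PORTS and (proto, wanted) not in self._in:
            return wanted
        for port in PAT_PORTS:
            if (proto, port) not in self._in:
                return port
        raise RuntimeError(f"PAT port pool exhausted for {proto}")

    def outbound(self, pkt: Packet) -> Packet:
        """inside -> outside: rewrite the source to mapped_ip:mapped_port."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self._out:
            mapped = self._alloc_port(pkt.proto, pkt.src_port)
            self._out[key] = mapped
            self._in[(pkt.proto, mapped)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.mapped_ip, self._out[key],
                      pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """outside -> inside: only packets matching an existing xlate get through."""
        if pkt.dst_ip != self.mapped_ip:
            return None
        real = self._in.get((pkt.proto, pkt.dst_port))
        if real is None:
            return None  # no translation in memory: unsolicited inbound, dropped
        real_ip, real_port = real
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, real_ip, real_port)


def demo() -> Tuple[Packet, Packet, Optional[Packet], Optional[Packet]]:
    """Constructed traffic: PC1 from the post plus a second PC on the same source port."""
    table = PatTable()
    pc1 = table.outbound(Packet("tcp", "192.168.1.100", 1234, WEB_HOST, 80))
    pc2 = table.outbound(Packet("tcp", "192.168.1.101", 1234, WEB_HOST, 80))
    # The web host replies to the mapped port PC2 was given; PAT finds PC2 by it.
    reply = table.inbound(Packet("tcp", WEB_HOST, 80, OUTSIDE_IP, pc2.src_port))
    # An unsolicited connection to the outside address has no xlate and is dropped.
    stray = table.inbound(Packet("tcp", "203.0.113.9", 40000, OUTSIDE_IP, 22))
    return pc1, pc2, reply, stray


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The reverse index keyed on (protocol, mapped port) is the whole trick: the firewall never needs to remember the remote host to route a reply, only which inside socket owns that mapped port. It is also why an outside host cannot reach an inside PC through a PAT address on its own initiative: with no xlate there is nothing to translate the packet to.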

NAT RULE

Okay, so how do you configure this? You create a network object for the internal range (i.e. the range PC1 is in), 192.168.1.0/24, and then put the NAT rule inside that object (this is what Cisco calls object NAT), something like this:

object network inside-network
   subnet 192.168.1.0 255.255.255.0
   nat (inside,outside) dynamic interface
!

Okay, so what does this mean? You create the network object inside-network and say it's the subnet 192.168.1.0/24. You then apply the dynamic NAT (PAT) rule to the object: any traffic from that subnet arriving on the inside interface and leaving via the outside interface is translated, using PAT, to the outside interface's IP address. If you have more than one IP address available on the outside, you could translate to one of those instead of the interface address; that keeps your users' traffic separate from the firewall's own traffic, which makes logs easier to read.

inside-network = the internal network object name

subnet 192.168.1.0 255.255.255.0 = the subnet definition

nat (inside,outside) = the real (source) interface, inside, and the mapped (destination) interface, outside, for the translation. Traffic going the other way through these interfaces is only matched if it belongs to an existing translation.

dynamic = specifies that this is a dynamic NAT/PAT rule (translations are created on demand when inside hosts start connections), as opposed to a static rule (a fixed one-to-one mapping that also allows connections to be initiated from the outside).

interface = use the outside interface's own IP address, 201.123.243.12 in this example, as the mapped address. You could substitute a specific IP address (or a network object holding one) if you didn't want to use the firewall's interface IP; because the mapped address is a single address, the ASA still does PAT on it.

ACL RULE

You'll also need an access control list rule to allow this out. The ASA allows traffic from the higher-security inside interface to the lower-security outside interface by default, but as soon as an ACL is bound to the inside interface with access-group, anything that ACL doesn't permit is dropped, so the rule needs to be there. A quick example that allows HTTP (TCP/80) from the inside network to any IPv4 address on the Internet:

access-list acl-in extended permit tcp object inside-network any4 eq 80

acl-in = the name of the ACL (any name will do); this one is intended to be applied inbound on the inside interface, so it governs traffic coming into the inside interface and heading to the outside or DMZ interfaces.

tcp = the protocol, TCP or UDP (or ip for either); in this case TCP for TCP/80 HTTP.

inside-network = the source network or host (as an object in this case). From 8.3 onwards ACLs are written using the real, untranslated addresses, so you reference the inside object here, not the mapped outside address.

any4 = the destination network or host; any4 means any IPv4 address (in our case any host on the Internet).

eq 80 = the destination port on the remote host, in our case HTTP, TCP/80.


Pre version 8.3

Create the global pool for the outside interface, with NAT ID 1, using the interface's own address (which again means PAT):
 global (outside) 1 interface

Now create the dynamic NAT (PAT) rule for all inside traffic to the outside. The NAT ID 1 is what ties this rule to the global pool above:

nat (inside) 1 192.168.1.0 255.255.255.0

This is all you need from a NAT point of view; now you can create an ACL to allow the traffic out, as in the post-8.3 example above.