
Configuring Manual NAT on Cisco ASA 8.3 and Later
Posted on November 11, 2012 by Derrick

In this post, I’m going to walk through the configuration of Manual NAT on Cisco ASA 8.3 and later. In my previous post, I walked through the configuration of Auto NAT on the ASA. I’ll use the same topology that I left off with in my previous post to demonstrate Manual NAT:

What is Manual NAT and why is it necessary? Manual NAT is a NAT rule configured with a standalone nat statement, rather than a nat statement placed directly under a network object within the ASA. It’s necessary because the ASA’s Auto NAT only allows NAT to be configured based on the source address and not the destination. In some cases, you may want to use a different mapped address depending on where the destination is. This is most common with VPN connections. Another use case is a partner network that will only allow traffic from you coming from a specific address or addresses. In this case, you’d want to use Manual NAT.

In the following example, we’re going to configure our INSIDE network to use Manual NAT. The inside subnet will be translated to the IP address 181.181.181.13 when it tries to reach the remote server 144.a.b.1 [the middle octets of the 144.0.0.0/8 lab addresses did not survive extraction in this copy; they are written here as a.b for the partner server and c.d for the second server tested later]. All other connections from the inside subnet will use the Auto NAT rule currently configured (Dynamic PAT) and be translated accordingly. Here’s a look at our current configuration:

ASA-8dot4(config)# sh run object
object network PUB-ADDRESSES
 range 181.181.181.4 181.181.181.6
object network INSIDE-SUBNET
 subnet 10.10.10.0 255.255.255.0
object network DMZ-FTPSERVER
 host 172.16.1.44
object network DMZ-WWWSERVER
 host 172.16.1.22
ASA-8dot4(config)# sh run nat
!
object network INSIDE-SUBNET
 nat (inside,outside) dynamic interface
object network DMZ-FTPSERVER
 nat (dmz,outside) static 181.181.181.8
object network DMZ-WWWSERVER
 nat (dmz,outside) static 181.181.181.9
ASA-8dot4(config)# sh nat detail
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static DMZ-WWWSERVER 181.181.181.9
    translate_hits = 0, untranslate_hits = 4
    Source - Origin: 172.16.1.22/32, Translated: 181.181.181.9/32
2 (dmz) to (outside) source static DMZ-FTPSERVER 181.181.181.8
    translate_hits = 0, untranslate_hits = 1
    Source - Origin: 172.16.1.44/32, Translated: 181.181.181.8/32
3 (inside) to (outside) source dynamic INSIDE-SUBNET interface
    translate_hits = 39, untranslate_hits = 0
    Source - Origin: 10.10.10.0/24, Translated: 181.181.181.1/28
ASA-8dot4(config)#

In the display above, notice that the Auto NAT rules are in “(Section 2)” of the “show nat detail” output. Section 1 of the “show nat detail” output will be seen once we configure Manual NAT. Manual NAT rules are placed in Section 1 of the NAT table unless you specify otherwise with the “after-auto” keyword, which places them in Section 3, after the Auto NAT rules. To configure Manual NAT, we first create a network object for the destination address:

ASA-8dot4(config)# object network PARTNER-SERVER
ASA-8dot4(config-network-object)# host 144.a.b.1
ASA-8dot4(config-network-object)# exit
ASA-8dot4(config)#

Next we configure an object for the address that our inside subnet will be translated to. We’ll use 181.181.181.13:

ASA-8dot4(config)# object network TRANSLATED-IP
ASA-8dot4(config-network-object)# host 181.181.181.13
ASA-8dot4(config-network-object)# exit
ASA-8dot4(config)#

We now configure our Manual NAT rule:

ASA-8dot4(config)# nat (inside,outside) source dynamic INSIDE-SUBNET TRANSLATED-IP destination static PARTNER-SERVER PARTNER-SERVER
ASA-8dot4(config)# sh run nat
nat (inside,outside) source dynamic INSIDE-SUBNET TRANSLATED-IP destination static PARTNER-SERVER PARTNER-SERVER
!
object network INSIDE-SUBNET
 nat (inside,outside) dynamic interface
object network DMZ-FTPSERVER
 nat (dmz,outside) static 181.181.181.8
object network DMZ-WWWSERVER
 nat (dmz,outside) static 181.181.181.9
ASA-8dot4(config)#

We can now take a look at our NAT table:

ASA-8dot4(config)# sh nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic INSIDE-SUBNET TRANSLATED-IP destination static PARTNER-SERVER PARTNER-SERVER
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.10.10.0/24, Translated: 181.181.181.13/32
    Destination - Origin: 144.a.b.1/32, Translated: 144.a.b.1/32
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static DMZ-WWWSERVER 181.181.181.9
    translate_hits = 0, untranslate_hits = 4
    Source - Origin: 172.16.1.22/32, Translated: 181.181.181.9/32
2 (dmz) to (outside) source static DMZ-FTPSERVER 181.181.181.8
    translate_hits = 0, untranslate_hits = 1
    Source - Origin: 172.16.1.44/32, Translated: 181.181.181.8/32
3 (inside) to (outside) source dynamic INSIDE-SUBNET interface
    translate_hits = 39, untranslate_hits = 0
    Source - Origin: 10.10.10.0/24, Translated: 181.181.181.1/28
ASA-8dot4(config)#

In the display above, we notice that we now have a rule in Section 1 of the NAT table. Also notice that there are no translate_hits up to this point. We will now test it by first pinging the PARTNER-SERVER (144.a.b.1) and then attempting to telnet to the server from PC1.

PC1#
PC1#ping 144.a.b.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 144.a.b.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/25/52 ms
PC1#telnet 144.a.b.1
Trying 144.a.b.1 ... Open

User Access Verification

Username: networkingnut
Password:
INTERNET#sh tcp brief
TCB       Local Address           Foreign Address         (state)
6573C444  144.a.b.1.23            181.181.181.13.32572    ESTAB
INTERNET#who
    Line       User       Host(s)              Idle       Location
   0 con 0                idle                 00:00:39
* 98 vty 0     networking idle                 00:00:00 181.181.181.13

  Interface    User               Mode         Idle     Peer Address
INTERNET#
INTERNET#exit
[Connection to 144.a.b.1 closed by foreign host]
PC1#

As you can see from the above display, we were successful with our ping. In addition, we were able to telnet to the “Partner Server” and perform a few commands to prove that we were connecting via the IP address 181.181.181.13. We can take a look from the ASA to see that the translate_hits went from 0 to 6 (5 hits for the ping and 1 hit for the telnet session). We can also take a look at our translation table, which shows the translation from the inside host 10.10.10.11 to 181.181.181.13:

ASA-8dot4(config)# sh nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic INSIDE-SUBNET TRANSLATED-IP destination static PARTNER-SERVER PARTNER-SERVER
    translate_hits = 6, untranslate_hits = 0
    Source - Origin: 10.10.10.0/24, Translated: 181.181.181.13/32
    Destination - Origin: 144.a.b.1/32, Translated: 144.a.b.1/32
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static DMZ-WWWSERVER 181.181.181.9
    translate_hits = 0, untranslate_hits = 4
    Source - Origin: 172.16.1.22/32, Translated: 181.181.181.9/32
2 (dmz) to (outside) source static DMZ-FTPSERVER 181.181.181.8
    translate_hits = 0, untranslate_hits = 1
    Source - Origin: 172.16.1.44/32, Translated: 181.181.181.8/32
3 (inside) to (outside) source dynamic INSIDE-SUBNET interface
    translate_hits = 39, untranslate_hits = 0
    Source - Origin: 10.10.10.0/24, Translated: 181.181.181.1/28
ASA-8dot4(config)# sh xlate
3 in use, 5 most used
Flags: D - DNS, i - dynamic, r - portmap, s - static, I - identity, T - twice
NAT from dmz:172.16.1.22 to outside:181.181.181.9
    flags s idle 173:27:07 timeout 0:00:00
NAT from dmz:172.16.1.44 to outside:181.181.181.8
    flags s idle 173:12:15 timeout 0:00:00
TCP PAT from inside:10.10.10.11/22628 to outside:181.181.181.13/32572
    flags ri idle 0:00:08 timeout 0:00:30
ASA-8dot4(config)#

Our next test for Manual NAT is to verify that the inside host (10.10.10.11) will be translated using the Dynamic PAT rule already in place when going to any address other than our Partner Server:

PC1#
PC1#telnet 144.c.d.1
Trying 144.c.d.1 ... Open

User Access Verification

Username: networkingnut
Password:
INTERNET#sh tcp brief
TCB       Local Address           Foreign Address         (state)
6565CEBC  144.c.d.1.23            181.181.181.1.15854     ESTAB
6573C444  144.a.b.1.23            181.181.181.13.32572    TIMEWAIT
INTERNET#exit
[Connection to 144.c.d.1 closed by foreign host]
PC1#

As you can see from the display above, the ESTAB connection is the translation from our Dynamic PAT rule (source 181.181.181.1, the outside interface address), while the earlier session to the Partner Server from 181.181.181.13 is in TIMEWAIT. Lastly, I’ll show an example of adding a Manual NAT rule to Section 3 of the NAT table:

ASA-8dot4(config)# object network NEW-TRANSLATED-IP
ASA-8dot4(config-network-object)# host 181.181.181.14
ASA-8dot4(config-network-object)# exit
ASA-8dot4(config)# nat (inside,any) after-auto source dynamic INSIDE-SUBNET NEW-TRANSLATED-IP destination static PARTNER-SERVER PARTNER-SERVER
ASA-8dot4(config)# sh run nat
nat (inside,outside) source dynamic INSIDE-SUBNET TRANSLATED-IP destination static PARTNER-SERVER PARTNER-SERVER
!
object network INSIDE-SUBNET
 nat (inside,outside) dynamic interface
object network DMZ-FTPSERVER
 nat (dmz,outside) static 181.181.181.8
object network DMZ-WWWSERVER
 nat (dmz,outside) static 181.181.181.9
!
nat (inside,any) after-auto source dynamic INSIDE-SUBNET NEW-TRANSLATED-IP destination static PARTNER-SERVER PARTNER-SERVER
ASA-8dot4(config)# sh nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic INSIDE-SUBNET TRANSLATED-IP destination static PARTNER-SERVER PARTNER-SERVER
    translate_hits = 7, untranslate_hits = 0
    Source - Origin: 10.10.10.0/24, Translated: 181.181.181.13/32
    Destination - Origin: 144.a.b.1/32, Translated: 144.a.b.1/32
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static DMZ-WWWSERVER 181.181.181.9
    translate_hits = 0, untranslate_hits = 4
    Source - Origin: 172.16.1.22/32, Translated: 181.181.181.9/32
2 (dmz) to (outside) source static DMZ-FTPSERVER 181.181.181.8
    translate_hits = 0, untranslate_hits = 1
    Source - Origin: 172.16.1.44/32, Translated: 181.181.181.8/32
3 (inside) to (outside) source dynamic INSIDE-SUBNET interface
    translate_hits = 40, untranslate_hits = 0
    Source - Origin: 10.10.10.0/24, Translated: 181.181.181.1/28
Manual NAT Policies (Section 3)
1 (inside) to (any) source dynamic INSIDE-SUBNET NEW-TRANSLATED-IP destination static PARTNER-SERVER PARTNER-SERVER
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.10.10.0/24, Translated: 181.181.181.14/32
    Destination - Origin: 144.a.b.1/32, Translated: 144.a.b.1/32
ASA-8dot4(config)#

See more at: http://www.networkingnut.net/configuring-manual-nat-on-cisco-asa8-3-andlater/
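As an added illustration (not part of the original post), the Python model below walks the NAT table in the section order that "show nat detail" displays it and counts hits per rule; it shows why the Section 3 after-auto rule never gets a hit while the Section 1 rule matches the same source and destination. The address 144.0.0.1 is a constructed stand-in for the PARTNER-SERVER host and 144.0.0.2 for the second server; the other objects and mapped addresses are the post's own.

```python
import ipaddress

# Rows are listed in the order the ASA evaluates them: Section 1 (manual),
# then Section 2 (auto: static before dynamic, as in the post's output),
# then Section 3 (manual after-auto). First match wins.
ANY = ipaddress.ip_network("0.0.0.0/0")
INSIDE_SUBNET = ipaddress.ip_network("10.10.10.0/24")
PARTNER_SERVER = ipaddress.ip_network("144.0.0.1/32")  # constructed stand-in

# (section, rule name, real interface, original source, original destination,
#  mapped source address). Port allocation for dynamic PAT is not modelled.
NAT_TABLE = [
    (1, "TRANSLATED-IP (manual)", "inside", INSIDE_SUBNET, PARTNER_SERVER, "181.181.181.13"),
    (2, "DMZ-WWWSERVER (auto static)", "dmz", ipaddress.ip_network("172.16.1.22/32"), ANY, "181.181.181.9"),
    (2, "DMZ-FTPSERVER (auto static)", "dmz", ipaddress.ip_network("172.16.1.44/32"), ANY, "181.181.181.8"),
    (2, "INSIDE-SUBNET (auto dynamic PAT)", "inside", INSIDE_SUBNET, ANY, "181.181.181.1"),
    (3, "NEW-TRANSLATED-IP (manual after-auto)", "inside", INSIDE_SUBNET, PARTNER_SERVER, "181.181.181.14"),
]
translate_hits = {row[1]: 0 for row in NAT_TABLE}


def translate(src_iface, src_ip, dst_ip):
    """Return (rule name, mapped source) for the first matching row, or None.

    Because the table is walked top to bottom, a Section 1 rule covering the
    same source/destination pair always shadows a Section 3 after-auto rule,
    which is why the post's Section 3 rule shows translate_hits = 0.
    """
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for _section, name, iface, src_net, dst_net, mapped in NAT_TABLE:
        if iface == src_iface and src in src_net and dst in dst_net:
            translate_hits[name] += 1
            return name, mapped
    return None


if __name__ == "__main__":
    # Reproduces the post's two tests from PC1 (10.10.10.11): partner traffic
    # is mapped to .13, anything else to the interface PAT address .1.
    print(translate("inside", "10.10.10.11", "144.0.0.1"))
    print(translate("inside", "10.10.10.11", "144.0.0.2"))  # constructed "other" server
    print(translate_hits)
```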