Static NAT (ASA 8.3/8.4)


Configuring Static NAT as a Network Object NAT/Auto NAT:

1. Create a Network Object

2. Define the Real IP

3. Create a Static NAT inside the ‘network object’ itself

ASA(config)# object network websrv_realip
ASA(config-network-object)# host 10.1.1.3
ASA(config-network-object)# nat (dmz,outside) static 2.2.2.3

— In access lists you can reference either the network object by name or the real IP it holds.

— A network object holds exactly one address definition (a host, subnet or range) and carries at most one nat statement, so each server that needs its own static translation needs its own object.

Configuring Static NAT as a Twice NAT/Manual NAT:

1. Create the required network objects that need to be referenced in the Twice NAT/Manual NAT syntax.

2. Create the Static NAT in the ‘global configuration mode’ referencing those created network objects wherever required.

// Network object ‘websrv_realip’ is already created above, so we’ll create one for its public IP.
ASA(config)# object network websrv_publicip
ASA(config-network-object)# host 2.2.2.3
ASA(config-network-object)# exit
ASA(config)# nat (dmz,outside) source static websrv_realip websrv_publicip

— The syntax reads as source static <real-object> <mapped-object>: traffic from dmz to outside whose source is websrv_realip (10.1.1.3) leaves with the source rewritten to websrv_publicip (2.2.2.3), and because the rule is static the outside-to-dmz direction is untranslated by the same rule. Note that an object you reference in Twice NAT/Manual NAT only holds addresses; the translation itself lives in global configuration, not inside the object.

Corresponding Access-Control Lists

While writing the ACLs that go with these NAT rules (here outside_access_in, applied inbound on the outside interface), always use the real/pre-translation address. Before 8.3 the interface ACL was checked against the packet as it arrived, so it matched the mapped address; from 8.3 onward the packet is untranslated first and the ACL sees the real address, so an entry written against 2.2.2.3 no longer matches and the server becomes unreachable from outside. The ASA syntax is also access-list <name> extended permit ..., not permit extended.

Earlier (pre-8.3):

access-list outside_access_in extended permit ip any host 2.2.2.3 log

Now (8.3 and later):

access-list outside_access_in extended permit ip any host 10.1.1.3 log

Verification

Here’s the show nat output for the two rules configured above (the Auto NAT rule maps to 2.2.2.3, matching the object configuration):

ASA# show nat
Manual NAT Policies (Section 1)
1 (dmz) to (outside) source static websrv_realip websrv_publicip
    translate_hits = 5, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static websrv_realip 2.2.2.3
    translate_hits = 0, untranslate_hits = 0

Both rules are meant to translate 10.1.1.3 to 2.2.2.3 for traffic from dmz to outside, yet only the Manual NAT rule is accumulating translate_hits. That confirms the ordering explained in the earlier post: Section 1 (Manual NAT) is evaluated before Section 2 (Auto NAT), so the Static NAT written with the Network Object NAT/Auto NAT syntax is never consulted for this host.

So before adding an Auto NAT rule, check show nat for an existing Manual NAT rule that already covers the same real address on the same interface pair; it will shadow the new rule, and the tell-tale sign is an Auto NAT entry whose counters stay at zero while the Manual NAT entry above it keeps climbing. If the Auto NAT rule is the one you actually want evaluated, either remove the Manual NAT rule or create it with the after-auto keyword so it lands in Section 3, which is evaluated after Auto NAT.

Since Static NAT is always bidirectional, connections initiated from outside to 2.2.2.3 use the same rule in reverse: the destination is untranslated to 10.1.1.3, and those flows increment untranslate_hits rather than translate_hits. A rule showing translate_hits but no untranslate_hits, as above, has only ever seen traffic initiated from the dmz side.
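The two checks described in the ACL section and in this verification section (ACL entries must name the real address, and a Section 1 Manual NAT rule silently shadows an Auto NAT rule for the same real host) are easy to automate against a saved running-config and a captured show nat. The script below is an added example, not code from the original post or any Cisco tool; the CONFIG and SHOW_NAT strings are constructed samples that mirror the objects, rules and ACLs on this page, and the parser only handles the static host forms used here. It also covers a case the page does not show: an ACE that refers to the mapped address through an object name rather than a literal IP.

```python
# Added example for this post (not Cisco's or the author's code): audit a saved
# running-config and a captured 'show nat' for the two pitfalls discussed above.
# Standard library only; CONFIG and SHOW_NAT are constructed to mirror the page.
import re

# Constructed config: the page's objects and rules, plus one ACE that still
# names the mapped address (a pre-8.3 habit).
CONFIG = """\
object network websrv_realip
 host 10.1.1.3
 nat (dmz,outside) static 2.2.2.3
object network websrv_publicip
 host 2.2.2.3
nat (dmz,outside) source static websrv_realip websrv_publicip
access-list outside_access_in extended permit tcp any host 2.2.2.3 eq 80 log
access-list outside_access_in extended permit tcp any host 10.1.1.3 eq 443 log
"""

# Constructed 'show nat' output for the same two rules.
SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (dmz) to (outside) source static websrv_realip websrv_publicip
    translate_hits = 5, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static websrv_realip 2.2.2.3
    translate_hits = 0, untranslate_hits = 0
"""

def parse_objects(config):
    """{object_name: host_ip} from 'object network ... host' blocks."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
        elif current and line.startswith(" host "):
            objects[current] = line.split()[1]
    return objects

def resolve(token, objects):
    """Object name -> host IP; an IP literal passes through unchanged."""
    return objects.get(token, token)

def parse_nat(config, objects):
    """[(kind, real_ip, mapped_ip)] with kind 'auto' (object NAT) or 'manual'
    (twice NAT).  Only the static host forms used on the page are handled."""
    rules, current = [], None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        if line and not line[0].isspace():
            current = None  # indented 'nat' lines belong to the current object
        m = re.match(r"\s+nat \(\S+\) static (\S+)", line)
        if m and current:
            rules.append(("auto", resolve(current, objects), resolve(m.group(1), objects)))
        m = re.match(r"nat \(\S+\) source static (\S+) (\S+)", line)
        if m:
            rules.append(("manual", resolve(m.group(1), objects),
                          resolve(m.group(2), objects)))
    return rules

def check_acl_uses_real_ips(config, rules, objects):
    """ACEs naming a mapped address: on 8.3+ interface ACLs see the untranslated
    packet, so such an ACE never matches.  Identity NAT (mapped == real) is ignored."""
    mapped = {m for _, r, m in rules if m != r}
    findings = []
    for line in config.splitlines():
        if line.startswith("access-list "):
            for token in re.findall(r"(?:host|object) (\S+)", line):
                if resolve(token, objects) in mapped:
                    findings.append((line.strip(), resolve(token, objects)))
    return findings

def check_shadowed_auto_nat(show_nat, objects):
    """Section 2 (Auto NAT) rules whose interface pair and real address also
    appear in Section 1, which is evaluated first and so shadows them.  Matching
    is exact: a Section 1 rule with 'any' interfaces or a covering subnet would
    shadow too but is not modelled; Section 3 (after-auto) cannot shadow."""
    lines, section, manual, findings = show_nat.splitlines(), None, {}, []
    for i, line in enumerate(lines):
        if "NAT Policies (Section" in line:
            section = "manual" if "(Section 1)" in line else "auto" if "(Section 2)" in line else "after-auto"
        m = re.match(r"\d+ \((\S+)\) to \((\S+)\) source static (\S+) (\S+)", line)
        if not m:
            continue
        key = ((m.group(1), m.group(2)), resolve(m.group(3), objects))
        h = re.search(r"translate_hits = (\d+)", lines[i + 1]) if i + 1 < len(lines) else None
        hits = int(h.group(1)) if h else 0
        if section == "manual":
            manual[key] = hits
        elif section == "auto" and key in manual:
            findings.append({"interfaces": key[0], "real": key[1],
                             "auto_hits": hits, "manual_hits": manual[key]})
    return findings

if __name__ == "__main__":
    objs = parse_objects(CONFIG)
    print(check_acl_uses_real_ips(CONFIG, parse_nat(CONFIG, objs), objs))
    print(check_shadowed_auto_nat(SHOW_NAT, objs))
```

Against the constructed samples the first check reports the port 80 ACE that still names 2.2.2.3, and the second reports the (dmz,outside) Auto NAT for 10.1.1.3 as shadowed, with zero hits against five on the Manual NAT rule. To use it on a real box, paste the output of show running-config object, show running-config nat and show running-config access-list into CONFIG and the output of show nat into SHOW_NAT; anything beyond static host NAT (subnets, ranges, dynamic PAT, object-groups in ACEs) is outside what this parser understands and should be reviewed by hand.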

Here’s more on NAT -> https://networkology.net/tag/nat/
