Configuring Static NAT as a Network Object NAT/Auto NAT:
1. Create a Network Object
2. Define the Real IP
3. Create a Static NAT inside the ‘network object’ itself
ASA(config)# object network websrv_realip
ASA(config-network-object)# host 10.1.1.3
ASA(config-network-object)# nat (dmz,outside) static 2.2.2.3
— In your access lists you can reference either the network object name or the real IP; both identify the same pre-translation address.
— A network object holds a single host, subnet or range, and only one nat statement can be attached to a given object, so each Auto NAT rule is tied to exactly one object.
Configuring Static NAT as a Twice NAT/Manual NAT:
1. Create the required network objects that need to be referenced in the Twice NAT/Manual NAT syntax.
2. Create the Static NAT in the ‘global configuration mode’ referencing those created network objects wherever required.
// Network object ‘websrv_realip’ is already created above, so we’ll create one for its public IP.
ASA(config)# object network websrv_publicip
ASA(config-network-object)# host 2.2.2.3
ASA(config-network-object)# exit
ASA(config)# nat (dmz,outside) source static websrv_realip websrv_publicip
— The syntax is ‘source static <real_object> <mapped_object>’: for traffic from dmz to outside the source 10.1.1.3 (websrv_realip) is translated to 2.2.2.3 (websrv_publicip), and because the rule is static the reverse translation (2.2.2.3 back to 10.1.1.3 for traffic arriving on outside) is implied.
Corresponding Access-Control Lists
While writing the ACLs that correspond to the NATs you configure, make sure you use the real (pre-translation) IP in them. Since ASA 8.3 the interface access list is evaluated against the untranslated address, so an entry written with the mapped IP never matches the traffic it was meant to permit.
Earlier (pre-8.3 syntax, matching on the mapped IP):
access-list outside_access_in extended permit ip any host 2.2.2.3 log
Now (8.3 and later, matching on the real IP):
access-list outside_access_in extended permit ip any host 10.1.1.3 log
Verification
Here’s the show nat output for the two translation rules configured above:
ASA# show nat
Manual NAT Policies (Section 1)
1 (dmz) to (outside) source static websrv_realip websrv_publicip
    translate_hits = 5, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static websrv_realip 2.2.2.3
    translate_hits = 0, untranslate_hits = 0
Both NAT rules are meant to translate 10.1.1.3 to 2.2.2.3 for traffic going from dmz to outside. Looking at the translate_hits counters, only the Manual NAT policy (Section 1) is matching traffic; the Auto NAT policy (Section 2) shows zero hits. This confirms what was explained in the earlier post: Section 1 is evaluated before Section 2, so the Manual NAT rule takes precedence and the Static NAT configured with the Network Object NAT/Auto NAT syntax is never used for this translation.
So, before creating a translation with the Network Object NAT/Auto NAT syntax, check whether an existing Manual NAT rule for the same real address and interface pair will shadow it; the new rule will appear in the configuration but will never be hit.
Since Static NAT is always bidirectional, traffic from outside to dmz also uses the same translation rule. When that happens, the untranslate_hits counter increments instead of translate_hits, so a rule with non-zero untranslate_hits and zero translate_hits is being hit only by inbound connections.
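The two checks this post asks for (ACLs must use the real IP, and an Auto NAT rule must not be shadowed by a Manual NAT rule for the same real object) can be automated against the running configuration. The following Python script is an added example and is not from the original post or from Cisco; it parses a constructed ASA 8.3+ configuration fragment modelled on the websrv example (the fragment is embedded inline and the tcp/80 ACL entry is deliberately written with the mapped IP to trigger the check). It only understands ‘host’ network objects, Auto NAT ‘static’ rules and Manual NAT ‘source static’ rules, which is enough for the configuration shown above.

```python
"""Audit an ASA (8.3+) configuration for two NAT pitfalls.

1. Access-list entries that reference a mapped (post-translation) IP or
   object instead of the real one (they never match on 8.3+).
2. Auto NAT (Section 2) static rules shadowed by a Manual NAT (Section 1)
   rule with the same real object and interface pair.

Added example; the configuration below is constructed, not captured.
"""
import re

# Constructed running-config fragment modelled on the post's websrv example.
# The tcp/80 ACL line is intentionally wrong: it uses the mapped IP 2.2.2.3
# where the real IP 10.1.1.3 is required.
SAMPLE_CONFIG = """\
object network websrv_realip
 host 10.1.1.3
object network websrv_publicip
 host 2.2.2.3
object network websrv_realip
 nat (dmz,outside) static 2.2.2.3
nat (dmz,outside) source static websrv_realip websrv_publicip
access-list outside_access_in extended permit tcp any host 2.2.2.3 eq 80 log
access-list outside_access_in extended permit ip any host 10.1.1.3 log
"""

OBJECT_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^host (\S+)$")
AUTO_NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) static (\S+)$")
MANUAL_NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended (.+)$")


def parse_config(text):
    """Return hosts (object -> IP), Auto NAT, Manual NAT and ACL entries."""
    cfg = {"hosts": {}, "auto_nat": [], "manual_nat": [], "acls": []}
    current = None  # name of the 'object network' block being read
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indented = raw.startswith(" ")
        line = raw.strip()
        if indented and current:
            m = HOST_RE.match(line)
            if m:
                cfg["hosts"][current] = m.group(1)
                continue
            m = AUTO_NAT_RE.match(line)
            if m:  # Auto NAT lives inside the object block
                cfg["auto_nat"].append({"object": current,
                                        "ifaces": (m.group(1), m.group(2)),
                                        "mapped": m.group(3)})
            continue
        current = None  # any non-indented line ends the object block
        m = OBJECT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = MANUAL_NAT_RE.match(line)
        if m:  # Manual NAT is entered in global configuration mode
            cfg["manual_nat"].append({"ifaces": (m.group(1), m.group(2)),
                                      "real_obj": m.group(3),
                                      "mapped_obj": m.group(4)})
            continue
        m = ACL_RE.match(line)
        if m:
            cfg["acls"].append({"name": m.group(1), "body": m.group(2)})
    return cfg


def mapped_addresses(cfg):
    """Mapped IPs and mapped object names that an ACL must not reference."""
    mapped = {rule["mapped"] for rule in cfg["auto_nat"]}
    for rule in cfg["manual_nat"]:
        mapped.add(rule["mapped_obj"])
        if rule["mapped_obj"] in cfg["hosts"]:
            mapped.add(cfg["hosts"][rule["mapped_obj"]])
    return mapped


def acl_lines_using_mapped_ip(cfg):
    """ACL entries written against a mapped address instead of the real one."""
    mapped = mapped_addresses(cfg)
    bad = []
    for acl in cfg["acls"]:
        refs = re.findall(r"\b(?:host|object) (\S+)", acl["body"])
        if any(ref in mapped for ref in refs):
            bad.append(f"access-list {acl['name']} extended {acl['body']}")
    return bad


def shadowed_auto_nat(cfg):
    """Auto NAT objects also covered by a Section 1 rule (evaluated first)."""
    shadowed = []
    for auto in cfg["auto_nat"]:
        for manual in cfg["manual_nat"]:
            if (manual["real_obj"] == auto["object"]
                    and manual["ifaces"] == auto["ifaces"]):
                shadowed.append(auto["object"])
                break
    return shadowed


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for line in acl_lines_using_mapped_ip(cfg):
        print("ACL references a mapped address:", line)
    for obj in shadowed_auto_nat(cfg):
        print("Auto NAT for", obj, "is shadowed by a Manual NAT rule")
```

Run against the sample, the script reports the tcp/80 entry (mapped IP 2.2.2.3) and flags the Auto NAT rule for websrv_realip as shadowed, which is exactly what the zero translate_hits in the show nat output above indicates. Feed it the output of ‘show running-config’ instead of the sample to check a live device.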
Here’s more on NAT -> https://networkology.net/tag/nat/