ASA Pre-8.3 and Post-8.3 NAT – Dynamic NAT/PAT

I like short blogs. When reading a long one, when I reach the bottom, I forget what was at the beginning. This one will be short.

I would like to demonstrate the differences in configuring dynamic NAT for Internet access between versions pre-8.3 and post-8.3. The 8.3 version radically changed the way of configuring NAT.

So in this first and simple example we want to allow our users out, using both versions of code. First, the old code. Here is the topology:

SNAGHTML5125bd02

We want to allow all internal users to access the Internet. Well, this picture is kinda reversed, because usually inside users are depicted as PCs and outside hosts as servers, but we will use this diagram later with a static NAT, so I guess it will do.

  • Pre-8.3

Here is the basic ASA config without NAT:

!
hostname ASA802
domain-name popravak.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 4.132.0.1 255.255.255.252
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 10.100.0.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/5
shutdown
no nameif
no security-level
no ip address
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot config disk0:/.private/startup-config
ftp mode passive
dns server-group DefaultDNS
domain-name popravak.com
pager lines 24
no logging message 402128
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
!

Now if we try to  telnet to PC on the Internet, we would fail. In fact as NAT-Control is off in lab environment we would be successful:

SERVER#
SERVER#telnet 4.132.0.2
Trying 4.132.0.2 … Open

User Access Verification

Password:
PC>
PC>who
Line       User       Host(s)              Idle       Location
0 con 0                idle                 00:30:55
* 98 vty 0                idle                 00:00:00 10.100.0.23

Interface    User               Mode         Idle     Peer Address

PC>

But in real life, server’s IP 10.100.0.23 would not make out to a PC, because it is a RFC1918 private address, so NAT is required. This is achieved by turning on a NAT-Control.

ASA802#
ASA802# conf t
ASA802(config)# nat-control
ASA802(config)# end
ASA802#

Now our telnet should fail, so we need to set up a simple dynamic NAT policy:

ASA802(config)#
ASA802(config)# nat (inside) 1 0 0
ASA802(config)# global (outside) 1 4.132.0.23
INFO: Global 4.132.0.23 will be Port Address Translated
ASA802(config)#

First line says that anything coming from inside should be NATed, and second line says into what address the inside addresses should be NATed, but only if a destination  is somewhere out the outside interface, not DMZ or something like that. In our case everything from inside should be NATed to IP address 4.132.0.23. Let’s try our connectivity now:

SERVER#
SERVER#telnet 4.132.0.2
Trying 4.132.0.2 … Open

User Access Verification

Password:
PC>who
Line       User       Host(s)              Idle       Location
0 con 0                idle                 00:43:59
* 98 vty 0                idle                 00:00:00 4.132.0.23

Interface    User               Mode         Idle     Peer Address

PC>

And now we are NATed as expected and able to access the Internet.

  • Post-8.3

The initial configuration is almost the same, so we will start with NAT configuration. This is very different than in previous versions. First, we need to create an object. This will represent a NAT/PAT address or a pool of addresses that will be used as NAT/PAT addresses. After that, we create a NAT itself:

ASA842#
ASA842# show run object
object network HOST_4.132.0.23
host 4.132.0.23

ASA842#
ASA842# show run nat
nat (inside,outside) source dynamic any HOST_4.132.0.23
ASA842#

That’s it! Now tell me which way you like more Smile Please note “any” in a NAT statement. It is sort of a “0 0” in pre-8.3 version. Now, does this work?

SERVER#
SERVER#telnet 4.132.0.2
Trying 4.132.0.2 … Open

User Access Verification

Password:
PC>who
Line       User       Host(s)              Idle       Location
0 con 0                idle                 00:18:17
* 98 vty 0                idle                 00:00:00 4.132.0.23

Interface    User               Mode         Idle     Peer Address

PC>

Ok, that was the most simple (and perhaps the most used) version of NAT. I will continue to explore the differences between two NATs in future blogs.

Advertisements
This entry was posted in ASA, GNS3, NAT and tagged , , , . Bookmark the permalink.

One Response to ASA Pre-8.3 and Post-8.3 NAT – Dynamic NAT/PAT

  1. sam says:

    Thank you that was great but the complexity when you want to allow inside from outside when you are limited to one public addess and want to direct to different port, for example port 80 to server 1 port 21 for server and so on.
    Also when you decided to nat source nat from outside to give it an internal IP.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s