ASA Pre-8.3 and Post-8.3 NAT – Static NAT

In our previous blog post, we compared the differences in dynamic NAT/PAT between pre-8.3 and post-8.3 ASA code.

Now we will do the same with static NAT. The diagram is the same as in the previous post:


We want to allow all users from the Internet (represented by a PC) to access the inside server. Of course, they cannot reach it via its real IP address, 10.100.0.23, but via a globally routed IP address that belongs to us and is routed to us, that is, to the ASA.

Let’s remember the golden rules of allowing outside users to access internal resources:

  • a static NAT entry has to be in place
  • an access list entry has to permit the access

If we start with a basic ASA config, this is what we would need to do:

  • Pre-8.3

access-list OUTSIDE_IN extended permit tcp any host 4.132.0.23 eq telnet
access-group OUTSIDE_IN in interface outside
static (inside,outside) 4.132.0.23 10.100.0.23 netmask 255.255.255.255

That’s it! As simple as that! Now, let’s verify by telnetting from the PC to the public IP address 4.132.0.23:

PC#
PC#telnet 4.132.0.23
Trying 4.132.0.23 … Open

User Access Verification

Password:
SERVER>who
Line       User       Host(s)              Idle       Location
0 con 0                idle                 00:08:20
* 98 vty 0                idle                 00:00:00 4.132.0.2

Interface    User               Mode         Idle     Peer Address

SERVER>

  • Post-8.3

With post-8.3 we still need an access list entry that permits the required traffic, but instead of putting the public (mapped) IP address 4.132.0.23 as the destination, we use the real IP address 10.100.0.23. And the NAT is, of course, a bit different:

object network HOST_4.132.0.23
host 4.132.0.23

object network HOST_10.100.0.23
host 10.100.0.23

nat (inside,outside) source static HOST_10.100.0.23 HOST_4.132.0.23

access-list OUTSIDE_IN extended permit tcp any object HOST_10.100.0.23 eq telnet
access-group OUTSIDE_IN in interface outside

First we create an object that represents the mapped (public) IP address, then we do the same for the real IP address and finally we create the NAT rule. The static keyword is gone, as is global.
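To make the pre-8.3 to post-8.3 translation above mechanical, here is an added example (not from the original post) that takes the one-to-one static and ACL from the pre-8.3 section and emits the object-based form from the post-8.3 section, including the ACL destination swap from mapped to real address. The sample config is constructed from the lines on this page; it handles only host statics with a /32 netmask.

```python
import re

# Matches a one-to-one pre-8.3 static, e.g.
#   static (inside,outside) 4.132.0.23 10.100.0.23 netmask 255.255.255.255
STATIC_RE = re.compile(
    r"^static \((?P<real_if>[\w-]+),(?P<mapped_if>[\w-]+)\) "
    r"(?P<mapped>[\d.]+) (?P<real>[\d.]+) netmask 255\.255\.255\.255$"
)

# Constructed sample: the pre-8.3 config from this post.
PRE83_SAMPLE = """
access-list OUTSIDE_IN extended permit tcp any host 4.132.0.23 eq telnet
access-group OUTSIDE_IN in interface outside
static (inside,outside) 4.132.0.23 10.100.0.23 netmask 255.255.255.255
"""


def convert_static_nat(pre83_config: str) -> str:
    """Rewrite pre-8.3 host statics plus the ACLs that reference their mapped
    addresses into post-8.3 object NAT form; other lines pass through unchanged."""
    lines = [l.strip() for l in pre83_config.strip().splitlines() if l.strip()]
    mapped_to_real, objects, nats, others = {}, [], [], []
    # Pass 1: collect statics first, so ACLs are rewritten whatever the order.
    for line in lines:
        m = STATIC_RE.match(line)
        if not m:
            others.append(line)
            continue
        real, mapped = m["real"], m["mapped"]
        mapped_to_real[mapped] = real
        objects += [f"object network HOST_{mapped}", f" host {mapped}", "",
                    f"object network HOST_{real}", f" host {real}", ""]
        nats.append(f"nat ({m['real_if']},{m['mapped_if']}) "
                    f"source static HOST_{real} HOST_{mapped}")
    # Pass 2: post-8.3 ACLs must name the real address, so every
    # 'host <mapped>' in an access-list line becomes the real-address object.
    rewritten = []
    for line in others:
        if line.startswith("access-list "):
            for mapped, real in mapped_to_real.items():
                line = re.sub(rf"\bhost {re.escape(mapped)}\b",
                              f"object HOST_{real}", line)
        rewritten.append(line)
    return "\n".join(objects + nats + [""] + rewritten)


if __name__ == "__main__":
    print(convert_static_nat(PRE83_SAMPLE))
```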

Do you know what is the most often used word in ASA’s config post-8.3? OBJECT :)

Now let’s verify:

PC#
PC#telnet 4.132.0.23
Trying 4.132.0.23 … Open

User Access Verification

Password:
Password:
SERVER>who
Line       User       Host(s)              Idle       Location
0 con 0                idle                 00:05:02
* 98 vty 0                idle                 00:00:00 4.132.0.2

Interface    User               Mode         Idle     Peer Address

SERVER>

That was a simple static NAT on the ASA with pre- and post-8.3 versions of code.
