Skip to main content

ASA Pre-8.3 to 8.3 NAT configuration examples

Static NAT/PAT

Pre-8.3 NAT
8.3 NAT
Regular Static NAT
static (inside,outside) 192.168.100.100 10.1.1.6 netmask  255.255.255.255
 object network obj-10.1.1.6
   host 10.1.1.6
   nat (inside,outside) static 192.168.100.100   
Regular Static PAT
static (inside,outside) tcp 192.168.100.100 80 10.1.1.16 8080 netmask  255.255.255.255
 object network obj-10.1.1.16
   host 10.1.1.16
   nat (inside,outside) static 192.168.100.100 service tcp 8080 www
Static Policy NAT
access-list NET1 permit ip host 10.1.2.27 10.76.5.0 255.255.255.224
static (inside,outside) 192.168.100.100 access-list NET1
 object network obj-10.1.2.27
   host 10.1.2.27
 object network obj-192.168.100.100
   host 192.168.100.100
 object network obj-10.76.5.0
   subnet 10.76.5.0 255.255.255.224
 nat (inside,outside) source static obj-10.1.2.27 obj-192.168.100.100
destination static obj-10.76.5.0 obj-10.76.5.0

Pre-8.3 NAT
8.3 NAT
Regular Dynamic PAT
 nat (inside) 1 192.168.1.0 255.255.255.0
 nat (dmz) 1 10.1.1.0 255.255.255.0
 global (outside) 1
192.168.100.100
object network obj-192.168.1.0
   subnet 192.168.1.0 255.255.255.0
   nat (inside,outside) dynamic 192.168.100.100
 object network obj-10.1.1.0
   subnet 10.1.1.0 255.255.255.0
   nat (dmz,outside) dynamic 192.168.100.100
Regular Dynamic PAT
 nat (inside) 1 10.1.2.0 255.255.255.0
 global (outside) 1 192.168.100.100
 global (dmz) 1 192.168.1.1
 object network obj-10.1.2.0
   subnet 10.1.2.0 255.255.255.0
   nat (inside,outside) dynamic 192.168.100.100
 object network obj-10.1.2.0-01
   subnet 10.1.2.0 255.255.255.0
   nat (inside,dmz) dynamic 192.168.1.1
Regular Dynamic PAT-3

 nat (inside) 1 0 0
 global (outside) 1 interface
 object network obj_any
   subnet 0.0.0.0 0.0.0.0
   nat (inside,outside) dynamic interface
Dynamic Policy NAT

 object-group network og-net-src
   network-object 192.168.1.0 255.255.255.0
   network-object 192.168.2.0 255.255.255.0
 object-group network og-net-dst
   network-object 192.168.200.0 255.255.255.0
 object-group service og-ser-src
   service-object tcp gt 2000
   service-object tcp eq 1500
 access-list NET6 extended permit object-group og-ser-src
                  object-group og-net-src object-group og-net-dst
 nat (inside) 10 access-list NET6
 global (outside) 10 192.168.100.100
 object network obj-192.168.100.100
   host 192.168.100.100
 object service obj-tcp-range-2001-65535
   service tcp destination range 2001 65535
 object service obj-tcp-eq-1500
   service tcp destination eq 1500
 nat (inside,outside) source dynamic og-net-src
             obj-192.168.100.100 destination
             static og-net-dst og-net-dst
             service obj-tcp-range-2001-65535
             obj-tcp-range-2001-65535
 nat (inside,outside) source dynamic og-net-src
             obj-192.168.100.100 destination
             static og-net-dst og-net-dst
             service obj-tcp-eq-1500 obj-tcp-eq-1500
Policy Dynamic NAT (with multiple ACEs)

 access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0
                               192.168.1.0 255.255.255.0
 access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0
                               192.168.2.0 255.255.255.0
 access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0
                               192.168.3.0 255.255.255.0
 access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0
                               192.168.4.0 255.255.255.0
 nat (inside) 1 access-list ACL_NAT
 global (outside) 1 192.168.100.100
 object network obj-172.29.0.0
   subnet 172.29.0.0 255.255.0.0
 object network obj-192.168.100.100
   host 192.168.100.100
 object network obj-192.168.1.0
   subnet 192.168.1.0 255.255.255.0


 object network obj-192.168.2.0
   subnet 192.168.2.0 255.255.255.0


 object network obj-192.168.3.0
   subnet 192.168.3.0 255.255.255.0


 object network obj-192.168.4.0
   subnet 192.168.4.0 255.255.255.0

nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
             destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
             destination static obj-192.168.2.0 obj-192.168.2.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
             destination static obj-192.168.3.0 obj-192.168.3.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100
             destination static obj-192.168.4.0 obj-192.168.4.0
Outside NAT
 global (inside) 1 10.1.2.30-1-10.1.2.40
 nat (dmz) 1 10.1.1.0 255.255.255.0 outside
 static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255
 object network obj-10.1.2.27
   host 10.1.2.27
   nat (inside,dmz) static 10.1.1.5
 object network obj-10.1.1.0
   subnet 10.1.1.0 255.255.255.0
   nat (dmz,inside) dynamic obj-10.1.2.30-10.1.2.40
 object network obj-10.1.2.30-10.1.2.40
   range 10.1.2.30 10.1.2.40
NAT & Interface PAT together
 nat (inside) 1 10.1.2.0 255.255.255.0
 global (outside) 1 interface
 global (outside) 1 192.168.100.100-192.168.100.200
 object network obj-192.168.100.100_192.168.100.200
   range 192.168.100.100 192.168.100.200
 object network obj-10.1.2.0
   subnet 10.1.2.0 255.255.255.0
   nat (inside,outside) dynamic
            obj-192.168.100.100_192.168.100.200 interface
NAT & Interface PAT with additional PAT together
 nat (inside) 1 10.0.0.0 255.0.0.0
  global (outside) 1 192.168.100.1-192.168.100.200
  global (outside) 1 interface
  global (outside) 1 192.168.100.210
 object network obj-192.168.100.100_192.168.100.200
   range 192.168.100.100 192.168.100.200
 object network obj-10.0.0.0
   subnet 10.0.0.0 255.0.0.0
 object network second-pat
   host 192.168.100.210
 object-group network dynamic-nat-pat
   network-object object obj-192.168.100.100_192.168.100.200
   network-object object second-pat

nat (inside,outside) dynamic dynamic-nat-pat interface
Twice NAT with both source IP, Dest IP and Source port, Dest port change.
On the inside:

Source IP: 10.30.97.129
Dest IP: 10.30.97.200
Source port: 5300
Dest port: any port


On the outside:

Source IP: Interface IP
Dest IP: 172.16.1.10
Source port: 5300
Dest port: 1022
object network source-real
  host 10.30.97.129
 
object network dest-mapped
  host 10.30.97.200

object network dest-real
  host 172.16.1.10

object service inside-src-dest-port
 service tcp source eq 5300 destination range 0 65535

object service outside-src-dest-port
 service tcp source eq 5300 destination eq 1022


nat (inside,outside) after source static source-real interface destination static dest-mapped dest-real service inside-src-dest-port outside-src-dest-port



Static NAT for a Range of Ports

Not Possible - Need to write multiple Statements or perform a Static one-to-one NAT
           (in)    (out)
10.1.1.1-------ASA-----
        --xlate-------> 10.2.2.2
Original Ports: 10000 - 10010
Translated ports: 20000 - 20010

object service ports
 service tcp source range 10000 10010

object service ports-xlate
 service tcp source range 20000 20010

object network server
 host 10.1.1.1

object network server-xlate
 host 10.2.2.2


nat (inside,outside) source static server server-xlate service ports ports-xlate


Labels:

Comments

Post a Comment

Popular posts from this blog

Basic Rules of Checkpoint Firewall

Managing the Firewall Rule Base: Explicit and Implied Rules These are the types of rules in the Rule Base: Explicit rules - Rules that you create to configure which connections the Firewall allows Implied rules - Rules that are based on settings in the Global Properties menu Implied rules allow connections for different services that the Security Gateway uses. For example, the Accept Control Connections option allows packets that control these services: ·          Installing the security policy on a Security Gateway ·          Sending logs from a Security Gateway to the Security Management server ·          Connecting to third party applications, such as RADIUS and TACACS authentication servers Order of Rule Enforcement: Make sure that you understand the importance of the order of rule enforcement to maximize the security of the Firewall. The Firewall always enforces the first rule that matches a connection. It does not enforce later rules tha
Post a Comment
Read more

ASA TCP Connection Flags

When troubleshooting TCP connections through the ASA, the connection flags shown for each TCP connection provide a wealth of information about the state of TCP connections to the ASA. This information can be used to troubleshoot problems with the ASA, as well as problems elsewhere in the network. Here is the output of the show conn protocol tcp command, which shows the state of all TCP connections through the ASA. These connections can also be seen with the show conn command. ASA# show conn protocol tcp 101 in use, 5589 most used TCP outside 10.23.232.59:5223 inside 192.168.1.3:52419, idle 0:00:11, bytes 0, flags saA TCP outside 192.168.3.5:80 dmz 172.16.103.221:57646, idle 0:00:29, bytes 2176, flags UIO TCP outside 10.23.232.217:443 inside 192.168.1.3:52427, idle 0:01:02, bytes 4504, flags TCP outside 10.23.232.217:5223 inside 192.168.1.3:52425, idle 0:00:10, bytes 0, flags saAUIO TCP outside 10.23.232.57:5223 inside 192.168.1.3:52412, idle 0:00:23, bytes 0, flag
Post a Comment
Read more

How to Set Up an IPSec Tunnel On PAN-OS - Palo Alto Firewalls

Set Up an IPSec Tunnel  The IPSec tunnel configuration allows you to authenticate and/or encrypt the data (IP packet) as it traverses across the tunnel.  If you are setting up the Palo Alto Networks firewall to work with a peer that supports policy-based VPN, you must define Proxy IDs. Devices that support policy-based VPN use specific security rules/policies or access-lists (source addresses, destination addresses and ports) for permitting interesting traffic through an IPSec tunnel. These rules are referenced during quick mode/IKE phase 2 negotiation, and are exchanged as Proxy-IDs in the first or the second message of the process. So, if you are configuring the Palo Alto Networks firewall to work with a policy-based VPN peer, for a successful phase 2 negotiation you must define the Proxy-ID so that the setting on both peers is identical. If the Proxy-ID is not configured, because the Palo Alto Networks firewall supports route-based VPN, the default values used as Proxy-ID are source
Post a Comment
Read more