ASA Double Nat in 8.4+

Recently I was faced with an issue outside my normal expertise… those of you that know me realize I am anything but a security engineer. But in reality, you must always expand your horizons. One of the projects I’m working on involves migrating between two edge networks. Obviously, for a time there has to be traffic using both networks while you migrate services from one network to the other. This creates an issue from services that may be NAT’d from the inside of the network, where as the current (read: old) default route takes them out a different connection..
In order to solve this, you need to either change the default route, which may not be possible, or start NAT’ing the source address of your traffic. It took me a bit of time to get the details worked out, so I wanted to share what I found out.

Plain Jane Static NAT

Since 8.3, NAT has changed quite a bit. The most obvious change is the use of Object groups pretty much everywhere. In some ways, this simplifies the config. In others, not so much. Basic static NAT takes the form of a single object group that defines the inside host, and the static NAT statement.

object network SERVER
  host 10.72.14.29
  nat (OUTSIDE,INSIDE) static 12.98.16.42

NAT + PAT

The biggest thing that kept giving me issues was that I was attempting to reuse the normal static NAT config, and build a separate PAT config for the source address. Once I realized I was being a tool, the solution came rather quickly. This NAT statement is configured in the same manner as Identity NAT, used to prevent address translations to certain destinations. First you define two object groups, one for the NAT address, and one for the real inside address of the server.

object network SERVER_NAT
  host 12.98.16.42
!
object network SERVER_INSIDE
  host 10.72.14.29
!
nat (OUTSIDE,INSIDE) source dynamic any interface destination static SERVER_NAT SERVER_INSIDE

Next comes this slighly confusing NAT statement…

nat (OUTSIDE,INSIDE) — this is familiar, should make sense to most of us.

source dynamic any interface — this states that our source address is using dynamic NAT/PAT, the traffic could originate from anywhere, and should be NAT’d to the interface it leaves the firewall on. This is the key to our source NAT/PAT configuration…

destination static SERVER_NAT SERVER_INSIDE — finally, this just states the our destination is a static NAT statement, translating our object group SERVER_NAT, to the address in the object group SERVER_INSIDE.

fin

So, hopefully this makes sense… if not, please remember that RouterJockey.com provides no warranties or promises and that you’re just as hopelessly screwed as I am. Thanks for stopping by!

Network engineer currently servicing the enterprise data center market. I started working on networks in the ’90s and still feel like that was just a few years ago. Jack of all trades, master of none; I love to learn about everything. Feel free to ask me about photography, woodworking, nhra, watches, or 3x Gold ETFs — For feedback, please leave a comment on the article in question, and I’ll gladly moderate it several weeks later. For everything else including fan mail or death threats, contact him via twitter.
  • http://www.ccierants.com peter

    Hi Tony!

    Your viewers may find my blog post on ASA NAT Useful too, it takes a while to get used to but its good! http://www.ccierants.com/2012/06/asa-84-nat-mostl

  • felix001

    Hey, great article you may also find this article useful as well if you are trying to learn 8.3 onwards…
    http://www.fir3net.com/Cisco-ASA/cisco-asa-83-nat

  • Andrew Davis

    good read and I really enjoyed the "fin", hahhaa. I do stuff like that all the time :).

  • travel to morocco

    great tips, thank you for the informations

  • Bhikshuk

    Please, explain the term of nat (OUTSIDE,INSIDE) .. I forgot it any tried so much..please explain in brief…is traffic coming from outside to inside or inside to outside…