ASA Double Nat in 8.4+

by Tony Mattke on September 28, 2012



Recently I was faced with an issue outside my normal expertise… those of you that know me realize I am anything but a security engineer. But in reality, you must always expand your horizons. One of the projects I’m working on involves migrating between two edge networks. Obviously, for a time there has to be traffic using both networks while you migrate services from one network to the other. This creates an issue for services that may be NAT’d from the inside of the network, whereas the current (read: old) default route takes them out a different connection.
In order to solve this, you need to either change the default route, which may not be possible, or start NAT’ing the source address of your traffic. It took me a bit of time to get the details worked out, so I wanted to share what I found out.

Plain Jane Static NAT

Since 8.3, NAT has changed quite a bit. The most obvious change is the use of Object groups pretty much everywhere. In some ways, this simplifies the config. In others, not so much. Basic static NAT takes the form of a single object group that defines the inside host, and the static NAT statement.

object network SERVER
  host 10.72.14.29
  nat (INSIDE,OUTSIDE) static 12.98.16.42
!
! Interface order is (real_ifc,mapped_ifc): the object holds the real (inside)
! address, so INSIDE is listed first and the mapped address lives on OUTSIDE.

NAT + PAT

The biggest thing that kept giving me issues was that I was attempting to reuse the normal static NAT config, and build a separate PAT config for the source address. Once I realized I was being a tool, the solution came rather quickly. This NAT statement is configured in the same manner as Identity NAT, used to prevent address translations to certain destinations. First you define two object groups, one for the NAT address, and one for the real inside address of the server.

object network SERVER_NAT
  host 12.98.16.42
!
object network SERVER_INSIDE
  host 10.72.14.29
!
nat (OUTSIDE,INSIDE) source dynamic any interface destination static SERVER_NAT SERVER_INSIDE

Now for the slightly confusing NAT statement itself…

nat (OUTSIDE,INSIDE) — this is familiar, should make sense to most of us.

source dynamic any interface — this states that our source address is using dynamic NAT/PAT, the traffic could originate from anywhere, and should be NAT’d to the interface it leaves the firewall on. This is the key to our source NAT/PAT configuration…

destination static SERVER_NAT SERVER_INSIDE — finally, this just states that our destination is a static NAT, translating the address in the object group SERVER_NAT to the address in the object group SERVER_INSIDE.
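To make the three pieces of that statement concrete, here is an added example (not code from RouterJockey.com or from Cisco) that parses the two object definitions and the nat line exactly as written above, then walks an inbound packet through them. The INSIDE/OUTSIDE interface addresses in INTERFACE_IPS and the outside client 198.51.100.7 are constructed values, and the model is deliberately narrow: it handles only the real-to-mapped direction (a packet arriving on the first interface in the parentheses), applies the first matching rule, and does not model port allocation for PAT.

```python
"""Walk the twice NAT statement from the post through an inbound packet.

Added example, not the blog's or Cisco's code. It reads the object and nat
lines as written on the page and applies them to a packet entering on the
real interface. INTERFACE_IPS and the client address are constructed.
"""
import ipaddress
import re

# The statements from the post, embedded verbatim as sample input.
ASA_CONFIG = """
object network SERVER_NAT
  host 12.98.16.42
!
object network SERVER_INSIDE
  host 10.72.14.29
!
nat (OUTSIDE,INSIDE) source dynamic any interface destination static SERVER_NAT SERVER_INSIDE
"""

# Assumed interface addresses; the "interface" keyword resolves to these.
INTERFACE_IPS = {"INSIDE": "10.72.14.1", "OUTSIDE": "12.98.16.1"}

# nat (real_ifc,mapped_ifc) source {static|dynamic} real mapped
#     [destination static mapped real]
NAT_RE = re.compile(
    r"nat \((?P<real_ifc>\w+),(?P<mapped_ifc>\w+)\) "
    r"source (?P<src_mode>static|dynamic) (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?: destination static (?P<dst_mapped>\S+) (?P<dst_real>\S+))?$"
)


def parse_objects(config):
    """Map each 'object network NAME' to the host or subnet it defines."""
    objs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)$", line):
            current = m.group(1)
        elif current and (m := re.match(r"host (\S+)$", line)):
            objs[current] = ipaddress.ip_network(m.group(1))  # /32
        elif current and (m := re.match(r"subnet (\S+) (\S+)$", line)):
            objs[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
    return objs


def parse_nat_rules(config):
    """Return every twice-NAT line as a dict of its named parts."""
    return [m.groupdict() for l in config.splitlines() if (m := NAT_RE.match(l.strip()))]


def resolve(name, objs, ifc):
    """Turn an object name or keyword into a network; 'interface' uses ifc's IP."""
    if name == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if name == "interface":
        return ipaddress.ip_network(INTERFACE_IPS[ifc])
    return objs[name]


def translate(ingress_ifc, src, dst, config=ASA_CONFIG):
    """Apply the first matching rule to a packet entering on ingress_ifc.

    Real-to-mapped direction only: the packet arrives on real_ifc, its source
    is matched against src_real and rewritten to src_mapped, its destination
    is matched against dst_mapped and rewritten to dst_real.
    Returns (egress_ifc, new_src, new_dst, source_was_pat) or None on no match.
    """
    objs = parse_objects(config)
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in parse_nat_rules(config):
        if r["real_ifc"] != ingress_ifc:
            continue  # rule is written from the other interface's perspective
        src_real_net = resolve(r["src_real"], objs, r["real_ifc"])
        if src_ip not in src_real_net:
            continue
        if r["dst_mapped"] and dst_ip not in resolve(r["dst_mapped"], objs, r["real_ifc"]):
            continue
        mapped_src_net = resolve(r["src_mapped"], objs, r["mapped_ifc"])
        if r["src_mode"] == "dynamic":
            new_src = mapped_src_net.network_address  # PAT: every source shares this IP
        else:
            new_src = mapped_src_net.network_address + (int(src_ip) - int(src_real_net.network_address))
        new_dst = dst_ip
        if r["dst_mapped"]:
            mapped_dst_net = resolve(r["dst_mapped"], objs, r["real_ifc"])
            real_dst_net = resolve(r["dst_real"], objs, r["mapped_ifc"])
            new_dst = real_dst_net.network_address + (int(dst_ip) - int(mapped_dst_net.network_address))
        return (r["mapped_ifc"], str(new_src), str(new_dst), r["src_mode"] == "dynamic")
    return None


if __name__ == "__main__":
    # Constructed client 198.51.100.7 hits the public server address from OUTSIDE.
    print(translate("OUTSIDE", "198.51.100.7", "12.98.16.42"))
```

Running it shows the two halves of the statement acting on one packet: the destination 12.98.16.42 becomes 10.72.14.29 (the static half), and the outside source becomes the INSIDE interface address (the dynamic half), which is exactly why the server's reply follows its route back to the firewall instead of the old default route. A packet whose destination is not in SERVER_NAT, or one entering on INSIDE, returns None from this model because nothing in the rule as written applies to it in that direction.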

fin

So, hopefully this makes sense… if not, please remember that RouterJockey.com provides no warranties or promises and that you’re just as hopelessly screwed as I am. Thanks for stopping by!

About the author:

Tony Mattke is a network engineer for a financial institution in Indiana. In the past he has worked for ISPs, data centers, networking manufacturers, and the occasional enterprise. For feedback, please leave a comment on the article in question. For everything else including fan mail or death threats, contact him via twitter.


peter September 28, 2012 at 2:10 pm

Hi Tony!

Your viewers may find my blog post on ASA NAT useful too, it takes a while to get used to but it's good! http://www.ccierants.com/2012/06/asa-84-nat-mostl


felix001 January 5, 2013 at 4:46 pm

Hey, great article you may also find this article useful as well if you are trying to learn 8.3 onwards…
http://www.fir3net.com/Cisco-ASA/cisco-asa-83-nat


Andrew Davis March 9, 2013 at 10:15 pm

good read and I really enjoyed the "fin", hahhaa. I do stuff like that all the time :).


travel to morocco May 6, 2013 at 1:03 pm

great tips, thank you for the information


Bhikshuk June 11, 2013 at 1:32 am

Please explain the term nat (OUTSIDE,INSIDE) .. I forgot it and tried so much… please explain in brief… is traffic coming from outside to inside or inside to outside…
