asa5505 configure NAT

lon21 Member Posts: 201
Guys,

I need to configure NAT on an ASA5505 to only NAT the .4.0 IP address range.

Would the command be nat (inside) 1 192.168.4.0 255.255.255.0, or would it be
nat (inside) 1 192.168.4.0 0.0.0.255?


Thanks

Comments

  • lon21 Member Posts: 201
    ColbyG wrote: »
    the first one

    Thanks. Also,

    What's the difference between route 0.0.0.0 0.0.0.0 ip address and the nat (global) 1 interface 1?


    Thanks
  • ColbyG Member Posts: 1,264
    One is a static route and the other is a PAT statement.
  • lon21 Member Posts: 201
    ColbyG wrote: »
    One is a static route and the other is a PAT statement.

    If I have a NAT rule in my ASA, do I need a static route?
  • networker050184 Mod Posts: 11,962
    NAT isn't a route. So, you are still going to want a route.
    An expert is a man who has made all the mistakes which can be made.
  • lon21 Member Posts: 201
    The ASA already has one route, but I want a certain IP address to use only a certain route.
  • Chipsch Member Posts: 114
    So you mean you have a default route, let's say, and you want to route a more specific subnet or host elsewhere? i.e.

    route 0.0.0.0 0.0.0.0 outside
    route 10.10.10.10 255.255.255.255 dmz1

    There are a number of ways you can do it really, even via a dynamic routing protocol if you would like. Personally though, I try to keep routing to a minimum on firewalls since that isn't what they were built for.
  • lon21 Member Posts: 201
    I have one outside line and the ISP has given me two IP addresses. One to the internet and the other to my data centre.

    I want to be able to route only traffic from an inside host of 192.168.4.1 to the data centre IP.

    What I thought was to create a new nat rule.

    nat (inside) 2 192.168.4.1 255.255.255.255
    global (outside) 2 "data centre ip"
  • lon21 Member Posts: 201
    Guys,

    My outside interface has two IP addresses, 192.168.0.1 and .0.4.

    My internal devices are given IP addresses via DHCP from the ASA.

    I want only the 192.168.2.3 device to send all traffic to 192.168.0.4. I've created a specific NAT rule, and I've tried to test it via a ping, but all traffic is not going through.

    Here's my ASA lab config...

    ASA-New-York# show running-config
    : Saved
    :
    ASA Version 8.0(3)
    !
    hostname ASA-New-York
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    !
    interface Vlan1
    nameif outside
    security-level 0
    ip address dhcp setroute
    !
    interface Vlan2
    nameif inside
    security-level 100
    ip address 192.168.2.1 255.255.255.0
    !
    interface Vlan3
    no nameif
    no security-level
    no ip address
    !
    interface Ethernet0/0
    !
    interface Ethernet0/1
    switchport access vlan 3
    shutdown
    !
    interface Ethernet0/2
    shutdown
    !
    interface Ethernet0/3
    shutdown
    !
    interface Ethernet0/4
    shutdown
    !
    interface Ethernet0/5
    shutdown
    !
    interface Ethernet0/6
    switchport access vlan 2
    !
    interface Ethernet0/7
    switchport access vlan 2
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    boot system disk0:/asa803-k8.bin
    boot system disk0:/asa802-k8.bin
    ftp mode passive
    dns domain-lookup outside
    dns domain-lookup inside
    dns server-group DefaultDNS
    name-server 8.8.8.8
    access-list IP_Inside extended permit ip any any
    access-list IP_Outside extended permit ip any any
    pager lines 24
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-611.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 2 192.168.0.4
    global (outside) 1 interface
    nat (inside) 2 192.168.2.3 255.255.255.255
    nat (inside) 1 192.168.2.0 255.255.255.0
    access-group IP_Outside in interface outside
    access-group IP_Inside in interface inside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    dhcpd option 3 ip 192.168.2.1
    !
    dhcpd address 192.168.2.3-192.168.2.5 inside
    dhcpd enable inside
    !

    threat-detection basic-threat
    threat-detection statistics access-list
    !
    !
    prompt hostname context
  • instant000 Member Posts: 1,745
    pings don't work by default.
    Use the show interface command to ensure that the security appliance is connected to the network and is passing traffic. The address of the specified if_name is used as the source address of the ping.
      If you want internal hosts to ping external hosts, you must do one of the following:
      • Create an ICMP access-list command for an echo reply; for example, to give ping access to all hosts, use the access-list acl_grp permit icmp any any command and bind the access-list command to the interface that you want to test using the access-group command.
      • Configure the ICMP inspection engine using the inspect icmp command. For example, adding the inspect icmp command to the class default_inspection class for the global service policy allows echo replies through the security appliance for echo requests initiated by internal hosts.
      You can also perform an extended ping, which allows you to enter the keywords one line at a time.
      If you are pinging through the security appliance between hosts or routers, but the pings are not successful, use the capture command to monitor the success of the ping.
      The security appliance ping command does not require an interface name. If you do not specify an interface name, the security appliance checks the routing table to find the address that you specify. You can specify an interface name to indicate through which interface the ICMP echo requests are sent.
      Examples

      The following example shows how to determine if other IP addresses are visible from the security appliance:
      hostname# ping 171.69.38.1
      Sending 5, 100-byte ICMP Echos to 171.69.38.1, timeout is 2 seconds:
      !!!!!
      Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

      The following example specifies a host using a DNS name:
      hostname# ping www.example.com
      Sending 5, 100-byte ICMP Echos to www.example.com, timeout is 2 seconds:
      !!!!!
      Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

      The following is an example of an extended ping:
      hostname# ping
      Interface: outside
      Target IP address: 171.69.38.1
      Repeat count: [5]
      Datagram size: [100]
      Timeout in seconds: [2]
      Extended commands [n]:
      Sweep range of sizes [n]:
      Sending 5, 100-byte ICMP Echos to 171.69.38.1, timeout is 2 seconds:
      !!!!!
      Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

    Source: Cisco Security Appliance Command Reference, Version 8.0 - packet-tracer -- pwd [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
  • instant000 Member Posts: 1,745
    lon21 wrote: »
    Guys,

    My outside interface has two IP addresses, 192.168.0.1 and .0.4.

    My internal devices are given IP addresses via DHCP from the ASA.

    I want only the 192.168.2.3 device to send all traffic to 192.168.0.4. I've created a specific NAT rule, and I've tried to test it via a ping, but all traffic is not going through.

    Here's my ASA lab config...

    global (outside) 2 192.168.0.4
    global (outside) 1 interface
    nat (inside) 2 192.168.2.3 255.255.255.255
    nat (inside) 1 192.168.2.0 255.255.255.0


    I just noticed that your translations overlap.

    (that is, 192.168.2.3/32, falls within 192.168.2.0/24)

    Can you please adjust this?

    We get this at work sometimes, and it causes inconsistent traffic issues (the every-other-packet syndrome).

    If you set up a debug for your NAT, it might help you to see what's going on.

    Without a diagram to look at, I'm only guessing, at this point.
  • instant000 Member Posts: 1,745
    well, we don't technically get this exactly, as we tend to use "statics" and get a similar problem when they overlap, which is the only reason I suggested investigating that, to see if changing them to not overlap helped you.
  • lon21 Member Posts: 201
    instant000 wrote: »
    I just noticed that your translations overlap.

    (that is, 192.168.2.3/32, falls within 192.168.2.0/24)

    Can you please adjust this?

    We get this at work sometimes, and it causes inconsistent traffic issues (the every-other-packet syndrome).

    If you set up a debug for your NAT, it might help you to see what's going on.

    Without a diagram to look at, I'm only guessing, at this point.


    How would I configure this?

    As I want the 2.3 to go out one IP address but all the other hosts to go out another?

    When you use static, can it do PAT and NAT?
  • instant000 Member Posts: 1,745
    lon21 wrote: »
    How would I configure this?

    As I want the 2.3 to go out one IP address but all the other hosts to go out another?

    When you use static, can it do PAT and NAT?

    According to this document, your configuration is just fine, apparently.


    In dynamic NAT, the more specific statement is the one that takes precedence when you use the same interface on global.
    nat (inside) 1 10.0.0.0 255.0.0.0
    nat (inside) 2 10.1.0.0 255.255.0.0
    global (outside) 1 172.16.1.1
    global (outside) 2 192.168.1.1


    source: PIX/ASA 7.x and FWSM: NAT and PAT Statements - Cisco Systems

    but, things do change between versions, so...

    Still, I would like to see a diagram, and a debug of your NAT, to get an idea of what you're doing.

    Also, if you could do a packet-trace, that would be helpful, as it could show what should happen when you send the traffic through. At a minimum, if you could do that, it'd be awesome.



    http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/p_72.html#wp1724426

    pardon the formatting.

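    The precedence rule quoted above (the more specific nat statement wins when both use the same global interface) and the subnet-mask versus wildcard question from the opening post, as an added Python example that is not from this thread or from Cisco: it parses the four nat/global lines lon21 posted and picks the translation a given inside source would get. It assumes only the old nat/global syntax from ASA 8.0 and is a constructed illustration of the rule, not the appliance's own logic.

```python
import ipaddress

# Constructed sample: the four translation lines quoted in the thread (not a live config).
SAMPLE_CONFIG = """
global (outside) 2 192.168.0.4
global (outside) 1 interface
nat (inside) 2 192.168.2.3 255.255.255.255
nat (inside) 1 192.168.2.0 255.255.255.0
"""


def is_subnet_mask(mask):
    """True for a contiguous netmask such as 255.255.255.0; False for a wildcard like 0.0.0.255."""
    bits = int(ipaddress.IPv4Address(mask))
    inverted = (~bits) & 0xFFFFFFFF
    # A netmask is a run of 1s followed by 0s, so its complement is 2^k - 1.
    return inverted & (inverted + 1) == 0


def parse_nat(config):
    """Collect nat statements (id, interface, network) and global pools keyed by (interface, id)."""
    nats, globals_ = [], {}
    for line in config.strip().splitlines():
        parts = line.split()
        if parts[0] == "nat":
            ifname, nat_id, net, mask = parts[1].strip("()"), int(parts[2]), parts[3], parts[4]
            if not is_subnet_mask(mask):
                # The ASA nat command takes a subnet mask; a wildcard mask is a config error.
                raise ValueError(f"{line!r}: expected a subnet mask, got wildcard {mask}")
            nats.append((nat_id, ifname, ipaddress.ip_network(f"{net}/{mask}", strict=False)))
        elif parts[0] == "global":
            globals_[(parts[1].strip("()"), int(parts[2]))] = parts[3]
    return nats, globals_


def translate(src, nats, globals_, in_if="inside", out_if="outside"):
    """Return the global pool the most specific matching nat statement pairs with, or None."""
    candidates = [(net.prefixlen, nat_id) for nat_id, ifn, net in nats
                  if ifn == in_if and ipaddress.ip_address(src) in net]
    if not candidates:
        return None  # no nat statement covers this source, so no translation
    _, nat_id = max(candidates)  # longest prefix wins, as the quoted Cisco note states
    return globals_.get((out_if, nat_id))


def lookup(src, config=SAMPLE_CONFIG):
    """Convenience wrapper: parse the config and translate one source address."""
    nats, globals_ = parse_nat(config)
    return translate(src, nats, globals_)
```

    Running lookup("192.168.2.3") selects the /32 statement and returns 192.168.0.4, while any other DHCP client on 192.168.2.0/24 falls through to the interface PAT.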
  • instant000 Member Posts: 1,745
    Remember, I'm still not clear on what your problem is.

    What protocol/source/destination are you testing, and what is your result?

    Also, what does your diagram look like?

    Thanks!