ASA Pre-8.3 to 8.3 NAT configuration examples


Document
Sat, 07/09/2016 - 05:16

Magnus Mortensen 6 years ago

Static NAT/PAT

Regular Static NAT

Pre-8.3 NAT:
static (inside,outside) 192.168.100.100 10.1.1.6 netmask 255.255.255.255

8.3 NAT:
object network obj-10.1.1.6
 host 10.1.1.6
 nat (inside,outside) static 192.168.100.100

Regular Static PAT

Pre-8.3 NAT:
static (inside,outside) tcp 192.168.100.100 80 10.1.1.16 8080 netmask 255.255.255.255

8.3 NAT:
object network obj-10.1.1.16
 host 10.1.1.16
 nat (inside,outside) static 192.168.100.100 service tcp 8080 www

Static Policy NAT

Pre-8.3 NAT:
access-list NET1 permit ip host 10.1.2.27 10.76.5.0 255.255.255.224
static (inside,outside) 192.168.100.100 access-list NET1

8.3 NAT:
object network obj-10.1.2.27
 host 10.1.2.27
object network obj-192.168.100.100
 host 192.168.100.100
object network obj-10.76.5.0
 subnet 10.76.5.0 255.255.255.224
nat (inside,outside) source static obj-10.1.2.27 obj-192.168.100.100 destination static obj-10.76.5.0 obj-10.76.5.0

Regular Dynamic PAT

Pre-8.3 NAT:
nat (inside) 1 192.168.1.0 255.255.255.0
nat (dmz) 1 10.1.1.0 255.255.255.0
global (outside) 1 192.168.100.100

8.3 NAT:
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic 192.168.100.100
object network obj-10.1.1.0
 subnet 10.1.1.0 255.255.255.0
 nat (dmz,outside) dynamic 192.168.100.100

Regular Dynamic PAT

Pre-8.3 NAT:
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 192.168.100.100
global (dmz) 1 192.168.1.1

8.3 NAT:
object network obj-10.1.2.0
 subnet 10.1.2.0 255.255.255.0
 nat (inside,outside) dynamic 192.168.100.100
object network obj-10.1.2.0-01
 subnet 10.1.2.0 255.255.255.0
 nat (inside,dmz) dynamic 192.168.1.1

Regular Dynamic PAT-3

Pre-8.3 NAT:
nat (inside) 1 0 0
global (outside) 1 interface

8.3 NAT:
object network obj_any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

Dynamic Policy NAT

Pre-8.3 NAT:
object-group network og-net-src
 network-object 192.168.1.0 255.255.255.0
 network-object 192.168.2.0 255.255.255.0
object-group network og-net-dst
 network-object 192.168.200.0 255.255.255.0
object-group service og-ser-src
 service-object tcp gt 2000
 service-object tcp eq 1500
access-list NET6 extended permit object-group og-ser-src object-group og-net-src object-group og-net-dst
nat (inside) 10 access-list NET6
global (outside) 10 192.168.100.100

8.3 NAT:
object network obj-192.168.100.100
 host 192.168.100.100
object service obj-tcp-range-2001-65535
 service tcp destination range 2001 65535
object service obj-tcp-eq-1500
 service tcp destination eq 1500
nat (inside,outside) source dynamic og-net-src obj-192.168.100.100 destination static og-net-dst og-net-dst service obj-tcp-range-2001-65535 obj-tcp-range-2001-65535
nat (inside,outside) source dynamic og-net-src obj-192.168.100.100 destination static og-net-dst og-net-dst service obj-tcp-eq-1500 obj-tcp-eq-1500

Policy Dynamic NAT (with multiple ACEs)

Pre-8.3 NAT:
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.2.0 255.255.255.0
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.3.0 255.255.255.0
access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.4.0 255.255.255.0
nat (inside) 1 access-list ACL_NAT
global (outside) 1 192.168.100.100

8.3 NAT:
object network obj-172.29.0.0
 subnet 172.29.0.0 255.255.0.0
object network obj-192.168.100.100
 host 192.168.100.100
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.2.0
 subnet 192.168.2.0 255.255.255.0
object network obj-192.168.3.0
 subnet 192.168.3.0 255.255.255.0
object network obj-192.168.4.0
 subnet 192.168.4.0 255.255.255.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.1.0 obj-192.168.1.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.2.0 obj-192.168.2.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.3.0 obj-192.168.3.0
nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.4.0 obj-192.168.4.0

Outside NAT

Pre-8.3 NAT:
global (inside) 1 10.1.2.30-10.1.2.40
nat (dmz) 1 10.1.1.0 255.255.255.0 outside
static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255

8.3 NAT:
object network obj-10.1.2.27
 host 10.1.2.27
 nat (inside,dmz) static 10.1.1.5
object network obj-10.1.2.30-10.1.2.40
 range 10.1.2.30 10.1.2.40
object network obj-10.1.1.0
 subnet 10.1.1.0 255.255.255.0
 nat (dmz,inside) dynamic obj-10.1.2.30-10.1.2.40

NAT & Interface PAT together

Pre-8.3 NAT:
nat (inside) 1 10.1.2.0 255.255.255.0
global (outside) 1 interface
global (outside) 1 192.168.100.100-192.168.100.200

8.3 NAT:
object network obj-192.168.100.100_192.168.100.200
 range 192.168.100.100 192.168.100.200
object network obj-10.1.2.0
 subnet 10.1.2.0 255.255.255.0
 nat (inside,outside) dynamic obj-192.168.100.100_192.168.100.200 interface

NAT & Interface PAT with additional PAT together

Pre-8.3 NAT:
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 192.168.100.1-192.168.100.200
global (outside) 1 192.168.100.210
global (outside) 1 interface

8.3 NAT:
object network obj-192.168.100.100_192.168.100.200
 range 192.168.100.100 192.168.100.200
object network second-pat
 host 192.168.100.210
object-group network dynamic-nat-pat
 network-object object obj-192.168.100.100_192.168.100.200
 network-object object second-pat
object network obj-10.0.0.0
 subnet 10.0.0.0 255.0.0.0
 nat (inside,outside) dynamic dynamic-nat-pat interface

Twice NAT with both source IP, Dest IP and Source port, Dest port change.

Requirement:
On the inside:
Source IP: 10.30.97.129
Dest IP: 10.30.97.200
Source port: 5300
Dest port: any port

On the outside:
Source IP: Interface IP
Dest IP: 172.16.1.10
Source port: 5300
Dest port: 1022

8.3 NAT:
object network source-real
 host 10.30.97.129
object network dest-mapped
 host 10.30.97.200
object network dest-real
 host 172.16.1.10
object service inside-src-dest-port
 service tcp source eq 5300 destination range 0 65535
object service outside-src-dest-port
 service tcp source eq 5300 destination eq 1022
nat (inside,outside) after-auto source static source-real interface destination static dest-mapped dest-real service inside-src-dest-port outside-src-dest-port

Static NAT for a Range of Ports

Pre-8.3 NAT:
Not possible. Need to write multiple statements or perform a static one-to-one NAT.

8.3 NAT:
(in)                                  (out)
10.1.1.1-------ASA------xlate-------> 10.2.2.2
Original ports: 10000 - 10010
Translated ports: 20000 - 20010

object service ports
 service tcp source range 10000 10010
object service ports-xlate
 service tcp source range 20000 20010
object network server
 host 10.1.1.1
object network server-xlate
 host 10.2.2.2
nat (inside,outside) source static server server-xlate service ports ports-xlate
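The simple rows of the table above (regular static NAT/PAT and the nat/global dynamic PAT forms, including pool plus interface PAT) can be converted mechanically; the following script does that, as an added example that is not part of the original document and not a Cisco tool. Object names follow the table's obj-<address> convention, the group name dynamic-nat-pat-<id> is an assumption of this example, and access-list (policy) NAT is rejected because it needs manual (twice) NAT rather than a guess.

```python
import re
from collections import defaultdict

IFACES = re.compile(r"\((?P<a>[\w-]+),(?P<b>[\w-]+)\)")


def convert_static(line):
    """'static (real_if,mapped_if) [tcp|udp] mapped [mport] real [rport] netmask 255.255.255.255'
    -> the equivalent 8.3 object NAT block, as a list of config lines."""
    t = line.split()
    if "access-list" in t:
        raise ValueError("policy static NAT needs manual (twice) NAT: " + line)
    m = IFACES.fullmatch(t[1]) if len(t) > 1 else None
    if t[0] != "static" or not m or t[-2:] != ["netmask", "255.255.255.255"]:
        raise ValueError("only host static NAT/PAT is handled: " + line)
    real_if, mapped_if = m.group("a"), m.group("b")
    if t[2] in ("tcp", "udp"):                 # static PAT: ports are per protocol
        proto, mapped, mport, real, rport = t[2:7]
        # 8.3 keyword order is: service <proto> <real_port> <mapped_port>
        # (the ASA displays well-known ports by name, e.g. 80 as 'www')
        svc = " service %s %s %s" % (proto, rport, mport)
    else:                                      # static NAT: whole host
        mapped, real, svc = t[2], t[3], ""
    return ["object network obj-" + real,
            " host " + real,
            " nat (%s,%s) static %s%s" % (real_if, mapped_if, mapped, svc)]


def convert_dynamic(lines):
    """'nat (iface) id net mask' + 'global (oface) id target' pairs -> 8.3 object NAT.
    'target' is a single address, an address range 'a-b' or 'interface'; a pool plus
    'interface' becomes 'dynamic <pool> interface' (interface PAT as the fallback)."""
    nats, globals_ = [], defaultdict(list)     # globals_[(id, out_iface)] = [targets]
    for line in lines:
        t = line.split()
        if t[0] == "nat":
            if "access-list" in t:
                raise ValueError("policy dynamic NAT needs manual (twice) NAT: " + line)
            net, mask = t[3], t[4]
            if (net, mask) == ("0", "0"):      # 'nat (inside) 1 0 0' shorthand for any
                net, mask = "0.0.0.0", "0.0.0.0"
            nats.append((t[1].strip("()"), t[2], net, mask))
        elif t[0] == "global":
            globals_[(t[2], t[1].strip("()"))].append(t[3])
    out, seen, defined = [], defaultdict(int), set()
    for iface, nat_id, net, mask in nats:
        for (gid, oface), targets in globals_.items():
            if gid != nat_id:
                continue
            names = []                         # mapped pool(s) for this real/out pair
            for p in (x for x in targets if x != "interface"):
                if "-" in p:                   # address range -> 'object network ... range'
                    lo, hi = p.split("-")
                    name = "obj-%s_%s" % (lo, hi)
                    if name not in defined:
                        out += ["object network " + name, " range %s %s" % (lo, hi)]
                        defined.add(name)
                    names.append(name)
                else:
                    names.append(p)            # a single PAT address is used literally
            if len(names) > 1:                 # pool + extra PAT address -> object-group
                grp = "dynamic-nat-pat-" + nat_id   # assumed name, not from the document
                if grp not in defined:
                    out.append("object-group network " + grp)
                    for n in names:
                        kind = "object " if n in defined else "host "
                        out.append(" network-object " + kind + n)
                    defined.add(grp)
                names = [grp]
            if "interface" in targets:
                names.append("interface")
            base = "obj_any" if net == "0.0.0.0" else "obj-" + net
            # the same real subnet NATed out of two interfaces needs two objects (obj-x, obj-x-01)
            obj = base if seen[base] == 0 else "%s-%02d" % (base, seen[base])
            seen[base] += 1
            out += ["object network " + obj,
                    " subnet %s %s" % (net, mask),
                    " nat (%s,%s) dynamic %s" % (iface, oface, " ".join(names))]
    return out


if __name__ == "__main__":
    # constructed input: the 'NAT & Interface PAT together' row of the table
    for ln in convert_dynamic(["nat (inside) 1 10.1.2.0 255.255.255.0",
                               "global (outside) 1 interface",
                               "global (outside) 1 192.168.100.100-192.168.100.200"]):
        print(ln)
```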

Comments

hdashnau 6 years ago

Very nice doc Magnus!



haider.rizwan 6 months ago

Hi,
I have a Cisco ASA 5505 running 9.2(4).
How do I set up UDP port forwarding for ports 36,000 to 59,999?
Please advise. Thank you.

Guddu Prasad 6 months ago

Hi Rizwan,
Try the below syntax.
object service udp-port
 service udp source range 36000 59999
object network realip
 host 192.168.x.x
object network mapip
 host 182.x.x.x
nat (inside,outside) source static realip mapip service udp-port udp-port
Also apply the ACL to allow the traffic.

haider.rizwan 6 months ago

Hi Guddu,

Thank you for the reply. Can you please advise on the ACL so I can test them all? I will update you on this.
Bundle of thanks.
Real IP: 192.168.1.207
WAN IP: 182.152.34.98
I have tried the above command but I used the mapped IP as the WAN IP and got the following error (I have PPPoE with a single WAN IP):
ERROR: Address 182.152.34.98 overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

Guddu Prasad 6 months ago

Hi Rizwan,
Try this NAT statement, because you are trying to open ports on the interface.
nat (inside,outside) source static realip interface service udp-port udp-port
ACL:
access-list outside permit udp any host 192.168.1.207 range 36000 59999
Thanks
Guddu

haider.rizwan 6 months ago

Cisco Adaptive Security Appliance Software Version 8.4(3)

Configuration:
object service udp-port
 service udp source range 36000 59999
object network expresswayLAN
 host 192.168.1.207
access-list outside_in extended permit udp any host 192.168.1.207 range 36000 59999
nat (inside,outside) source static expresswayLAN interface service udp-port udp-port
access-group outside_in in interface outside
ASA# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static expresswayLAN interface service udp-port udp-port
translate_hits = 0, untranslate_hits = 61
Please help; what am I missing to translate these ports?

Thank you so much.

haider.rizwan 6 months ago

Anyone? Please help to fix the forwarding issue. Thanks in advance.

haider.rizwan 6 months ago

Is there anyone who can help to fix the above issue?

whanson 6 years ago

Good stuff. Confusing at best, but does someone have an example of nat (inside) 0 nonat?
Thx

Praveena Shanubhogue 6 years ago

You might be looking for this:
https://supportforums.cisco.com/docs/DOC-11639

Muhammad Bilal ... 9 months ago

Read this: Cisco ASA Firewall NAT Types & Examples

Vindemiatrix 6 years ago

I've tried following this guide but I'm still having trouble no-NATting VPN clients, per https://supportforums.cisco.com/message/3168125

gobito156 5 years ago

Pretty please, can you help before I totally lose it.
I have followed the whole tutorial, including the video by Jay. I ended up with one of my DMZ servers working as expected and the second one has no access in or out. Both DMZs are accessible from inside; however, the one that doesn't work can take as long as 20 seconds for the SSH connection prompt. Any ideas?
object network inside-net
 subnet 192.168.1.0 255.255.255.0
object network dmz-fbsd-bart
 host 192.168.2.2
object network dmz-fbsd-ithcy
 host 192.168.2.4
access-list outside_in extended permit ip any host 192.168.2.4
access-list outside_in extended permit ip any host 192.168.2.2
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool vpn_pool 192.168.1.20-192.168.1.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
!
object network inside-net
 nat (inside,outside) dynamic interface
object network dmz-fbsd-bart
 nat (dmz,any) static XXX.XXX.XXX.71
object network dmz-fbsd-ithcy
 nat (dmz,any) static XXX.XXX.XXX.73
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.1 1

Thanks in advance,
Eren

tahequivoice 5 years ago

How would I convert an ACL-based NAT that takes the incoming packet and translates it to the inside IP of the ASA, so the inside server will respond when it uses a different default route?
access-list Outside-Web-Nat permit icmp any host x.x.x.x
access-list Outside-Web-Nat permit tcp any host x.x.x.x eq 443
global (inside) 2 interface
nat (outside) 2 access-list Outside-Web-Nat outside
static (inside,outside) x.x.x.x 10.192.63.9 netmask 255.255.255.255

Praveena Shanubhogue 5 years ago

Hi there,
You will get a quicker response if you post it in the Discussions section, FYI:
https://supportforums.cisco.com/community/netpro/security/firewall?view=discussions
As far as your query is concerned:
Access-list-based NAT in pre-8.3 is now double NAT in 8.3 and later (policy-based NAT).
I would do the following:
object net any
 subnet 0.0.0.0 0.0.0.0
object net Web-Server-Trans
 host x.x.x.x
object net Web-Server-Orig
 host 10.192.63.9
nat (outside,inside) source dynamic any interface dest static Web-Server-Trans Web-Server-Orig
As far as allowing when to NAT (TCP 443, ICMP), put that in the outside interface access-list.
Let me know if this works fine for you.
Regards,
Praveen

jyotirmoy11 4 years ago

Hi all,
I have an issue with NAT in an ASA 5580 firewall.
1. I have one web server in the DMZ zone of the ASA firewall with a private IP address. A web application is running on the web server, and I can access this web application with the private IP address from the web server itself, but I am not able to access the web application with the public NATed IP address (NATed in the ASA firewall) from the web server itself.
2. From the outside of the firewall the web server application is accessible with the public IP address.
I have configured static NAT in the ASA firewall as below:
static (INSIDE,OUTSIDE) 169.1.123.28 10.179.124.24 netmask 255.255.255.255
access-list test2 extended permit ip host 10.179.126.138 any
static (INSIDE,OUTSIDE) 10.179.126.138 access-list test2
Can anybody help me with this issue?
Regards,
Jyotirmoy

jbigrow 4 years ago

Hi folks,
I have a new ASA 5550 with 8.3 on it.
I don't want to NAT at all. I want the inside IPs going out. They are globally routable addresses.
Do I need to do anything to support this in routed mode on the ASA?
Thanks

Praveena Shanubhogue 4 years ago

No, by default nat-control is disabled.

-- Praveen

jbigrow 4 years ago

So it will just work as is with the ACLs for the global addresses on both sides of the firewall, i.e. internet to inside and inside to internet, since everything is a routable address? We used to use the static (inside,outside) in the older PIXes, which just mapped the routable inside to the outside.
That's great.
Thanks

Andrew Meyer 4 years ago

I'm a little confused still by the 8.4 configuration of things. Here is how I have my network set up:
Inside = 10.150.1.0 / 255.255.255.0
External = dynamic
I have an email server that I want to open up port 25 to from the outside to the inside.
Here is what I have in my code so far:
object network Email
 subnet 10.150.1.0 255.255.255.0
object network Mail_Server_WWW
 host 10.150.1.60
object service SMTP
 service tcp source eq smtp
object network smtp
 host 10.150.1.60
access-list incoming extended permit tcp any object Mail_Server_WWW eq www
nat (inside,any) source static Subnet_ASM_Local Subnet_ASM_Local destination static VPN_Remote_Subnets VPN_Remote_Subnets
!
object network obj_any-01
 nat (inside,outside) dynamic interface
object network Email
 nat (inside,outside) static interface service tcp smtp smtp
object network Mail_Server_WWW
 nat (inside,outside) static interface service tcp www www
object network smtp
 nat (outside,inside) static Email service tcp smtp smtp
What am I missing?

CSCO11979396 3 years ago


Thank you, very helpful

wangzhenzhen 3 years ago


Thanks for your nice doc!

WEERAKOO69BA 3 years ago

Hi, it's nice.
That means this is the way we have to configure NAT for 8.3 and above? Pre-8.3 commands will not be accepted for the same? Hope I am correct.
Thanks

David White 3 years ago

Yes, that is correct.



darshan288shah 3 years ago

Hi,
I am using an ASA 5505 with version 8.3(2) and having a problem with the NAT configuration.
inside IP - 192.168.1.1/255.255.255.0
outside IP - 10.127.225.10/255.255.255.0
We have TCP 10042 as the service port through which we are passing data from the inside network to the outside network.
We have the Client_Server as 10.127.226.21/24
and our DataServer as 192.168.1.3/24.
We want to send the data from the DataServer to the Client_Server through port no. 10042.
We did the following settings in the ASA through ASDM but are facing the problem that no NATing actually takes place.
object network Client_Server
 host 10.127.226.21
object network DataServer
 host 192.168.1.3
object service TCP_10042
 service tcp source range 1 65535 destination eq 10042
object network Firewall_Outside
 host 10.127.225.10
object network DataServer(192.168.1.3)
 nat (inside, outside) static interface service tcp 10042 10042
object network Firewall_outside (10.127.225.10)
 nat (outside, inside) static DataServer(192.168.1.3) service tcp 10042 10042
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list outside_access_in extended permit tcp any any
access-list outside_access_in extended permit ip any any
access-group inside_access_in in interface inside
access-group inside_access_out out interface inside
access-group outside_access_in in interface outside
access-group global_access global

But still we are getting a problem with the NAT rules.
Also, when we tried with the Packet Transfer checkpoint, we found "Access List - denied due to Implicit rule".
Please help with how we have to transfer data through the firewall.

Jouni Forss 3 years ago

Hi Darshan Shah,
Please post this question in the Discussion area of the CSC and not in a document.
You will find the Firewall section of the forums here:
https://supportforums.cisco.com/community/netpro/security/firewall?view=discussions
- Jouni

petr.hofmann 3 years ago

Hello guys,
I am trying to use your NAT conversion table, but I can't solve it. Can anyone please help me? My old config is the following:
access-list outside_1_cryptomap extended permit ip 192.168.1.0 255.255.255.0 any
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 host 192.168.0.0
access-list 101 extended permit icmp any any echo
access-list 101 extended permit icmp any any echo-reply
access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
access-list outside_1_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound_1
nat (inside) 101 0.0.0.0 0.0.0.0
access-group 101 in interface outside

Jouni Forss 3 years ago

Hi Petr,
As in the previous reply above, I would suggest that you also post this question in the Discussions section rather than in this document.
https://supportforums.cisco.com/community/netpro/security/firewall?view=discussions
- Jouni

David White 3 years ago

Hi Petr,
You only have two NAT rules:
1) nat (inside) 0 access-list inside_nat0_outbound_1
Which says: Do not NAT traffic matching access-list inside_nat0_outbound_1, which is:
access-list inside_nat0_outbound_1 extended permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0
This translates into the following NAT rule:
object network ServerReal
 subnet 192.168.1.0 255.255.255.0
object network RemoteSite
 subnet 192.168.0.0 255.255.255.0
nat (inside,outside) source static ServerReal ServerReal destination static RemoteSite RemoteSite

2) global (outside) 101 interface
nat (inside) 101 0.0.0.0 0.0.0.0
Which says, "PAT all inside traffic to the outside interface IP address".
This will be changed to the following:
object network any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

Hope this helps!
David.

odysiuos117 3 years ago

Could someone describe a static NAT in PLAIN ENGLISH for me?
For instance, allowing external access to an internal web server (10.1.1.6):
object network obj-WEB-SVR
 host 10.1.1.6
 nat (inside,outside) static 192.168.100.100
What does the statement say?
THX

Praveena Shanubhogue 3 years ago

The statement says that there is a Web-Server at 10.1.1.6 on the "inside" and it is statically being translated to 192.168.100.100 on the "outside"

odysiuos117 3 years ago

In this case the outside user is supposed to initiate the request to the inside web server, not vice versa.
Will that still work?

Praveena Shanubhogue 3 years ago

This is a bi-directional NAT statement. So yes, an outside user can initiate a connection request to 192.168.100.100, which will then get untranslated to 10.1.1.6 on the inside interface.
PS: We need to allow access to the real IP address in the access-list on the outside interface, i.e. "permit <protocol> any host 10.1.1.6".

odysiuos117 3 years ago

Obvious, thank you!



sandman42 3 years ago

One question:
I have an 8.2 NAT that says:
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
This should translate in 8.4.1 to:
object network OBJ_GENERIC_ALL
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic OBJ_GENERIC_ALL
but this gives me an error with the caret pointing to the "d" of "dynamic".
What's wrong?

Praveena Shanubhogue 3 years ago

I see a problem with the statement:
nat (inside,outside) dynamic OBJ_GENERIC_ALL
An IP-address/network-based object should follow the 'dynamic' keyword.
In your case, I see the statement should have been:
object network OBJ_GENERIC_ALL
 nat (inside,outside) dynamic interface

sandman42 3 years ago

I've added a
nat (inside,outside) after-auto source dynamic any interface
and now it works.
Thanks anyway.

Mahesh Deshpande 3 years ago

Well, thank you Mr. Poonguzhali Sankar.
It has helped me a lot.

vijay1926 3 years ago

I've been having thoughts about this for a while. We know that PAT uses TCP/UDP port numbers to distinguish between inside hosts via a mapping table for private IPs, internal/external ports and all that stuff; all of this happens so that the return packets from outside (despite having the same destination IP) will be remapped and reach the correct inside host.
Now how can ping/ICMP replies route back to the inside, when we know ICMP is not at the TCP/UDP level, so it does NOT use port numbers at all? Any idea? Maybe I'm missing something.
Practically, I'm behind PAT and I can always ping outside.

David White 3 years ago

Hi Vijay,
The ICMP ID can be used to associate inside Requests with Responses across PAT translations.
Sincerely,
David.

moyeed.faraaz1 2 years ago

The IP address accessed from the outside on the DMZ has to be a public address, isn't it?

Ramakrishnan V 2 years ago

I have a question on 8.3 static PAT.
I correctly translated the destination as said in the table column, though it does not work; I presume that we need to say in the object the protocol and service. If you endorse my point, please correct the same in the tabular column.
ASA(config)# sh cap capin
2 packets captured
1: 11:32:02.950054 10.0.0.10.13493 > 1.1.1.2.2300: S 565689259:565689259(0) win 4128 <mss 536>
2: 11:32:02.973078 1.1.1.2.2300 > 10.0.0.10.13493: R 1813852826:1813852826(0) ack 565689260 win 0
2 packets shown
ASA(config)# sh cap capout
2 packets captured
1: 11:32:02.950252 10.0.0.10.13493 > 1.1.1.2.2300: S 1349629680:1349629680(0) win 4128 <mss 536>
2: 11:32:02.973002 1.1.1.2.2300 > 10.0.0.10.13493: R 0:0(0) ack 1349629681 win 0
2 packets shown
ASA(config)# sh nat
Auto NAT Policies (Section 2)
1 (INSIDE) to (OUTSIDE) source static MYR1 192.168.1.100 service tcp 2300 telnet
translate_hits = 0, untranslate_hits = 0

yaheeeee123 2 years ago

Dear Magnus Mortensen,

I have the original NAT configuration in a router as below (Part 1).
And I would like to migrate this NAT configuration to an ASA (Part 2).
Could you please tell me if the below ASA commands are correct?
Million thanks.

Part 1 - Router#
ip access-list extended NATUSERS
 permit ip 1.1.1.0 0.0.0.255 2.2.2.0 0.0.0.255
 permit ip 1.1.2.0 0.0.0.255 2.2.2.0 0.0.0.255
 permit ip 1.1.3.0 0.0.0.255 2.2.2.0 0.0.0.255
ip nat pool NATPool 3.3.3.1 3.3.3.254 netmask 255.255.255.0
ip nat inside source list NATUSERS pool NATPool overload

Part 2 - ASA (Version 8.3)#
object network Src-1
 subnet 1.1.1.0 255.255.255.0
object network Src-2
 subnet 1.1.2.0 255.255.255.0
object network Src-3
 subnet 1.1.3.0 255.255.255.0
object network Src-Trans
 range 3.3.3.1 3.3.3.254
object network Dest-2.2.2.0
 subnet 2.2.2.0 255.255.255.0
object-group network Src-123
 network-object object Src-1
 network-object object Src-2
 network-object object Src-3
nat (inside,outside) source dynamic Src-123 Src-Trans destination static Dest-2.2.2.0 Dest-2.2.2.0

Million thanks.

Regards,
Don

expertadvisor20151 about a year ago

To scale the performance of firewalls and to provide high reliability, Cisco has a new feature called ITD. Please see the ITD (Intelligent Traffic Director) white paper.

ITD Provides CAPEX and OPEX Savings for Customers

ITD (Intelligent Traffic Director) is a hardware-based multi-Tbps Layer 4 load-balancing, traffic steering and clustering solution on the Nexus 5K/6K/7K series of switches. It supports IP stickiness, resiliency, NAT (EFT), VIP, health monitoring, sophisticated failure handling policies, N+M redundancy, IPv4, IPv6, VRF, weighted load-balancing, bi-directional flow coherency, and IP SLA probes including DNS.

thomas.a about a year ago

I have a pre-8.3 NAT question. How would this config look in ASA 9.1(6)?
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 lan 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 vpn 255.255.255.0
static (inside,outside) tcp interface 55530 192.168.100.250 55530 netmask 255.255.255.255
static (inside,outside) tcp interface 55531 192.168.100.250 55531 netmask 255.255.255.255
static (inside,outside) tcp interface 55532 192.168.100.250 55532 netmask 255.255.255.255
static (inside,outside) tcp interface 55533 192.168.100.250 55533 netmask 255.255.255.255
static (inside,outside) tcp interface 55534 192.168.100.250 55534 netmask 255.255.255.255
static (inside,outside) tcp interface 55535 192.168.100.250 55535 netmask 255.255.255.255
static (inside,outside) udp interface 55530 192.168.100.250 55530 netmask 255.255.255.255
static (inside,outside) udp interface 55531 192.168.100.250 55531 netmask 255.255.255.255
static (inside,outside) udp interface 55532 192.168.100.250 55532 netmask 255.255.255.255
static (inside,outside) udp interface 55533 192.168.100.250 55533 netmask 255.255.255.255
static (inside,outside) udp interface 55534 192.168.100.250 55534 netmask 255.255.255.255
static (inside,outside) udp interface 55535 192.168.100.250 55535 netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.100.7 smtp netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.100.7 www netmask 255.255.255.255
static (inside,outside) tcp interface 987 192.168.100.7 987 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.100.7 https netmask 255.255.255.255
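As an added worked example (not from the document and not posted by anyone in the thread), the 8.3+ object-NAT and twice-NAT shape of the pre-8.3 config quoted above. The post does not show what the names nonat, lan and vpn resolve to, so LAN-SUBNET, REMOTE-SUBNET and VPN-SUBNET are placeholders, and only the first of the port-forwarding lines is written out in full.

```cisco
! Added 8.3+ equivalent of the pre-8.3 config above (not from the document or the
! thread). LAN-SUBNET, REMOTE-SUBNET and VPN-SUBNET are placeholders for the
! addresses behind the names nonat, lan and vpn, which the post does not show.

! nat (inside) 0 access-list nonat  ->  identity twice NAT. Section 1 rules are
! checked before any object NAT, so this wins over the interface PAT below
! regardless of line order.
object network obj-lan
 subnet LAN-SUBNET 255.255.255.0
object network obj-remote
 subnet REMOTE-SUBNET 255.255.255.0
nat (inside,outside) source static obj-lan obj-lan destination static obj-remote obj-remote

! nat (inside) 1 0.0.0.0 0.0.0.0 + global (outside) 1 interface  ->  interface PAT
! (the separate "nat (inside) 1 lan" line is covered by this catch-all)
object network obj-any
 subnet 0.0.0.0 0.0.0.0
 nat (inside,outside) dynamic interface

! nat (outside) 1 vpn + global (outside) 1 interface  ->  hairpin PAT for VPN
! clients; needs "same-security-traffic permit intra-interface", as pre-8.3 did
object network obj-vpn
 subnet VPN-SUBNET 255.255.255.0
 nat (outside,outside) dynamic interface

! static (inside,outside) tcp interface 55530 192.168.100.250 55530 netmask ...
! -> static PAT on the interface address. A network object carries only one nat
!    line, so each real host/protocol/port pair gets its own object; the tcp
!    lines for 55531-55535 and the udp lines repeat this shape with the port and
!    protocol changed.
object network obj-192.168.100.250-tcp-55530
 host 192.168.100.250
 nat (inside,outside) static interface service tcp 55530 55530
object network obj-192.168.100.250-udp-55530
 host 192.168.100.250
 nat (inside,outside) static interface service udp 55530 55530

! static (inside,outside) tcp interface smtp 192.168.100.7 smtp ... (www, 987, https alike)
object network obj-192.168.100.7-smtp
 host 192.168.100.7
 nat (inside,outside) static interface service tcp smtp smtp
object network obj-192.168.100.7-www
 host 192.168.100.7
 nat (inside,outside) static interface service tcp www www
object network obj-192.168.100.7-987
 host 192.168.100.7
 nat (inside,outside) static interface service tcp 987 987
object network obj-192.168.100.7-https
 host 192.168.100.7
 nat (inside,outside) static interface service tcp https https
```

Within section 2 the static rules are evaluated before the dynamic interface PAT, so the forwarded ports on the interface address are not shadowed by obj-any.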

Vibhor Amrodia about a year ago

Hi Thomas,
Would you be able to open a separate post for your query?
Thanks and Regards,
Vibhor Amrodia

thomas.a about a year ago


I have posted a unique discussion on Cisco Support Community with the title "Pre-8.3 NAT to 8.3+ NAT configuration on ASA 5505".

pravinpatil17 12 months ago


Hi,
Many thanks for this post. I have a question: how do I configure Twice NAT with both source IP, dest IP and source port, dest port change in a pre-8.3 version? I have ASA version 8.2.
Please assist with the same example as below. Many thanks for this post.
Twice NAT with both source IP, Dest IP and Source port, Dest port change.
On the inside:
Source IP: 10.30.97.129
Dest IP: 10.30.97.200
Source port: 5300
Dest port: any port

On the outside:
Source IP: Interface IP
Dest IP: 172.16.1.10
Source port: 5300
Dest port: 1022

Alex Mac 5 months ago


Hi everybody,
that's a wonderful doc, thanks. I have just one question for the section NAT & Interface PAT with additional PAT together.
Before that, just a quick review of the pre-8.3 rules to be sure I understand them: in short, any connection from the net 10.0.0.0/8 leaving the interface outside is first NAT'ed (source and dest port are kept) with an IP addr in the range 192.168.100.1-192.168.100.200; then the source address of the 201st connection will be NAT'ed using the interface IP address and the src port of course will be changed. Then, when all the ports of the address of the outside interface are taken, src-port translation will be done by using the IP address 192.168.100.210 (again the original src port will be changed). I think the order of global statements is important and hence
global (outside) 1 192.168.100.1-192.168.100.200
global (outside) 1 192.168.100.210
global (outside) 1 interface
will do the same, but the PAT will be done first by using 192.168.100.210 and then by using the outside interface's address.

Now my questions:
the object
object network obj-10.0.0.0
subnet 10.0.0.0 255.0.0.0
is defined but not used anywhere in the subsequent statements of the same section for 8.3 version and later. In the 8.3 rules I'm missing how the address of the outside interface will be used to do PAT and how the NAT statement is restricted to the network 10.0.0.0/8.
Is it really necessary to define it, or do any of the subsequent statements fail to use it? And if it is not necessary, how do the post-8.3 rules accomplish the NAT goal of the pre-8.3 rules written in the left column?
Could somebody help here please?
Thanks, Alex
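For the dynamic NAT with PAT fallback pattern Alex walks through, an added 8.3+ form (written here, not the document's own rules for that section, which the thread does not reproduce). It assumes the fallback order of the second pre-8.3 variant he lists, 192.168.100.210 first and the outside interface address last, and it is where obj-10.0.0.0 gets consumed.

```cisco
! Added example, not the document's own 8.3 rules for this section.
! Real addresses are 10.0.0.0/8; the nat line lives under that object, which is
! how the rule is restricted to that network.
object network obj-192.168.100.1-200
 range 192.168.100.1 192.168.100.200
object network obj-192.168.100.210
 host 192.168.100.210
! Mapped group: the range entry is used for dynamic NAT (ports preserved); once
! it is exhausted the host entry is used for PAT.
object-group network nat-pool-with-pat
 network-object object obj-192.168.100.1-200
 network-object object obj-192.168.100.210
! The trailing "interface" keyword adds the outside interface address as the
! final PAT fallback after the pool and the PAT host are both exhausted.
object network obj-10.0.0.0
 subnet 10.0.0.0 255.0.0.0
 nat (inside,outside) dynamic nat-pool-with-pat interface
```

To get the interface address used before 192.168.100.210 instead (the first pre-8.3 ordering Alex describes), the host entry would have to be dropped from the group, since the interface keyword is always the last resort.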

This Document
Posted May 12, 2010 at 9:06 AM
Updated March 21, 2014 at 1:29 PM
By Magnus Mortensen
Tags: nat, pat, upgrade, firewall, asa, tac, asa_8.3