Manual Nat (twice Nat) Answers

There seem to be a large number of the subject queries in one form or another. Having acquired an ASA 5505 and using 8.43 firmware and the ASDM GUI for router configuration, it has not been an easy transition from other products. I have come to understand embedded NAT objects for basic port forwarding but am at a loss on configuring twice NAT or manual NAT, not really ever having dealt with it before, or in this manner.

What I would like to suggest to the experts and to those with the ability to give advice to document editors is to include far more ASDM web GUI examples and discussion for manual NAT. The tools are all there: in the NAT rules editing page, the display of the rules pictorially and the packet flow at the bottom of the page (and finally through packet tracing). What is needed is more on the actual entries on the NAT editing pages and the logic and explanation of those entries. In this forum what I would like to see is that when there are responses they include both the recommended CLI entries AND the associated ASDM web GUI pics. With good documents for reading and examples in the forum, I think there should be much less confusion, allowing more attention to some very complex scenarios. I personally feel a bit embarrassed to be asking basic questions and appreciate the responses, but with improvements in docs and forum answers the number of such questions should drop. At the very least I and others like me will get better edumecated. To be clear, I am not looking for the easy cookie cutter right answers, I am looking to understand Cisco packet routing through explanations of the web GUI entries. In fact, I am learning far more by trying to understand the web GUI versus simply copying and entering CLI commands. In terms of documents, for example, there should be a very thorough explanation of the relationship between "Translated Addr:" in the first NAT editing page and "Destination Interface" in the second Advanced page.
Thanks.
Examples below of what I am talking about (note the examples are simple embedded NAT object (port forwarding) rules). I can finally handle external users requiring access to internal servers. :-) But that is just the surface.
I have added the packet tracing JPEGs for further context. There is an UN-NAT lookup entry (first trace block, out of view on the pic), a concept which is missing in the documentation I've read and needs to be added, but it is illuminating in how the router handles traffic. What is also interesting is the fourth JPEG, which also shows the flow designation of a packet and its handling internally (new packet, or one that is associated with an existing packet previously identified and put in an appropriate table, xlate etc.).

Hi,
I've personally always preferred using CLI over GUI. Probably comes from the fact that I started with old Cisco switches and routers.
When I first used a Cisco PIX the switch from switches/routers was a bit hard. The configuration format in 6.x was totally different from IOS. After I upgraded the first PIX to software 7.0 it was a bit more familiar already. Interfaces were now configured like in the switches and routers. Also, permitting traffic through the device used access-lists.
I was just beginning to handle all the different NAT setups (at least the ones we run into) and then came 8.3 (and 8.4), which totally changed the NAT configuration format.
I still find myself configuring the NAT through CLI. I use the CLI because I like being able to see the whole device configuration without jumping from tab to tab and clicking drop-down menus. I mostly use ASDM to edit existing configurations or something that I might not be as familiar with. Though my goal usually is to learn to configure the same from the CLI after I've done it a couple of times from the GUI interface.
If you're only using the ASDM GUI to configure the ASA, I suggest you go to "Tools -> Preferences" and from there enable the option "Preview commands before sending them to the device". This will basically show you all configurations that you are going to apply in the CLI format. I think this preview setting is off by default.
EDIT2: One really helpful thing is also the fact that you can get help for almost every configuration page on the ASDM GUI. I think there's almost always a direct "Help" button that opens information about the configuration page in question and clarifies all the options you have on the page. Again, as I haven't used ASDM much, I don't know if they clarify the things you are asking for.
The first 2 pictures, to my understanding, illustrate the configuration of a port forwarding using the "outside" interface's address.
The first picture's Translated Address just refers to the fact that you are going to use the "outside" interface's IP address (whatever it might be) to configure a NAT. The ASDM has a habit of giving names to IP addresses, which can confuse you. The same line might as well contain an IP address in numeric format if you, for example, had a small public subnet at your disposal for NAT translations.
The second picture's source/destination interface just basically tells you the interfaces between which the NAT is being performed. Either of these can also be specified as "any".
I'll give you a couple of examples
EXAMPLE 1
The below configuration basically tells the ASA that it will PAT all outbound (outside) traffic from the source networks defined in the object-group to the outside interface address. It also tells it that the source interface can be any interface on the ASA.
So basically, if you keep adding interfaces to an ASA (or networks behind them) that need default PAT translations when they use the Internet, you can just keep adding "network-object x.x.x.x y.y.y.y" statements with the new networks under the object-group and the ASA will do PAT for them. You won't have to configure any additional NAT statements.
object-group network DEFAULT-PAT-SOURCE-NETWORKS
description Source Networks for PAT
network-object 10.10.10.0 255.255.255.0
network-object 192.168.0.0 255.255.255.0
network-object 172.16.8.0 255.255.255.0
nat (any,outside) after-auto source dynamic DEFAULT-PAT-SOURCE-NETWORKS interface
EXAMPLE 2
The below configuration basically tells the ASA that the DMZ server will be visible to hosts behind the other ASA interfaces with the same NAT IP of "1.2.3.4". This could apply to situations where you want to access the DMZ server with the same public IP address from both the Internet and the LAN.
This could help with situations where your LAN uses public DNS and that DNS points to the server's public IP address. With this NAT configuration, even though your LAN hosts are connecting to a public IP address, the device will still be accessible from the LAN since you're NATing the DMZ server towards all interfaces.
object-network DMZ-PUBLIC-STATIC
description Static Public IP for DMZ server
host 192.168.10.10
nat (dmz,any) static 1.2.3.4 dns
The UN-NAT section, to my understanding, just tells you that a connection coming from outside to a NAT IP is basically forwarded to the actual LAN host IP address and not the public IP the user was originally connecting to.
To be honest I don't really know how to configure well with the ASDM as I usually just use the CLI. Because of that I'm sometimes at a loss on how to configure the most simple things because I've only done them on the CLI.
Hope some of this was helpful to you.
EDIT: Didn't realize I wrote so much.
- Jouni

Similar Messages

  • Auto nat vs manual nat

    Somehow I have ended up with multiple network objects for the same network, for example
    obj-192.168.1.0
    obj-192.168.1.0-1
    obj-192.168.1.0-2
    All are for the same network but have different NAT statements. When I look at my NAT statements I have a bunch of manual NAT and Network Object NAT rules. I'm pretty confused on the two. Should I just have one auto NAT statement for each object? Then if I need another NAT statement for the same network make it a manual NAT?

    Would I be correct to presume you have updated/upgraded the ASA software from pre-8.3 to post-8.3 by letting the ASA convert the configuration by itself and not actually writing the configurations yourself?
    If that is true then it would seem to me that these configurations might be the 8.3 (and later) software's way of doing Identity NAT between your local ASA interfaces. (Which can also be done with Twice NAT / Manual NAT.)
    I would, for example, guess that the following configuration
    object network obj-172.16.0.0-05
    subnet 172.16.0.0 255.254.0.0
    nat (inside,TM) static 172.16.0.0
    Before was this
    static (inside,TM) 172.16.0.0 172.16.0.0 netmask 255.254.0.0
    In the new software 8.3+, if you have local LAN and DMZ interfaces on the ASA which don't require NAT between them, you can simply leave out the NAT configurations. So if your purpose is to enable communication between local interfaces without modifying the source or destination address then I would leave out all those NAT configurations.
    In the very basic setups you only really need to perform NAT between the local and public interfaces. The new ASA software doesn't have any "nat-control" anymore. If there is no NAT rule for the traffic incoming to the ASA then the ASA will simply pass it along without NAT.
    - Jouni

  • Identifying Manual NAT in ASDM

    Hi Everyone,
    Below is the screenshot from the Cisco Learning website for the ASA practice test.
    The correct answer is Manual NAT policies.
    Need to know what I should look for in ASDM that will tell me it is Manual NAT?
    Regards
    Mahesh

    It is manual because the screenshot shows that there are no Network Object NAT rules. So the displayed NAT rule is of type #3 in the list below.
    In ASA 8.3 or later there are 3 types of NAT rules you can add:
    1. Manual NAT before Network-object NAT
    2. Network-Object NAT (network-object NAT is also known as AutoNAT)
    3. Manual NAT after Network-object NAT.
    If you looked at the cli, it would have the keyword "after-auto" in the NAT rule.

  • Example of Manual NAT to implement NAT exemption

    Hi Everyone,
    Below is from the Cisco Learning Network site.
    Referring to the Cisco ASA NAT configuration below
    object network one
      subnet 10.1.1.0 255.255.255.0
    object network two
      subnet 192.168.1.0 255.255.255.0
    nat (inside,outside) source static one one destination static two two
    Need to understand how the answer below is correct?
    This is an example of Cisco ASA 8.3 manual NAT to implement NAT exemption.
    Regards
    Mahesh

    Hi Mahesh,
    Yes, the above configuration achieves a NAT0 type configuration in the new 8.3+ ASA software.
    In the 8.2 and older software we used an ACL to tell the ASA between which networks there should be no translation of the source address.
    The above configuration could correspond to the following on the 8.2 software
    access-list INSIDE-NAT0 permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
    nat (inside) 0 access-list INSIDE-NAT0
    And as you have already mentioned the 8.3+ format is
    object network one
      subnet 10.1.1.0 255.255.255.0
    object network two
      subnet 192.168.1.0 255.255.255.0
    nat (inside,outside) source static one one destination static two two
    In the new format you see the same things as you saw in the older format using an ACL. It tells between which interfaces this NAT applies. It also tells between which source and destination networks this applies.
    Now let's look at the above "nat" statement in all of its parts
    nat = Is the actual command which starts the NAT configuration, whatever NAT you were configuring
    inside = Is the source interface for the NAT, as it's mentioned first
    outside = Is the destination interface for the NAT, as it's mentioned second
    source = Simply specifies that the source parameters for this NAT configuration will follow
    static = Defines that we're doing a Static type of NAT
    one = Defines the real source network
    one = Defines the mapped source network
    destination = Simply specifies that the destination parameters for this NAT configuration will follow
    static = Defines that the destination is static. It can only be static
    two = Defines the mapped destination network
    two = Defines the real destination network
    And the key things to notice from the configuration.
    Both source and destination real and mapped networks are the same. This means that the source network and destination network should stay unchanged. So in essence we are doing NAT0.
    When we add the "destination static" this automatically means that the NAT will only be applied when the destination of the traffic is this network. This naturally applies in the reverse direction since the rule is bidirectional.
    I am not really sure if I explained the above in the best way I could. Hope it makes sense.
    - Jouni

  • Moving Manual NAT to section 3 (after auto nat)

    Hi All,
    We have 3 sections of NAT
    1> Manual NAT
    2> Auto NAT
    3> Manual NAT after Auto.
    Let's say on the ASA we config Manual and Auto NAT.
    Now the order of NAT is
    1> Manual
    2> Auto
    If I move the Manual NAT to section 3 of NAT, which is Manual NAT after Auto NAT,
    now the order of NAT is
    2> Auto
    3> Manual NAT after Auto.
    Now when I try to process Manual NAT after Auto, section number 3, it does not work as it hits Auto NAT and does not go down.
    Need to know the reason behind this?
    Regards
    Mahesh

    Also as a little side note,
    There is also difference in the ordering of the NAT configurations depending on the Section
    Section 1 and Section 3 Manual NAT rules are always gone through in the order you see them in the actual CLI configuration. So you might have 2 completely working rules, BUT if they are in the wrong order it might be that one of them is never used.
    Section 2 Auto NAT rules are processed in an order that you don't usually decide yourself. The ASA puts them in order according to how they were configured.
    So in a nutshell: you can manually set the order of the Manual NAT rules, but Auto NAT rules are ordered automatically by the ASA itself.
    You can see the current order of the Auto NAT rules with the command
    show nat
    - Jouni

  • Ipsec-manual, NAT-Traversal?

    Is there a way in IOS to enabled NAT-Traversal (ESP-UDP) for manually keyed IPsec tunnels?
    Thus far, it looks to me like IKE is required for the NAT detection.
    In Linux, I can manually create ESP-UDP SA's, I was hoping to be able to do the same in IOS.

    It allows ipsec to work through nat?
    How did your last post turn out?

  • Manual NAT to override Auto NAT

    Hi, i've an ASA with this relevant config:
    ASA Version 9.1(1)
    interface Ethernet0/0
    nameif outside
    security-level 0
    ip address 1.1.1.1 255.255.255.248
    object network obj-192.168.2.20
    host 192.168.2.20
    object network obj-1.1.1.2
    host 1.1.1.2
    access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq smtp
    access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq pop3
    access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq imap4
    access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq https
    object network obj-192.168.2.20
    nat (inside,outside) static obj-1.1.1.2
    Now I have to allow access to a web server from a specific Internet address 2.2.2.2.
    Both the web server and all other inbound access are made via a different IP address 1.1.1.2.
    I'm having some problems configuring this second item, and I need help.
    Which is the best way to overcome this problem?
    TIA
    FR

    Hello Fran,
    Not sure what you mean:
    I mean you already have the policies in place for this:
    object network obj-192.168.2.20
    nat (inside,outside) static obj-1.1.1.2
    access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq smtp
    access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq pop3
    access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq imap4
    access-list OUT_IN extended permit tcp any4 host 192.168.2.20 eq https
    Now i have to allow access to a web server from a specific Internet Address  2.2.2.2.
    Both web server and all other inbound access are made via a different IP Address 1.1.1.2
    So now a user on the outside 2.2.2.2 will be accessing your webserver,
    Is your server 192.168.2.20 and also what do you mean by
    Both web server and all other inbound access are made via a different IP Address 1.1.1.2
    For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
    Any question contact me at [email protected]
    Cheers,
    Julio Carvajal Segura

  • Importing Computer Manually Appears Twice? Since SP1

    Hi,
    I am trying to set up some new machines on the system. I have manually imported the computer and MAC address. These machines are in AD. I then PXE boot them and image with no problems.
    Since going to SP1, if I do the above, 2 of the same machines appear in SCCM. I think one is from the manual import and the other from the discovery.
    Why is it doing this please?
    Thanks

    Yes, I know this is an old post, but I’m trying to clean them up. Did you solve this problem, if so what was the solution?
    Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ

  • Dynamic PAT and Static NAT issue ASA 5515

    Hi All,
    Recently we migrated our network to an ASA 5515. Since we had configured nat pool overload on our existing router, the users are able to translate their IPs outside. Right now my issue is that when I use the existing NAT configured on our router in the firewall, it seems that the translation was not successful; actually I used Dynamic NAT. When I use the Dynamic PAT (Hide), all users are able to be translated to the said public IPs. I know that PAT is Port Address Translation, but when I use static NAT for a specific server, the Static NAT was not able to translate. Can anyone explain if there's any conflict with PAT to Static NAT? I appreciate your response. Thanks!
    - Bhal

    Hi,
    I would have to guess that your Dynamic PAT was perhaps configured as a Section 1 rule and Static NAT configured as a Section 2 rule, which would mean that the Dynamic PAT rule would always override the Static NAT for the said host.
    The very basic configuration for Static NAT and Default PAT I would do in the following way
    object network STATIC
    host
    nat (inside,outside) static dns
    object-group network DEFAULT-PAT-SOURCE
    network-object
    nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
    The Static NAT would be configured as Network Object NAT (Section 2) and the Default PAT would be configured with Twice NAT / Manual NAT ("after-auto" specifies it as a Section 3 rule).
    This might sound confusing. Though it would be easier to say what the problem is if we saw the actual NAT configuration. Though I gave the reason that I think is probably one of the most likely reasons if there is some conflict with the 2 NAT rules.
    You can also check out a NAT document I made regarding the new NAT configuration format and its operation.
    https://supportforums.cisco.com/docs/DOC-31116
    Hope this helps
    - Jouni

  • Policy NAT 8.6(1)2 Windows Server Cluster

    We have 2 email servers in a cluster on the network.  I have the cluster IP address configured for Object static NAT.  This works great for email coming into our organization.  However, when either of these 2 email servers send mail, they send using their configured IP address which is different from the cluster IP address.  Thus, the NAT'd address is different than for incoming.  It hasn't been an issue to this point, but I would like to be able to send SMTP from either server and have it NAT to the same IP used for the cluster IP.  This way, any reverse DNS lookups on the internet would show a consistent IP to name mapping for our mail servers.  I've attached a diagram.  If there is a way to force the cluster servers to use the cluster address on the Windows server side, that could be an option as well.
    Thanks,
    Andrew

    Hi,
    The actual NAT configuration used depends on how your Dynamic PAT rule for all the users of the network is configured at the moment. Mainly, is it Auto NAT or Manual NAT?
    Though naturally I can give you an example that includes both Dynamic PAT for all users and Dynamic PAT for the mail servers and the Static NAT for incoming mail.
    MAIL SERVER STATIC NAT
    object network MAIL-SERVER
    host 10.0.0.1
    nat (inside,outside) static 10.10.10.140
    The above configuration is the basic Static NAT configuration for a host using Auto NAT / Network Object NAT. It could be done with Manual NAT / Twice NAT also, but I prefer Auto NAT / Network Object NAT.
    MAIL SERVER DYNAMIC PAT
    object-group network MAIL-PAT-SOURCE
    network-object host 10.0.0.1
    network-object host 10.0.0.2
    network-object host 10.0.0.3
    object network MAIL-SERVER-PUBLIC
    host 10.10.10.140
    nat (inside,outside) after-auto source dynamic MAIL-PAT-SOURCE MAIL-SERVER-PUBLIC
    The above is a normal Dynamic PAT configuration (no Policy elements involved).
    The key thing to notice here is that we are entering this to the ASA before the next Dynamic PAT that catches all the rest of the source IP addresses. One thing to notice also is that it's a Section 3 NAT rule (the lowest priority) so that it won't override any other NAT rules like the above Static NAT.
    If you already had your existing Dynamic PAT for all users with a configuration similar to the last configuration example, then you would have to add a line number to the NAT configuration like this
    nat (inside,outside) after-auto 1 source dynamic MAIL-PAT-SOURCE MAIL-SERVER-PUBLIC
    DEFAULT DYNAMIC PAT FOR USERS
    nat (inside,outside) after-auto source dynamic any interface
    The above is just a Dynamic PAT configuration that catches all source addresses from behind the "inside" interface and does Dynamic PAT for them when connecting to networks behind "outside". As this is inserted into the configuration after the above command, it will be at a lower priority and won't apply to the 3 source hosts we specified above.
    I wonder if I made this out to be more complicated than it needs to be.
    I guess the easiest way to determine the configuration you will need/want would be to see the current NAT configuration on the ASA.
    Hope this helps
    Please do remember to mark a reply as the correct answer if it answered your question.
    Feel free to ask more if needed
    - Jouni

  • Multiple NAT to network

    I am trying to do the following on an ASA 5505 with Security Plus licensing.
    public IP ASA  private IP ASA
    199.185.3.25 <-------192.168.1.254
                      ^
                      |--------192.168.2.254
                      ^
                      |-------- 192.168.3.254
    I want the 192.168.1.0/24 and 192.168.2.0/24 to NAT to the internet.
    I can get the first subnet to work. I can get hosts on each of the two subnets to ping each other. However, if I try to ping an external site 4.2.2.2, the first subnet works, the second one does not.
    I am enclosing the running-configuration from IOS 8.4. Any insights as to what I'm missing to get the second network to be able to send and receive packets to an internet connection?
    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.01.05 21:03:36 =~=~=~=~=~=~=~=~=~=~=~=
    sh run
    : Saved
    ASA Version 8.4(6)
    hostname INFOASA01
    names
    interface Ethernet0/0
    interface Ethernet0/1
    switchport access vlan 4
    interface Ethernet0/2
    switchport access vlan 5
    interface Ethernet0/3
    switchport access vlan 2
    interface Ethernet0/4
    switchport access vlan 2
    interface Ethernet0/5
    switchport access vlan 2
    interface Ethernet0/6
    switchport access vlan 2
    interface Ethernet0/7
    switchport access vlan 2
    interface Vlan1
    nameif outside
    security-level 25
    pppoe client vpdn group PPP
    ip address pppoe setroute
    interface Vlan2
    nameif inside
    security-level 75
    ip address 192.168.1.254 255.255.255.0
    interface Vlan3
    description Wireless
    shutdown
    no nameif
    no security-level
    no ip address
    interface Vlan4
    description home-network
    nameif inside-46
    security-level 50
    ip address 192.168.3.224 255.255.255.0
    interface Vlan5
    nameif inside5
    security-level 75
    ip address 192.168.2.254 255.255.255.0
    interface Vlan98
    description VPN client
    no nameif
    security-level 90
    ip address 192.168.98.254 255.255.255.0
    interface Vlan99
    no nameif
    no security-level
    no ip address
    ftp mode passive
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network obj_25
    host 192.168.1.249
    object network obj_143
    host 192.168.1.249
    object network obj_1677
    host 192.168.1.249
    object network obj_444
    host 192.168.1.249
    object network obj_443
    host 192.168.1.246
    object network obj_22
    host 192.168.1.249
    object network obj_21
    host 192.168.1.247
    object network obj_8009
    host 192.168.1.249
    object network obj_39833
    host 192.168.1.88
    access-list smtp extended permit tcp any host 66.18.210.142 eq smtp
    access-list smtp extended permit tcp any host 192.168.1.249 eq smtp
    access-list smtp extended permit tcp any host 192.168.1.249 eq imap4
    access-list smtp extended permit tcp any host 192.168.1.249 eq 1677
    access-list smtp extended permit tcp any host 192.168.1.249 eq https
    access-list smtp extended permit tcp any host 192.168.1.246 eq https
    access-list smtp extended permit tcp any host 192.168.1.247 eq ftp
    access-list smtp extended permit tcp any host 192.168.1.249 eq ssh
    access-list smtp extended permit tcp any host 192.168.1.249 eq 8009
    access-list smtp extended permit tcp any host 192.168.1.88 eq 3389
    no pager
    logging asdm informational
    mtu outside 1460
    mtu inside 1500
    mtu inside-46 1500
    mtu inside5 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    object network obj_any
    nat (inside,outside) dynamic interface
    object network obj_25
    nat (inside,outside) static interface service tcp smtp smtp
    object network obj_143
    nat (inside,outside) static interface service tcp imap4 imap4
    object network obj_1677
    nat (inside,outside) static interface service tcp 1677 1677
    object network obj_444
    nat (inside,outside) static interface service tcp https 444
    object network obj_443
    nat (inside,outside) static interface service tcp https https
    object network obj_22
    nat (inside,outside) static interface service tcp ssh 40022
    object network obj_21
    nat (inside,outside) static interface service tcp ftp ftp
    object network obj_8009
    nat (inside,outside) static interface service tcp 8009 8009
    object network obj_39833
    nat (inside,outside) static interface service tcp 3389 39833
    access-group smtp in interface outside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    aaa authentication ssh console LOCAL
    snmp-server location Home1
    snmp-server contact network admin
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 3
    ssh 192.168.1.0 255.255.255.0 inside
    ssh timeout 15
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    vpdn group PPP request dialout pppoe
    vpdn group PPP localname **********************
    vpdn group PPP ppp authentication chap
    vpdn username *********.com password ***** store-local
    dhcpd auto_config inside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    username ***** password ******* encrypted privilege 15
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:d2e31f51f0af551900f9fb8b5dd3ea72
    : end
    INFOASA01(config)# packet-tracer input inside5 tcp 192.168.2.200 12345 4.2.2.2 12345
    Phase: 1
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 2
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 3
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 4
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 5605, packet dispatched to next module
    Result:
    input-interface: inside5
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    INFOASA01(config)#packet-tracer input inside5 tcp 192.168.1.200 12345 4.2.2.2 12345
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
    MAC Access list
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: input
    Result: ALLOW
    Config:
    Additional Information:
    in   0.0.0.0         0.0.0.0         outside
    Phase: 3
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 4
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    object network obj_any
    nat (inside,outside) dynamic interface
    Additional Information:
    Dynamic translate 192.168.1.200/12345 to 199.185.3.25/12345
    Phase: 5
    Type: IP-OPTIONS
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    Phase: 6
    Type: FLOW-CREATION
    Subtype:
    Result: ALLOW
    Config:
    Additional Information:
    New flow created with id 5633, packet dispatched to next module
    Result:
    input-interface: inside
    input-status: up
    input-line-status: up
    output-interface: outside
    output-status: up
    output-line-status: up
    Action: allow
    INFOASA01(config)# icmp    debug icmp tra
    debug icmp trace enabled at level 1
    INFOASA01(config)# ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=0 len=56
    ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=1 len=56
    ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=2 len=56
    ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=3 len=56
    ICMP echo request from inside5:192.168.2.200 to outside:4.2.2.2 ID=46593 seq=4 len=56
ICMP echo request from inside:192.168.1.88 to outside:4.2.2.2 ID=1 seq=140 len=32
    ICMP echo request translating inside:192.168.1.88 to outside:199.185.3.25
    ICMP echo reply from outside:4.2.2.2 to inside:199.185.3.25 ID=1 seq=140 len=32
    ICMP echo reply untranslating outside:199.185.3.25 to inside:192.168.1.88
    ICMP echo request from inside:192.168.1.88 to outside:4.2.2.2 ID=1 seq=141 len=32
    ICMP echo request translating inside:192.168.1.88 to outside:199.185.3.25
    ICMP echo reply from outside:4.2.2.2 to inside:199.185.3.25 ID=1 seq=141 len=32
    ICMP echo reply untranslating outside:199.185.3.25 to inside:192.168.1.88
    ICMP echo request from inside:192.168.1.88 to outside:4.2.2.2 ID=1 seq=142 len=32
    ICMP echo request translating inside:192.168.1.88 to outside:199.185.3.25
    ICMP echo reply from outside:4.2.2.2 to inside:199.185.3.25 ID=1 seq=142 len=32
    ICMP echo reply untranslating outside:199.185.3.25 to inside:192.168.1.88
    ICMP echo request from inside:192.168.1.88 to outside:4.2.2.2 ID=1 seq=143 len=32
    ICMP echo request translating inside:192.168.1.88 to outside:199.185.3.25
    ICMP echo reply from outside:4.2.2.2 to inside:199.185.3.25 ID=1 seq=143 len=32
    ICMP echo reply untranslating outside:199.185.3.25 to inside:192.168.1.88
    no debug icmp tra
    debug icmp trace disabled.
    INFOASA01(config)#
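The packet-tracer and debug output above is what you compare against the rule you think you wrote: the Phase whose Type is NAT names the object and nat line that actually matched, and the summary block at the end gives the interfaces and the final action. The parser below is an added example (not code from any post in this thread) that turns that console text into data so the check can be scripted after a NAT change. SAMPLE is a constructed, trimmed copy of the second trace above (the empty IP-OPTIONS phases 3 and 5 are left out); the functions work on a full trace pasted straight from the console.

```python
"""Parse ASA packet-tracer console output and check which NAT rule it hit.

Added example, not from the thread.  SAMPLE is a trimmed copy of the
second trace shown in the post above (phases 3 and 5 omitted).
"""

SAMPLE = """\
INFOASA01(config)#packet-tracer input inside5 tcp 192.168.1.200 12345 4.2.2.2 12345
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
nat (inside,outside) dynamic interface
Additional Information:
Dynamic translate 192.168.1.200/12345 to 199.185.3.25/12345
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 5633, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
"""


def parse_packet_tracer(text):
    """Return {"phases": [...], "summary": {...}} from packet-tracer output."""
    phases, summary = [], {}
    cur, bucket = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            cur = {"phase": int(line.split(":", 1)[1]), "config": [], "info": []}
            phases.append(cur)
            bucket = None
        elif line == "Result:":           # bare "Result:" opens the final summary block
            cur, bucket = None, None
        elif cur is None:                 # summary lines such as "input-interface: inside"
            if ":" in line:
                key, value = line.split(":", 1)
                summary[key.strip().lower()] = value.strip()
        elif line == "Config:":
            bucket = "config"
        elif line == "Additional Information:":
            bucket = "info"
        elif bucket is not None:          # free-form lines under Config:/Additional Information:
            cur[bucket].append(line)
        elif ":" in line:                 # Type:/Subtype:/Result: header lines of a phase
            key, value = line.split(":", 1)
            cur[key.strip().lower()] = value.strip()
    return {"phases": phases, "summary": summary}


def nat_phase(parsed):
    """(config lines, translation line) of the NAT phase; None if NAT was never reached."""
    for p in parsed["phases"]:
        if p.get("type") == "NAT":
            xlate = next((l for l in p["info"] if "translate" in l.lower()), "")
            return p["config"], xlate
    return None


def first_drop(parsed):
    """The phase that dropped the packet, or None when every phase allowed it."""
    return next((p for p in parsed["phases"] if p.get("result", "ALLOW") != "ALLOW"), None)


def nat_rule_hit(parsed, expected):
    """True when the NAT phase config contains `expected` (e.g. the nat line you just added)."""
    hit = nat_phase(parsed)
    return hit is not None and any(expected in line for line in hit[0])


if __name__ == "__main__":
    parsed = parse_packet_tracer(SAMPLE)
    print("action:", parsed["summary"].get("action"), "drop:", first_drop(parsed))
    print("NAT phase:", nat_phase(parsed))
    print("hit obj_any PAT:", nat_rule_hit(parsed, "nat (inside,outside) dynamic interface"))
```

The useful check after adding a manual NAT line is `nat_rule_hit(parsed, "source static ...")`: if it returns False while the trace still shows the `obj_any` dynamic rule, the new rule is either not matching the real source/destination pair you traced or is being shadowed by an earlier rule.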

    Hello Paul,
Yes, there is an order within the NAT on 8.3 and higher:
1) Manual NAT or Twice NAT
2) Object NAT (the one being used here)
3) After-Auto NAT
Inside the Object NAT the order is decided automatically by the firewall, placing the static entries and the more specific ones first.
So if you enter that command you will be translating only the subnet within the obj_any 5 from the inside5 to the outside.
    Hope I was clear hehe
    Looking for some Networking Assistance? 
    Contact me directly at [email protected]
    I will fix your problem ASAP.
    Cheers,
    Julio Carvajal Segura
    http://laguiadelnetworking.com

  • Nat (inside,outside) static 200.x.x.x

    Hi Everyone,
    Say we have webserver which has internal IP of 172.16.10.10
    If we need outside users from internet who need to access the webserver on IP say  200.x.x.x
    We can config the NAT as below also
    nat (inside,outside) static 200.x.x.x
    Regards
    Mahesh

    Hi Mahesh,
    I would usually configure a normal Static NAT as Network Object NAT
You first configure an "object network" under which you configure the source IP for the NAT configuration with the "host" command. Finally you enter the "nat" command inside/under the "object network".
    object network STATIC
    host 172.16.10.10
    nat (inside,outside) static 200.x.x.x
Depending on how the rest of the NAT configuration is built, some other NAT rule might override this, but personally I have not had problems configuring Static NAT this way.
    You also have an option to configure the NAT in the following way
    object network SERVER-REAL
    host 172.16.10.10
    object network SERVER-MAPPED
    host 200.x.x.x
    nat (inside,outside) source static SERVER-REAL SERVER-MAPPED
As you can see, the difference from the first way I mentioned is that we use Manual NAT / Twice NAT to configure this Static NAT. We create 2 "object network" entries which define the real and the mapped IP address. We then use those objects in the actual "nat" configuration.
The difference between the above 2 NAT configurations is that the Network Object NAT is at a lower priority in the ASA NAT rules compared to the above Manual NAT.
    - Jouni
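Both of the answers above come down to the same lookup order: Section 1 (manual/twice NAT) is checked first in configured order, then Section 2 (network object NAT), which the ASA sorts itself, then Section 3 (after-auto), and the first rule that matches is used. The model below is an added example, not code from any post or from Cisco; it encodes that order, plus the Section 2 sort from the ASA documentation (static before dynamic, fewer real addresses first, lower real address, then object name), and runs it against rules taken from this thread: Jouni's static object NAT, the `obj_any` dynamic PAT from the packet-tracer output, and the destination-qualified identity rule between the office and inside-ld5 subnets from Kevin's post further down. The mapped address 203.0.113.10 is a constructed TEST-NET placeholder standing in for Mahesh's 200.x.x.x, and 199.185.3.25 is the outside interface address seen in the trace.

```python
"""Toy model of ASA (8.3+) NAT rule selection.

Added example, not code from this thread or from Cisco.  Assumes the
three-section order described in the thread and the documented Section 2
sort; addresses are constructed from the thread, 203.0.113.10 is a
placeholder for the elided 200.x.x.x.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass
class NatRule:
    name: str                 # object name (Section 2) or a label (Sections 1/3)
    section: int              # 1 = manual (twice) NAT, 2 = object NAT, 3 = after-auto
    real: IPv4Network         # real (pre-translation) source addresses
    mapped: str               # mapped network, or "interface" for PAT to the egress IP
    static: bool              # static vs dynamic
    dest: Optional[IPv4Network] = None  # Sections 1/3 only: destination the rule requires
    seq: int = 0              # configured line order inside Sections 1/3


def section2_key(rule: NatRule):
    """The ASA orders object NAT itself; configuration order is irrelevant."""
    return (0 if rule.static else 1,          # static before dynamic
            rule.real.num_addresses,          # fewer real addresses first
            int(rule.real.network_address),   # then lower address
            rule.name)                        # then object name


def ordered(rules):
    """Rules in the order the ASA evaluates them (the sections of `show nat`)."""
    s1 = sorted((r for r in rules if r.section == 1), key=lambda r: r.seq)
    s2 = sorted((r for r in rules if r.section == 2), key=section2_key)
    s3 = sorted((r for r in rules if r.section == 3), key=lambda r: r.seq)
    return s1 + s2 + s3


def lookup(rules, src, dst) -> Optional[NatRule]:
    """First rule whose real source (and destination, if given) match; None = no NAT."""
    s, d = ip_address(src), ip_address(dst)
    for r in ordered(rules):
        if s in r.real and (r.dest is None or d in r.dest):
            return r          # first match wins; later sections/rules are never checked
    return None


def translate(rules, src, dst, interface_ip="199.185.3.25"):
    """Mapped source address for a packet src -> dst (interface_ip = outside address)."""
    r = lookup(rules, src, dst)
    s = ip_address(src)
    if r is None:
        return str(s)                           # no rule: routed untranslated
    if r.mapped == "interface":
        return interface_ip                     # dynamic PAT behind the egress interface
    m = ip_network(r.mapped)
    offset = int(s) - int(r.real.network_address)
    return str(m.network_address + offset)      # static: keep host offset (identity if real == mapped)


RULES = [
    # Kevin's Section 1 identity rule: only office -> inside-ld5 traffic matches it
    NatRule("office->inside-ld5", 1, ip_network("10.20.11.0/24"), "10.20.11.0/24",
            True, dest=ip_network("10.20.15.0/24"), seq=1),
    # obj_any dynamic PAT from the packet-tracer output, listed before STATIC on purpose:
    # the ASA still evaluates the static, more specific rule first
    NatRule("obj_any", 2, ip_network("0.0.0.0/0"), "interface", False),
    # Jouni's static object NAT (constructed mapped address)
    NatRule("STATIC", 2, ip_network("172.16.10.10/32"), "203.0.113.10/32", True),
]

if __name__ == "__main__":
    print("evaluation order:", [r.name for r in ordered(RULES)])
    for src, dst in [("172.16.10.10", "4.2.2.2"), ("192.168.1.88", "4.2.2.2"),
                     ("10.20.11.5", "10.20.15.7"), ("10.20.11.5", "4.2.2.2")]:
        r = lookup(RULES, src, dst)
        print(f"{src} -> {dst}: rule={r.name if r else None} "
              f"mapped_src={translate(RULES, src, dst)}")
```

The two cases worth noticing are the web server and the office subnet: 172.16.10.10 is matched by `STATIC` even though `obj_any` also covers it and was entered first, because Section 2 sorts static and more specific rules ahead; and 10.20.11.5 is identity-translated only when its destination is in 10.20.15.0/24, otherwise the Section 1 rule does not match and the packet falls through to `obj_any` PAT.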

  • Port Forwarding without nat

    Hello,
I have a setup where I need users accessing 10.6.17.10:80 or 10.6.17.80:443 to be directed to 10.6.17.10:4443.
10.6.17.10 is a server behind an interface called "application".
Requests will be coming from the "outside" interface, or I want this to work regardless of the source interface (any).
This outside interface is local, I mean source IP addresses will all be private; we're talking within the network.
    my configuration is as below:
    object network A10-Lync
     host 10.6.17.10
     nat (Application,any) static A10-Lync service tcp https 4443

    Hi Murali,
Your answer is very close, but not complete.  I'm very familiar with the NAT rule order; I didn't think that was the problem.  The actual problem is how Object NATs and Twice NATs are implemented.  I didn't realize that once a Twice NAT (manual NAT) is matched no other rules are checked. Here is the information at this link under "How source and destination NAT is implemented".  I was under the impression that Twice NATs were processed the same way Object NATs were.
So that was the problem, but what is the solution?  That is for Cisco to allow parameters in nat statements.  Otherwise we have to create 6 objects and two different nat statements in order to get this working.  If they allowed parameters for port numbers, we would only need 3 objects (like I have) and two nat statements.  The other reason why Cisco needs to allow this is how ugly a "working" statement looks.
    How to Port Forward to Hosts without a return route:
    nat (outside,inside) source dynamic any NATTED_IP_OBJECT destination static interface SERVER1_OBJ service TCP_801_OBJ TCP_80_OBJ
    Real.  Translated.
Confused?!?  You should be...  I know what I'm trying to do is a very rare objective: get packets to a few hosts that do not have a return route (or default gateway).  But I personally wrote this statement just 2 days ago and it still doesn't look right, but it works.  :) And it works without translating all source IPs on traffic to hosts that do have a return route (aka a NORMAL setup..  haha).
I hope someone finds this helpful.  It took about 40 mins to find a working statement.

  • Static NAT Question - Public to Inside ASA 9.1x

Hi All.. I'm having a hard time wrapping my head around the post-8.2 NAT statements, please help.
I have a DMZ server that has a list of ports that need to be accessible from the outside from specific IP addresses (this is a video streaming relay server).  It also needs to be able to push the stream to a specific IP address as well.  I can do identity NAT, and it'll go out and I see it's using the IP, but obviously traffic doesn't get in... I can use sample web server NATs I've found and it works for the web management port, 8088, but I can't figure out how to map multiple ports to it:
    Remote Public IP's: 77.88.99.11
    Local Public IP: 12.12.12.1
    Ports required:
    object-group service srvgp-stream-remote
     service-object tcp destination eq www
     service-object tcp destination eq https
 service-object tcp destination eq 8088
     service-object tcp destination eq 1935
     service-object udp destination range 6970 9999
     service-object udp destination range 30000 65000
     service-object udp destination eq 554
    I can get this to work:
    object network server-external-ip
     host 12.12.12.1
    object network webserver
     host 192.168.1.100
     nat (dmz,outside) static server-external-ip service tcp 8088 8088
    access-list acl-outside extended permit tcp host 77.88.99.11 object AngelEye eq 8088
But again, I have no idea how I would do such a thing with a list of required ports? I don't see that's an option in the syntax.  Additionally, would this provide an 'identity NAT' in case the server had to send info out to the public IP via these same ports, or do you require a separate identity NAT to do this to the same public IP addresses?
    Any help is greatly appreciated.

    With that many ports, you should use the public IP exclusively for the Webserver:
    object network webserver
    host 192.168.1.100
    nat (dmz,outside) static server-external-ip
    If it's not possible to use that IP only for that server, you can configure manual-nat for these ports:
    nat (dmz,outside) source static webserver server-external-ip service srvgp-stream-remote srvgp-stream-remote

  • Problems getting static NAT to work between two internal lans

Hi, I'm trying the old problem of routing between two internal LANs. This is on CLI 8.6(1)2. I have three interfaces/LANs; outside is to the internet, inside is the rack in the datacentre and office is a dedicated ethernet link to our office. What I want to do is allow all (for now) traffic between office and inside. There's a million hits on this on the 'net but I can't get it to work. Packet trace shows packets accepted from office to inside but blocked from inside to office. Both static NATs are set up identically. Here's the output of show nat after packet traces in both directions. It clearly shows that inside to office isn't hitting the NAT policy. I enclose what I think are the relevant bits of my config. Full config less passwords + crypto attached.
    Manual NAT Policies (Section 1)
    1 (office) to (inside) source static inside-office inside-office   destination static inside-ld5 inside-ld5 no-proxy-arp route-lookup
        translate_hits = 0, untranslate_hits = 3
    2 (inside) to (office) source static inside-ld5 inside-ld5   destination static inside-office inside-office no-proxy-arp route-lookup
        translate_hits = 0, untranslate_hits = 0
    interface GigabitEthernet0/0
    nameif inside-ld5
    security-level 100
    ip address 10.20.15.2 255.255.255.0
    interface GigabitEthernet0/6
    nameif office
    security-level 100
    ip address 10.20.11.9 255.255.255.0
    object network inside-ld5
    subnet 10.20.15.0 255.255.255.0
    object network inside-office
    subnet 10.20.11.0 255.255.255.0
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    nat (office,inside) source static inside-office inside-office destination static inside-ld5 inside-ld5 no-proxy-arp route-lookup
    nat (inside,office) source static inside-ld5 inside-ld5 destination static inside-office inside-office no-proxy-arp route-lookup

    Hi Kevin,
Because your interfaces inside and office are at the same security level and you have enabled same-security-traffic permit inter-interface, traffic should simply flow between these interfaces. So I think you don't need NAT between these two subnets if there is no other reason to do so.
Then you just configure an ACL which will permit the traffic you want between these LANs. In this case both networks are directly connected, so routing should work (instead of NAT).
    Best Regards,
    Jan
