NAT configuration is something that always draws a lot of attention. NAT can perform many different functions in many different configurations, so it can be complex to understand at first. That said, I think it is probably more important to understand NAT than any other function on the ASAs: if you don't fully understand the concept, you can get yourself into a lot of trouble very fast. So let's get right into it and look at a couple of scenarios and examples. In this post I'm going to cover the most common NAT configurations. In upcoming posts we'll talk about NAT with a DMZ and policy NAT.
The standard 5505 overload
I call this the 'standard' because it's pretty typical to see on a 5505. The client usually has one external IP and a single internal subnet behind it, with a couple of services that need to get out to the Internet. Nothing too special here.
ASA(config)# global (outside) 1 interface
ASA(config)# nat (inside) 1 0.0.0.0 0.0.0.0
So, what does this mean? Let's break it down.
The Global Command
global – Defines a global address pool on an interface. The pool can be a range of addresses (dynamic NAT) or a single IP that is overloaded with PAT.
(outside) – The item in parentheses is the interface the pool is defined on; in this case, the outside interface. Traffic leaving through this interface is translated to addresses from the pool.
1 – The ID of the pool. This is matched against the NAT ID in the corresponding nat statement.
interface – The interface keyword specifies that PAT is performed using the IP address configured on the interface itself. PAT (also referred to as overload) uses a single external IP address for all of the clients in the NAT pool, telling their connections apart by rewriting the source port. To keep the terminology straight: NAT usually means a pool of addresses mapped one-to-one, and PAT usually means one external address shared by many hosts.
The Nat command
nat – The nat command associates a network on an interface with a pool of global addresses.
(inside) – The item in parentheses is the interface on which the network to be translated lives; in this case, the inside interface.
1 – The NAT ID, which pairs the global and nat statements together. In other words, global pool 1 will be used for NAT network 1.
0.0.0.0 0.0.0.0 – Network and mask meaning all networks (the ASA also accepts the shorthand 'nat (inside) 1 0 0'). If only a single internal subnet requires translation, this could just as easily read '192.168.127.0 255.255.255.0'.
Summary
This configuration PATs all internal traffic heading out to the public network onto the single IP address assigned to the outside interface.
Defining an actual NAT pool
Let's take the same scenario as above but define a real pool of IPs for inside clients to be translated to.
ASA(config)# global (outside) 1 <Begin Range>-<End Range>
ASA(config)# nat (inside) 1 0.0.0.0 0.0.0.0
This configuration is exactly the same as above, except that we defined a range of IPs for NAT to use. In this scenario, each user heading out to the public network is mapped one-to-one to an IP from the range (first come, first served) rather than everyone sharing the same IP in an overloaded configuration. The addresses in the range must be reachable via the outside interface: either they are part of the outside subnet (the ASA answers ARP for global addresses on a connected subnet) or your provider routes the block to the ASA.
Putting them together.
We've reviewed two options for basic NAT at this point: one using NAT overload and one defining a NAT pool. These are the classic NAT/PAT examples, and each works well in the right scenario. However, option 2 has a gotcha attached to it. Let's say you have 30 users and 20 IPs defined in your NAT pool. What happens when the 21st user makes a connection that needs translation? It fails. Since you are out of addresses, there isn't one for that user, and the ASA drops the connection. Worse, a pool address is not handed back until that host's translation ages out (the xlate timeout, three hours by default), so the pool stays full long after the original user has gone idle. The best practice is to define a single PAT address in addition to the range of IPs. That way, if the NAT pool fills up, subsequent users fall back to PAT. An example is shown below.
ASA(config)# global (outside) 1 <Begin Range>-<End Range - 1>
ASA(config)# global (outside) 1 <End Range>
ASA(config)# nat (inside) 1 0.0.0.0 0.0.0.0
The ASA will use up the range definitions before moving to PAT on the single IP. So here we took the last IP of the block and defined it for PAT in case our NAT range becomes oversubscribed. Seeing as the ASA can PAT roughly 64,000 sessions through a single external IP, one PAT statement is usually enough. If you wish, a second PAT address can be defined, and the two are used in order.
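Here is the combined pool-plus-PAT scenario as a complete pre-8.3 configuration for a 5505. This is an added example, not a configuration from the original post, and the addresses are assumptions: 203.0.113.0/29 stands in for the block the ISP assigned (.1 the provider's gateway, .2 the outside interface, .3 to .5 the dynamic NAT pool, .6 the PAT address), and 192.168.127.0/24 is the inside subnet used earlier in the post. The VLAN-based interface layout is how the 5505 is configured; larger ASAs use routed physical interfaces instead.

```cisco
! Added example (not from the original post): 8.2-style NAT with a dynamic pool
! and a PAT fallback address. All addresses below are assumptions.
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.127.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
! Dynamic NAT pool: .3, .4 and .5 are handed out one-to-one, first come first served.
! The ASA answers ARP for these on the outside segment because they sit in the
! outside subnet; if the block were routed to us instead, the netmask is still required.
global (outside) 1 203.0.113.3-203.0.113.5 netmask 255.255.255.248
!
! PAT fallback: once all three pool addresses are held by active translations,
! further inside hosts are overloaded onto .6. "global (outside) 1 interface"
! would work equally well here and would reuse .2 instead of consuming .6.
global (outside) 1 203.0.113.6 netmask 255.255.255.248
!
! Every inside host is eligible for translation through pool ID 1.
nat (inside) 1 0.0.0.0 0.0.0.0
!
! Default route toward the assumed provider gateway.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

To confirm which path a host took, use 'show xlate': one-to-one entries print as 'Global 203.0.113.3 Local 192.168.127.10', while overloaded ones print as 'PAT Global 203.0.113.6(1024) Local 192.168.127.13(49321)', so the moment hosts spill over into PAT is visible. Two operational caveats: existing translations survive changes to the global and nat statements until you issue 'clear xlate', and on 7.0 and later code nat-control is disabled by default, which means an inside host that matches no nat statement still passes to the outside untranslated rather than being dropped; enable 'nat-control' if you want the firewall to refuse traffic with no matching translation rule.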
Summary
In this post we took a look at what I would call 'basic NAT/PAT'. The idea of this post was to get you familiar with the building blocks of NAT and to see a couple of common implementations. In the next couple of posts we'll talk about policy NAT and NAT configuration with a DMZ interface.
This is actually now incorrect for changes in 8.3 – there is new NAT syntax (described as Network Object NAT and Twice NAT). For Cisco’s changes you can find them in the ASA 8.3 CLI Guide:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/config.html
And some others have written about it as well:
http://www.fir3net.com/Firewalls/Cisco-ASA/how-to-configure-nat-of-asa-83.html
Great blog! 🙂
Yep, I just haven't gotten 8.3 loaded yet. When I do, I'll talk about that a bit as well. The new NAT config looks interesting.