Differences

This shows you the differences between two versions of the page.

--- cisco:asa_nat [2022/11/25 15:21] – created srohr
+++ cisco:asa_nat [2022/11/25 15:24] (current) – srohr
@@ Line 1: / Line 1: @@
+====== ASA NAT ======
+Regular Static NAT
+  static (inside,outside) 192.168.100.100 10.1.1.6 netmask  255.255.255.255
+  object network obj-10.1.1.6
+   host 10.1.1.6
+   nat (inside,outside) static 192.168.100.100
+Regular Static PAT
+  static (inside,outside) tcp 192.168.100.100 80 10.1.1.16 8080 netmask  255.255.255.255
+  object network obj-10.1.1.16
+   host 10.1.1.16
+   nat (inside,outside) static 192.168.100.100 service tcp 8080 www
+Regular Static PAT
+  static (inside,outside) tcp 192.168.100.100 80 10.1.1.16 8080 netmask  255.255.255.255
+  object network obj-10.1.1.16
+   host 10.1.1.16
+   nat (inside,outside) static 192.168.100.100 service tcp 8080 www
+Static Policy NAT
+  access-list NET1 permit ip host 10.1.2.27 10.76.5.0 255.255.255.224
+  static (inside,outside) 192.168.100.100 access-list NET1
+  object network obj-10.1.2.27
+   host 10.1.2.27
+  object network obj-192.168.100.100
+   host 192.168.100.100
+  object network obj-10.76.5.0
+   subnet 10.76.5.0 255.255.255.224
+   nat (inside,outside) source static obj-10.1.2.27 obj-192.168.100.100 destination static obj-10.76.5.0 obj-10.76.5.0
+Regular Dynamic PAT
+  nat (inside) 1 192.168.1.0 255.255.255.0
+  nat (dmz) 1 10.1.1.0 255.255.255.0
+  global (outside) 1 192.168.100.100
+  object network obj-192.168.1.0
+   subnet 192.168.1.0 255.255.255.0
+   nat (inside,outside) dynamic 192.168.100.100
+  object network obj-10.1.1.0
+   subnet 10.1.1.0 255.255.255.0
+   nat (dmz,outside) dynamic 192.168.100.100
+Regular Dynamic PAT
+  nat (inside) 1 10.1.2.0 255.255.255.0
+  global (outside) 1 192.168.100.100
+  global (dmz) 1 192.168.1.1
+  object network obj-10.1.2.0
+   subnet 10.1.2.0 255.255.255.0
+   nat (inside,outside) dynamic 192.168.100.100
+  object network obj-10.1.2.0-01
+   subnet 10.1.2.0 255.255.255.0
+   nat (inside,dmz) dynamic 192.168.1.1
+Regular Dynamic PAT-3
+  nat (inside) 1 0 0
+  global (outside) 1 interface
+  object network obj_any
+   subnet 0.0.0.0 0.0.0.0
+   nat (inside,outside) dynamic interface
+Dynamic Policy NAT
+  object-group network og-net-src
+   network-object 192.168.1.0 255.255.255.0
+   network-object 192.168.2.0 255.255.255.0
+  object-group network og-net-dst
+   network-object 192.168.200.0 255.255.255.0
+  object-group service og-ser-src
+   service-object tcp gt 2000
+   service-object tcp eq 1500
+  access-list NET6 extended permit object-group og-ser-src object-group og-net-src object-group og-net-dst
+  nat (inside) 10 access-list NET6
+  global (outside) 10 192.168.100.100
+  object network obj-192.168.100.100
+   host 192.168.100.100
+  object service obj-tcp-range-2001-65535
+   service tcp destination range 2001 65535
+  object service obj-tcp-eq-1500
+   service tcp destination eq 1500
+  nat (inside,outside) source dynamic og-net-src obj-192.168.100.100 destination static og-net-dst og-net-dst service obj-tcp-range-2001-65535 obj-tcp-range-2001-65535
+  nat (inside,outside) source dynamic og-net-src obj-192.168.100.100 destination static og-net-dst og-net-dst service obj-tcp-eq-1500 obj-tcp-eq-1500
+Policy Dynamic NAT (with multiple ACEs)
+  access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.1.0 255.255.255.0
+  access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.2.0 255.255.255.0
+  access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.3.0 255.255.255.0
+  access-list ACL_NAT permit ip 172.29.0.0 255.255.0.0 192.168.4.0 255.255.255.0
+  nat (inside) 1 access-list ACL_NAT
+  global (outside) 1 192.168.100.100
+  object network obj-172.29.0.0
+   subnet 172.29.0.0 255.255.0.0
+  object network obj-192.168.100.100
+   host 192.168.100.100
+  object network obj-192.168.1.0
+   subnet 192.168.1.0 255.255.255.0
+  object network obj-192.168.2.0
+   subnet 192.168.2.0 255.255.255.0
+  object network obj-192.168.3.0
+   subnet 192.168.3.0 255.255.255.0
+  object network obj-192.168.4.0
+   subnet 192.168.4.0 255.255.255.0
+  nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.1.0 obj-192.168.1.0
+  nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.2.0 obj-192.168.2.0
+  nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.3.0 obj-192.168.3.0
+  nat (inside,outside) source dynamic obj-172.29.0.0 obj-192.168.100.100 destination static obj-192.168.4.0 obj-192.168.4.0
+Outside NAT
+  global (inside) 1 10.1.2.30-1-10.1.2.40
+  nat (dmz) 1 10.1.1.0 255.255.255.0 outside
+  static (inside,dmz) 10.1.1.5 10.1.2.27 netmask 255.255.255.255
+  object network obj-10.1.2.27
+   host 10.1.2.27
+   nat (inside,dmz) static 10.1.1.5
+  object network obj-10.1.1.0
+   subnet 10.1.1.0 255.255.255.0
+   nat (dmz,inside) dynamic obj-10.1.2.30-10.1.2.40
+  object network obj-10.1.2.30-10.1.2.40
+   range 10.1.2.30 10.1.2.40
+NAT & Interface PAT together
+  nat (inside) 1 10.1.2.0 255.255.255.0
+  global (outside) 1 interface
+  global (outside) 1 192.168.100.100-192.168.100.200
+  object network obj-192.168.100.100_192.168.100.200
+   range 192.168.100.100 192.168.100.200
+  object network obj-10.1.2.0
+   subnet 10.1.2.0 255.255.255.0
+   nat (inside,outside) dynamic obj-192.168.100.100_192.168.100.200 interface
+NAT & Interface PAT with additional PAT together
+  nat (inside) 1 10.0.0.0 255.0.0.0
+  global (outside) 1 192.168.100.1-192.168.100.200
+  global (outside) 1 interface
+  global (outside) 1 192.168.100.210
+  object network obj-192.168.100.100_192.168.100.200
+   range 192.168.100.100 192.168.100.200
+  object network obj-10.0.0.0
+   subnet 10.0.0.0 255.0.0.0
+  object network second-pat
+   host 192.168.100.210
+  object-group network dynamic-nat-pat
+   network-object object obj-192.168.100.100_192.168.100.200
+   network-object object second-pat
+  nat (inside,outside) dynamic dynamic-nat-pat interface
+Twice NAT with both source IP, Dest IP and Source port, Dest port change.
+  On the inside:
+  Source IP: 10.30.97.129
+  Source port: 5300
+  Dest IP: 10.30.97.200
+  Dest port: any port
+  On the outside:
+  Source IP: Interface IP
+  Source port: 5300
+  Dest IP: 172.16.1.10
+  Dest port: 1022
+  object network source-real
+   host 10.30.97.129
+  object network dest-mapped
+   host 10.30.97.200
+  object network dest-real
+   host 172.16.1.10
+  object service inside-src-dest-port
+   service tcp source eq 5300 destination range 0 65535
+  object service outside-src-dest-port
+   service tcp source eq 5300 destination eq 1022
+  nat (inside,outside) after source static source-real interface destination static dest-mapped dest-real service inside-src-dest-port outside-src-dest-port
+Static NAT for a Range of Ports
+  Not Possible - Need to write multiple Statements or perform a Static one-to-one NAT.
+             (in)    (out)
+.1.1.1-------ASA-------xlate-------> 10.2.2.2
+  Original Ports: 10000 - 10010
+  Translated ports: 20000 - 20010
+  object service ports
+   service tcp source range 10000 10010
+  object service ports-xlate
+   service tcp source range 20000 20010
+  object network server
+   host 10.1.1.1
+  object network server-xlate
+   host 10.2.2.2
+  nat (inside,outside) source static server server-xlate service ports ports-xlate