I know that they take LSD (yes Lysergic acid diethylamide) at Cisco like Kevin Herbert but can they consume less? Every release of a new 8.x software version of the Cisco ASA has new NAT statements and logic. This week I replaced an old Cisco PIX 6.x with a new Cisco ASA 8.4(4)1 (asa844-1-k8.bin) and ran into some logic traps and I decided to write some examples here for you in case that this can help you. My customer has a provider router but the examples are also working with a PPPoE uplink (except multiple IPNAT commands).
NAT from inside to outside:
object network MyInternalNetwork
subnet 192.168.23.0 255.255.255.0
object network MyInternalNetwork
nat (inside,outside) dynamic interface
You will see that an incoming packet will be first translated and than be checked by the firewall. PAT for port-forwarding a network service (in this example https tcp 443):
object network MyExchangeServer
host 192.168.23.5
object network MyExchangeServer
nat (inside,outside) static interface service tcp https https
access-list world_in extended permit tcp any object MyExchangeServer eq https
access-group world_in in interface outside
1:1 NAT (with example for PPTP passthrough):
object network MyPPTPserver
host 192.168.23.10
object network MyPPTPserver
nat (inside,outside) static 88.77.66.23
access-list world_in extended permit tcp any object MyPPTPserver eq pptp
access-list world_in extended permit gre any object MyPPTPserver
access-group world_in in interface outside
No-NAT Statements (for not natting into connected VPN-networks):
object network MyHeadquarter
subnet 192.168.23.0 255.255.255.0
object network MyBranchOffice
subnet 192.168.80.0 255.255.255.0
nat (inside,any) source static MyHeadquarter MyHeadquarter destination static MyBranchOffice MyBranchOffice no-proxy-arp
don’t forget to place no-proxy-arp at the end of the NAT statement, otherwhise your Cisco ASA will answer on every ARP-Broadcast “YES THAT’S ME HERE IS MY MAC-ADDRESS!!!11111” -.-
If you have any further wishes on NAT-config-examples or older NAT-statements (just like for Cisco ASA software version 8.0, 8.1, 8.2 and/or 8.3) just let me know!
4 Responses
Hi, I’m using version 8.6 and want to have a guest vlan which uses a different external IP for its NAT address.
Here’s my nat setup
Manual NAT Policies (Section 1)
1 (Inside) to (Outside) source dynamic any interface translate_hits = 13818379, untranslate_hits = 551007
2 (Wifi_guest) to (Outside) source dynamic any EXT_wifiguest_29 translate_hits = 516, untranslate_hits = 0
The second policy gets some hits but does not work. If I change it to interface, rather than the network object of an external IP, it works.
Hi Ben,
I would try this:
object network GuestNetwork
subnet 192.168.1.0 255.255.255.0
object network Guest-WAN-IP
host 88.77.66.55
object network GuestNetwork
nat (guests,outside) static Guest-WAN-IP
Michel, Thank you so much for writing
“don’t forget to place no-proxy-arp at the end of the NAT statement, otherwhise your Cisco ASA will answer on every ARP-Broadcast “YES THAT’S ME HERE IS MY MAC-ADDRESS!!!11111″ -.-”
This is exactly what was happening in my case. I could ping the devices but unable to connect on port 443 or 80 as the learned mac address was ASA interface for all the machines on same subnet and it was killing all my logics as I am not a cisco expert yet.