Configuring Cisco ASA Dynamic NAT

Core Knowledge and Real World Scenarios

When it comes to Network Address Translation, Dynamic NAT is by far the most common. Dynamic NAT, also known as Many to One NAT allows for internal private address pace such as the RFC1918 range to be translated to a single public facing IP Address.

This type of NAT is performed on all consumer grade products to allow multiple PC’s to access the internet using a single public IP Address.

Dynamic NAT works in a simple way which translates the internal private source IP Address and source port number to the public facing IP Address and random available source port number before forwarding the traffic to the destination.

So lets look at an Example;

Traffic from host 10.1.1.10:3948 going towards the Google Website 173.194.121.14:80 first hits the inside interface of the firewall, The firewall see’s the NAT policy and translates source IP 10.1.1.10 and port 3948 to its public outside interface IP Address 198.51.100.37 with a random port number such as 48324. The traffic then gets forwarded to the ISP using the public routable IP Address and is routed towards Google. Traffic returning from Google would return to the destination 198.51.100.37:48324 which is the firewall, the firewall processes the return traffic and translates it based on the NAT translation table and forwards it back to the original source 10.1.1.0:3948

So now that you got a general understanding of how dynamic NAT works on the firewall, lets talk about how to configure it out on the ASA.

Unlike the Cisco IOS software which runs on Routers, the ASA Software is a little different. First lets talk about how NAT is processed on the ASA in the order of configuration.

There are 3 sections of NAT on the Cisco ASA when running ASA 8.3 or later. The first Section is known as Manual Nat, this is where you can configure dynamic, policy, NAT exemption and identity NAT. This section is processed in the order of line number. When configure NAT entries you have the ability to specify line number to insert a NAT entry above or below existing entries to ensure that NAT is processed correctly.

The second section known as Auto NAT functions much as NAT did back in 8.2 whereas the longest match related to the traffic being NAT’ed is used. There are no line numbers in Section 2 as it is based on longest traffic flow match. This section is where your static NAT and static PAT (Port Address Translation, AKA: Port Fowarding) occurs.

The third section is just like Section 1 however it is processed after Section 1 and 2. This section is known as “After-Auto” Manual NAT. This section is used for the same types of NAT policies that you would find in Section 1 but need to be processed after Section 2, for example, Dynamic Internet NAT policies.

Lets look at Section 2 and Section 3 closer, Lets say you have a static PAT to forward public traffic to a private internal web server. This would be configured in Section 2, however lets say you also have a Dynamic NAT policy for all internal traffic to reach the internet in section one. When traffic going to the web server gets translated by Section 2 inbound, traffic returning to the source would be translated by Section 1 as that policy matches first and would fail because the source would not recognize the return traffic and would be dropped by the original source. In this case the Dynamic NAT policy used for the internet is commonly placed in the After-Auto section so that all prior NAT policies are processed first.

In order to build a dynamic NAT policy you must first define an object or object group which identifies the source network. In this case we’re going to use an object-group to define the 10.1.1.0/24 and 10.1.10.0/24 networks which are located on the “INSIDE” zone of the ASA.

Afterwards you define the object(s) you build the NAT policy using a single command nat (INSIDE,OUTSIDE) after-auto source dynamic DNAT_NETWORKS_INSIDE_TO_OUTSIDE interface

The (INSIDE,OUTSIDE) defines the flow of traffic, from the inside zone to the outside zone. We’re playing this NAT policy in the after-auto section (Section 3) and the source is dynamic as defined by the object-group DNAT_NETWORKS_INSIDE_TO_OUTSIDE. Lately we’re NAT’ing the traffic to the OUTSIDE interface IP Address.

To verify this configuration you would use the show nat command as shown below;

FW1# show nat
Manual NAT Policies (Section 3)
1 (INSIDE) to (OUTSIDE) source dynamic DNAT_NETWORKS_INSIDE_TO_OUTSIDE interface  
    translate_hits = 0, untranslate_hits = 0
FW1#

Because no other NAT policies are defined, the show nat command is only showing the dynamic NAT policy in section 3.

The last command that we’re going to look at is show xlate

This command has been around since the PIX days which is used to show the translation table. An example is provided below;

FW1# show xlate
2 in use, 2 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from OUTSIDE:0.0.0.0/0 to INSIDE:0.0.0.0/0
    flags sIT idle 0:00:07 timeout 0:00:00
ICMP PAT from INSIDE:10.1.1.2/2 to OUTSIDE:198.51.100.37/2 flags ri idle 0:00:07 timeout 0:00:30
FW1#

Commands You Should Know

As a network engineer implementing the technologies outlined in this lab you should be familiar with the following commands provided in the table below;

Command	Description
nat (SOURCE,DESTINATION) after-auto dynamic {OBJECT_GROUP} interface	This command when executed in global configuration defines a dynamic NAT policy whereas the source and destination zones are defined. This policy is placed in Section 3 and matches objects sourced by networks defined by the object group. This traffic is NAT’d to the IP Address of the Destination Interface.
show nat	This command when executed shows existing configured NAT policies on the Cisco ASA
show xlate	This command when executed shows all current entries in the NAT translation table.

Lab Logical Topology

Free CCNA Workbook - Security Workbook Section 7 Topology

To view the physical cabling topology please visit the Topology page.

Lab Device Initial Configuration(s)

In Section 7 you’ll only be configuring FW1. You will however use other lab devices to verify your configuration on FW1.

If you completed the previous lab you can continue where you left off otherwise you’ll need to load the following initial configurations into their respective device(s);

!############################################
!#  FW1  -  CCNA Security Workbook Lab 7-12 #
!############################################
!
enable
config term
!
hostname FW1
enable password 2KFQnbNIdI.2KYOU encrypted
!
interface Ethernet0/0
 description OUTSIDE PHY INTERFACE
 nameif OUTSIDE
 security-level 0
 ip address 198.51.100.37 255.255.255.252
 no shut
!
interface Ethernet0/1
 description INSIDE PHY INTERFACE
 nameif INSIDE
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 no shut
!
interface Ethernet0/2
 description DMZ PHY INTERFACE
 nameif DMZ
 security-level 50
 ip address 10.1.250.1 255.255.255.0 
 no shut
!
banner login ####################################
banner login #  UNAUTHORIZED ACCESS PROHIBITED  #
banner login ####################################
!
banner motd #####################################################
banner motd #  CONTACT JOHN PRIOR TO MAKING ANY CONFIG CHANGES  #
banner motd #####################################################
!
username jdoe password 2ck/B41DqLmwNyy8 encrypted privilege 15
username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15
!
aaa authentication serial console LOCAL
!
object network RADIUS_SRV
 host 10.1.1.25
object-group network DMZ_WEBSERVERS
 network-object host 10.1.250.11
 network-object host 10.1.250.12
 network-object host 10.1.250.13
!
access-list INSIDE_IN extended permit ip object RADIUS_SRV 10.1.0.0 255.255.0.0 
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 object-group DMZ_WEBSERVERS eq www 
access-list INSIDE_IN extended permit ip any any log
!
access-list OUTSIDE_IN extended permit icmp any any
!
access-list DMZ_IN extended permit icmp any any
!
!
access-group INSIDE_IN in interface INSIDE
access-group OUTSIDE_IN in interface OUTSIDE
access-group DMZ_IN in interface DMZ
!
route OUTSIDE 0.0.0.0 0.0.0.0 198.51.100.38
!
domain-name freeccnaworkbook.com
ssh 10.1.1.0 255.255.255.0 INSIDE
aaa authentication ssh console LOCAL
!
router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
 network 10.1.250.0 255.255.255.0 area 51
 log-adj-changes
!
dhcpd address 10.1.1.10-10.1.01.50 INSIDE
dhcpd dns 10.10.10.10 10.20.10.10 interface INSIDE
dhcpd enable
!
http server enable
http 10.1.0.0 255.255.0.0 INSIDE
!
end

Section 7 Pre-Configured Lab Device(s)

In Section 7 you’ll only be configuring FW1. You will however use other lab devices to verify your configuration on FW1.

If you completed the previous lab you can continue where you left off otherwise you’ll need to load the following initial configurations into their respective device(s);

!############################################
!#  FW1  -  CCNA Security Workbook Lab 7-X  #
!############################################
!
enable

config terminal
!
hostname FW1
!
username jdoe password whoami privilege 15
username cisco password cisco privilege 15
enable password cisco
!
object-group network DMZ_WEBSERVERS
 network-object host 10.1.250.11
 network-object host 10.1.250.12
 network-object host 10.1.250.13
!
object network RADIUS_SRV
 host 10.1.1.25
!
interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 198.51.100.37 255.255.255.252 
 no shutdown
!
interface Ethernet0/1
 nameif INSIDE
 security-level 100
 ip address 10.1.1.254 255.255.255.0
 no shutdown
!
interface Ethernet0/2
 nameif DMZ
 security-level 50
 ip address 10.1.250.254 255.255.255.0
 no shutdown
!
aaa-server STUBLAB_RADIUS protocol radius
aaa-server STUBLAB_RADIUS (INSIDE) host 10.1.1.25
 key CISCO123
 authentication-port 1812
!
aaa-server STUBLAB_TACACS protocol tacacs+
aaa-server STUBLAB_TACACS (INSIDE) host 10.1.1.26
 key CISCO123
!
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console STUBLAB_TACACS LOCAL
aaa authentication http console LOCAL
!
banner login ####################################
banner login #  UNAUTHORIZED ACCESS PROHIBITED  #
banner login ####################################
!
banner motd #####################################################
banner motd #  CONTACT JOHN PRIOR TO MAKING ANY CONFIG CHANGES  #
banner motd #####################################################
!
route OUTSIDE 0.0.0.0 0.0.0.0 198.51.100.38
!
dhcpd address 10.1.1.10-10.1.1.50 INSIDE
dhcpd dns 1.1.1.1 2.2.2.2 interface INSIDE
dhcpd enable INSIDE
!
router ospf 1
 network 10.1.1.0 255.255.255.0 area 0
 network 10.1.250.0 255.255.255.0 area 51
!
crypto key gen rsa modulus 2048 noconfirm
telnet 1.1.1.1 255.255.255.255 INSIDE
ssh 10.1.1.0 255.255.255.0 INSIDE
!
asdm image flash:asdm-732.bin
http 10.1.0.0 255.255.0.0 INSIDE
http server enable
!
access-list INSIDE_IN extended permit ip object RADIUS_SRV 10.1.0.0 255.255.0.0 
access-list INSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 object-group DMZ_WEBSERVERS eq www 
access-list INSIDE_IN extended permit ip any any
access-list DMZ_IN extended permit ip any any
access-list OUTSIDE_IN extended permit icmp any any
!
access-group OUTSIDE_IN in interface OUTSIDE
access-group INSIDE_IN in interface INSIDE
access-group DMZ_IN in interface DMZ
!
end

Section 7 Pre-Configured Lab Device(s)

The following lab devices have been pre-configured to save you time as you’ll only be working with FW1 in Section 7.

In order to complete the labs in section 7 you MUST load the following pre-configuration(s);

!############################################
!#  R1 - CCNA Security Workbook Section 7   #
!############################################
!
enable
config terminal
!
hostname R1
!
no ip domain lookup
!
aaa new-model
!
aaa authentication login default local
aaa authorization console
aaa authorization exec default local if-authenticated 
!
aaa session-id common
!
username cisco privilege 15 password 0 cisco
enable password cisco
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 description Link to SW1 FastEthernet0/2 (INSIDE)
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
 no shutdown
!
interface FastEthernet0/1
 description Link to SW2 FastEthernet0/2 (INSIDE)
 ip address 10.1.10.1 255.255.255.0
 duplex auto
 speed auto
 no shutdown
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
!
interface Serial0/1/0
 no ip address
 shutdown
!
router eigrp 10
 network 0.0.0.0
 no auto-summary
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
!
router rip
 version 2
 network 10.0.0.0
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 10.1.1.254 250
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
banner login ^
############################################
#  R1  -  CCNA Security Workbook Section 7 #
#  NOTICE:  This Router is Preconfigured   #
############################################
^
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 transport input all
!
end

!############################################
!#  SW1 - CCNA Security Workbook Section 7  #
!############################################
!
enable
config term
!
hostname SW1
!
username cisco privilege 15 password cisco
enable password cisco
!
aaa new-model
aaa authentication login default local
aaa authorization console
aaa authorization exec default local if-authenticated 
!
vtp mode transparent
ip routing
!
spanning-tree mode rapid-pvst
!
vlan internal allocation policy ascending
!
vlan 11
 name FW1_INSIDE-10.1.1.0-24
!
vlan 22
 name FW2_INSIDE-10.2.2.0-24
!
vlan 110
 name R1_ETH0-1_10.1.10.0-24
!
vlan 125
 name FW1_DMZ_10.1.250.0-24
!
vlan 192
 name SW1_SW2_SIMULATED_INTERNET_XCONN
!
interface Loopback4222
 ip address 4.2.2.2 255.255.255.255
!
interface range FastEthernet0/1 - 24
 shutdown
!
interface FastEthernet0/1
 switchport access vlan 11
 switchport mode access
 spanning-tree portfast
 no shutdown
!
interface FastEthernet0/2
 switchport access vlan 22
 switchport mode access
 spanning-tree portfast
 no shutdown
!
interface FastEthernet0/3
 switchport access vlan 125
 switchport mode access
 spanning-tree portfast
 no shutdown
!
interface FastEthernet0/13
 description Link to FW1 Ethernet0/0 (OUTSIDE)
 no switchport
 ip address 198.51.100.38 255.255.255.252
 no shutdown
!
interface FastEthernet0/14
 description Link to FW1 Ethernet0/1 (INSIDE)
 switchport access vlan 11
 switchport mode access
 spanning-tree portfast
 no shutdown
!
interface FastEthernet0/15
 description Link to FW1 Ethernet0/2 (DMZ)
 switchport access vlan 125
 switchport mode access
 spanning-tree portfast
 no shutdown
!
interface FastEthernet0/24
 description L2 Trunk Link to SW2 FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no shutdown
!
interface GigabitEthernet0/1
 shutdown
!
interface GigabitEthernet0/2
 description STUBLAB RADIUS AND TACACS SERVER (IP: 10.1.1.25/24)
 switchport access vlan 11
 switchport mode access
 no cdp enable
 spanning-tree portfast
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan192
 description SW1-SW2 CROSS-CONNECT
 ip address 192.0.2.185 255.255.255.252
!
router eigrp 10
 network 0.0.0.0
 passive-interface default
 no passive-interface Vlan192
!
banner login ^
############################################
#  SW1 - CCNA Security Workbook Section 7  #
#  NOTICE:  This Switch is Preconfigured   #
############################################
^
!
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
line vty 5 15
!
end

Before you Start

This lab requires that you have access to a Cisco ASA. You can complete this lab using a virtual Cisco ASA within GNS3 or you can reserve free lab time on the Stub Lab to have access to a pair of Cisco ASA 5510 Series Firewalls which can be used to complete this lab.

Lab Objectives

In this lab you will complete the following objectives.

Create an Object-group that defines the 10.1.1.0/24 and 10.10.10.10/32 network.
Create an after-auto dynamic NAT policy that translates all networks sourced in the define dobject group to the OUTSIDE interface IP Address
Verify the operational status of the newly created NAT Policy by pinging 4.2.2.2 sourced from R1’s Loopback0 interface.
Verify that the ping test is showing up in the ASA’s translation table.

One More Thing…

It is recommended that you attempt to complete these lab objectives the first time without looking at the Lab Instruction section.

If you are a student preparing for the Cisco CCNA Security Certification Exam than you are more likely to remember how to complete these objectives if you attempt to complete them the first time on your own with the use of the core knowledge section found in this lab. You should only resort to the Lab Instruction section to verify your work.

Lab Instruction

Objective 1. – Create an Object-group that defines the 10.1.1.0/24 and 10.10.10.10/32 network.

FW1# config terminal
FW1(config)# config terminal
FW1(config)# object-group network INSIDE_TO_OUTSIDE_DYNAMIC_NAT_NETS
FW1(config-network-object-group)# network-object 10.1.1.0 255.255.255.0
FW1(config-network-object-group)# network-object 10.10.10.10 255.255.255.255
FW1(config-network-object-group)# exit
FW1(config)#

Objective 2. – Create an after-auto dynamic NAT policy that translates all networks sourced in the defined object group to the OUTSIDE interface IP Address

FW1(config)# nat (INSIDE,OUTSIDE) after-auto source dynamic INSIDE_TO_OUTSIDE_DYNAMIC_NAT_NETS interface
FW1(config)# end
FW1#

Objective 3. – Verify your Dynamic NAT policy configuration on the ASA by viewing all NAT policies on the ASA.

FW1# show nat

Manual NAT Policies (Section 3)
1 (INSIDE) to (OUTSIDE) source dynamic INSIDE_TO_OUTSIDE_DYNAMIC_NAT_NETS interface  
    translate_hits = 0, untranslate_hits = 0
FW1#

Objective 4. – Verify the operational status of the newly created NAT Policy by pinging 4.2.2.2 sourced from R1’s Loopback0 interface.

R1#R1#ping 4.2.2.2 source loopback0 size 1472 repeat 10000
Type escape sequence to abort.
Sending 10000, 1472-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.10 
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
### TRUNCATED ###

Objective 5. – Verify that the ping test is showing up in the ASA’s translation table.

FW1(config)# object-group network INSIDE_TO_OUTSIDE_DYNAMIC_NAT_NETS
FW1# show xlate
2 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from OUTSIDE:0.0.0.0/0 to INSIDE:0.0.0.0/0
    flags sIT idle 0:00:04 timeout 0:00:00
ICMP PAT from INSIDE:10.10.10.10/6 to OUTSIDE:198.51.100.37/6 flags ri idle 0:00:04 timeout 0:00:30
FW1#