Static NAT (on ASA)

Prerequisite – Adaptive security appliance (ASA), Network address translation (NAT)
ASA is a Cisco security appliance that combines classic firewall capabilities, such as static packet filtering and stateful packet filtering, with VPN, antivirus and intrusion prevention capabilities.
Network Address Translation (NAT) is a process in which a private IP address is translated to a public IP address. This hides the IP address of the original source device from the outside network.

Static NAT –
In static NAT, a single unregistered (private) IP address is mapped to a legally registered (public) IP address, i.e., a one-to-one mapping between a local and a global address.
It is generally used in Web hosting and home networks.

It is not used in organisations because many devices need Internet access, and providing it this way requires one public IP address per device. If 3000 devices need access to the Internet, the organisation has to buy 3000 public addresses, which will be very costly.

Procedure –

  • Step-1: Configure the access-list –
    Build the access-list stating the permit condition, i.e., who should be permitted and which protocol should be permitted.

  • Step-2: Apply the access-list to an interface –
    The access-group command is used to state the direction (out or in) in which the action specified above should take place.

  • Step-3: Create network object –
    This states the host to which NAT will be applied.

  • Step-4: Create static NAT statement –
    This step specifies the direction in which NAT should take place and the IP address to which the private IP address should be translated, e.g., nat (DMZ,OUTSIDE) static 111.1.1.1. This states that the static NAT operation will take place when the traffic is going from DMZ to OUTSIDE and will translate the IP address (specified in the network object command) to 111.1.1.1.

Note –
The access-list has been made to allow ICMP traffic from OUTSIDE to DMZ or INSIDE because, by default, ICMP traffic is not allowed from a lower security level to a higher security level in ASA (Adaptive Security Appliance).

Example –

Three routers namely Router1 (IP address – 10.1.1.1/24), Router2 (IP address – 11.1.1.1/24) and Router3 (IP address – 101.1.1.1) are connected to ASA (IP address- 10.1.1.2/24, name – INSIDE and security level – 100 on Gi0/0, IP address – 11.1.1.2/24, name – DMZ and security level – 50 on Gi0/1, IP address – 101.1.1.2/24, name-OUTSIDE and security level – 0 on Gi0/2) as shown in the above figure.

In this task, we will enable static NAT for the traffic originating from INSIDE and going to OUTSIDE, and for the traffic going from DMZ to OUTSIDE.
First, configure IP addresses on all routers and the ASA.
Configuring IP address on Router1.

Router1(config)#int fa0/0
Router1(config-if)#ip address 10.1.1.1 255.255.255.0
Router1(config-if)#no shut 

Configuring IP address on Router2.

Router2(config)#int fa0/0
Router2(config-if)#ip address 11.1.1.1 255.255.255.0
Router2(config-if)#no shut 

Configuring IP address on Router3.

Router3(config)#int fa0/0
Router3(config-if)#ip address 101.1.1.1 255.255.255.0
Router3(config-if)#no shut 

Configuring IP address, name and security level on the interface of ASA.

asa(config)#int Gi0/0
asa(config-if)#no shut
asa(config-if)#ip address 10.1.1.2 255.255.255.0
asa(config-if)#nameif INSIDE
asa(config-if)#security-level 100
asa(config-if)#exit
asa(config)#int Gi0/1
asa(config-if)#no shut
asa(config-if)#ip address 11.1.1.2 255.255.255.0
asa(config-if)#nameif DMZ
asa(config-if)#security-level 50
asa(config-if)#exit
asa(config)#int Gi0/2
asa(config-if)#no shut
asa(config-if)#ip address 101.1.1.2 255.255.255.0
asa(config-if)#nameif OUTSIDE
asa(config-if)#security-level 0

Now giving static routes to the routers.
Configuring static route to Router1.

Router1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2 

Configuring static route to Router2.

Router2(config)#ip route 0.0.0.0 0.0.0.0 11.1.1.2 

Configuring static route to Router3.

Router3(config)#ip route 0.0.0.0 0.0.0.0 101.1.1.2 

Finally, configuring static routes on the ASA.

asa(config)#route INSIDE 10.1.1.0 255.255.255.0 10.1.1.1
asa(config)#route OUTSIDE 101.1.1.0 255.255.255.0 101.1.1.1
asa(config)#route DMZ 11.1.1.0 255.255.255.0 11.1.1.1

Now, for ICMP, we either have to enable inspection or use an ACL to allow the ICMP echo reply from the lower security level to the higher security level (this has to be done because, by default, no traffic is allowed from a lower security level to a higher security level).
In this scenario, we will use an ACL.

asa(config)#access-list traffic_out permit icmp any any 
asa(config)#access-list traffic_dmz permit icmp any any 

Here, two access-lists have been created.
The first access-list, named traffic_out, will allow ICMP traffic from OUTSIDE to INSIDE (any IP address, any mask).
The second access-list, named traffic_dmz, will allow ICMP traffic from OUTSIDE to DMZ (any IP address, any mask).

Now, we have to apply these access-lists to the ASA interfaces:

asa(config)#access-group traffic_out in interface OUTSIDE 
asa(config)#access-group traffic_dmz in interface DMZ

The first statement applies the access-list traffic_out in the inbound direction on the OUTSIDE interface. The second statement applies the access-list traffic_dmz in the inbound direction on the DMZ interface.
Now, INSIDE devices will be able to ping OUTSIDE and DMZ devices. The remaining task is to enable NAT on the ASA whenever traffic goes from INSIDE to OUTSIDE and from DMZ to OUTSIDE.

asa(config)#object network INSIDE_OUTSIDE_NAT
asa(config-network-object)#host 10.1.1.1
asa(config-network-object)#nat (INSIDE,OUTSIDE) static 110.1.1.1

Here, the host 10.1.1.1 will be translated to 110.1.1.1 when traffic goes from INSIDE to OUTSIDE.

asa(config)#object network DMZ_OUTSIDE_NAT
asa(config-network-object)#host 11.1.1.1
asa(config-network-object)#nat (DMZ,OUTSIDE) static 111.1.1.1

Here, the host 11.1.1.1 will be translated to 111.1.1.1 when traffic goes from DMZ to OUTSIDE.
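
The policy built above can be checked with a simplified model. This is an added example, not part of the original article: a Python sketch of the lab's security levels, inbound ACLs and static NAT rules, which reports for a given packet whether it is permitted and which addresses it carries when it leaves the ASA. It assumes ASA 8.3+ behaviour (access rules match real addresses) and treats every packet as a new flow with no inspection; `forward`, `egress_for` and the table names are hypothetical.

```python
import ipaddress

# Constructed from this page's lab. Interface -> (security level, connected net)
IFACES = {"INSIDE": (100, "10.1.1.0/24"), "DMZ": (50, "11.1.1.0/24"),
          "OUTSIDE": (0, "101.1.1.0/24")}
# Inbound access-group bindings; each ACL is "permit <proto> any any".
ACL_IN = {"OUTSIDE": {"icmp"}, "DMZ": {"icmp"}}   # traffic_out, traffic_dmz
# Object NAT rules: (real interface, mapped interface, real IP, mapped IP)
STATIC_NAT = [("INSIDE", "OUTSIDE", "10.1.1.1", "110.1.1.1"),
              ("DMZ", "OUTSIDE", "11.1.1.1", "111.1.1.1")]

def egress_for(dst):
    """Route lookup over the connected networks only (assumption)."""
    addr = ipaddress.ip_address(dst)
    for name, (_, net) in IFACES.items():
        if addr in ipaddress.ip_network(net):
            return name
    return None

def forward(ingress, src, dst, proto):
    """Return (verdict, src, dst) as the packet would leave the ASA.
    Every packet is treated as a new flow: no inspection, no state."""
    egress = None
    # 1. Un-NAT: a packet sent to a mapped IP is redirected to the real host.
    for real_if, mapped_if, real, mapped in STATIC_NAT:
        if ingress == mapped_if and dst == mapped:
            dst, egress = real, real_if
    egress = egress or egress_for(dst)
    if egress in (None, ingress):
        return ("drop: no egress", src, dst)
    # 2. Access check on real addresses. A bound ACL replaces the
    #    security-level default and ends with an implicit deny.
    if ingress in ACL_IN:
        allowed = proto in ACL_IN[ingress]
    else:
        allowed = IFACES[ingress][0] > IFACES[egress][0]
    if not allowed:
        return ("drop: access rule", src, dst)
    # 3. Static NAT rewrites the source on the way out.
    for real_if, mapped_if, real, mapped in STATIC_NAT:
        if (ingress, egress, src) == (real_if, mapped_if, real):
            src = mapped
    return ("permit", src, dst)

if __name__ == "__main__":
    for flow in [("INSIDE", "10.1.1.1", "101.1.1.1", "icmp"),
                 ("OUTSIDE", "101.1.1.1", "110.1.1.1", "icmp"),
                 ("DMZ", "11.1.1.1", "101.1.1.1", "tcp")]:
        print(flow, "->", forward(*flow))
```

Two things stand out when reviewing this configuration: because traffic_dmz is bound inbound on the DMZ interface, only ICMP is permitted out of the DMZ, and because static NAT works in both directions, any ICMP sent from OUTSIDE to 110.1.1.1 is delivered to 10.1.1.1.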


