Network Address Translation, ASA 8.2
NAT is required in a number of scenarios and turns up in some unusual places. The most common use is translating a private RFC 1918 address into a globally routed public IP address. For example, a home device with the address 10.10.16.10 is translated to 200.165.231.20 when it goes to the internet. The translation table keeps a record of this conversation, so when the return packet arrives for 200.165.231.20 it is sent back to the device it originated from, 10.10.16.10. There are a number of different NAT styles and syntax styles; the syntax changes between 8.2 and 8.3 caused some commotion among ASA users. This section states clearly which NAT method is being used in each example.
Order of Operations – 8.2 ASA
The order of operations is important for understanding where NAT fits among the checks applied to a connection. On 8.2 the NAT rule types are evaluated in the following order:
- NAT Exemption
- Static NAT and Static PAT
- Policy Dynamic NAT
- Regular Dynamic NAT
- NAT control on and no rule matched: the packet is dropped
Dynamic NAT – 8.2 ASA
Dynamic NAT translates an IP address to an address taken from a pre-defined pool. It is generally employed when traffic goes from a higher-security interface to a lower-security one. An address is usually reserved for PAT in case the defined pool fills up.
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 192.168.20.15-192.168.20.150
global (outside) 1 192.168.20.151
The 8.2 Dynamic NAT example above takes addresses from the inside source range 10.10.10.0/24 and translates them to addresses in the range 192.168.20.15-150. This occurs when traffic goes from inside to outside. If the translation pool fills, the 192.168.20.151 address is there to perform PAT.
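To show what the pool and the spare PAT address do when the pool runs out, here is an added Python model of the example above. It is not Cisco code and not from the original page; it reads the three statements into a pool of 136 one-to-one addresses (192.168.20.15 through .150, inclusive) plus the single PAT address, and then translates 140 constructed inside hosts so that the last four overflow onto 192.168.20.151 with a port. Keeping one PAT port per host rather than per connection is a simplification of the real translation table.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed copy of the page's 8.2 dynamic NAT example (not a real device config).
CONFIG = """
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 192.168.20.15-192.168.20.150
global (outside) 1 192.168.20.151
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (\S+)$")


@dataclass
class DynamicNat:
    inside_ifc: str
    pool_id: int
    real_net: ipaddress.IPv4Network
    outside_ifc: str = ""
    pool: list = field(default_factory=list)   # free one-to-one mapped addresses
    pat_ip: str = ""                            # single-address global: the PAT fallback
    xlate: dict = field(default_factory=dict)   # real ip -> (mapped ip, PAT port or None)
    next_pat_port: int = 1024                   # simplified: one PAT port per host, not per connection


def parse(config):
    """Build one DynamicNat from a nat statement and the global pools sharing its ID."""
    rule = None
    for line in config.strip().splitlines():
        if m := NAT_RE.match(line):
            ifc, pool_id, addr, mask = m.groups()
            rule = DynamicNat(ifc, int(pool_id), ipaddress.IPv4Network(f"{addr}/{mask}"))
        elif (m := GLOBAL_RE.match(line)) and rule and int(m[2]) == rule.pool_id:
            rule.outside_ifc, spec = m[1], m[3]
            if "-" in spec:                     # a range becomes the dynamic NAT pool (inclusive)
                lo, hi = (int(ipaddress.IPv4Address(a)) for a in spec.split("-"))
                rule.pool.extend(str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1))
            else:                               # a single address is used for PAT
                rule.pat_ip = spec
    return rule


def translate(rule, real_ip):
    """Return (mapped ip, port) for a host on the inside, or None if it cannot be translated."""
    if real_ip in rule.xlate:                   # an existing translation table entry is reused
        return rule.xlate[real_ip]
    if ipaddress.IPv4Address(real_ip) not in rule.real_net:
        return None                             # not covered by this nat statement
    if rule.pool:                               # one-to-one dynamic NAT while the pool lasts
        entry = (rule.pool.pop(0), None)
    elif rule.pat_ip:                           # pool exhausted: fall back to PAT on the spare address
        entry = (rule.pat_ip, rule.next_pat_port)
        rule.next_pat_port += 1
    else:
        return None                             # no PAT address either: the connection fails
    rule.xlate[real_ip] = entry
    return entry


def demo(hosts=140):
    """Translate constructed hosts 10.10.10.1 .. 10.10.10.<hosts>; the pool holds 136 addresses."""
    rule = parse(CONFIG)
    results = {f"10.10.10.{i}": translate(rule, f"10.10.10.{i}") for i in range(1, hosts + 1)}
    return rule, results


if __name__ == "__main__":
    rule, results = demo()
    for host in ("10.10.10.1", "10.10.10.136", "10.10.10.137", "10.10.10.140"):
        print(host, "->", results[host])
```

Running it shows the first 136 hosts each receiving their own address from the range and the remaining hosts sharing 192.168.20.151 with distinct ports; dropping the single-address global from CONFIG makes host 137 fail to translate, which is the situation the reserved PAT address exists to prevent.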
The ASDM configuration window resides at Configuration > Firewall > NAT Rules. Then select Add Dynamic NAT Rule.
Static NAT – 8.2 ASA
Static NAT is recommended where an application server needs to be accessed from an external network. Because the translation is always present in the table, remote connections can be established. It is best used when connections need to be initiated from an outside interface with a lower security level than the host being accessed. The addresses listed below are used in our example: the server has an internal address of 192.168.16.10 on interface dmz-mail, and outside requests hit 202.16.142.30 on interface isp-a.
static (dmz-mail,isp-a) 202.16.142.30 192.168.16.10
A good way to remember 8.2 static NAT is the position structure in the table below: the interface pair names the real interface first and the mapped interface second, and the two addresses follow in the reverse order, mapped IP first and real IP last.
Position | 1: real interface | 2: mapped interface | 3: mapped IP | 4: real IP |
Example | dmz-mail | isp-a | 202.16.142.30 (on isp-a) | 192.168.16.10 (on dmz-mail) |
The ASDM configuration window resides at Configuration > Firewall > NAT Rules. Then select Add Static NAT Rule.
Static Exemption, Exemption and Identity NAT – 8.2 ASA
The following examples are for devices that do not need NAT translation to take place.
Static identity NAT creates a slot in the translation table as soon as it is configured.
static (dmz-c,outside) 206.100.100.42 206.100.100.42 netmask 255.255.255.255
Dynamic identity NAT creates a dynamic identity entry in the translation table, where the local and global addresses are the same. It is used when clients access less secure interfaces.
nat (inside) 0 10.36.100.0 255.255.255.0
Remember that a pool ID of 0 specifically tells the ASA software not to translate.
Finally there is NAT exemption. This mode behaves differently because it is evaluated first in the order of operations and bypasses translation for the matching traffic.
nat (inside) 0 access-list CI-VPN
The ASDM configuration window resides at Configuration > Firewall > NAT Rules. Then select Add Static NAT Rule. For exemption, ensure NAT Exempt Outbound Traffic from Interface “inside” to Lower Security Interfaces (Default) is enabled.
NAT caveats for 8.2
NAT control was a feature of 8.2. When enabled, it required that a NAT rule be in place for traffic to pass; traffic was dropped if no translation rule was found. NAT exemption was the other way for traffic to traverse the firewall when NAT control was enabled. This led to excess configuration on the firewalls. In ASA 8.3 this feature was removed completely: if a connection cannot find a translation it is allowed and is subject to the other access policies.
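The following added Python model (not Cisco code and not from the original page) ties together the 8.2 order of operations, the static syntax mnemonic and the NAT control caveat above. It reads the page's own nat, static and nat 0 examples, classifies each line by rule type, evaluates a connection against the rules in the precedence order exemption, static, policy dynamic, regular dynamic, and reports the nat-control outcome: with nat-control on, an unmatched connection is dropped; with it off (the 8.3 behaviour) it passes untranslated. The contents of access-list CI-VPN, the destination addresses and the source hosts are constructed for the example, since the page only names the list. Only the outbound direction from the real interface is modelled.

```python
import ipaddress
import re

# Constructed ASA 8.2 configuration assembled from the page's own examples.
# The access-list CI-VPN entry is hypothetical (the page only names the list).
CONFIG = """
access-list CI-VPN extended permit ip 10.36.100.0 255.255.255.0 10.50.0.0 255.255.0.0
nat (inside) 0 access-list CI-VPN
static (dmz-mail,isp-a) 202.16.142.30 192.168.16.10
static (dmz-c,outside) 206.100.100.42 206.100.100.42 netmask 255.255.255.255
nat (inside) 0 10.36.100.0 255.255.255.0
nat (inside) 1 10.10.10.0 255.255.255.0
global (outside) 1 192.168.20.15-192.168.20.150
"""

# 8.2 order of operations from the page; the lower number is checked first.
PRECEDENCE = {"exemption": 0, "static": 1, "policy-dynamic": 2, "dynamic": 3}

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$")
NAT_ACL_RE = re.compile(r"^nat \((\S+)\) (\d+) access-list (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (\S+) (\S+)$")
# static positions: (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)(?: netmask (\S+))?$")


def net(addr, mask):
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Split the config into ACL entries and NAT rules tagged with their rule kind."""
    acls, rules = {}, []
    for line in config.strip().splitlines():
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((net(m[2], m[3]), net(m[4], m[5])))
        elif m := NAT_ACL_RE.match(line):          # nat 0 + ACL = exemption, nat N + ACL = policy NAT
            kind = "exemption" if m[2] == "0" else "policy-dynamic"
            rules.append({"kind": kind, "ifc": m[1], "pool": int(m[2]), "acl": m[3]})
        elif m := NAT_RE.match(line):              # nat 0 = dynamic identity, nat N = regular dynamic
            rules.append({"kind": "dynamic", "ifc": m[1], "pool": int(m[2]), "net": net(m[3], m[4])})
        elif m := STATIC_RE.match(line):
            rules.append({"kind": "static", "ifc": m[1], "mapped_ifc": m[2],
                          "mapped": ipaddress.IPv4Address(m[3]),
                          "net": net(m[4], m[5] or "255.255.255.255")})
        # global lines only supply pool addresses; rule precedence does not depend on them
    return acls, rules


def evaluate(acls, rules, src_ifc, src_ip, dst_ip, nat_control=True):
    """Return (rule kind, mapped source) for the first rule matched in precedence order."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for r in sorted(rules, key=lambda r: PRECEDENCE[r["kind"]]):   # stable: config order within a kind
        if r["ifc"] != src_ifc:
            continue
        if "acl" in r:
            if not any(src in s and dst in d for s, d in acls.get(r["acl"], [])):
                continue
            if r["kind"] == "exemption":
                return "exemption", src_ip                   # bypasses NAT, address unchanged
            return "policy-dynamic", f"pool {r['pool']}"
        if src not in r["net"]:
            continue
        if r["kind"] == "static":
            offset = int(src) - int(r["net"].network_address)
            return "static", str(r["mapped"] + offset)
        if r["pool"] == 0:
            return "identity", src_ip                        # nat 0: dynamic identity, no translation
        return "dynamic", f"pool {r['pool']}"
    # Nothing matched: nat-control (8.2) drops it; without nat-control (8.3 behaviour) it passes untranslated
    return ("drop", None) if nat_control else ("untranslated", src_ip)


if __name__ == "__main__":
    acls, rules = parse(CONFIG)
    for ifc, s, d in [("inside", "10.36.100.7", "10.50.1.1"), ("inside", "10.36.100.7", "8.8.8.8"),
                      ("dmz-mail", "192.168.16.10", "1.1.1.1"), ("inside", "10.10.10.5", "8.8.8.8"),
                      ("inside", "172.16.0.1", "8.8.8.8")]:
        print(ifc, s, "->", d, evaluate(acls, rules, ifc, s, d))
```

The host 10.36.100.7 is covered by both the exemption ACL and the nat 0 network statement; the model picks exemption when the destination is in the ACL and identity NAT otherwise, which is the precedence the order-of-operations list describes. The last case, a source network with no rule at all, is the one that nat-control silently drops on 8.2.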