There are three types of NAT on the ASA which have different processing orders and functions.  To understand the different ASA NAT types, we should first go over the the different types of NAT in general.

General Types of NAT

• Static NAT—A consistent mapping between a real and mapped IP address. Allows bidirectional traffic initiation.
• Dynamic NAT—Maps a group of IP addresses to another group of IP addresses (possibly smaller). This is done based on which ever IP initiates traffic first. Only the ‘real’ hosts can initiate traffic.
• Dynamic Port Address Translation (PAT)—Maps a group of IP addresses to a single IP address with a unique source port of that IP address. Only the ‘real’ hosts can initiate traffic.
• Identity NAT—Lets you translate a real address to itself, essentially bypassing NAT. You might want to configure NAT this way when you want to translate a large group of addresses, but then want to exempt a smaller subset of addresses.
• Twice NAT—A NAT which can perform all the functions of the other NATs but NATs both the Source and Destination IP addresses. Sometimes called Selective NAT if you NAT the Source but NAT the Destination to itself. Selective NAT is useful when you need to NAT the Source to a different Mapped Address based on Destination.

ASA NATs

• Manual NAT—A NAT on the ASA to perform all of the NAT types mentioned above. Manual NATs are processed first and executed on the ASA in the order in which they are configured. These are often used in conjunction with VPNs as Identity NATs to exclude VPN traffic from being NAT’d
• Auto NAT—Auto NAT can be used as any NAT type above except for Twice NAT or Selective NAT since the Destination IP address can not be specified. These are generally used for Static NATs and are processed after Manual NATs. These do not necessarily perform in their configured order on the ASA, but rather, perform in Alphabetical order. This can be troublesome if you plan on performing PATs within Auto Nats. You can see the processing order of Auto NATs if you do a ‘show xlate’ on the ASA.
• After Auto Nat—After Auto NATs are processed last but are written and performed similar to Manual NATs. These can have both Source and Destination IP Address but this type of NAT is generally used for PATs.

Examples:

Not every scenario will be covered, nor every possible type of NAT, but NAT is a powerful tool on the ASA if one understands the way it functions. You can do something as simple as allowing a LAN out to the Internet by using a PAT or do something more complicated. For example, allow your Local LAN to communicate to many Remote LANs (VPNs for example) which have the exact same Local LAN as the Local environment. With NAT, we can fully control everything on the ASA without requesting the Remote side to make complicated NAT changes on their end or requesting that someone play rock paper scissors on who gets to re-IP their networks.

Manual Nat(Source only):

Here, we will use Manual NAT as a Static NAT. We will NAT our local internal IP 192.168.5.7 to the External IP of 83.24.5.34.

object network Web1-192.168.5.7
host 192.168.5.7

object network Web1-External-83.24.5.34
host 83.24.5.34

     nat (inside,outside) source static Web1-192.168.5.7 Web1-External-83.24.5.34

With Manual NATs, the IPs are referenced using objects or object-groups. You are not able to just type the IP addresses with these types of NATs so we need an object for every IP or IP network.

Notice the coloring of the text as this will help you identify which IP is for which segment. If the IP 192.168.5.7 comes into the inside segment and its traffic is destined for the outside segment, then it will NAT as 83.24.5.34. The same is true in the reverse if traffic is destined for the 83.24.5.34 on the outside interface. Note that the first segment in the (), in this case is the inside segment, is the sourcing interface. The next interface, in this case outside, is used as the destination so this will NAT anything Destined for 83.24.5.34  to the 192.168.5.7 in the inside segment.

Manual NAT(Source and Destination):

Manual NAT is best used when you need to NAT your traffic differently for a specific Destination. In this example, I will be doing Selective NAT (Twice NAT). We want to NAT 192.168.5.7 to 83.24.5.34 only when our destination is 72.84.56.78. To do this, we will reuse our NAT from earlier but add a destination.

object network Web1-192.168.5.7
host 192.168.5.6

object network Web1-External-83.24.5.34
host 83.24.5.34

object network Destination-72.84.56.78
host 72.84.56.78

     nat (inside,outside) source static Web1-192.168.5.7 Web1-External-83.24.5.34 destination static Destination-72.84.56.78 Destination-72.84.56.78

Notice that I have colored the Destination both light blue and blue. This is because of how this NAT functions and which IP in the NAT talks to which IP. In this case, the inside address 192.168.5.7 is using the first object (IP) referenced in the Destination portion of the NAT. The same is true for the outside portion of the NAT which talks to the second object (IP) referenced in the Destination. Always understand this order as it helps if we need to do a full Twice NAT where we map our Destination as a different IP.

Let’c complicate the same NAT a bit and NAT our Destination to a different remote host. We will state that when our 192.168.5.7 address is destined to 72.84.56.78 that we want to map this to googles DNS Server 8.8.8.8.

object network Google-8.8.8.8
host 8.8.8.8

     nat (inside,outside) source static Web1-192.168.5.7 Web1-External-83.24.5.34 destination static Destination-72.84.56.78 Google-8.8.8.8

With this addition to our NAT, when our 192.168.5.7 is destined for 72.84.56.78, it will NAT 192.168.5.7 to 83.24.5.34. At the same time, it will NAT 72.84.56.78 to 8.8.8.8. By using this type of NAT, 8.8.8.8 will see our Web1 Server as 83.24.5.34 but our Web1 Server sourcing as 192.168.5.7 will think it is talking to 72.84.56.78.

Auto NAT:

Auto NAT is simpler to configure then Manual NAT and is mainly used for static NATs. We can perform PATs and other NAT types with Auto NAT but I would recommend that Auto NAT is only used for static NATs. As I stated before, these are processed in alphabetical order so if you try to make more specific port forwarding NATs etc with these, you may not get the outcome you want if you name your objects in the wrong alphabetical order.

Lets configure the same Static NAT we did earlier but with Auto NAT.

object network Web1-192.168.5.7
host 192.168.5.6
     nat (inside,outside) static 83.24.5.34

You will notice it took less configuration to get the same desired outcome for the Static NAT. This NAT is configured within your object that you specify your host or subnet that you wish to be NAT’d. I will only cover Static NAT for Auto NAT as this is really the only time we should use Auto NAT.

After-Auto NAT:

After Auto NAT is the last NAT to be processed on the ASA. Since this is the last NAT to be processed, these are generally used as a catch all PAT type of NAT. Lets configure a PAT where we take our entire 192.168.5.0/24 Subnet and NAT (PAT) it to 83.24.5.35.

object network Inside-Subnet
subnet 192.168.5.0 255.255.255.0
object network Default-PAT-Outbound
host 83.24.5.35

     nat (inside,outside) after-auto source dynamic Inside-Subnet Default-PAT-Outbound

Notice that this NAT looks a lot like the Manual NAT we did earlier except now we see the after-auto keyword. This is what makes a Manual NAT into an After-Auto NAT. I also changed the keyword static to dynamic which is what makes a NAT act as a PAT on the ASA. As with Auto-NAT, I will only cover PATs with After-Auto NATs as this is really the only time these should be used. Try to keep all of your more complicated NATs within Manual NATs since those are processed first and processed in configured order.

If you would like to know more or see more articles on NAT please let me know. You can contact me and I will do what I can to help.

The post Different ASA NATs 8.3+ appeared first on Think Netsec.