This article assumes prior knowledge of each of these concepts. If you need a refresher, please check out the article series. There are two sets of syntax available for configuring address translation on a Cisco ASA. The syntax for both makes use of a construct known as an object. The configuration of objects involve the keywords real and mapped. In Part 1 of this article we will discuss all five of these terms. An object is a construct which represents any single item in your network environment.
Two types of objects can be configured:. To configure a network objectfirst use the following syntax to create the object:. To create a network object which represents your Inside network, you would use the following syntax:. Lastly, to create a network object which represents a particular IP address range, you would use the following syntax.
This will define a range that includes all five IP addresses in the inclusive range of To configure a service objectfirst use the following syntax to create the object:. The content of the service object must include at least a protocol, and can also include a source port, destination port, or both.
Here are examples of all four possibilities:. The specific port number the object represents can be identified using certain operators — the example above uses eq and gt. Five different operators exists:. The show run object command lists the objects essentially as they were configured above:. And the show run object in-line command displays the same as above, except every object definition will be on the same line as the object name:.
These terms can be applied to IP addresses or interfaces. We will define these with the example of a Static NAT below:. The word real indicates what is really configured on a server. For example, the web server at the IP address.
Hence, Hence, for the translation above, the Inside interface is considered the real interface. The word mapped indicates attributes after a translation has occurred. For example, the real address Which makes Hence the Outside interface is considered the mapped interface. Another way to remember it is the mapped attributes only exist because the ASA created them, whereas the real attributes exist despite any configuration on the ASA. We discussed the configuration of Objects because Auto NAT is configured within the Object definition, and we discussed the keywords Real and Mapped because the syntax uses these terms to designate the addresses involved in the translation.
With those items defined, we can finally discuss the definition and syntax of Auto NAT. This is the syntax for Auto NAT is as follows remember, this will be applied within the object definition :. Consequently, Auto NAT can only be configured directly within an object. The real-IP This is a complete example configuration of a Dynamic PAT for the Inside segment from the image above.
The real-ip addresses in the Something that has always made NAT somewhat confusing to work with is overlapping terminology. The first screenshot is from the ASA 9.
The second screenshot is show output from an ASA that has the items referenced in the documentation snippet configured. This section is intended to help with that as best as I can. Overall there are two categories where the terminology can be a bit confusing.
The first is items referred to with one term in the documentation, and a different one in the device. They are exactly the same thing. This is used in situations where you would be performing NAT for most traffic flows, but you want to exempt speicifc destinations from translations.
The term policy means setting the condition based on a specific destination. These types of connectivity typically call for the customer server to be seen as coming from a specific Mapped address. Object network Server-A-In host Object network Server-A-Out host host These two statements produce the exact same end result.
So the term destination NAT is really a matter of perspective. This is really very straightforward, but it can be a bit counter-intuitive at first. Object network server-web host The intuitive thing would be to consider that an internet user would use the address Since the object can only have one real address, but potentially many mapped addresses, it makes sense for the ACL logic work this way. In fact, using objects and object groups in Access-control lists instead of bare ip addresses is quite handy.
If you get in the mindset of working with objects instead of addresses which are the properties of an objectthe operational logic of the ASA then becomes more intuitive.
My goodness, where does the time go. Skip to content Hello! Contents 1 Notes on confusing terminology 1. Share this: Twitter Facebook.Troubleshooting connect with Packet Tracer on FTD
Like this: Like Loading Leave a Reply Cancel reply.Each computer and device within an IP network is assigned a unique IP address that identifies the host. Because of a shortage of public IPv4 addresses, most of these IP addresses are private, not routable anywhere outside of the private company network. RFC defines the private IP addresses you can use internally that should not be advertised:.
NAT replaces a private IP address with a public IP address, translating the private addresses in the internal private network into legal, routable addresses that can be used on the public Internet. In this way, NAT conserves public addresses because it can be configured to advertise at a minimum only one public address for the entire network to the outside world.
Security—Keeping internal IP addresses hidden discourages direct attacks. Flexibility—You can change internal IP addressing schemes without affecting the public addresses available externally; for example, for a server accessible to the Internet, you can maintain a fixed IP address for Internet use, but internally, you can change the server address.
NAT is not required. If you do not configure NAT for a given set of traffic, that traffic will not be translated, but will have all of the security policies applied as normal. The following topics explain some of the basics of NAT. Note that you can translate any network connected to the device, not just an inside network. During address translation, IP addresses configured for the device interfaces are not translated.
Bidirectional initiation—Static NAT allows connections to be initiated bidirectionallymeaning both to the host and from the host. You can implement NAT using the following methods:. Only the real host can initiate traffic. See Dynamic NAT. See Dynamic PAT. Allows bidirectional traffic initiation. See Static NAT. You might want to configure NAT this way when you want to translate a large group of addresses, but then want to exempt a smaller subset of addresses.
See Identity NAT. The following figure shows a typical NAT example in routed mode, with a private network on the inside. When the inside host at We have two ASA X in the network for internal and external. A DMZ switch sits in between the two firewalls. Following is the link having configuration example.
Buy or Renew. Find A Community. Cisco Community. Turn on suggestions. Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type. Showing results for. Search instead for. Did you mean:. All Community This category This board. X - All forum topics Previous Topic Next Topic. Hi, Following is the link having configuration example. Post Reply.
Preview Exit Preview. You must be signed in to add attachments. Additional options Associated Products. You do not have permission to remove this product association. Latest Contents. Created by pablohernandez on PM. Checking this flo Created by Vibhor Amrodia on PM.You might want to do this if the remote end of the VPN connection can handle your internal addresses.
However, this works only if your local protected network is connected through a single routed interface not a bridge group member.
Exempting Site-to-Site VPN Traffic from NAT
If instead, the local networks in the connection reside behind two or more routed interfaces or one or more bridge group members, you need to configure the NAT exempt rules manually. Then, apply NAT to the traffic when the destination is anything else for example, the Internet.
If you have more than one interface for the local network, create rules for each interface. Also, consider the following suggestions:. Consider the following example, which shows a site-to-site tunnel connecting the Boulder and San Jose offices. For traffic that you want to go to the Internet for example from However, for traffic that you want to go over the VPN tunnel for example from Identity NAT translates an address to the same address.
The following example explains the configuration for Firewall1 Boulder. The example assumes that the inside interface is a bridge group, so you need to write the rules for each member interface.
The process is the same if you have a single or multiple routed inside interfaces. The manual identity NAT rule would be for 'sanjose-network' when the destination is boulder-network. Create new interface objects for the Firewall2 inside and outside networks. The manual dynamic interface PAT rule would be for 'sanjose-network' when the destination is "any. In the CDO navigation bar at the left, click Objects.
Identify the Boulder inside network. Enter the object name for example, san-jose.
Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager, Version 6.1
Click Add. Select Use Destination. Leave all of the port fields blank. This rule configures identity NAT for both source and destination.
Repeat the process to create equivalent rules for each of the other inside interfaces. However, the configuration is shown here for completeness.
Before completing these steps, check whether a rule already exists that covers the inside interface and network, and skip this step if it does. If you are also managing Firewall2 San Joseyou can configure similar rules for that device.In my opinion this is one of those topics where the difficulty level can be measured by the quality of your foundation knowledge. The actual configuration syntax is easy to learn and work with. So you only have to learn it once for both platforms, nice right?!?
This baseline will give NAT syntax and semantics their context, so please at least skim it.
You can always come back to it as needed. For the purpose of working with NAT, I find it helpful to visualize this in a left to right fashion like this:. A conversation between two hosts can be seen as two unidirectional Flows were the IP addresses and Ports are a mirror image in the reverse direction. A stateful firewall recognizes these mirror image flows and identifies them as related. This simplifies usage — we only have to define our traffic rules in one direction, and the firewall can imply how the return traffic should be processed.
This logic also applies to NAT. If you define the flow in one direction, the NAT engine in the firewall processes the mirror image packets to look for a match. TCP outside I think of it as the microwave popcorn button of NAT.
We define a network object, then attach a NAT statement to the object that tells that firewall what translation we want to perform based on the source and destination interface. Object network Server-A host Original packet: [ Host Nat inside ,outside — The source ip address is coming from the inside interface of the router, and the destination ip address is on the outside interface of the router.
Static — The source and destination address will be linked together in a fixed relationship. This is most commonly used for servers that require a fixed public mapped ip address.Section 1 rules are applied first, then section 2, and finally section 3, until a match is found. For example, if a match is found in section 1, sections 2 and 3 are not evaluated.
The following table shows the order of rules within each section. Applied on a first match basis, in the order they appear in the configuration.
Configure and Verify NAT on FTD
Because the first match is applied, you must ensure that specific rules come before more general rules, or the specific rules might not be applied as desired. If a match is still not found, section 3 rules are applied on a first match basis, in the order they appear in the configuration.
This section should contain your most general rules. You must also ensure that any specific rules in this section come before general rules that would otherwise apply.
For section 2 rules, for example, you have the following IP addresses defined within network objects:. If a match in section 1 is not found, section 2 rules are applied in the following order: Static rules. Dynamic rules. Within each rule type, the following ordering guidelines are used: Quantity of real IP addresses—From smallest to largest.
For example, an object with one address will be assessed before an object with 10 addresses. For quantities that are the same, then the IP address number is used, from lowest to highest. For example, If the same IP address is used, then the name of the network object is used, in alphabetical order.
For example, object "Arlington" is assessed before object "Detroit.