How to Use NAT and Auto-NAT on ASA
Quick Definition: Network Address Translation, also known as NAT, is a method of swapping out network address information in the header of IP packets. There are many reasons for doing NAT, but in effect the process hides the true source of internet traffic. NAT is performed by traffic routing devices, devices that execute rules written by network administrators. More "intelligent" devices can follow more complex rules for handling network addresses.
What is a Cisco ASA?
Quick Definition: Adaptive Security Appliances, or ASAs, are cybersecurity devices sold by Cisco. ASAs are multi-purpose security devices and their behavior can be modified to provide you with excellent, custom network security.
An Overview of Using NAT on ASA [VIDEO]
In this video, Keith Barker covers NAT on ASA v8.3 and higher. Keith manually demonstrates configuring auto or object NAT, manual NAT and the three sections in the NAT table: manual NAT in first position, auto NAT in second, and then manual NAT that’s been pushed to third.
Why is NAT Necessary?
Most devices on internal networks don't have globally routable addresses. Not only are there not enough IP addresses to give every smartphone and printer in the world to have its own public address, but there are plenty of other, security-minded reasons not to make every device reachable.
Most devices on internal networks have what are called RFC1918 address spaces, which are private address spaces. These are addresses that start with "10.0.0.", "192.168.", or "172.16.". One of the things NAT does is make it possible for those devices, despite their private addresses, to reach the internet and get responses.
How to Practice Your Network Address Translation Skills
If you're practicing with NAT, you may find having a real or simulated network environment you can work within and tweak very helpful. As we wrote this post, we created our own simulated networks and devices. We're assuming that you have a way to simulate or configure a network, even a simple one, as we proceed.
Also, for our purposes, when we talk about our destination server, R2, we've put it on a network at 192.168.1.171 /24, and we're imagining it's a public, global server. You may find it beneficial to do the same when you practice your NAT concepts. That's just so that the internet will play nicely with us and the routes that we practice.
What is an Object in an ASA?
An object is like an alias. It's a way for the ASA to refer to some item, such as a subnet, or a pool of addresses. An object is a lot like a shortcut sitting on your desktop. You click the shortcut and it goes to something else.
Inside the ASA, we can have an object that's referring to the entire 10.0.0.x network. Or if we had a pool of addresses that we wanted to set aside for use, for instance, 192.168.1.51 – 192.168.1.100, we can have an object that refers to that pool of addresses.
Once we set up those objects, we can refer to them simply by modifying the object inside the ASA's interface. One nice thing about working with ASDM, the GUI for ASAs, is that we can also, almost as an afterthought, say, "Oh by the way, as I manipulate the objects in the 10.0.0.x network, let's go ahead and tie NAT to the object."
For purposes of our explanation, we're assuming you've created objects on your ASA. We've created objects for our 10.0.0.x network, for the pool of addresses we want our network to use while on the Internet, the machine we're using on the network, and more, which we'll cover below.
What's the Difference between Auto-NAT and Object NAT?
There's no effective difference between Auto-NAT and Object NAT. They're different names for the same process: when you configure a NAT rule directly onto the object.
What are the Three Sections of NAT?
The three sections of NAT are "Manual NAT" in the first position and take precedence over all the others. These happen first, then "Auto-NAT" rules are in the second position. Last is the third section where "Manual NAT" rules that have been purposely pushed behind the auto-NAT rules happen.
How to Create Auto-NAT Rules on An ASA
Using ASDM to configure the ASA, expand "Objects" (in the left sidebar). Select the sub-heading "Network Objects/Groups".
In this area exist the network objects that have been created. Depending on what network objects you've created, you may see networks, pools of addresses, and devices here. Double-clicking one of the aliases will provide details of the network. We're starting with the object we've created for the 10.0.0.x network.
At the bottom of the window that appears is a drop-down that reads "NAT". Clicking it will give you the option to configure NAT for that network object – that's Auto-NAT. Clicking "Add Automatic Address Translation Rules" will start auto-NAT.
Once there, change "Type" to "Dynamic".
Then, click "…" next to "Translated Addr:". Here, you'll be instructing where to find the pool of addresses to perform dynamic translation to.
Grab the object representing the pool. In our case, we titled it "outside-pool", and it gives a description that this is a pool of IP addresses in the range of 192.168.1.51-100.
Double-click that and press OK. That generates everything you need.
A great thing about working in the ASA GUI, ASDM, is that it allows you to preview the code that will be sent to the command line for you. In this case, the code we see reads:
object network inside_10 nat dynamic outside-pool
In English, these two lines translate to, "Whenever you see this network object called 'inside_10'" and "Use NAT dynamically, and use the range of addresses called 'outside_pool' for it."
Notice that we didn't have to specify source interface or destination interface. Those are options but not required. Click okay and you're done. You've now got an auto-NAT setup.
How Do You Verify Your Auto-NAT Rules Are Working?
In the left sidebar, click "NAT Rules". If everything's gone right, you should now see a table of NAT rules. If this is your first NAT rule, it's a table of one. The rule we just made should be there saying that traffic from any interface to any other interface, if it's sourced from the 10.0.0.x network, should be added to the outside pool.
That's verifying that the rule is written, but to verify that it's doing its job, bring up the ASA's CLI.
This makes sure you're on clear ground.
This makes sure there are no translations currently in use.
You should see that you're in section 2.
Now, you might be saying, "Hold on! I wanted the good seats! I don't want to be sent off to section 2." But here's how it works: any time we create auto-NAT or object-NAT as they're used interchangeably, it's going to put that rule in Section 2 of this table. If we want to create manual NAT rules, we can put those in Section 1, above the Auto-NAT, or we can push them to the end after the Auto-NAT, which we'll do in a moment.
Now that we've seen that ASDM understands the rule, and that the ASA has it registered, let's see if it actually works.
Open a browser and navigate to the internet, visit a website. You should get the internet, and if you do, head back to the CLI and once again enter
You should see: a translation for a host at 10.0.0.51, a translated address of 192.168.1.58, which remember is our globally routable server for this demonstration, a flag of "i”, which means it was dynamic from a dynamic network address translation rule, and that it has been up for about five seconds.
Like we said before, there's effectively no difference between Auto-NAT and Object NAT. In fact, if you were to go to NAT rules and add a new rule, you'd see the same menu.
To do that, go to NAT Rules in the left sidebar and click "Add" in that window, then select "Add "Network Object" NAT Rule…". This brings up an interface that asks, "Do you want to create a network object, and by the way do you want to create a NAT rule for this network object?"
How to Write a Manual NAT Rule to Override an Auto NAT Rule
Let's imagine a scenario in which we wanted to override the network behavior. An example of when we'd want to create a manual rule and have it run before the object NAT would be if we wanted a PC on our 10.0.0.x network, whenever it's going to a specific destination, then and only then, to use a specific, different IP address for the translation.
For our purposes, you'll want to either have or imagine you have a server set up at 192.168.1.253. We named ours at that address R2.
The rule we want to imagine would instruct the ASA that, "If this host (our client) is headed to R2, then NAT to 192.168.1.101 rather than one of the available pool addresses."
We can do that with a Manual NAT rule that sits at the top of the stack. It goes in Section 1, the top of our three sections, with Auto-NAT in the middle at Section 2. Doing so, means our manual NAT would happen first, sort of like Policy NAT in the good ol' days.
To do that, bring up your device. First, verify the IP address. You should also telnet into your R2. Once you've done so, use "who" command to inspect what the IP address of the host machine is. It should be one of the addresses from the pool. In our case, it's 192.168.1.72, which is between .51-.100 and therefore following our Section 2 rule. But if we change the rules, we'll see a different address. Once you've confirmed all this, type "exit".
Go back to ASDM. Because we're going to create a manual rule, click NAT Rules in the left sidebar, then "Add", and "Add NAT Rule Before "Network Object NAT Rules".
In the window that opens next, leave the value for "Source Interface" as "Any".
For source address, select the object that represents the machine you're on.
For "Destination Address", find the object that represents the destination you're specifying. In this case, our R2. If it doesn't exist, you can create the object at this step. Leave "Source NAT Type" as "Static Translation".
Under Source Address, select the object that represents the source IP address you want to use, which in our case is 192.168.1.101.
Applying that rule will bring a CLI preview again:
nat 1 source static cbtn_local_IP Cbtn-global-101_address destination static R2_real_address R2_real_address
Translated to English, this command says, "If traffic is coming from CBT Nuggets' local IP address, go ahead and translate it to the global address if the destination address is the IP address of R2." And we're not doing Destination NAT here, not changing the destination of the IP packet, just the source on a set of conditions. That's manual NAT.
If you have the NAT Rules window open, you should see that this new route has taken a higher position on the table of rules.
Now if we take a look at the CLI, it gets fun. "show nat" will now present two sections. Section 1 is Manual NAT, like our policy NAT that we just created. If there's no match there, the second set of rules will be the auto-NAT. The third section (which is empty for now) is, again, manual rules that we can push to the bottom.
How Do You Verify Your Manual NAT Rules Are Working?
Demonstrating the manual NAT rules is the same as testing auto-NAT rules: checking your IP address at each step of the way. Go back to the CLI and telnet to the R2. Type the command:
This will display the source IP addresses of anyone logged in. The device you're on should now be appearing to come from 192.168.1.101, because the manual rule is overriding the automatic rule and pool of available IP addresses.
How to Push a Manual Rule Behind Auto-NAT Rules
If you wanted to put a manual policy at the end, say for when there aren't matches in the first set of policies or the auto-NAT, it's possible to create a third policy.
This is another time when the ASA interface, ASDM, is great: just select the rule and push the down arrow that's in the menu at the top of the NAT Rules window. That'll move the policy rule downward on the table. Then press "Apply".
When your CLI preview window appears, you should see something a lot like this:
no nat 1 nat after-auto 1 source static cbtn_local_IP Cbtn-global-101_address destination static R2_real_address R2_real_address
The key thing to pay attention to is the "after-auto" part. ASDM has simply added the keywords "after-auto", which moves the manual policies to the bottom after section 2.
To check this, go back to your command line and type "show nat". You should still see two sections, but Section 2 should now be first, and Section 3 should come after it.
If configuring ASAs to perform Network Address Translation is something you need to master, all the information from this post can be found within the CCNP Security training at CBT Nuggets — where destination NAT and many other options are available.