NAT on a PIX/ASA

NATting sucks and can be confusing. I’m sure everyone agrees with that, but you have to use it sometimes. On a PIX/ASA, a simple setup is easy to configure, but NAT can get super-complicated in larger networks. In a simple lab, we have set up an ASA with inside and outside interfaces, with the inside as your internal network and the outside as the Internet.

The NAT setup here is easy.

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

This NATs everyone on the inside (0.0.0.0 with a mask of 0.0.0.0, or 0/0) to the IP of the outside interface (overload in the IOS world). The nat command says who gets NATted; the global command says what they get NATted to. Notice the number “1” in both commands; this is the NAT group and allows you to have some flexibility in your NAT strategy. In essence, if you match a nat line with a “1” in it, you’ll be matched to a “1” on the global list.

What if you add a DMZ interface and don’t want to NAT when your inside network talks to it? That, my friend, is a little more complicated. We’ll assume your internal network is 10.0.0.0/24 and your DMZ is 192.168.0.0/24.

access-list NONAT permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0

nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0

global (outside) 1 interface

That was painful, but what did it do? That’s a very good question.

We have multiple nat lines on the inside, so the firewall starts at the top and works its way down (there are exceptions). The first nat line has a group of 0, which is very special: if you match group 0, you are not NATted at all, and your connection is passed as-is with no changes. In our second example, you match if the ACL matches, so if you’re going from the inside network to the DMZ, you won’t be NATted. If your connection didn’t match this line (like you’re downloading porn from the Internet), the firewall goes to the next line, which says to NAT everyone to group 1 just as we did in the first example.

Another twist here is the “nat (dmz) 1 0.0.0.0 0.0.0.0” line. This says that anything from the DMZ is NATted to group 1 just as the inside traffic is.

So, if the inside network connects to the DMZ, it doesn’t get NATted. If the inside goes to the Internet, it gets NATted to the outside IP of the firewall. If the DMZ connects to the Internet, it gets NATted to the outside IP as well, but what if the DMZ connects to the inside? That’s another story. 🙂
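To make the lookup order concrete, here is a small Python model of the pre-8.3 nat/global matching walked through above. It is an added example, not the post’s own code or anything from Cisco; it uses the post’s interface names, ACL and networks, the outside interface address 203.0.113.2 is a constructed placeholder, and it treats the open DMZ-to-inside case as “a nat line matched but no global with that group exists on the egress interface”, which is the model’s assumption rather than something the post states.

```python
# Toy model of pre-8.3 PIX/ASA nat/global lookup (added example, not Cisco code).
import ipaddress

# Constructed lab addressing; only "outside" matters for "global ... interface".
INTERFACE_IP = {"inside": "10.0.0.1", "dmz": "192.168.0.1", "outside": "203.0.113.2"}
INTERFACE_NET = {"inside": "10.0.0.0/24", "dmz": "192.168.0.0/24", "outside": "203.0.113.0/24"}

# access-list NONAT permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
ACLS = {"NONAT": [("10.0.0.0/24", "192.168.0.0/24")]}

# nat (ifc) <group> <net> | access-list <name>; evaluated top-down per ingress interface
NAT_LINES = [
    ("inside", 0, "access-list", "NONAT"),
    ("inside", 1, "net", "0.0.0.0/0"),
    ("dmz", 1, "net", "0.0.0.0/0"),
]
# global (ifc) <group> interface
GLOBALS = [("outside", 1, "interface")]

def acl_permits(name, src, dst):
    return any(src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d)
               for s, d in ACLS[name])

def egress_interface(dst):
    """Choose the egress interface by connected network; anything else leaves via outside."""
    for ifc, net in INTERFACE_NET.items():
        if dst in ipaddress.ip_network(net):
            return ifc
    return "outside"

def translate(ingress, src_ip, dst_ip):
    """Return (outcome, detail): 'exempt', 'pat' with the new source IP, or 'no-global'."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    egress = egress_interface(dst)
    for ifc, group, kind, arg in NAT_LINES:
        if ifc != ingress:
            continue
        if kind == "access-list":
            matched = acl_permits(arg, src, dst)
        else:
            matched = src in ipaddress.ip_network(arg)
        if not matched:
            continue
        if group == 0:                          # nat 0: connection passed as-is
            return ("exempt", str(src))
        for gifc, ggroup, pool in GLOBALS:      # same group number on the egress interface
            if gifc == egress and ggroup == group:
                new_src = INTERFACE_IP[egress] if pool == "interface" else pool
                return ("pat", new_src)
        return ("no-global", egress)            # nat line matched, no global for this egress
    return ("no-nat-line", str(src))
```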

Aaron Conaway

I shake my head around sometimes and see what falls out. That's what lands on these pages.


3 comments for “NAT on a PIX/ASA”

  1. October 27, 2009 at 11:10 pm

    great article – been using pix for years and hadn’t seen an explanation as nice as this 🙂

  2. November 3, 2009 at 5:05 pm

    Thanks, Mark. I appreciate the compliment!

  3. Adrian
    May 31, 2010 at 5:12 pm

    I was doing a search to find out if people were happy with the way they do NAT with the PIXs/ASAs, and I found several blogs where people are not happy with the syntax. Well, I think Cisco heard you all. Now Cisco has changed the design; in my opinion the old way (5.x to 8.2x versions) was great. I think it was a smart way of doing NAT, it just needed some time to learn it; for me it was easy and fun, and I managed ASAs with dozens of NAT rules.

    Now… the new way of doing NAT with NETWORK OBJECT NAT. Well, just by looking at the syntax:
    http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html#wp51731

    and the fact that all these “old” commands:
    • alias
    • global
    • nat (old version)
    • nat-control
    • static
    • sysopt nodnsalias

    are no longer available…

    Well, I prefer the old way. I don’t like Cisco changing things just to please people that find things “hard to understand”…
