Jul 21, 2010

Configuring NAT on ASA/PIX

I've designed a network scenario where I could apply every NAT type supported by ASA/PIX. Below is what I got:

The address range has been assigned to the inside network (security-level 100) of the Branch Office. An ASA connects the network segments, and access to the Internet is provided via the outside interface (security-level 0). An MPLS network connects the Remote Offices, and the subnet has been assigned to them. A router running IOS Security controls the traffic coming from the MPLS network. Servers published to the Internet are located in the dmz (security-level 50), connected to a Nexus switch and using addresses within the range. There is another network segment named supp (security-level 60) connecting endpoints assigned to the subnet. Those hosts are used to perform RDP access to customers' environments, so the Company achieves compliance with security standards since all the actions taken through those hosts are monitored, recorded and can be audited. Still on the supp network, there is a segment with servers using the range. Finally, there is a dedicated link to a partner's network via the extranet interface (security-level 30). That partner uses the subnet, creating an overlap between their network and the Company's inside.

ASA/PIX provides several ways to configure NAT rules and lets us restrict the traffic that each rule matches, so we can go further than we can with routers. All the possibilities are listed below by priority:
Some of the listed types allow outside NAT (aka destination NAT). This translation type is useful when we want to translate traffic coming from an interface with a lower security level.

All the types are described below, with usage examples on the proposed scenario. Nat-control is enabled, so all the traffic coming from interfaces with a higher security level must match some NAT rule.

Traffic within the range does not have to be translated, except when it comes from the supp network. NAT Exemption rules have the highest priority, so the following configuration should be implemented:

asa(config)# access-list nat_exemption extended permit ip
asa(config)# nat (inside) 0 access-list nat_exemption
asa(config)# nat (dmz) 0 access-list nat_exemption

Connections between a DB server located in the supp network, assigned to the address, and another server located on the inside should be kept untranslated (Policy Static Identity PAT):

asa(config)# access-list supp_db_srv_nat extended permit tcp eq 1433 host eq 1433
asa(config)# static (inside,supp) tcp 1433 access-list supp_db_srv_nat

The server administrators ( perform remote access from inside to supp. This traffic should not be translated, which can be done with a Policy Static Identity NAT:

asa(config)# access-list inside_supp_srv_farm extended permit ip
asa(config)# static (inside,supp) access-list inside_supp_srv_farm

Internal users that want to reach some destination at the remote offices have their traffic forwarded to the ASA before it is routed to the MPLS network. As I demonstrated previously, NAT Exemption rules don't work for intra-interface traffic. Thus, we need to set a Regular Static Identity NAT:

asa(config)# static (inside,inside) netmask

This rule matches the whole inside network, performing a bidirectional one-to-one mapping, so when, for example, sends a message to, the source and destination addresses are kept untranslated. A Regular Static Identity PAT is not necessary, because that rule already matches traffic on any protocol and service. is a DNS server published to the Internet with a Policy Static PAT:

asa(config)# access-list dns_srv_nat extended permit tcp host eq 53 any eq 53
asa(config)# access-list dns_srv_nat extended permit udp host eq 53 any eq 53
asa(config)# static (dmz,outside) tcp 53 access-list dns_srv_nat
asa(config)# static (dmz,outside) udp 53 access-list dns_srv_nat

The server assigned to the address runs a system that periodically connects to the application development network ( Only those connections are allowed and translated. A Policy Static NAT rule is set for that traffic:

asa(config)# access-list app_srv_nat extended permit ip host
asa(config)# static (dmz,outside) access-list app_srv_nat

Port forwarding rules (Regular Static PAT) are set to publish Web services on the server: TCP/8080 and TCP/443 are mapped to TCP/80 and TCP/443, respectively. The server runs several services and is published on any protocol/port (Regular Static NAT):

asa(config)# static (dmz,outside) tcp 80 8080 netmask
asa(config)# static (dmz,outside) tcp 443 443 netmask
asa(config)# static (dmz,outside) netmask

The overlap between inside and the partner network is solved using an Outside Regular Static NAT and a Regular Static NAT:

asa(config)# static (extranet,inside) netmask outside
asa(config)# static (inside,extranet) netmask

Hosts located in the network supp are mapped to while RDPing to customer's devices (Policy Dynamic PAT):

asa(config)# access-list supp_host_rdp extended permit tcp host any eq 3389
asa(config)# nat (supp) 3 access-list supp_host_rdp
asa(config)# global (outside) 3

DB servers located in the dmz connect to the server using the address. This is an Outside Policy Dynamic NAT (aka bidirectional NAT) because the dmz interface has a lower security level than supp:

asa(config)# access-list dmz_supp_db_srv_nat extended permit tcp any eq 1433 eq 1433
asa(config)# nat (dmz) 5 access-list dmz_supp_db_srv_nat outside
asa(config)# global (supp) 5

All the servers in the subnet have HTTPS access to the Internet using a unidirectional one-to-one dynamic translation (Policy Dynamic NAT). However, only 254 public addresses are available:

asa(config)# access-list supp_srv_farm_nat extended permit tcp any eq https
asa(config)# nat (supp) 4 access-list supp_srv_farm_nat
asa(config)# global (outside) 4

A range with 20 addresses has been defined so that devices of the subnet have access to the Internet (Regular Dynamic NAT). Thus, only the first 20 hosts performing outbound connections would be mapped. This is a unidirectional one-to-one mapping:

asa(config)# nat (supp) 2
asa(config)# global (outside) 2

All the outbound traffic from inside to the Internet is translated to the outside interface address. This is a Regular Dynamic PAT, also known as overload (as is any other type of Dynamic PAT):

asa(config)# nat (inside) 1
asa(config)# global (outside) 1 interface
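The examples above only work as intended because the ASA consults the rule categories in a fixed order (NAT exemption first, then static NAT/PAT, then policy dynamic NAT, then regular dynamic NAT by best prefix match) and, with nat-control on, drops high-to-low traffic that matches nothing. The following Python model is an added example, not Cisco code and not the configuration of this post: it reproduces that pre-8.3 selection logic over a constructed rule set, so you can predict which rule a given flow hits, whether it is translated, kept untranslated, or dropped, before touching the box. The security levels are those of the interfaces in the scenario; every address, rule name and flow is constructed for the demo, and the `Flow`, `AclEntry`, `NatRule`, `select_rule` and `disposition` names are this example's own.

```python
"""Toy model of NAT rule selection on a pre-8.3 ASA/PIX with nat-control.
Added example, not Cisco code: applies the documented order of operations (NAT
exemption, static NAT/PAT, policy dynamic NAT, regular dynamic NAT by best prefix
match) and the nat-control drop.  Addresses and rules below are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Security levels of the interfaces named in the post.
SECURITY = {"inside": 100, "supp": 60, "dmz": 50, "extranet": 30, "outside": 0}
# Rule categories in the order the ASA consults them (lower wins).
EXEMPTION, STATIC, POLICY_DYNAMIC, REGULAR_DYNAMIC = 0, 1, 2, 3

@dataclass
class Flow:
    ingress: str  # interface the first packet arrives on
    egress: str   # interface it is routed out of
    proto: str    # "tcp" or "udp"
    src: str
    dst: str
    dport: int

@dataclass
class AclEntry:  # one ACE of a policy-NAT access-list (subset this toy understands)
    proto: str                  # "ip", "tcp" or "udp"
    src: str                    # CIDR or "any"
    dst: str                    # CIDR or "any"
    dport: Optional[int] = None

    @staticmethod
    def _in(net: str, addr: str) -> bool:
        return net == "any" or ip_address(addr) in ip_network(net)

    def matches(self, f: Flow) -> bool:
        return (self.proto in ("ip", f.proto) and self._in(self.src, f.src)
                and self._in(self.dst, f.dst)
                and (self.dport is None or self.dport == f.dport))

@dataclass
class NatRule:
    name: str
    category: int
    real_if: str
    mapped_if: str
    real_net: str    # addresses being translated
    mapped_net: str  # what they are translated to (equal to real_net => identity)
    acl: List[AclEntry] = field(default_factory=list)  # policy rules only

    def matches(self, f: Flow) -> bool:
        # Forward direction: the packet enters on the real side.
        if (f.ingress, f.egress) == (self.real_if, self.mapped_if):
            if self.acl:
                return any(e.matches(f) for e in self.acl)
            return ip_address(f.src) in ip_network(self.real_net)
        # Exemption and static rules are bidirectional: a packet entering on the
        # mapped side may target the mapped address (policy ACL not modelled here).
        if (self.category in (EXEMPTION, STATIC)
                and (f.ingress, f.egress) == (self.mapped_if, self.real_if)):
            return ip_address(f.dst) in ip_network(self.mapped_net)
        return False

def select_rule(f: Flow, rules: List[NatRule]) -> Optional[NatRule]:
    """Rule the ASA would apply to the first packet of f, or None."""
    for cat in (EXEMPTION, STATIC, POLICY_DYNAMIC):
        for r in rules:  # first match in configuration order
            if r.category == cat and r.matches(f):
                return r
    # Regular dynamic NAT: best (longest-prefix) match, regardless of order.
    hits = [r for r in rules if r.category == REGULAR_DYNAMIC and r.matches(f)]
    return max(hits, key=lambda r: ip_network(r.real_net).prefixlen, default=None)

def disposition(f: Flow, rules: List[NatRule], nat_control: bool = True):
    """Return (action, rule name): translate, identity, drop or untranslated."""
    r = select_rule(f, rules)
    if r is not None:
        return ("identity" if r.real_net == r.mapped_net else "translate", r.name)
    if nat_control and SECURITY[f.ingress] > SECURITY[f.egress]:
        return ("drop", "nat-control: no matching NAT rule")  # high-to-low, no rule
    return ("untranslated", None)

# Constructed rule set; the dmz dynamic rule is listed before the dmz static one
# on purpose, to show that category, not configuration order, decides.
RULES = [
    NatRule("nat (inside) 0 access-list nat_exemption", EXEMPTION, "inside", "dmz",
            "10.1.0.0/16", "10.1.0.0/16", [AclEntry("ip", "10.1.0.0/16", "10.3.0.0/24")]),
    NatRule("static (inside,inside) identity", STATIC, "inside", "inside",
            "10.1.0.0/16", "10.1.0.0/16"),
    NatRule("nat (dmz) 1 / global (outside) 1 interface", REGULAR_DYNAMIC, "dmz",
            "outside", "0.0.0.0/0", "203.0.113.1/32"),
    NatRule("static (dmz,outside) web server", STATIC, "dmz", "outside",
            "10.3.0.5/32", "203.0.113.5/32"),
    NatRule("nat (inside) 1 / global (outside) 1 interface", REGULAR_DYNAMIC, "inside",
            "outside", "0.0.0.0/0", "203.0.113.1/32"),
    NatRule("nat (inside) 2 / global (outside) 2 pool", REGULAR_DYNAMIC, "inside",
            "outside", "10.1.5.0/24", "203.0.113.32/27"),
    NatRule("nat (supp) 3 access-list supp_host_rdp", POLICY_DYNAMIC, "supp", "outside",
            "10.2.0.0/24", "203.0.113.70/32", [AclEntry("tcp", "10.2.0.0/24", "any", 3389)]),
]
```

Call `disposition(Flow("dmz", "outside", "tcp", "10.3.0.5", "198.51.100.10", 443), RULES)` and the static rule wins even though the dmz dynamic rule precedes it in the list; a supp host on any port other than 3389 hits no rule and is reported as dropped by nat-control, while the same call with `nat_control=False` passes it untranslated, which is the difference that decides whether a forgotten NAT rule fails closed or open.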

There is an interesting example of Policy Static NAT described in the Cisco article below:

PIX/ASA 7.x and Later: LAN-to-LAN IPsec VPN with Overlapping Networks Configuration Example

asa(config)# end
asa# wr mem


  1. Brilliant, helped me figure out a lot of stuff! There is one mistake however:

    Hosts located in the network supp are mapped to while RDPing to customer's devices (Policy Dynamic PAT):

    asa(config)# access-list supp_host_rdp extended permit tcp host any eq 3389
    asa(config)# nat (supp) 3 access-list supp_host_rdp
    asa(config)# global (outside) 3

    I think you meant global (inside) here.

    1. Thank you TheGrave! It's good to know this article is helpful!

      In my example, the customers are reachable through the Internet, that's why I used the outside interface. Note that I didn't use Internet routable addresses on the diagram.

  2. I like your blog post. Keep on writing this type of great stuff. I'll make sure to follow up on your blog in the future.
    ISDN Configuration