1. Dynamic NAT (dynamic one-to-one)
Example one:
Traditional configuration method:
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 202.100.1.100-202.100.1.200
New configuration method (network object NAT):
object network outside-nat-pool
 range 202.100.1.100 202.100.1.200
object network inside-network
 subnet 10.1.1.0 255.255.255.0
object network inside-network
 nat (inside,outside) dynamic outside-nat-pool
Example two:
object network outside-nat-pool
 range 202.100.1.100 202.100.1.200
object network outside-pat-address
 host 202.100.1.201
object-group network outside-address
 network-object object outside-nat-pool
 network-object object outside-pat-address
object network inside-network
 nat (inside,outside) dynamic outside-address interface
(Translation order: first dynamic one-to-one from 202.100.1.100-202.100.1.200, then dynamic PAT on 202.100.1.201, and finally dynamic PAT on the outside interface address once those are exhausted.)
The advantage of this configuration, as the original author points out, is that the new nat command binds the source and destination interfaces together, so the traditional problem of a nat (inside) rule also affecting traffic to the DMZ no longer arises (in the old syntax a nat 0 rule plus an ACL was needed to exempt that traffic).
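The fallback order described for example two (pool first, then the PAT host, then the interface), modelled as an added Python example; this is not ASA code and not part of the original notes. Each translate() call stands for a new connection from an inside host; the port range and the outside interface address (203.0.113.1) are constructed placeholders, and the page does not give the real interface IP.

```python
# Added example (not ASA code): a small model of the fallback order that the
# object-group dynamic NAT rule above implies. Each call to translate() is a new
# connection from an inside host: the host keeps a one-to-one mapping while
# pool addresses remain, later hosts share the PAT host address, and once its
# ports are used up the interface address is used for PAT.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def address_range(first: str, last: str) -> List[str]:
    """Expand an ASA 'range A B' object into its individual addresses."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


@dataclass
class DynamicNatPolicy:
    pool: List[str]                  # range object: used one-to-one, in order
    pat_address: str                 # host object: dynamic PAT once the pool is empty
    interface_address: str           # 'interface' keyword: last-resort PAT address
    # Constructed: a tiny port range so PAT exhaustion is visible in the demo.
    pat_ports: range = field(default_factory=lambda: range(1024, 1028))
    _one_to_one: Dict[str, str] = field(default_factory=dict)   # real -> mapped
    _pat_used: Dict[str, int] = field(default_factory=dict)     # mapped -> ports used

    def translate(self, real_ip: str) -> Tuple[str, Optional[int]]:
        """Return (mapped_ip, mapped_port); port is None for a one-to-one mapping."""
        if real_ip in self._one_to_one:            # an existing xlate is reused
            return self._one_to_one[real_ip], None
        in_use = set(self._one_to_one.values())
        for mapped in self.pool:                   # step 1: dynamic one-to-one
            if mapped not in in_use:
                self._one_to_one[real_ip] = mapped
                return mapped, None
        for mapped in (self.pat_address, self.interface_address):  # steps 2 and 3
            used = self._pat_used.get(mapped, 0)
            if used < len(self.pat_ports):
                self._pat_used[mapped] = used + 1
                return mapped, self.pat_ports[used]
        raise RuntimeError("all pool addresses and PAT ports are exhausted")


def demo() -> Dict[str, Tuple[str, Optional[int]]]:
    """One new connection from each of 107 inside hosts, in address order."""
    policy = DynamicNatPolicy(
        pool=address_range("202.100.1.100", "202.100.1.200"),   # 101 addresses
        pat_address="202.100.1.201",
        interface_address="203.0.113.1",   # constructed placeholder for the outside interface IP
    )
    return {f"10.1.1.{i}": policy.translate(f"10.1.1.{i}") for i in range(1, 108)}


if __name__ == "__main__":
    for real, (mapped, port) in demo().items():
        print(real, "->", mapped if port is None else f"{mapped}:{port}")
```

Running the demo shows hosts 10.1.1.1 through 10.1.1.101 taking the 101 pool addresses one-to-one, the next four connections sharing 202.100.1.201 with distinct ports, and the remaining ones landing on the interface address; on a real ASA the PAT port range is far larger, so the interface fallback is only reached under heavy load.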
2. Dynamic PAT (hide) (dynamic many-to-one)
Traditional configuration method:
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 202.100.1.101
New configuration method (network object NAT):
object network inside-network
 subnet 10.1.1.0 255.255.255.0
object network outside-pat-address
 host 202.100.1.101
object network inside-network
 nat (inside,outside) dynamic outside-pat-address
Or:
 nat (inside,outside) dynamic 202.100.1.102
3. Static NAT and static NAT with port translation (static one-to-one, static port translation)
Example one (static one-to-one):
Traditional configuration method (mapped address first, then real address):
static (inside,outside) 202.100.1.101 10.1.1.1
New configuration method (network object NAT):
object network static-outside-address
 host 202.100.1.101
object network static-inside-address
 host 10.1.1.1
object network static-inside-address
 nat (inside,outside) static static-outside-address
Or:
 nat (inside,outside) static 202.100.1.102
Example two (static port translation):
Traditional configuration method:
static (inside,outside) tcp 202.100.1.102 2388 10.1.1.1 23
New configuration method (network object NAT):
object network static-outside-address
 host 202.100.1.101
object network static-inside-address
 host 10.1.1.1
object network static-inside-address
 nat (inside,outside) static static-outside-address service tcp telnet 2388
Or:
 nat (inside,outside) static 202.100.1.101 service tcp telnet 2388
4. Identity NAT
Traditional configuration method:
nat (inside) 0 10.1.1.1 255.255.255.255
New configuration method (network object NAT):
object network inside-address
 host 10.1.1.1
object network inside-address
 nat (inside,outside) static inside-address
Or:
 nat (inside,outside) static 10.1.1.1
5. Twice NAT (similar to policy NAT)
Example one:
Traditional configuration:
access-list inside-to-1 permit ip 10.1.1.0 255.255.255.0 host 1.1.1.1
access-list inside-to-202 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.1
nat (inside) 1 access-list inside-to-1
nat (inside) 2 access-list inside-to-202
global (outside) 1 202.100.1.101
global (outside) 2 202.100.1.102
New configuration method (twice NAT):
object network dst-1
 host 1.1.1.1
object network dst-202
 host 202.100.1.1
object network pat-1
 host 202.100.1.101
object network pat-2
 host 202.100.1.102
object network inside-network
 subnet 10.1.1.0 255.255.255.0
nat (inside,outside) source dynamic inside-network pat-1 destination static dst-1 dst-1
nat (inside,outside) source dynamic inside-network pat-2 destination static dst-202 dst-202
Example two:
Traditional configuration:
access-list inside-to-1 permit ip 10.1.1.0 255.255.255.0 host 1.1.1.1
access-list inside-to-202 permit ip 10.1.1.0 255.255.255.0 host 202.100.1.1
nat (inside) 1 access-list inside-to-1
nat (inside) 2 access-list inside-to-202
global (outside) 1 202.100.1.101
global (outside) 2 202.100.1.102
static (outside,inside) 10.1.1.101 1.1.1.1
static (outside,inside) 10.1.1.102 202.100.1.1
New configuration method (twice NAT):
object network dst-1
 host 1.1.1.1
object network dst-202
 host 202.100.1.1
object network pat-1
 host 202.100.1.101
object network pat-2
 host 202.100.1.102
object network inside-network
 subnet 10.1.1.0 255.255.255.0
object network map-dst-1
 host 10.1.1.101
object network map-dst-202
 host 10.1.1.102
nat (inside,outside) source dynamic inside-network pat-1 destination static map-dst-1 dst-1
nat (inside,outside) source dynamic inside-network pat-2 destination static map-dst-202 dst-202
Example three:
Traditional configuration:
access-list inside-to-1 permit tcp 10.1.1.0 255.255.255.0 host 1.1.1.1 eq 23
access-list inside-to-202 permit tcp 10.1.1.0 255.255.255.0 host 202.100.1.1 eq 3032
nat (inside) 1 access-list inside-to-1
nat (inside) 2 access-list inside-to-202
global (outside) 1 202.100.1.101
global (outside) 2 202.100.1.102
New configuration method (twice NAT):
object network dst-1
 host 1.1.1.1
object network dst-202
 host 202.100.1.1
object network pat-1
 host 202.100.1.101
object network pat-2
 host 202.100.1.102
object network inside-network
 subnet 10.1.1.0 255.255.255.0
object service telnet23
 service tcp destination eq telnet
object service telnet3032
 service tcp destination eq 3032
nat (inside,outside) source dynamic inside-network pat-1 destination static dst-1 dst-1 service telnet23 telnet23
nat (inside,outside) source dynamic inside-network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032
Main differences between network object NAT and twice NAT
How you define the real address:
– Network object NAT: you define NAT as a parameter of a network object; the network object definition itself provides the real address. This lets you easily add NAT to network objects, and the objects can also be used in other parts of the configuration, for example in access rules or even in twice NAT rules.
– Twice NAT: you identify a network object or network object group for both the real and the mapped addresses. Here NAT is not a parameter of the network object; the network object or group is a parameter of the NAT configuration. Because a network object group can be used for the real address, twice NAT is more scalable.
How source and destination NAT are implemented:
– Network object NAT: each rule applies to either the source or the destination of a packet, so two rules may be used, one for the source IP address and one for the destination IP address. Those two rules cannot be tied together to enforce a specific translation for a particular source/destination combination.
– Twice NAT: a single rule translates both the source and the destination. A packet matches only one rule and no further rules are checked. Even if you do not configure the optional destination address, a matching packet still matches only one twice NAT rule. Because source and destination are tied together, you can enforce different translations depending on the source/destination combination; for example, sourceA/destinationA can be translated differently from sourceA/destinationB.
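The source/destination binding described above, shown as an added Python model of the twice NAT lookup; it is not ASA code and not part of the original notes. The rules are taken from example three (inside-network, pat-1/pat-2, identity destinations dst-1 and dst-202, the telnet23 and telnet3032 services), the fallback is the auto NAT rule nat (inside,outside) dynamic 202.100.1.105 that appears in the show run output further down, and the packets and rule names are constructed. The dst_mapped/dst_real pair also covers example two, where the two differ (10.1.1.101 sent by the inside host becomes 1.1.1.1).

```python
# Added example (not ASA code): a model of twice NAT lookup that shows why the
# source and destination are tied together. Rules follow the example three
# syntax above (source dynamic real mapped destination static mapped real
# service svc svc); the first matching manual rule wins, and a packet that
# matches none falls through to the source-only auto NAT rule.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TwiceNatRule:
    name: str                # constructed label, not an ASA identifier
    src_real: str            # real source network (inside-network)
    src_mapped: str          # mapped source address (pat-1 / pat-2)
    dst_mapped: str          # destination address as the inside host sends it
    dst_real: str            # destination address after translation (same for identity)
    dst_port: Optional[int]  # TCP destination port from the service object; None = any


Packet = Tuple[str, str, int]      # (source ip, destination ip, tcp destination port)
Result = Tuple[str, str, str]      # (mapped source, translated destination, rule used)


def matches(rule: TwiceNatRule, pkt: Packet) -> bool:
    src, dst, port = pkt
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src_real)
            and dst == rule.dst_mapped
            and (rule.dst_port is None or rule.dst_port == port))


def lookup(pkt: Packet, manual: List[TwiceNatRule], auto_pat: str) -> Result:
    for rule in manual:                  # section 1: first match wins, nothing else is checked
        if matches(rule, pkt):
            return rule.src_mapped, rule.dst_real, rule.name
    return auto_pat, pkt[1], "auto-nat"  # section 2: source-only translation, destination untouched


# Constructed from example three: inside-network 10.1.1.0/24, pat-1/pat-2,
# identity destination (dst-1 dst-1, dst-202 dst-202), telnet23/telnet3032 services.
RULES = [
    TwiceNatRule("pat-1-rule", "10.1.1.0/24", "202.100.1.101", "1.1.1.1", "1.1.1.1", 23),
    TwiceNatRule("pat-2-rule", "10.1.1.0/24", "202.100.1.102", "202.100.1.1", "202.100.1.1", 3032),
]
AUTO_PAT = "202.100.1.105"   # the object NAT rule from the show run output


def demo() -> List[Result]:
    packets = [
        ("10.1.1.5", "1.1.1.1", 23),         # same source, destination A
        ("10.1.1.5", "202.100.1.1", 3032),   # same source, destination B
        ("10.1.1.5", "1.1.1.1", 80),         # right host, wrong port: not a twice NAT match
    ]
    return [lookup(p, RULES, AUTO_PAT) for p in packets]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The same inside host ends up with three different mapped source addresses depending only on where it is going, which is exactly what two independent network object NAT rules (one for source, one for destination) cannot express.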
Cisco recommends network object NAT unless you need the extra features that twice NAT provides: it is easier to configure and may be more reliable for applications such as Voice over IP (VoIP).
NAT rule order
Sort example (auto NAT, section 2: static rules before dynamic rules; within each, fewer real addresses first, then the lower real IP address, then the object name alphabetically):
192.168.1.1/32 (static)
10.1.1.0/24 (static)
192.168.1.0/24 (static)
172.16.1.0/24 (dynamic) (object ABC)
172.16.1.0/24 (dynamic) (object DEF)
192.168.1.0/24 (dynamic)
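The sort example above reproduced by an added Python example (not ASA code, not part of the original notes): it applies the auto NAT ordering to the six rules given in scrambled order and also lays the three sections out the way show nat lists them. The object names other than ABC and DEF are constructed, and comparing names case-insensitively is an assumption.

```python
# Added example (not ASA code): reproduces the auto NAT (section 2) ordering
# shown above. Static rules precede dynamic rules; within each kind, rules with
# fewer real addresses come first, then the lower real IP address, then the
# object name in alphabetical order (compared case-insensitively here, an assumption).
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AutoNatRule:
    object_name: str     # the network object that carries the nat command
    real_network: str    # its real address in CIDR form
    kind: str            # "static" or "dynamic"


def sort_key(rule: AutoNatRule):
    net = ipaddress.ip_network(rule.real_network, strict=False)
    return (
        0 if rule.kind == "static" else 1,   # static before dynamic
        net.num_addresses,                   # fewest real addresses first
        int(net.network_address),            # lowest IP address first
        rule.object_name.lower(),            # object name, alphabetically
    )


def order_auto_nat(rules: List[AutoNatRule]) -> List[AutoNatRule]:
    return sorted(rules, key=sort_key)


def nat_table(manual: List[str], auto: List[AutoNatRule],
              after_auto: List[str]) -> List[Tuple[int, str]]:
    """Overall lookup order as 'show nat' presents it: section 1 manual rules in
    configured order, section 2 auto NAT sorted, section 3 after-auto manual rules."""
    table = [(1, r) for r in manual]
    table += [(2, f"{r.kind} {r.real_network} ({r.object_name})") for r in order_auto_nat(auto)]
    table += [(3, r) for r in after_auto]
    return table


# Constructed: the six rules from the sort example above, deliberately out of order.
SAMPLE_RULES = [
    AutoNatRule("dyn-192", "192.168.1.0/24", "dynamic"),
    AutoNatRule("DEF", "172.16.1.0/24", "dynamic"),
    AutoNatRule("static-192", "192.168.1.0/24", "static"),
    AutoNatRule("ABC", "172.16.1.0/24", "dynamic"),
    AutoNatRule("static-10", "10.1.1.0/24", "static"),
    AutoNatRule("static-host", "192.168.1.1/32", "static"),
]


def sorted_sample() -> List[str]:
    return [f"{r.real_network} ({r.kind}) ({r.object_name})" for r in order_auto_nat(SAMPLE_RULES)]


if __name__ == "__main__":
    for line in sorted_sample():
        print(line)
```

Because section 2 is sorted by the device rather than by configuration order, the only way to force a particular position for a rule is to make it a manual (twice NAT) rule in section 1 or, with after-auto, in section 3.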
To view the NAT order:
ASA(config)# sh run nat
nat (inside,outside) source dynamic inside-network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032
!
object network inside-network
 nat (inside,outside) dynamic 202.100.1.105
!
nat (inside,outside) after-auto source dynamic inside-network pat-1 destination static dst-1 dst-1 service telnet23 telnet23
ASA(config)# sh nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic inside-network pat-2 destination static dst-202 dst-202 service telnet3032 telnet3032
    translate_hits = 1, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic inside-network 202.100.1.105
    translate_hits = 0, untranslate_hits = 0
Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic inside-network pat-1 destination static dst-1 dst-1 service telnet23 telnet23
    translate_hits = 0, untranslate_hits = 0
How to adjust and insert a NAT rule (the number after the interface pair is the line position within the section; after-auto places a manual rule in section 3 instead):
nat (inside,outside) 1 source dynamic inside-network pat-1 destination static dst-1 dst-1 service telnet23 telnet23
Network object NAT configuration introduction