Cisco ASA5520 understanding NAT rules

SvenIA
Hi Experts,

I have some questions about NAT rules. I have a running config of an ASA5520 with some NAT rules I'm trying to understand. I hope that someone can explain the following NAT rules to me.

First of all, in some rules I see the number 0, 1 or 2 coming back all the time. What does this number mean? And what does the global mean?

global (outside) 2 192.168.80.1-192.168.80.254 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NONAT


Second I see some access-group commands in front of an access list. What does this mean?

access-group OUTSIDE_ACCESS_IN in interface outside
access-group INSIDE_ACCESS_IN in interface inside


Thanks in advance!
Commented:
access-group OUTSIDE_ACCESS_IN in interface outside
access-group INSIDE_ACCESS_IN in interface inside

This is what it looks like: it applies whatever you specified in the OUTSIDE_ACCESS_IN access-list to the outside interface in an inbound direction, and vice versa for the other.

The NAT rules:

global (outside) 2 192.168.80.1-192.168.80.254 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NONAT


So the number 1 is the global NAT for clients to use the interface's IP (PAT). You would then specify another line such as:

nat (inside) 1 0.0.0.0 0.0.0.0

This would NAT everything from the inside to the outside, the 1 is the signifying link between the two.

Or:

nat (inside) 2 0.0.0.0 0.0.0.0

This would use the IP addresses stated in the global (outside) 2 line.

The nat 0 is for no-NAT rules: any addresses you don't want to have their address changed, such as VPN traffic.


Take a look here for further information:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml


Does that help?

Simon

Author

Commented:
Yeah that does help. So if I understand it well, several nat rules with number 1 belong together? Like,

nat (inside) 1 S011 255.255.255.255
nat (inside) 1 S014 255.255.255.255
nat (inside) 1 C001 255.255.255.255
nat (inside) 1 DC1-WS03 255.255.255.255
nat (inside) 1 Server_data_lan 255.255.255.0
nat (inside) 1 132.147.192.0 255.255.192.0
nat (inside) 1 10.0.0.0 255.0.0.0
nat (ASA-ISA) 1 S013-outside 255.255.255.25

Yes, the number next to the NAT rule is there to bind the NAT to the GLOBAL command.

To explain further,

The NAT command is used to tell the ASA which machine/IP address, range of addresses, or access list to NAT.

The Global command is used to tell the ASA what IP address to use for the NAT command.

nat (inside) 1 S011 255.255.255.255
nat (which interface should the ASA see the traffic from) [the logical number for this nat] {the IP address and subnet mask that will need to be NATed}

global (outside) 1 interface
global (which interface should the ASA see the traffic going out) [the logical number that matches the NAT command so the ASA knows what IP address to replace] {the IP address that the ASA should replace the above IP address with}

In the above example with the global command; this is telling the ASA instead of using a defined ip address that you can state, just use the ip address that is already assigned to the "outside" interface.

Travis

OK now for the access lists.

access-group OUTSIDE_ACCESS_IN in interface outside
access-group INSIDE_ACCESS_IN in interface inside

These access-groups relate to access-lists that are created. You should have access-lists with the same names "OUTSIDE_ACCESS_IN" "INSIDE_ACCESS_IN".

So how it works is, you create an access-list that filters traffic and then you create an access-group to bind the access-list to an interface.

I am going to make up an access list to explain further.

access-list OUTSIDE_ACCESS_IN extended permit IP host 8.8.8.8 host 192.168.1.1 eq 80

The above access list states:

OUTSIDE_ACCESS_IN = name of the access-list
permit = to allow, this can also be deny
IP = the protocol of the traffic; this can also be UDP or TCP.
The rest of the access-list states the ip addresses and the port that is permitted.

So this access-list is saying: allow IP address 8.8.8.8 to access IP address 192.168.1.1 via port 80, which is HTTP.

Now with the access-group command:
access-group OUTSIDE_ACCESS_IN in interface outside

OUTSIDE_ACCESS_IN = name of the access-lists to do the filtering
in = the traffic is either "in"bound or "out"bound
outside = the interface that the access-lists are to use.

It states: access-lists with the name "OUTSIDE_ACCESS_IN" are to be used to filter traffic "in"bound on interface "outside".

Travis
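To make the two bindings described in this thread concrete (the nat/global id pairing from the first answers and the access-group to access-list pairing from the last one), here is an added Python script that is not from the thread or from Cisco. It parses the pre-8.3 ASA syntax from a constructed config, reports which global pool each nat id resolves to, flags a nat id that has no matching global, checks that every access-group names an access-list that actually exists, and flags an access-list entry that combines the ip protocol with a port operator (the ASA CLI only accepts eq/range port matches with tcp or udp). The config text, interface names, object names and addresses are all made up for this example.

```python
"""Audit helper for legacy (pre-8.3) ASA nat/global/access-list/access-group bindings."""
import re
from collections import defaultdict

# Constructed sample config for this example; every name and address is made up.
SAMPLE_CONFIG = """
global (outside) 2 192.168.80.1-192.168.80.254 netmask 255.255.255.0
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 10.0.0.0 255.0.0.0
nat (inside) 2 192.168.50.0 255.255.255.0
nat (dmz) 3 192.168.60.0 255.255.255.0
access-list NONAT extended permit ip 10.0.0.0 255.0.0.0 10.100.0.0 255.255.0.0
access-list OUTSIDE_ACCESS_IN extended permit tcp host 8.8.8.8 host 192.168.1.1 eq 80
access-list INSIDE_ACCESS_IN extended permit ip any host 10.0.0.5 eq 443
access-group OUTSIDE_ACCESS_IN in interface outside
access-group INSIDE_ACCESS_IN in interface inside
access-group DMZ_ACCESS_IN in interface dmz
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) (.+)$")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) (.+)$")
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?(permit|deny) (\S+)(.*)$")
AG_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")
PORT_OP_RE = re.compile(r"\b(eq|neq|gt|lt|range)\b")


def parse_config(text):
    """Collect nat, global, access-list and access-group statements by type."""
    cfg = {"nat": [], "global": defaultdict(list), "acl": defaultdict(list), "access_group": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := NAT_RE.match(line):
            cfg["nat"].append({"iface": m[1], "id": int(m[2]), "source": m[3]})
        elif m := GLOBAL_RE.match(line):
            cfg["global"][int(m[2])].append({"iface": m[1], "pool": m[3]})
        elif m := ACL_RE.match(line):
            cfg["acl"][m[1]].append({"action": m[2], "proto": m[3].lower(), "rest": m[4].strip()})
        elif m := AG_RE.match(line):
            cfg["access_group"].append({"acl": m[1], "direction": m[2], "iface": m[3]})
    return cfg


def bind_nat(cfg):
    """Pair each nat statement with the global pool(s) that share its id."""
    result = []
    for n in cfg["nat"]:
        pools = []
        if n["id"] == 0:
            # id 0 is identity NAT: traffic keeps its address, often selected by an ACL
            ref = n["source"].split()
            if ref[0] == "access-list":
                kind = (f"identity (no translation) via {ref[1]}" if ref[1] in cfg["acl"]
                        else f"UNBOUND: access-list {ref[1]} missing")
            else:
                kind = "identity (no translation)"
        else:
            pools = cfg["global"].get(n["id"], [])
            if not pools:
                kind = "UNBOUND: no global with this id"
            elif any(p["pool"] == "interface" for p in pools):
                kind = "PAT on egress interface address"
            else:
                kind = "dynamic NAT from address pool"
        result.append({**n, "pools": [f"{p['iface']}:{p['pool']}" for p in pools], "kind": kind})
    return result


def check_access_groups(cfg):
    """Return findings: ip-protocol entries with a port operator, and dangling access-groups."""
    findings = []
    for name, entries in cfg["acl"].items():
        for e in entries:
            if e["proto"] == "ip" and PORT_OP_RE.search(e["rest"]):
                findings.append(f"{name}: port operator used with protocol ip "
                                "(the ASA only accepts port matches with tcp/udp)")
    for ag in cfg["access_group"]:
        if ag["acl"] not in cfg["acl"]:
            findings.append(f"access-group {ag['acl']} {ag['direction']} interface "
                            f"{ag['iface']}: access-list does not exist")
    return findings


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for b in bind_nat(parsed):
        print(f"nat ({b['iface']}) {b['id']} {b['source']:<40} -> {b['kind']} {b['pools']}")
    for f in check_access_groups(parsed):
        print("FINDING:", f)
```

Run against a real `show running-config` dump by replacing SAMPLE_CONFIG with the file contents; the UNBOUND and FINDING lines are the ones worth reviewing, since a nat id without a global or an access-group without its access-list is usually a leftover from an incomplete change.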

Author

Commented:
You guys are the best! Very helpful explanations, thank you very much!
