
Policy NAT
KHAWAR BUTT
CCIE # 12353 [R/S, SECURITY, SP, DC, VOICE, STORAGE & CCDE]
Overview
- Policy NAT Overview
- Policy NAT Process
- Configuration Commands
- Lab Configuration
Network Diagram
[Topology figure; only the labels are recoverable from the slide]
Internet side: R2, S1, 192.1.25.0/24 (.1), 199.1.1.0/24, 200.1.1.0/24
Outside: 192.1.20.0/24, S2 (.1)
ASA FW
DMZ-4: R4, 192.168.4.0/24
DMZ-3: R3, 192.168.3.0/24
Inside: 10.11.11.0/24, S1 (.11), S2 (.12), S3 (.13), R1 with 10.1.1.0/24, 10.20.20.0/24, 10.10.10.0/24
Policy NAT Overview
- This type of NAT lets you translate devices based on a flow rather than on just the Source or Destination IP Address.
- Normal Dynamic NAT selects the NAT statement by comparing only the Source Address of a packet going from Inside to Outside. It does not care about the destination the packet is going to.
- If you want NAT to select the NAT statement by looking at the Source and Destination IP address combination, that is called Policy NAT.
- This type of NAT is also referred to as Manual NAT on the ASA.
- It is NOT done under the Object. This type of NAT is configured globally.
Policy NAT Process
- Just like the other NAT configurations, you need to specify which interface is the internal interface and which interface is the external interface.
- When a packet is received on the Internal Interface, Policy NAT checks the Source and Destination IP against the NAT configuration, unlike normal NAT, which only checks the Source IP.
- The NAT configuration needs to specify the Source and Destination IP that define the flow and the corresponding translated addresses.
- Policy NAT allows you to translate both the Source and Destination addresses with the same statement. It is also referred to as Twice NAT or Manual NAT.
Configuration Commands
- Policy NAT configuration on the ASA Firewall requires you to create objects for all IPs that are going to be used in the NAT statement.

Syntax:
object network [NAME]
 host [X.X.X.X]

- Once the objects are created for each address, you use them in the NAT statement. The NAT statement is configured in Global Configuration Mode.

Syntax:
nat (HIGH INT,LOW INT) source static [Your IP] [Your Xlated IP] destination static [Remote IP] [Remote Xlated IP]
Lab Configuration
- This lab builds on the previous lab (Static PAT).
- Configure Policy NAT such that R1 (10.11.11.1) gets translated to 192.1.20.31 when it communicates with 199.1.1.1. 199.1.1.1 should not get translated.
- Configure Policy NAT such that R1 (10.11.11.1) gets translated to 192.1.20.32 when it communicates with 200.1.1.1. 200.1.1.1 should not get translated.
Lab Configuration
ASA

object network R1
 host 10.11.11.1
!
object network X1
 host 192.1.20.31
!
object network X2
 host 192.1.20.32
!
object network D1
 host 199.1.1.1
!
object network D2
 host 200.1.1.1
!
nat (inside,outside) source static R1 X1 destination static D1 D1
nat (inside,outside) source static R1 X2 destination static D2 D2
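The matching logic from the Policy NAT Process section, run against the two lab NAT lines above, as an added Python model (not part of the deck or of the ASA): it resolves the object names and then applies the "source AND destination must both match, first match wins" rule to inside-to-outside packets. It is a simplification that assumes host objects only and ignores ports and return traffic.

```python
import re

# Constructed copy of the lab's ASA objects and manual NAT lines (not a live config).
ASA_CONFIG = """
object network R1
 host 10.11.11.1
object network X1
 host 192.1.20.31
object network X2
 host 192.1.20.32
object network D1
 host 199.1.1.1
object network D2
 host 200.1.1.1
nat (inside,outside) source static R1 X1 destination static D1 D1
nat (inside,outside) source static R1 X2 destination static D2 D2
"""

OBJ_RE = re.compile(r"^object network (\S+)\n\s*host (\S+)", re.M)
NAT_RE = re.compile(
    r"^nat \(([^,]+),([^)]+)\) source static (\S+) (\S+)"
    r" destination static (\S+) (\S+)", re.M)


def parse_config(text):
    """Resolve object names so each nat line becomes a rule of real/mapped IPs."""
    objects = dict(OBJ_RE.findall(text))
    rules = []
    for in_if, out_if, rs, ms, rd, md in NAT_RE.findall(text):
        rules.append({"in": in_if, "out": out_if,
                      "real_src": objects[rs], "mapped_src": objects[ms],
                      "real_dst": objects[rd], "mapped_dst": objects[md]})
    return rules


def policy_nat(src, dst, rules, ingress="inside"):
    """Apply manual (twice) NAT to a packet received on `ingress`.

    A rule matches only when BOTH the source and the destination match the
    real addresses; rules are tried top-down in config order and the first
    match translates both addresses. None means no policy rule matched, so
    the packet would fall through to the object NAT from the previous lab.
    """
    for r in rules:
        if r["in"] == ingress and src == r["real_src"] and dst == r["real_dst"]:
            return r["mapped_src"], r["mapped_dst"]
    return None


LAB_RULES = parse_config(ASA_CONFIG)
```

Because D1 and D2 are mapped to themselves, the destination comes back unchanged, which is exactly the "199.1.1.1 should not get translated" requirement of the lab.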
Lab Configuration
- Verify the configuration by telnetting into 199.1.1.1 from R1 (10.11.11.1).
- Verify the translation by using the "show users" command once you have connected to R2. 192.1.20.31 should be the IP address used to connect.
- Verify the configuration by telnetting into 200.1.1.1 from R1 (10.11.11.1).
- Verify the translation by using the "show users" command once you have connected to R2. 192.1.20.32 should be the IP address used to connect.
Whiteboard