Cisco ASA – Comparison of NAT Configuration Scenarios

October 18th, 2013

This aide-memoire describes and compares NAT configurations (Identity NAT, NAT Exemption/Identity NAT) and also compares the syntax between ASA version 8.4.2 and below.  There are some considerable differences in the syntax, and some of the better-known commands have been deprecated.

(Basically the difference is that with Identity NAT the connections can only be established by hosts within the subnet specified in the NAT statement, whereas in NAT Exemption either direction may initiate the connection)

Identity NAT:
This allows connections from the inside interface through the outside interface without changing the address. This would be suitable for a private MPLS network where the address space does not overlap.  Identity NAT is enabled by using the NAT id of zero:

nat (inside) 0  <== (This example disables NAT for anything sourced from the network which is received on the inside interface).
nat (inside) 0       <== (This example disables NAT for any IP received on the inside interface).

nat (inside) 0
nat (inside) 0
nat (inside) 0
nat (inside) 0

This statement bypasses NAT for the,, and networks.
It is possible to configure more than one “nat 0” statement.

NAT Exemption:
This is typically used for VPN connections. You should exercise careful consideration before configuring NAT Exemption because unlike Identity NAT above, NAT Exemption allows the remote network to establish connections inbound to your internal network.  In later versions of ASA software it is possible to configure Uni-directional NAT statements to avoid this potential security hole.  Unidirectional NAT is described further below in this post.

NAT Exemption Configuration Example (NAT Exemption references an ACL to match the traffic):

access-list NAT-EXEMPT permit ip <== (match any traffic sourced from to)
nat (inside) 0 access-list NAT-EXEMPT <== (apply the ACL to the inside interface with nat 0 to disable NAT).
This “Policy-Based NAT” is the preferred way to support VPN access.

NOTE: If you remove a NAT exemption configuration, existing connections that use NAT exemption are not affected. To remove these connections, enter the “clear local-host” command.

NOTE:  In ASA version  8.3 and above, the “nat 0” command has been deprecated. The new syntax is ironically named “Simplified” NAT. In 8.2 and below NAT exemptions (nat 0) were used to exempt traffic from being translated through the VPN. In ASA version 8.3+ there is no such term as “NAT Exemption” – the new term is “Identity NAT”.

Enabling NAT from inside to outside:
Steps:  Create a network object for the subnet that you wish to be translated, then add the NAT statement to the object:

object network INTERNAL-NET
object network INTERNAL-NET
nat (inside,outside) dynamic interface  <=== (or use IP address of ISP-assigned address)

PAT for port-forwarding to a service such as https (TCP/443):

object network EMAIL-SERVER
object network EMAIL-SERVER
nat (inside,outside) static interface service tcp https https
access-list ANY-INBOUND extended permit tcp any object EMAIL-SERVER eq https
access-group ANY-INBOUND in interface outside

One-to-One NAT (with example for PPTP passthrough):

object network PPTP-SERVER
object network PPTP-SERVER
nat (inside,outside) static
access-list ANY-INBOUND extended permit tcp any object PPTP-SERVER eq pptp
access-list ANY-INBOUND extended permit gre any object PPTP-SERVER
access-group ANY-INBOUND in interface outside

Unidirectional Identity NAT:

(mitigates the potential security risk in the configuration of NAT Exemption, where connections can be established in either direction):
(Unidirectional NAT Configuration is available from ASA version 8.4.2 or above).

Create objects for the internal and remote networks:

object network THE-CORP-NETWORK
object network REMOTE-NETWORK
nat (inside,OUTSIDE) 1 source static THE-CORP-NETWORK THE-CORP-NETWORK destination static REMOTE-NETWORK REMOTE-NETWORK unidirectional

In the example above, the connection may only be established from THE-CORP-NETWORK to REMOTE-NETWORK.

– Unidirectional NAT Configuration is available from ASA version 8.4.2 or above
– The identity NAT in version 8.4.2 was extended with the addition of new keywords “route-lookup” and “no-proxy-arp” (which are explained below)
– If you enable either “route-lookup” or “no-proxy-arp” then you are no longer able to apply Unidirectional NAT.

No-NAT Statements (for disabling NAT when connecting into the network via a VPN such as Cisco AnyConnect):
object network THE-CORP-NETWORK
object network VPN-USERS
nat (inside,any) source static THE-CORP-NETWORK THE-CORP-NETWORK destination static VPN-USERS VPN-USERS no-proxy-arp route-lookup

By default, Proxy ARP is enabled on ALL interfaces globally in sysopt, so the use of the no-proxy-arp keyword at the end of the NAT Object statement (and understanding what it does) is very important.  You can see the sysopt setting in the output of the CLI command “show run all sysopt”, where “noproxyarp” is actually negated (thereby turning ON proxy ARP):

no sysopt noproxyarp management
no sysopt noproxyarp outside
no sysopt noproxyarp inside

Why is it important to understand Proxy ARP?  In the NAT Object statement above, the Object that is referenced is “THE-CORP-NETWORK”, which covers the entire internal network.  What this means is that any ARP broadcasts seen on the LAN segment where the ASA resides will be proxied by the firewall.  So if, say, two servers on the same segment sent an ARP request for the MAC address of the other machine, the ASA would say “send it to my MAC address” instead.

If you wish to avoid this behaviour, you can either disable proxy ARP “globally” by removing the negation of “noproxyarp” in sysopt OR you can choose to do this on a per-NAT statement basis, by adding the “no-proxy-arp” keyword at the end, as in the No-NAT example shown above.
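A config-review sketch for the statements discussed above, added here as an example and not part of the original post: it flags NAT-bypass lines that allow connections in either direction (pre-8.3 “nat 0 access-list”, or 8.3+ identity twice NAT without “unidirectional”) and identity NAT lines that leave proxy ARP on. The sample config is constructed from the post's own statements, MAPPED-NET is a hypothetical object name, and the regexes cover only these statement forms.

```python
import re

# Pre-8.3 NAT exemption: nat (<ifc>) 0 access-list <ACL>
NAT0_ACL = re.compile(r"^nat \((\S+)\) 0 access-list (\S+)")
# 8.3+ twice NAT: nat (<real>,<mapped>) [after-auto] [line] source static A B
#                 destination static C D [keywords]
TWICE = re.compile(
    r"^nat \((\S+?),(\S+?)\)(?: after-auto)?(?: \d+)? source static (\S+) (\S+)"
    r" destination static (\S+) (\S+)(.*)$")

def audit(config):
    """Return (line_no, finding, detail) for each NAT-bypass statement of concern."""
    findings = []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.split("<==")[0].strip()  # drop "<== (...)" style annotations
        m = NAT0_ACL.match(line)
        if m:
            findings.append((n, "bidirectional",
                             f"nat 0 exemption via ACL {m.group(2)}"))
            continue
        m = TWICE.match(line)
        if not m:
            continue
        _real_if, _mapped_if, src, src_mapped, dst, dst_mapped, tail = m.groups()
        if src != src_mapped or dst != dst_mapped:
            continue  # addresses are rewritten, so this is not identity NAT
        flags = set(tail.split())
        if "unidirectional" not in flags:
            findings.append((n, "bidirectional", f"{dst} may initiate to {src}"))
        if "no-proxy-arp" not in flags:
            findings.append((n, "proxy-arp", f"proxy ARP stays on for {src}"))
    return findings

# Constructed sample: the post's statements plus one translating rule.
# MAPPED-NET is a hypothetical object name.
SAMPLE = """\
nat (inside) 0 access-list NAT-EXEMPT
nat (inside,OUTSIDE) 1 source static THE-CORP-NETWORK THE-CORP-NETWORK destination static REMOTE-NETWORK REMOTE-NETWORK unidirectional
nat (inside,any) source static THE-CORP-NETWORK THE-CORP-NETWORK destination static VPN-USERS VPN-USERS no-proxy-arp route-lookup
nat (inside,outside) source static THE-CORP-NETWORK MAPPED-NET destination static REMOTE-NETWORK REMOTE-NETWORK
"""

if __name__ == "__main__":
    for n, kind, detail in audit(SAMPLE):
        print(f"line {n}: {kind}: {detail}")
```

Per the post, a statement that uses no-proxy-arp or route-lookup cannot also be unidirectional, so a bidirectional finding on such a line is expected and is a prompt to review which access rules govern the reverse direction.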

There is considerable debate and confusion about the use of Proxy ARP and whether to enable it or not. Proxy ARP is a useful tool to protect your Access-Server from a list of attacks like “ARP Spoofing Attacks” or “Man-in-the-Middle Attacks” (MITM).  Proxy ARP can also hide misconfiguration such as incorrect subnet masks (imagine two networks, and separated by a router. If, say, one host on the network incorrectly sets a /16 mask, it will assume that the hosts on the network are within its own subnet and so will ARP for the IP address of the host rather than the default gateway.  Proxy ARP would “intercept” this ARP request and may route the packet, thereby hiding the incorrect mask setting).

The item “route-lookup” describes how the ASA determines the egress interface for each packet:
–  When a packet is received the ASA checks the  XLATE table in order to determine the egress interface.
–  If there is no XLATE entry the ASA then checks the NAT table for the presence of a static NAT entry.
–  If there is no static NAT entry, the ASA will then examine its routing tables. (In ASA version 8.4.1 and below, a routing table lookup was always performed.  The current (ASA version 8.4.2+) behaviour is NOT to check the routing tables by default – you have to explicitly enable this using the “route-lookup” keyword.)

Note: The no-proxy-arp, route-lookup, pat-pool, and round-robin keywords were added in 8.4(2).


Useful CLI show commands:
show run all sysopt  (to check for noproxyarp setting)
show run object
show run nat (to see nat statements configured)
show nat (to see hit counts on nat statements)

show conn address [ip address]
show nat translated interface outside detail (reveal all current dynamic and static NAT entries)

Testing authentication:  Example SDI (Authentication): test aaa authentication AAA_GROUP_NAME host [ip address of auth. server] username  [username] password [password or pin/token]

show current VPN sessions:  show vpn-sessiondb svc
Session Type: AnyConnect
Username     : darenm               Index        : 154
Assigned IP  :              Public IP    :
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Essentials
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)RC4  DTLS-Tunnel: (1)AES128
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA1  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 10344                  Bytes Rx     : 3680
Group Policy : My_RSA_Group
Tunnel Group : My_RSA_Group
Login Time   : 11:39:24 UTC Thu Nov 21 2013
Duration     : 0h:00m:15s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none
