Cisco ASA Dynamic NAT Configuration

Just like on Cisco IOS routers, we can configure NAT/PAT on the Cisco ASA firewall. In this lesson I will explain how to configure dynamic NAT. If you are unsure how NAT/PAT works, I recommend reading my Introduction to NAT/PAT first.

Having said that, let’s take a look at dynamic NAT on the ASA. We will use this topology:

(Topology: ASA1 with an inside interface and an outside interface, with a router on each side.)

In the middle we have our ASA: its e0/0 interface belongs to the inside and its e0/1 interface belongs to the outside. I'm using routers on both sides so that I have something to connect to. Let's start with the interfaces first.

ASA1(config)# interface e0/0
ASA1(config-if)# nameif INSIDE
ASA1(config-if)# ip address 192.168.1.254 255.255.255.0
ASA1(config-if)# no shutdown
ASA1(config)# interface e0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0
ASA1(config-if)# no shutdown

Now we can focus on configuring dynamic NAT…

Dynamic NAT Configuration

The following example is for ASA 8.3 and later, where NAT is configured on network objects. First we will configure a network object that defines the pool of public IP addresses that we want to use for translation:

ASA1(config)# object network PUBLIC_POOL 
ASA1(config-network-object)# range 192.168.2.100 192.168.2.200

As an example I'll use the 192.168.2.100 - 192.168.2.200 range from the 192.168.2.0/24 subnet that we use on the outside interface. The ASA answers ARP requests for these mapped addresses on the outside interface (proxy ARP is enabled by default for object NAT), so make sure no other device on that segment is using them. The next step is to configure a network object for the hosts that we want to translate:

ASA1(config)# object network INTERNAL
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic PUBLIC_POOL

The network object called "INTERNAL" specifies the subnet that we want to translate (the entire 192.168.1.0/24 subnet) and also carries the NAT rule. When traffic from the inside goes to the outside, the source address is translated to an address from the public pool that we created earlier.

Dynamic NAT is a 1:1 translation: each inside host gets its own address from the pool for as long as its translation (xlate) exists, and while it exists that mapped address is reachable from the outside (subject to your outside access list), unlike with PAT. The 192.168.1.0/24 subnet has up to 254 hosts but the pool only has 101 addresses, so when enough hosts access the outside network we will run out of addresses and new hosts will have their connections dropped. If you want, you can enable NAT fallback. This means that when the public pool runs out of IP addresses, the ASA falls back to PAT with the IP address on the outside interface (192.168.2.254) for translation. Here's how to do it:
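To make the pool-exhaustion behaviour concrete, here is an added example written for this page (not code from the lesson, not an ASA command and not ASA output): a small Python model of one dynamic NAT rule on the page's own addresses (192.168.1.0/24 real, 192.168.2.100-200 mapped, 192.168.2.254 as the interface fallback). The class and function names, the pool allocation order (lowest free address first) and the PAT port numbering are assumptions of the example, not documented ASA behaviour.

```python
"""Added example (not ASA code or output): a model of how ASA dynamic NAT
hands out pool addresses and what happens when the pool runs dry, with and
without interface-PAT fallback. Addresses are the lesson's; the class and
method names, the allocation order and the PAT port numbering are this
example's own simplifications."""
import ipaddress
from itertools import count
from typing import Dict, List, Optional, Tuple


def pool_from_range(first: str, last: str) -> List[str]:
    """Expand 'range first last' from the PUBLIC_POOL object into a list."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


class DynamicNat:
    """One 'nat (INSIDE,OUTSIDE) dynamic POOL [interface]' rule."""

    def __init__(self, pool: List[str], fallback_ip: Optional[str] = None):
        self.free = list(pool)            # mapped addresses not yet in use
        self.xlate: Dict[str, str] = {}   # real host -> mapped address (1:1)
        self.fallback_ip = fallback_ip    # outside interface IP, or None
        self._pat_port = count(1024)      # assumed PAT port allocation
        self.dropped: List[str] = []      # hosts whose connection failed

    def translate(self, real_ip: str, real_port: int) -> Optional[Tuple[str, int]]:
        """Translate a new connection; None means the connection was dropped."""
        if real_ip in self.xlate:
            # Existing dynamic NAT xlate: same mapped address, port unchanged.
            return self.xlate[real_ip], real_port
        if self.free:
            mapped = self.free.pop(0)   # lowest free address first (assumption)
            self.xlate[real_ip] = mapped
            return mapped, real_port
        if self.fallback_ip is None:
            self.dropped.append(real_ip)
            return None
        # Pool exhausted and 'interface' fallback configured: PAT behind the
        # outside interface address, so the source port is rewritten.
        return self.fallback_ip, next(self._pat_port)

    def clear_xlate(self, real_ip: str) -> None:
        """'clear xlate' for one host: its mapped address returns to the pool."""
        mapped = self.xlate.pop(real_ip, None)
        if mapped is not None:
            self.free.append(mapped)


def run_subnet(fallback: bool) -> Tuple[DynamicNat, Dict[str, Optional[Tuple[str, int]]]]:
    """Every host in 192.168.1.0/24 opens one connection through the rule."""
    nat = DynamicNat(pool_from_range("192.168.2.100", "192.168.2.200"),
                     "192.168.2.254" if fallback else None)
    results = {str(h): nat.translate(str(h), 40000)
               for h in ipaddress.ip_network("192.168.1.0/24").hosts()}
    return nat, results


def summarize(results: Dict[str, Optional[Tuple[str, int]]]) -> Dict[str, int]:
    """Count how the hosts were handled: pool address, interface PAT, or dropped."""
    counts = {"pool": 0, "interface_pat": 0, "dropped": 0}
    for mapped in results.values():
        if mapped is None:
            counts["dropped"] += 1
        elif mapped[0] == "192.168.2.254":
            counts["interface_pat"] += 1
        else:
            counts["pool"] += 1
    return counts


if __name__ == "__main__":
    for fb in (False, True):
        nat, res = run_subnet(fb)
        print("fallback" if fb else "no fallback", summarize(res))
```

Without fallback the 102nd host and every host after it is dropped; with fallback those hosts share 192.168.2.254 and only differ in source port, which is why the PAT'd hosts, unlike the ones holding a pool address, cannot be reached from the outside on arbitrary ports.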

We're Sorry, Full Content Access is for Members Only...

Content created by Rene Molenaar (CCIE #41726)

Forum Replies

  1. Hi Rene,
    What is the difference, or when do you use one or the other? In this example I am using PAT with a dynamic IP address on the outside interface.

    nat (INSIDE,OUTSIDE) dynamic interface

    or

    nat (INSIDE,OUTSIDE) after-auto 1 source dynamic any interface

    Please advise

  2. Hi Alfredo,

    The ASA (since 8.3) has different NAT "sections":

    • 1: Manual
    • 2: Auto
    • 3: "after auto" Manual

    The ASA will first process NAT rules in section 1, then 2 and finally 3.

    Here's an example of manual NAT:

    ASA(config)# object network INTERNAL_SERVER
    ASA(config-network-object)# host 192.168.1.1

    ASA(config)# object network PUBLIC_IP
    ASA(config-network-object)# host 1.1.1.1

    ASA(config)# nat (INSIDE,OUTSIDE) source static INTERNAL_SERVER PUBLIC_IP

    The NAT rule has been configured globally; this section 1 rule is preferred over 2 and 3.

    Here’s an example for A

    ... Continue reading in our forum
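The section order in the reply above decides which rule a packet hits when several match. As an added example (written for this page, not code from the forum, the lesson or Cisco), here is a Python model of that evaluation order: section 1 (manual NAT), then section 2 (object/auto NAT), then section 3 (after-auto manual NAT), first match wins. Within section 2 the model applies Cisco's documented auto NAT ordering (static rules before dynamic, fewer real addresses first, then lower real address, then object name). It matches on the real source address only, which is a simplification; the dataclass and function names and the extra static object "WEB" are assumptions of the example.

```python
"""Added example (not ASA code): a model of the ASA 8.3+ NAT sections.
Sections are evaluated 1, 2, 3 and the first matching rule wins. Section 2
is ordered static-before-dynamic, fewest real IPs, lowest real IP, object
name. Matching is on the real source only; names and the WEB object are
this example's own."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class NatRule:
    section: int       # 1 = manual, 2 = auto (object NAT), 3 = after-auto
    real: str          # real source network, e.g. "192.168.1.0/24"
    mapped: str        # mapped address, pool object name or "interface"
    kind: str          # "static" or "dynamic"
    name: str = ""     # object name: last tie-breaker in section 2
    order: int = 0     # line number in sections 1 and 3 (e.g. 'after-auto 1')

    @property
    def real_net(self) -> IPNet:
        return ipaddress.ip_network(self.real, strict=False)


def section2_key(rule: NatRule):
    """Sort key for auto NAT: static first, fewest real IPs, lowest IP, name."""
    net = rule.real_net
    return (0 if rule.kind == "static" else 1,
            net.num_addresses, int(net.network_address), rule.name)


def ordered(rules: List[NatRule]) -> List[NatRule]:
    """The NAT table in the order the ASA evaluates it."""
    sec1 = sorted((r for r in rules if r.section == 1), key=lambda r: r.order)
    sec2 = sorted((r for r in rules if r.section == 2), key=section2_key)
    sec3 = sorted((r for r in rules if r.section == 3), key=lambda r: r.order)
    return sec1 + sec2 + sec3


def lookup(rules: List[NatRule], real_src: str) -> Optional[NatRule]:
    """First rule, in evaluation order, whose real network contains the source."""
    ip = ipaddress.ip_address(real_src)
    for rule in ordered(rules):
        if ip in rule.real_net:
            return rule
    return None


# Rules from the lesson and the thread, plus one assumed static object (WEB).
EXAMPLE_RULES = [
    NatRule(2, "192.168.1.0/24", "PUBLIC_POOL", "dynamic", name="INTERNAL"),
    NatRule(1, "192.168.1.1/32", "1.1.1.1", "static", order=1),          # INTERNAL_SERVER -> PUBLIC_IP
    NatRule(3, "0.0.0.0/0", "interface", "dynamic", order=1),            # after-auto 1 ... any interface
    NatRule(2, "192.168.1.10/32", "192.168.2.10", "static", name="WEB"),  # assumed extra object
]

if __name__ == "__main__":
    for src in ("192.168.1.1", "192.168.1.10", "192.168.1.20", "10.0.0.5"):
        rule = lookup(EXAMPLE_RULES, src)
        print(src, "-> section", rule.section, rule.kind, rule.mapped)
```

Note that 192.168.1.1 is covered by both the section 1 static rule and the section 2 dynamic object; it is translated to 1.1.1.1 because section 1 is consulted first, and the after-auto catch-all in section 3 only ever sees sources that nothing in sections 1 and 2 claimed.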

  3. Hi

    Can someone help? I can't figure out why my internal IP address won't get NAT'ed.

    R1 IOS
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    ethernet lmi ce
    !
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    !
    ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    redundancy
    !
    interface GigabitEthernet0/0
     no ip address
     shutdown
     duplex auto
     speed auto
     media-type rj45
    !
    interface GigabitEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     duplex
    ... Continue reading in our forum

  4. Hi Sunil,

    These are the pre-8.3 commands to configure NAT.

    Let’s break down these commands:

    global (outside) 1 interface

    • global means we configure a global address pool.
    • (outside) means we define the pool on this interface (outside).
    • 1 is the ID of our pool.
    • interface means that we use PAT with the IP address on the interface.

    global (guestwifi) 1 interface

    Same as above but for the guestwifi interface.

    nat (outside) 1 10.10.10.0 255.255.255.0

    • (outside) this is the interface where the NAT network exists. The outside interface in this case.
    • 1
    ... Continue reading in our forum

  5. Hello Harshi

    You can use the clear xlate command to clear all NAT entries in the NAT table.

    In order to have the ASA firewall perform NAT, you will require the use of a Layer 3 inside inter

    ... Continue reading in our forum
