Cisco ASA Dynamic NAT Configuration

Like the Cisco IOS routers, we can configure NAT / PAT on our Cisco ASA firewall. In this lesson, I will explain how to configure dynamic NAT. If you are unsure of how NAT/PAT exactly works, then I recommend reading my Introduction to NAT/PAT first.

Let’s look at dynamic NAT on the ASA. We will use this topology:

In the middle, we have our ASA, its E0/0 interface belongs to the inside and the e0/1 interface belongs to the outside. I’m using routers so that I have something to connect to. Let’s start with the interface first.

ASA1(config)# interface e0/0
ASA1(config-if)# nameif INSIDE
ASA1(config-if)# ip address 192.168.1.254 255.255.255.0
ASA1(config-if)# no shutdown

ASA1(config)# interface e0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0
ASA1(config-if)# no shutdown

Now, we can focus on configuring dynamic NAT…

Dynamic NAT Configuration

The following example is for ASA 8.3 and later. First, we will configure a network object that defines the pool with public IP addresses that we want to use for translation:

ASA1(config)# object network PUBLIC_POOL 
ASA1(config-network-object)# range 192.168.2.100 192.168.2.200

For example, I’ll use the 192.168.2.100 – 200 range from the 192.168.2.0 /24 subnet we use on the outside interface. The next step is to configure a network object for the hosts that we want to translate:

ASA1(config)# object network INTERNAL
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic PUBLIC_POOL

The ” INTERNAL ” network object specifies the subnet that we want to translate (the entire 192.168.1.0 /24) subnet and has the NAT rule. When traffic from the inside goes to the outside, we will translate it to the public pool we created earlier.

When all hosts on the 192.168.1.0 /24 subnet try to access the outside network, we will run out of IP addresses in the public pool. If you want, you can enable NAT fallback. This means that when the public pool runs out of IP addresses, we will use the IP address on the outside interface (192.168.2.254) for translation. Here’s how to do it:

ASA1(config)# object network INTERNAL
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic PUBLIC_POOL interface

The configuration is the same, but I added the keyword interface at the end.

Let’s see if our dynamic NAT configuration is working or not. I’ll use telnet on R1 to connect to R2:

R1#telnet 192.168.2.2
Trying 192.168.2.2 ... Open

R1 was able to make a connection. Let’s see if this traffic is translated:

ASA1# show nat

Auto NAT Policies (Section 2)
1 (INSIDE) to (OUTSIDE) source dynamic INTERNAL PUBLIC_POOL interface
    translate_hits = 1, untranslate_hits = 0

The show nat command shows us that some traffic from the inside to the outside has been translated. Let’s take a closer look:

ASA1# show nat detail

Auto NAT Policies (Section 2)
1 (INSIDE) to (OUTSIDE) source dynamic INTERNAL PUBLIC_POOL interface
    translate_hits = 1, untranslate_hits = 0
    Source - Origin: 192.168.1.0/24, Translated: 192.168.2.100-192.168.2.200, 192.168.2.254/24

If you add the keyword detail then you can see that traffic from the 192.168.1.0/24 subnet has been translated, but it still doesn’t tell us exactly what source IP addresses have been translated to which IP address in the public pool. If we want to see this, we need to use the show xlate command:

ASA1# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from INSIDE:192.168.1.1 to OUTSIDE:192.168.2.139 flags i idle 0:00:44 timeout 3:00:00

You can see that the IP address 192.168.1.1 has been translated to 192.168.2.139. It also tells us what kind of NAT we are doing here (dynamic NAT in our example) and how long this entry has been idle.

I hope this lesson has helped understand dynamic NAT on the Cisco ASA firewall. If you have any questions, feel free to leave a comment!

Forum Replies

alex_physucr says:

Hello,

I do not understand the difference of the object nat and the regular nat, can you explain that to me?
ReneMolenaar says:

Hi Alejandro,

Object groups are used to group things like IP addresses, ports, etc together. This simplifies the configuration.

Take a look at this post:

https://networklessons.com/cisco/asa-firewall/cisco-asa-object-group-access-list

Rene

Rene

I was not able to ping between interfaces after adding the policy map on a ASA 5505

1    inside                           up        Et0/0, Et0/3, Et0/4, Et0/5
Et0/6, Et0/7
2    outside                          up        Et0/1
3    DMZ                              up        Et0/2

class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h

... Continue reading in our forum

ReneMolenaar says:

Hi Donald,

Try the “packet-tracer” command from the CLI, it will show you why it is dropping the packet.

Rene
Openlearner says:

Hi Rene,
What is the difference or when do you use one or the other? on this example I am using PAT with a dynamic ip address on the outside interface.

nat (INSIDE,OUTSIDE) dynamic interface

or

nat (INSIDE,OUTSIDE) after-auto 1 source dynamic any interface.

Please advise

57 more replies! Ask a question or join the discussion by visiting our Community Forum