Just like the Cisco IOS routers we can configure NAT / PAT on our Cisco ASA firewall. In this lesson I will explain how to configure dynamic NAT. If you are unsure of how NAT/PAT exactly works then I recommend to read my Introduction to NAT/PAT first.
Having said that, let’s take a look at dynamic NAT on the ASA. We will use this topology:
In the middle we have our ASA, its E0/0 interface belongs to the inside and the e0/1 interface belongs to the outside. I’m using routers so that I have something to connect to. Let’s start with the interface first.
ASA1(config)# interface e0/0 ASA1(config-if)# nameif INSIDE ASA1(config-if)# ip address 192.168.1.254 255.255.255.0 ASA1(config-if)# no shutdown
ASA1(config)# interface e0/1 ASA1(config-if)# nameif OUTSIDE ASA1(config-if)# ip address 192.168.2.254 255.255.255.0 ASA1(config-if)# no shutdown
Now we can focus on configuring dynamic NAT…
Dynamic NAT Configuration
The following example is for ASA 8.3 and later. First we will configure a network object that defines the pool with public IP addresses that we want to use for translation:
ASA1(config)# object network PUBLIC_POOL ASA1(config-network-object)# range 192.168.2.100 192.168.2.200
As an example I’ll use the 192.168.2.100 – 200 range from the 192.168.2.0 /24 subnet that we use on the outside interface. The next step is to configure a network object for the hosts that we want to translate:
ASA1(config)# object network INTERNAL ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0 ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic PUBLIC_POOL
The network object called “INTERNAL” specifies the subnet that we want to translate (the entire 192.168.1.0 /24) subnet and also has the NAT rule. When traffic from the inside goes to the outside, we will translate it to the public pool that we created earlier.
When all hosts on the 192.168.1.0 /24 subnet try to access the outside network we will run out of IP addresses in the public pool, if you want you can enable NAT fallback. This means that when the public pool runs out of IP addresses, we will use the IP address on the outside interface (192.168.2.254) for translation. Here’s how to do it:
I do not understand the difference of the object nat and the regular nat, can you explain that to me?
Object groups are used to group things like IP addresses, ports, etc together. This simplifies the configuration.
Take a look at this post:
I was not able to ping between interfaces after adding the policy map on a ASA 5505
------------------... Continue reading in our forum
Try the “packet-tracer” command from the CLI, it will show you why it is dropping the packet.
What is the difference or when do you use one or the other? on this example I am using PAT with a dynamic ip address on the outside interface.
nat (INSIDE,OUTSIDE) dynamic interface
nat (INSIDE,OUTSIDE) after-auto 1 source dynamic any interface.