Cisco ASA Dynamic NAT Configuration

Like the Cisco IOS routers, we can configure NAT / PAT on our Cisco ASA firewall. In this lesson, I will explain how to configure dynamic NAT. If you are unsure of how NAT/PAT exactly works, then I recommend reading my Introduction to NAT/PAT first.

Let’s look at dynamic NAT on the ASA. We will use this topology:

In the middle, we have our ASA, its E0/0 interface belongs to the inside and the e0/1 interface belongs to the outside. I’m using routers so that I have something to connect to. Let’s start with the interface first.

ASA1(config)# interface e0/0
ASA1(config-if)# nameif INSIDE
ASA1(config-if)# ip address 192.168.1.254 255.255.255.0
ASA1(config-if)# no shutdown

ASA1(config)# interface e0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0
ASA1(config-if)# no shutdown

Now, we can focus on configuring dynamic NAT…

Dynamic NAT Configuration

The following example is for ASA 8.3 and later. First, we will configure a network object that defines the pool with public IP addresses that we want to use for translation:

ASA1(config)# object network PUBLIC_POOL 
ASA1(config-network-object)# range 192.168.2.100 192.168.2.200

For example, I’ll use the 192.168.2.100 – 200 range from the 192.168.2.0 /24 subnet we use on the outside interface. The next step is to configure a network object for the hosts that we want to translate:

ASA1(config)# object network INTERNAL
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic PUBLIC_POOL

The ” INTERNAL ” network object specifies the subnet that we want to translate (the entire 192.168.1.0 /24) subnet and has the NAT rule. When traffic from the inside goes to the outside, we will translate it to the public pool we created earlier.

When all hosts on the 192.168.1.0 /24 subnet try to access the outside network, we will run out of IP addresses in the public pool. If you want, you can enable NAT fallback. This means that when the public pool runs out of IP addresses, we will use the IP address on the outside interface (192.168.2.254) for translation. Here’s how to do it:

Forum Replies

Hello,

I do not understand the difference of the object nat and the regular nat, can you explain that to me?

Hi Alejandro,

Object groups are used to group things like IP addresses, ports, etc together. This simplifies the configuration.

Take a look at this post:

https://networklessons.com/security/cisco-asa-object-group-access-list/

Rene

I was not able to ping between interfaces after adding the policy map on a ASA 5505

1    inside                           up        Et0/0, Et0/3, Et0/4, Et0/5
Et0/6, Et0/7
2    outside                          up        Et0/1
3    DMZ                              up        Et0/2

------------------

class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
ins

... Continue reading in our forum

Hi Donald,

Try the “packet-tracer” command from the CLI, it will show you why it is dropping the packet.

Rene

Hi Rene,
What is the difference or when do you use one or the other? on this example I am using PAT with a dynamic ip address on the outside interface.

nat (INSIDE,OUTSIDE) dynamic interface

nat (INSIDE,OUTSIDE) after-auto 1 source dynamic any interface.

Please advise

57 more replies! Ask a question or join the discussion by visiting our Community Forum

Dynamic NAT Configuration

We're Sorry, Full Content Access is for Members Only...

Forum Replies