Cisco ASA PAT Configuration

In previous lessons I explained how to configure Dynamic NAT or Dynamic NAT with a DMZ on your Cisco ASA Firewall. In this lesson you will learn how to configure PAT. Here’s the topology I will use:

ASA1 Inside Outside

We have an INSIDE and OUTSIDE interface and we will use PAT to translate traffic from our hosts on the INSIDE that want to reach the OUTSIDE. R1 and R2 are only used to generate traffic. This is the basic ASA configuration that I will use:

ASA1(config)# interface e0/0
ASA1(config-if)# nameif INSIDE
ASA1(config-if)# ip address 192.168.1.254 255.255.255.0
ASA1(config-if)# no shutdown
ASA1(config)# interface e0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0
ASA1(config-if)# no shutdown

Now let’s configure PAT…

PAT Configuration

Configuring PAT is quite straight forward, the example below is for ASA 8.3 or higher. We will configure a network object for this:

ASA1(config)# object network INSIDE
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic 192.168.2.253

This tells our firewall to translate traffic from the 192.168.1.0 /24 subnet headed towards the OUTSIDE to IP address 192.168.2.253. If you configure the IP address like this then it has to be an IP address that is not in use on the interface. For example, when I try to use 192.168.2.254 (that’s the IP address on the OUTSIDE interface) then I will get an error:

ASA1(config-network-object)#  nat (INSIDE,OUTSIDE) dynamic 192.168.2.254
ERROR: Address 192.168.2.254 overlaps with OUTSIDE interface address.
ERROR: NAT Policy is not downloaded

Of course there’s another way to use the IP address on the OUTSIDE interface but I just wanted to show you what happens when you try to configure the IP address like this. Let’s first try if PAT works…I’ll generate some traffic from R1:

R1#telnet 192.168.2.2
Trying 192.168.2.2 ... Open

Let’s see if this traffic was translated or not:

ASA1# show xlate
1 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from INSIDE:192.168.1.1/49065 to OUTSIDE:192.168.2.253/49065 flags ri idle 0:00:18 timeout 0:00:30

Excellent…it has been translated from 192.168.1.1 to 192.168.2.253, just as we configured. Now let me show you how you can use the IP address on your OUTSIDE interface for PAT:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Full Access to our 660 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

507 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!

Tags:


Forum Replies

  1. Hi Rene,
    What is the difference or when do you use one or the other? on this example I am using PAT with a dynamic ip address on the outside interface.

    nat (INSIDE,OUTSIDE) dynamic interface

    or

    nat (INSIDE,OUTSIDE) after-auto 1 source dynamic any interface.

    Please advise

  2. Hi Alfredo,

    The ASA (since 8.3) has different NAT “sections”:

    • 1:Manual
    • 2: Auto
    • 3: "after auto" Manual
    • The ASA will first process NAT rules in section 1, then 2 and finally 3.

      Here’s an example of manual NAT:

    ASA(config)# object network INTERNAL_SERVER
    ASA(config-network-object)# host 192.168.1.1
    
    ASA(config)# object network PUBLIC_IP
    ASA(config-network-object)# host 1.1.1.1
    
    ASA(config)# nat (INSIDE,OUTSIDE) source static INTERNAL_SERVER PUBLIC_IP
    

    The NAT rule has been configured globally, this section 1 rule is preferred over 2 and 3.

    Here’s an example for A

    ... Continue reading in our forum

  3. Hi

    Can someone help cant figure out why my internal ip address wont get nat’ed

    R1 IOS 
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    !
    !
    no aaa new-model
    ethernet lmi ce
    !
    !
    !
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    redundancy
    !
    !
    ! 
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    interface GigabitEthernet0/0
     no ip address
     shutdown
     duplex auto
     speed auto
     media-type rj45
    !
    interface GigabitEthernet0/1
     ip address 192.168.1.1 255.255.255.0
     duplex
    ... Continue reading in our forum

  4. Hi Sunil,

    These are the pre < 8.3 commands to configure NAT.

    Let’s break down these commands:

    global (outside) 1 interface
    • global means we configure a global address pool.
    • (outside) means we define the pool on this interface (outside).
    • 1 is the ID of our pool.
    • interface means that we use PAT with the IP address on the interface.
    global (guestwifi) 1 interface

    Same as above but for the guestwifi interface.

    nat (outside) 1 10.10.10.0 255.255.255.0
    • (outside) this is the interface where the NAT network exists. The outside interface in this case.
    • 1
    ... Continue reading in our forum

  5. Hello Harshi

    You can use the clear xlate command to clear all NAT entries in the NAT table.

    In order to have the ASA firewall perform NAT, you will require the use of a Layer 3 inside inter

    ... Continue reading in our forum

39 more replies! Ask a question or join the discussion by visiting our Community Forum