In previous lessons, I explained how to configure Dynamic NAT or Dynamic NAT with a DMZ on your Cisco ASA Firewall. In this lesson, you will learn how to configure PAT. Here’s the topology I will use:
We have an INSIDE and OUTSIDE interface and we will use PAT to translate traffic from our hosts on the INSIDE that want to reach the OUTSIDE. R1 and R2 are only used to generate traffic. This is the basic ASA configuration that I will use:
ASA1(config)# interface e0/0
ASA1(config-if)# nameif INSIDE
ASA1(config-if)# ip address 192.168.1.254 255.255.255.0
ASA1(config-if)# no shutdownASA1(config)# interface e0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0
ASA1(config-if)# no shutdownNow, let’s configure PAT…
PAT Configuration
Configuring PAT is quite straightforward. The example below is for ASA 8.3 or higher. We will configure a network object for this:
ASA1(config)# object network INSIDE
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic 192.168.2.253This tells our firewall to translate traffic from the 192.168.1.0 /24 subnet headed towards the OUTSIDE to IP address 192.168.2.253. If you configure the IP address like this, then it has to be an IP address that is not in use on the interface. For example, when I try to use 192.168.2.254 (that’s the IP address on the OUTSIDE interface) I will get an error:
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic 192.168.2.254
ERROR: Address 192.168.2.254 overlaps with OUTSIDE interface address.
ERROR: NAT Policy is not downloadedOf course, there’s another way to use the IP address on the OUTSIDE interface, but I just wanted to show you what happens when you try to configure the IP address like this. Let’s first try if PAT works…I’ll generate some traffic from R1:
R1#telnet 192.168.2.2
Trying 192.168.2.2 ... OpenLet’s see if this traffic was translated or not:
ASA1# show xlate
1 in use, 3 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
s - static, T - twice, N - net-to-net
TCP PAT from INSIDE:192.168.1.1/49065 to OUTSIDE:192.168.2.253/49065 flags ri idle 0:00:18 timeout 0:00:30Excellent…it has been translated from 192.168.1.1 to 192.168.2.253, just as we configured. Now let me show you how you can use the IP address on your OUTSIDE interface for PAT:
Hi Rene,
I dont know exactly what topic to place this question in thats why i am placing it here
i got an opportunity for 3 days to work under a CCIE who was very rude and did not bother to ask him any questions as i knew he was not interested in explaining
i was able to understand all bits till core SW through knowledge of your tutorials on VLAN and routing ,However cannot understand few bits in design at this point
They got a public IP block from ISP lets say 90.81.31.128/27 30 host count
Now the way the IP are assigned is as - 90.81.3.157 => ISP router LAN
... Continue reading in our forumHi Rene,
If I have many subnets inside my local network.
How can I PAT all of subnets?
Thank you!
i did not understand that answer and did not expect this kind of answer
thanks you any way
that was help ful
@Asi
When you configure an IP address on the ASA then your ASA will know which IP addresses belong to the subnet. For example, let’s say you have subnet 90.81.31.128/27.
Once you configure 90.81.3.158/27 on the outside interface, your ASA knows that this is a subnet with 30 addresses. You can use any of the addresses in this subnet for NAT and you don’t have to configure these addresses on the interface. Just make sure that it’s not in use…
@net2net
You could use object groups to “bundle” multiple network objects. You could also configure a bigger subnet range in the network object.
Rene
Hi Rene,
Can you please explain f
... Continue reading in our forum