In previous lessons I explained how to configure Dynamic NAT or Dynamic NAT with a DMZ on your Cisco ASA Firewall. In this lesson you will learn how to configure PAT. Here’s the topology I will use:
We have an INSIDE and OUTSIDE interface and we will use PAT to translate traffic from our hosts on the INSIDE that want to reach the OUTSIDE. R1 and R2 are only used to generate traffic. This is the basic ASA configuration that I will use:
ASA1(config)# interface e0/0 ASA1(config-if)# nameif INSIDE ASA1(config-if)# ip address 192.168.1.254 255.255.255.0 ASA1(config-if)# no shutdown
ASA1(config)# interface e0/1 ASA1(config-if)# nameif OUTSIDE ASA1(config-if)# ip address 192.168.2.254 255.255.255.0 ASA1(config-if)# no shutdown
Now let’s configure PAT…
Configuring PAT is quite straight forward, the example below is for ASA 8.3 or higher. We will configure a network object for this:
ASA1(config)# object network INSIDE ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0 ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic 192.168.2.253
This tells our firewall to translate traffic from the 192.168.1.0 /24 subnet headed towards the OUTSIDE to IP address 192.168.2.253. If you configure the IP address like this then it has to be an IP address that is not in use on the interface. For example, when I try to use 192.168.2.254 (that’s the IP address on the OUTSIDE interface) then I will get an error:
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic 192.168.2.254 ERROR: Address 192.168.2.254 overlaps with OUTSIDE interface address. ERROR: NAT Policy is not downloaded
Of course there’s another way to use the IP address on the OUTSIDE interface but I just wanted to show you what happens when you try to configure the IP address like this. Let’s first try if PAT works…I’ll generate some traffic from R1:
R1#telnet 192.168.2.2 Trying 192.168.2.2 ... Open
Let’s see if this traffic was translated or not:
ASA1# show xlate 1 in use, 3 most used Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap, s - static, T - twice, N - net-to-net TCP PAT from INSIDE:192.168.1.1/49065 to OUTSIDE:192.168.2.253/49065 flags ri idle 0:00:18 timeout 0:00:30
Excellent…it has been translated from 192.168.1.1 to 192.168.2.253, just as we configured. Now let me show you how you can use the IP address on your OUTSIDE interface for PAT:
I dont know exactly what topic to place this question in thats why i am placing it here
i got an opportunity for 3 days to work under a CCIE who was very rude and did not bother to ask him any questions as i knew he was not interested in explaining
i was able to understand all bits till core SW through knowledge of your tutorials on VLAN and routing ,However cannot understand few bits in design at this point
They got a public IP block from ISP lets say 126.96.36.199/27 30 host count
Now the way the IP are assigned is as - 188.8.131.52 => ISP router LAN... Continue reading in our forum
If I have many subnets inside my local network.
How can I PAT all of subnets?
i did not understand that answer and did not expect this kind of answer
thanks you any way
that was help ful
When you configure an IP address on the ASA then your ASA will know which IP addresses belong to the subnet. For example, let’s say you have subnet 184.108.40.206/27.
Once you configure 220.127.116.11/27 on the outside interface, your ASA knows that this is a subnet with 30 addresses. You can use any of the addresses in this subnet for NAT and you don’t have to configure these addresses on the interface. Just make sure that it’s not in use…
You could use object groups to “bundle” multiple network objects. You could also configure a bigger subnet range in the network object.
Can you please explain f... Continue reading in our forum