This guide provides detailed explanations, commands, and use cases for configuring Network Address Translation (NAT/PAT) on Cisco ASA. NAT/PAT is a critical feature for managing IP addresses and enabling communication between different network segments. The guide is organized into three sections: NAT Syntax, NAT Configuration Examples, and Advanced NAT.
NAT Objects simplify the management of entities involved in NAT, such as IP addresses and port numbers.
# Define NAT object for internal server
object network InternalServer
host 192.168.1.10
Objects help in referencing and organizing entities within NAT configurations.
Real addresses represent actual IP addresses in your network, while Mapped addresses are translated addresses visible to the outside world.
# Map internal server to a public IP address
nat (inside,outside) static 203.0.113.10
Mapping real addresses to mapped addresses is crucial for proper NAT operation.
Auto NAT simplifies the configuration process by automatically creating translation rules.
# Configure Auto NAT for inside network
object network obj_any
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface
Auto NAT reduces manual configuration efforts by dynamically generating translation rules.
Manual NAT provides granular control over translation rules.
# Manually configure NAT for specific source and destination
nat (inside,outside) source static InternalServer PublicServer
Manual NAT allows explicit configuration of translation rules to meet specific requirements.
Static NAT establishes a one-to-one mapping between internal and external addresses.
# Configure static NAT for internal server
static (inside,outside) 203.0.113.10 192.168.1.10
Static NAT is ideal for scenarios where a fixed mapping is required.
Static Port Address Translation (PAT) allows multiple internal devices to share a single external IP address using different ports.
# Configure static PAT for web servers
static (inside,outside) tcp interface www InternalWebServer www
static (inside,outside) tcp interface smtp InternalMailServer smtp
Static PAT is useful for enabling multiple internal services on a single external IP address.
Dynamic PAT maps multiple internal addresses to a single external address using different source ports.
# Configure dynamic PAT for inside network
nat (inside,outside) dynamic interface
Dynamic PAT is suitable for scenarios where multiple internal devices need to share a common external IP address.
Dynamic NAT maps a range of internal addresses to a pool of external addresses.
# Configure dynamic NAT for inside network
nat (inside,outside) after-auto source dynamic InsidePool interface
Dynamic NAT provides a pool of external addresses for dynamic mapping of internal devices.
Policy NAT allows you to apply NAT based on specific criteria, such as source or destination addresses.
# Apply NAT policy based on source network
nat (inside,outside) source dynamic InsidePool interface destination static DMZ DMZ
Policy NAT is useful when different NAT rules are required for specific traffic conditions.
Twice NAT allows for modification of both source and destination addresses in a single rule.
# Configure Twice NAT for inside network
object network InternalHost
host 192.168.1.20
nat (inside,outside) source static InternalHost PublicHost destination static InternalServer PublicServer
Twice NAT is beneficial when bidirectional address translation is necessary.
NAT Precedence determines the priority of NAT rules when conflicts arise.
# Configure NAT precedence for inside network
nat (inside,outside) source dynamic InsidePool interface precedence 1
nat (inside,outside) source dynamic DMZPool interface precedence 2
NAT Precedence helps in resolving conflicts when multiple NAT rules are applicable.
Identity NAT exempts certain traffic from NAT, preserving original source and destination addresses.
# Exempt VPN traffic from NAT
nat (inside,outside) source static InternalNetwork InternalNetwork destination static VPN-Network VPN-Network no-proxy-arp
Identity NAT is useful when specific traffic should not undergo address translation.
This guide covers a wide range of NAT configurations, from basic syntax to advanced scenarios like Policy NAT and Twice NAT. Customize the examples according to your network requirements and security policies.