ASA 8.3 – Auto NAT Examples

As you will have heard (and if not you will do soon) the new ASA 8.3 brings massive changes. The main change is the way in which the ASA handles NAT.

Below provides a number of Auto NAT examples. Auto NAT is configured using the following steps:

1. Create a network object.
2. Within this object define the Real IP/Network to be translated.
3. Also within this object you can use the the nat commands to specify whether the translation will be dynamic or static.

Examples

Configuring Dynamic NAT

The following example configures dynamic NAT that hides 192.168.2.0 network behind a range of outside addresses 2.2.2.1-2.2.2.10:

hostname(config)# object network my-range-obj
hostname(config-network-object)# range 2.2.2.1 2.2.2.10
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic my-range-obj

Dynamic PAT (Hide NAT)

The following example configures dynamic PAT that hides the 192.168.2.0 network behind address 2.2.2.2:

hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic 2.2.2.2

The following example configures dynamic PAT that hides the 192.168.2.0 network behind the outside interface address:

hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic interface

Configuring Static NAT or Static NAT with Port Translation

The following example configures static NAT for the real host 1.1.1.1 on the inside to 2.2.2.2 on the outside with DNS rewrite enabled.

hostname(config)# object network my-host-obj1
hostname(config-network-object)# host 1.1.1.1
hostname(config-network-object)# nat (inside,outside) static 2.2.2.2 dns

The following example configures static NAT for the real host 1.1.1.1 on the inside to 2.2.2.2 on the outside using a mapped object.

hostname(config)# object network my-mapped-obj
hostname(config-network-object)# host 2.2.2.2
hostname(config-network-object)# object network my-host-obj1
hostname(config-network-object)# host 1.1.1.1
hostname(config-network-object)# nat (inside,outside) static my-mapped-obj

The following example configures static NAT with port translation for 1.1.1.1 at TCP port 21 to the outside interface at port 2121.

hostname(config)# object network my-ftp-server
hostname(config-network-object)# host 1.1.1.1
hostname(config-network-object)# nat (inside,outside) static interface service tcp 21 2121

• Author
• Recent Posts

Rick Donato

Rick Donato is a Network Automation Architect/Evangelist and the founder of Packet Coders.

Latest posts by Rick Donato (see all)

• How to Configure a BIND Server on Ubuntu - March 15, 2018
• What is a BGP Confederation? - March 6, 2018
• Cisco – What is BGP ORF (Outbound Route Filtering)? - March 5, 2018

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial