In this post I will cover understanding NAT on the Cisco ASA. There are two methods, known as Auto NAT and Manual NAT, and both of them make use of objects. Within the NAT configuration there are also two keywords, real and mapped, which I will break down later.
In short, here are the differences between Auto NAT and Manual NAT:
Auto NAT makes decisions only on the source
Auto NAT can only translate the source
Manual NAT can make a decision on both source/destination
Manual NAT can translate the source and/or the destination, even both in the same rule
Before we start diving in, it is important to understand that there are four main types of translation: Static NAT, Static PAT, Dynamic NAT and Dynamic PAT.
Static NAT = one-to-one translation of just an IP address, where the post-translation (mapped) address is explicitly defined. It is bidirectional: outside hosts can also initiate connections to the mapped address.
Static PAT = translation of an IP address and port, where the post-translation address and port are explicitly defined (the classic port forward).
Dynamic NAT = one-to-one translation of just an IP address, where the mapped address is chosen by the ASA from a pool when the real host initiates a connection.
Dynamic PAT = translation of both IP and port, where the mapped address (often a single one, such as the interface address) and port are chosen by the ASA, so many real hosts share one mapped address.
Quickly, an object is a construct that represents something on the network. There are different types of objects, but the main ones when focusing on NAT are:
Network object = single IP, subnet, or range
Service object = a protocol with an optional source and/or destination port (given with an operator such as eq or range)
Once these so-called objects are created, the intention is to use them in the NAT configuration. Network object syntax (each object holds exactly one of host, subnet, or range):
object network <object name>
 host <IP>
 subnet <net id> <subnet mask>
 range <start> <end>
Example of a network object:
object network test-server
 host 22.214.171.124
Service object syntax:
object service <object name>
Example of a service object:
object service protocol-test
 service tcp destination eq 80
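To show how the object definitions and the four translation types fit together, here is an added example of Auto NAT (my own illustration, not configuration taken from the original post). Each nat statement sits inside the network object, and the object's own host, subnet or range is the real address. The interface names, object names and addresses (RFC 5737 documentation ranges) are assumptions made for the example.

```text
! Static NAT (one-to-one, all ports, bidirectional): 10.1.1.10 <-> 203.0.113.10
object network web-server
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10

! Static PAT (port forward): outside-interface-address:2222 -> 10.1.1.20:22
! service {tcp|udp} <real port> <mapped port>
object network ssh-jump
 host 10.1.1.20
 nat (inside,outside) static interface service tcp 22 2222

! Dynamic NAT: the ASA hands each connecting inside host a one-to-one address
! from the pool; when the pool is exhausted it falls back to PAT on the
! outside interface address (the trailing "interface" keyword)
object network outside-pool
 range 203.0.113.20 203.0.113.30
object network inside-net
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic outside-pool interface

! Dynamic PAT (many-to-one): every host in 10.1.2.0/24 shares the outside
! interface address, distinguished only by the mapped source port
object network guest-net
 subnet 10.1.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
```

Note that web-server and ssh-jump both live inside the inside-net subnet, so their rules overlap with the dynamic rule. That works because all of these are Auto NAT (Section 2) rules and the ASA orders Section 2 with static rules ahead of dynamic ones, then by the rule with the fewest real addresses first, so the host-specific static rules win. An object can carry only one nat statement, which is why a host that needs both a static NAT and a separate static PAT needs two objects (or a Manual NAT rule).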
Now I will break down the definitions of real versus mapped and why they matter. Both terms apply to interfaces and to IP addresses. It is best to think of "real" as what is really configured on the host (the pre-translation address, on the interface where that host lives). Then for "mapped" just remember that mapped is what the "real" has been translated to, as seen on the other interface. One security-relevant consequence: since ASA 8.3, access lists are written against real (untranslated) addresses, so an interface ACL permitting inbound traffic to a statically translated server must name the server's real address, not its mapped one.
Next I want to breakdown Auto NAT, Manual NAT, Policy NAT, Twice NAT, NAT Precedence, & lastly Identity NAT.
Auto NAT = configured with a nat statement inside a network object; the object's own host, subnet or range is the real address, and the rule can only match on and translate the source. Each object can carry only one nat statement.
Manual NAT = configured as a standalone nat statement that references objects for the real and mapped values. It can do everything Auto NAT can do, but can also do Policy NAT and Twice NAT.
Policy NAT = translation decisions are based on both source and destination (and optionally the service). The prime example is translating the source only when traffic is headed to a particular destination address.
Twice NAT = translating the source and the destination in a single Manual NAT rule.
Identity NAT = translating addresses to themselves, i.e. deliberately not translating certain traffic. The classic use is exempting site-to-site or remote-access VPN traffic from the dynamic PAT that everything else gets.
The last item to cover is NAT precedence. It is very important to understand that the Cisco ASA evaluates the NAT table top-down and stops at the first match, and that the table is split into three sections which set the order of operation:
Section 1: Manual NAT (Twice NAT). Rules are evaluated in the order they were configured, unless you give a nat command an explicit line number to place it.
Section 2: Auto NAT (Object NAT). Because these rules live inside objects rather than in a list, the ASA orders them itself: static rules before dynamic rules, then the rule whose real object covers the fewest addresses first, then the lowest real IP address, then alphabetical object name.
Section 3: Manual NAT configured with the 'after-auto' keyword.
So every Section 1 Manual NAT statement is matched before every Auto NAT statement. If you want a Manual NAT rule (typically a catch-all dynamic PAT) to lose to the Auto NAT rules, add after-auto to push it into Section 3. The practical trap is the reverse: a Manual NAT rule with source any left in Section 1 captures traffic you meant to hit a more specific Auto NAT rule. Verify the resulting order with show nat, which prints the three sections with per-rule translate and untranslate hit counts, and with packet-tracer for a specific flow.
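Here is an added example (again my own illustration, not configuration from the original post) that puts Manual NAT, Policy NAT, Twice NAT, Identity NAT and after-auto together, with a comment on which section each rule lands in. Object names, interface names and addresses are assumptions made for the example.

```text
! Objects referenced by the Manual NAT rules below
object network inside-net
 subnet 10.1.1.0 255.255.255.0
object network inside-mapped
 subnet 172.16.1.0 255.255.255.0
object network partner-net
 subnet 192.168.50.0 255.255.255.0
object network partner-mapped
 subnet 172.16.2.0 255.255.255.0
object network vpn-pool
 subnet 10.200.0.0 255.255.255.0

! Section 1, rule 1 - Identity NAT (VPN exemption): inside-net is "translated"
! to itself when talking to VPN clients, so no later PAT rule ever touches
! that traffic. It goes first because Section 1 is top-down, first match wins.
! no-proxy-arp and route-lookup are the usual companions for identity NAT.
nat (inside,outside) source static inside-net inside-net destination static vpn-pool vpn-pool no-proxy-arp route-lookup

! Section 1, rule 2 - Policy NAT and Twice NAT in one statement: 10.1.1.0/24
! becomes 172.16.1.0/24 only when the destination is the partner, and the
! partner is addressed as 172.16.2.0/24 which the ASA un-maps to
! 192.168.50.0/24. Note the keyword order: for source it is real then mapped,
! for destination it is mapped then real.
nat (inside,outside) source static inside-net inside-mapped destination static partner-mapped partner-net

! Section 2 is the Auto NAT configured inside the network objects (not shown
! here); it is evaluated only if neither Section 1 rule above matched.

! Section 3 - catch-all Dynamic PAT that must lose to every Auto NAT rule,
! hence after-auto. Without that keyword this rule would sit in Section 1 and,
! matching source any, would PAT a statically translated server's outbound
! connections to the interface address instead of its static mapping.
nat (inside,outside) after-auto source dynamic any interface
```

To confirm the placement, show nat lists each rule under its section with its hit counts, and a flow can be traced with, for example, packet-tracer input inside tcp 10.1.1.10 40000 172.16.2.5 443, which should report the twice NAT rule as the match and show both the source and destination translations.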
To see ASA NAT configuration & verification see more posts via the asa tag. Cheers!