Understanding ASA NAT

In this post I will cover understanding NAT on the Cisco ASA. There are methods known as Auto NAT & Manual NAT. When using either one we are making use of objects. Within these objects there are configuration keywords known as real and mapped, which I will breakdown later.

In short, here are the differences between Auto NAT & Manual NAT:

  • Auto NAT makes decisions only on the source

  • Auto NAT can only translate the source

  • Manual NAT can make a decision on both source/destination

  • Manual NAT can translate the source/destination, and even at the same time

Before we start diving in, it is important to know/understand that there are four main types of translations. These are: Static NAT, Static PAT, Dynamic NAT, Dynamic PAT.

  • Static NAT = translation of just an IP Address, where the post-translation address is explicitly defined.

  • Static PAT = translation of an IP address & port, where the post-translation attributes are explicitly defined.

  • Dynamic NAT = translation of just an IP address, where the post-translation is selected via device.

  • Dynamic PAT = translation of both IP & port, where the post-translation attributes are selected via the device.

Quickly, an object is a construct that represents something on the network. There are different types of objects, but the main ones when focusing on NAT are:

  • Network object = single IP, subnet, or range

  • Service object = one set of a protocol, source and/or destination port

Once these so called objects are created the intention is to utilize them in the NAT configuration. Example of object syntax:

#object network <object name>
##host <IP>
##subnet <net id><subnet mask>
##range <start><end>

Example of a network object:

#object network test-server

Example of object syntax:

#object service <object name>

Example of service objects:

#object service protocol-test
##service tcp destination eq 80

Now I will breakdown the definitions of real versus mapped & what their importance is. Both terms can be applied to interfaces and IP addresses. It is best to think of "real" as what is really configured (in use). Then for "mapped" just remember that mapped indicates what the "real" has been translated to.

Next I want to breakdown Auto NAT, Manual NAT, Policy NAT, Twice NAT, NAT Precedence, & lastly Identity NAT.

  • Auto NAT = this type of NAT is configured within an object definition & can only translate/make decisions on source traffic.

  • Manual NAT = can do everything that Auto NAT can do, but can also do Policy NAT & Twice NAT

  • Policy NAT = translation decisions are based upon both source/destination. Prime example is when you want to translate based on the destination address.

  • Twice NAT = performing NAT twice; once on the source, once on the destination

  • Identity NAT = translating addresses to themselves. Essentially not translating certain traffic.

The last item to cover is NAT precedence. It is very important to understand that the Cisco ASA translates in a specific order. Every Manual NAT statement takes precedence over every Auto NAT statement. However, if you wish to de-prioritize a Manual NAT statement so that it occurs after Auto NAT you can configure it to be below all Auto NAT statements by deploying it into the third section. Now, on the ASA there are three sections that all NAT statements fall into which declares order of operation. These sections are:

  1. Section 1: Manual NAT or Twice NAT

  2. Section 2: Auto NAT or Object NAT

  3. Section 3: Manual NAT when specifying 'after-auto' in NAT rule

To see ASA NAT configuration & verification see more posts via the asa tag. Cheers!


Recent Posts

See All

"The What?" - In this blog I want to share some valuable Digital Network Architecture Center (DNAC) tips & tricks that I have collected that are quite useful when needing to troubleshoot/perform some

In this post I want to cover the ESA Email pipeline. The email pipeline represents how emails are processed through the system from start to finish. The pipeline consists of 3 main phases: Receipt:

I recently started pursuing email security studies. Other posts have mentioned this, and a recent post shared a deeper look at SPF. In this blog I want to cover DKIM & DMARC. Starting with DKIM, it