
ASA Version 9.X NAT

There is no concept of nat-control: traffic that matches no NAT rule passes through untranslated.

NAT can be configured in two ways: Manual/Global (twice NAT, configured in global configuration mode) or Auto/Object (configured under a network object).

Manual/Global NAT goes into Section 1 (or into Section 3 if the rule is entered with the after-auto keyword).

Auto/Object NAT goes into Section 2.

Section 1 wins over Section 2, and Section 2 wins over Section 3. The first matching rule is used.

Within Section 1 (and Section 3) it is the sequence number, i.e. the position of the rule in the configuration, which takes preference. Within Section 2 the ASA orders the rules itself: static before dynamic, then fewer real addresses first, then the lowest real address first, then the object name.

Within a rule the primary method takes preference over the backup method, e.g. a dynamic NAT pool is used first and the interface PAT fallback (the interface keyword) only when the pool is exhausted.

If a NAT rule matches then the traffic must be translated; if it cannot be, it is dropped. So if the matched rule has no pool or no free IP available, and no fallback is configured, the traffic gets dropped.

From 8.3 onward (8.4/8.6/9.x) the interface access-list is evaluated against the real, untranslated addresses, i.e. after the destination has been un-NATed, when a request comes from a lower to a higher security level. So the inbound ACL must always use the private (real) IP as the destination and the private (real) port as the destination port.
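The ordering and drop rules above are easy to get wrong, so here is an added toy model of them in Python (it is not Cisco code and not part of the original notes). The rule names, addresses and the egress interface address are made up for the example; the section ordering, the Section 2 sort order, the "matched but no free address means drop" behaviour and the interface-PAT fallback are the behaviour described above.

```python
"""Added example (not Cisco code): a toy model of how an ASA 8.3+/9.x chooses a
NAT rule and what happens when a dynamic pool is exhausted.

Rules fall into the three sections the ASA evaluates in order:
  section 1: manual (twice) NAT, in configured order
  section 2: auto (object) NAT, ordered by the ASA itself
  section 3: manual NAT entered with the after-auto keyword
The first matching rule is used. A dynamic rule whose pool has no free address
drops the packet unless the rule has an interface-PAT fallback.
Rule names, addresses and the egress address are made up for the example.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Union


@dataclass
class NatRule:
    name: str
    section: int                      # 1 = manual, 2 = object/auto, 3 = manual after-auto
    real: ipaddress.IPv4Network       # real (untranslated) addresses
    mapped: Union[str, list]          # pool (list of str) for dynamic, network/host str for static
    kind: str                         # "static" or "dynamic"
    order: int = 0                    # position in the config (sections 1 and 3 only)
    interface_fallback: bool = False  # 'interface' keyword: PAT to the egress IP when pool is empty
    in_use: set = field(default_factory=set)   # mapped addresses held by live xlates


def section2_key(rule: NatRule):
    """ASA object-NAT ordering: static before dynamic, then fewest real addresses,
    then lowest real address, then object name."""
    return (0 if rule.kind == "static" else 1,
            rule.real.num_addresses,
            int(rule.real.network_address),
            rule.name)


def build_table(rules):
    """Return the rules in the order 'show nat' would evaluate them."""
    by_section = {1: [], 2: [], 3: []}
    for r in rules:
        by_section[r.section].append(r)
    return (sorted(by_section[1], key=lambda r: r.order)
            + sorted(by_section[2], key=section2_key)
            + sorted(by_section[3], key=lambda r: r.order))


def translate(table, src_ip: str, egress_ip: str = "203.0.113.1"):
    """Return (rule name, mapped source IP). A mapped IP of None means the packet is dropped."""
    ip = ipaddress.ip_address(src_ip)
    for rule in table:
        if ip not in rule.real:
            continue
        if rule.kind == "static":
            # one-to-one: keep the host's offset inside the mapped block
            offset = int(ip) - int(rule.real.network_address)
            mapped_net = ipaddress.ip_network(rule.mapped)
            return rule.name, str(mapped_net.network_address + offset)
        free = [m for m in rule.mapped if m not in rule.in_use]
        if free:
            rule.in_use.add(free[0])     # the xlate keeps the address until it times out
            return rule.name, free[0]
        if rule.interface_fallback:
            return rule.name, egress_ip  # PAT on the interface address instead
        return rule.name, None           # matched but untranslatable: dropped
    return None, src_ip                  # no nat-control: unmatched traffic passes untranslated


def demo():
    rules = [
        NatRule("MANUAL-65", 1, ipaddress.ip_network("192.168.65.0/24"),
                ["74.0.0.150", "74.0.0.151"], "dynamic", order=1),
        NatRule("OBJ-R3", 2, ipaddress.ip_network("192.168.65.3/32"), "74.0.0.3", "static"),
        NatRule("OBJ-TEN", 2, ipaddress.ip_network("10.0.0.0/8"), ["20.0.0.1"], "dynamic"),
        NatRule("OBJ-DMZ", 2, ipaddress.ip_network("10.1.1.0/24"), "20.1.1.0/24", "static"),
    ]
    table = build_table(rules)
    out = {"order": [r.name for r in table]}
    out["r3"] = translate(table, "192.168.65.3")   # section 1 beats the more specific object rule
    out["h4"] = translate(table, "192.168.65.4")
    out["h5"] = translate(table, "192.168.65.5")   # pool of two exhausted: dropped
    rules[0].interface_fallback = True             # same rule with the interface keyword
    out["h5_fallback"] = translate(table, "192.168.65.5")
    out["dmz"] = translate(table, "10.1.1.7")      # static sorts before dynamic in section 2
    out["ten"] = translate(table, "10.9.9.9")
    out["none"] = translate(table, "172.16.0.1")   # no rule: passes untranslated
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that 192.168.65.3 gets a pool address from the Section 1 rule even though the Section 2 object rule for that exact host would have given it 74.0.0.3; that is the "Section 1 wins over Section 2" point, and it is the usual cause of a static mapping silently not being used.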
Dynamic NAT

✓ Commands: nat and objects

✓ Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network

✓ Uni-directional (only the source IP is translated, when someone goes from the segment on the LEFT to the segment on the RIGHT in the parenthesis; return traffic of an existing connection is allowed back through the xlate)

✓ For example:

object network OBJECT-REAL
 subnet 192.168.65.0 255.255.255.0
object network OBJECT-MAPPED
 range 74.0.0.150 74.0.0.160
nat (inside,outside) source dynamic OBJECT-REAL OBJECT-MAPPED

In this example, when a host in 192.168.65.0/24 behind the inside segment accesses any destination on the outside segment, the source address is translated to a free IP from the pool 74.0.0.150-74.0.0.160 (one mapped address per real host, for as long as the xlate exists). The source port, destination port and destination IP remain unchanged.

✓ For example:

object network OBJECT-R4
 subnet 74.0.0.0 255.255.255.0
object network OBJECT-R4-LAN
 range 192.168.65.150 192.168.65.160
nat (outside,inside) source dynamic OBJECT-R4 OBJECT-R4-LAN

In this example, when a host in 74.0.0.0/24 behind the outside segment accesses any destination on the inside segment, the source address is translated to a free IP from the pool 192.168.65.150-192.168.65.160. The source port, destination port and destination IP remain unchanged. However, because outside is the lower security level, you additionally need an access-list permitting the traffic from lower to higher, written against the real (untranslated) inside destination.

✓ For example (the same translation done as Auto/Object NAT, under the real object):

object network OBJECT-MAPPED
 range 74.0.0.150 74.0.0.160
object network OBJECT-REAL
 subnet 192.168.65.0 255.255.255.0
 nat (inside,outside) dynamic OBJECT-MAPPED

This is the previous task done under the object. It appears in Section 2 when you issue the command "show nat".

Dynamic Policy NAT

✓ Commands: nat and objects

✓ Dynamic policy NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network, but only for traffic that matches a condition (a destination, a service, or both)

✓ Uni-directional (only the source IP is translated, when someone goes from the segment on the LEFT to the segment on the RIGHT for a particular service). It is used when you want to define a condition.

✓ For example (this example is Manual/Global NAT):

object network OBJ-REAL
 subnet 10.0.0.0 255.255.255.0
object network OBJ-MAPPED
 range 20.0.0.1 20.0.0.10
object service Otelnet
 service tcp destination eq 23
nat (inside,outside) source dynamic OBJ-REAL OBJ-MAPPED service Otelnet Otelnet

In this example, when a host in 10.0.0.0/24 behind the inside segment accesses any destination on the outside segment on destination port telnet (tcp/23), the source is translated to a free IP from the pool 20.0.0.1-20.0.0.10. The source port, destination port and destination IP remain unchanged. Traffic to any other port does not match this rule.

✓ For example (this example is Manual/Global NAT with destination port translation):

object network OBJ-REAL
 subnet 10.0.0.0 255.255.255.0
object network OBJ-MAPPED
 range 20.0.0.1 20.0.0.10
object service O23
 service tcp destination eq 23
object service O2323
 service tcp destination eq 2323
nat (inside,outside) source dynamic OBJ-REAL OBJ-MAPPED service O2323 O23

In the service keyword the first object is the mapped destination port (what the inside host sends to) and the second is the real destination port (what the server actually listens on). So when a host in 10.0.0.0/24 behind the inside segment accesses any destination on the outside segment on destination port 2323, the source is translated to a free IP from the pool 20.0.0.1-20.0.0.10 and the destination port is translated from 2323 to 23. The source port and destination IP remain unchanged.

✓ For example:

object network OBJ-R4
 subnet 74.0.0.0 255.255.255.0
object network OBJ-R4-LAN
 range 192.168.65.150 192.168.65.160
object service O23
 service tcp destination eq 23
object service O2323
 service tcp destination eq 2323
nat (outside,inside) source dynamic OBJ-R4 OBJ-R4-LAN service O2323 O23

In this example, when a host in 74.0.0.0/24 behind the outside segment accesses any destination on the inside segment on destination port 2323, the source is translated to a free IP from the pool 192.168.65.150-192.168.65.160 and the destination port 2323 is changed to 23. The source port and destination IP remain unchanged. However, you additionally need an access-list from lower to higher, and since the ACL sees the real destination port it must permit port 23, not 2323.

Dynamic PAT

✓ Commands: nat and objects

✓ Dynamic PAT translates a group of real addresses to a single mapped address that is routable on the destination network, using the source port to keep the connections apart

✓ Uni-directional (the source IP and the source port are translated when someone from the segment on the LEFT goes to the segment on the RIGHT)

For example:

object network OBJECT-REAL
 subnet 10.0.0.0 255.255.255.0
object network OBJECT-MAPPED
 host 20.0.0.1
nat (inside,outside) source dynamic OBJECT-REAL OBJECT-MAPPED

In this example, when a host in 10.0.0.0/24 behind the inside segment accesses any destination on the outside segment, the source is translated to the IP 20.0.0.1 and the source port is changed where necessary so that every connection stays unique (the ASA tries to keep the original source port and otherwise picks a free one). The destination port and destination IP remain unchanged. Because a single mapped address is used, the rule only runs out of translations when all ports on that address are in use.

Dynamic Policy PAT

✓ Commands: nat and objects

✓ Dynamic policy PAT translates a group of real addresses to a single mapped address that is routable on the destination network, only for traffic that matches a condition

✓ Uni-directional (the source IP and the source port are translated when someone from the segment on the LEFT goes to the segment on the RIGHT for a particular service)

For example:

object network OBJ-REAL
 subnet 10.0.0.0 255.255.255.0
object network OBJ-MAPPED
 host 20.0.0.1
object service O23
 service tcp destination eq 23
nat (inside,outside) source dynamic OBJ-REAL OBJ-MAPPED service O23 O23

In this example, when a host in 10.0.0.0/24 behind the inside segment accesses any destination on the outside segment on destination port telnet (tcp/23), the source is PAT-translated to the IP 20.0.0.1 and the source port is changed where necessary. The destination port and destination IP remain unchanged.

Static NAT

✓ Commands: nat and object

✓ Static NAT translates a single real address to a single mapped address that is routable on the destination network (a one-to-one mapping; a subnet can also be mapped to a subnet of the same size)

✓ Bi-directional (from the LEFT to the RIGHT segment the source IP is translated, and from the RIGHT to the LEFT segment the destination IP is translated)

✓ For example:

object network OBJECT-REAL
 host 10.0.0.1
object network OBJECT-MAPPED
 host 20.0.0.1
nat (inside,outside) source static OBJECT-REAL OBJECT-MAPPED

In this example, when 10.0.0.1 behind the inside segment accesses any destination on the outside segment, the source 10.0.0.1 is translated to the IP 20.0.0.1. The source port, destination port and destination IP remain unchanged. (LEFT TO RIGHT)

Also, when any source from the outside segment accesses the public translated IP 20.0.0.1, the destination 20.0.0.1 is translated to the private IP 10.0.0.1 (RIGHT TO LEFT). However, you need an access-list to permit the traffic from the lower security level to the higher one, and it must be written with 10.0.0.1 (the real IP) as the destination.

Static PAT

✓ Commands: nat and objects

✓ Uni-directional in practice: with a service object written as a destination port (service tcp destination eq N), only traffic initiated from the LEFT to the RIGHT segment matches, and its source IP is translated.

✓ With a service object written as a source port (service tcp source eq N), only traffic initiated from the RIGHT to the LEFT segment matches, and its destination IP is translated.

✓ So only LEFT to RIGHT or RIGHT to LEFT works, depending on whether the service is configured as source or destination. (The rule itself is still bi-directional; the opposite direction only matches when that port appears as the source port of the initiating host, which a client normally does not use.)

✓ For example:

object service O23
 service tcp destination eq 23
object network OBJ-REAL
 host 10.0.0.1
object network OBJ-MAPPED
 host 20.0.0.1
nat (inside,outside) source static OBJ-REAL OBJ-MAPPED service O23 O23

In this example, when 10.0.0.1 behind inside accesses any destination on the outside segment on destination port 23, the source 10.0.0.1 is translated to 20.0.0.1. The source port, destination port and destination IP remain unchanged. This is LEFT to RIGHT, so the source IP is translated.

If in the same example the service object is changed to source eq 23 then it reverses: when any source on the outside segment accesses the public IP 20.0.0.1 on destination port 23, the destination IP is changed to 10.0.0.1. The source port, destination port and source IP remain unchanged. However, you need an additional ACL for the lower to higher security level, permitting the real destination 10.0.0.1 on port 23.

Note: Auto/Object based NAT only supports a source based service (the service keyword under the object names the real and mapped port of the object's own host).

Static Twice NAT

✓ Commands: nat and object

✓ Static twice NAT translates a single real address to a single mapped address that is routable on the destination network and at the same time translates (or pins) the destination address, so both source and destination are part of the match

✓ Bi-directional (from the LEFT to the RIGHT segment the source IP and destination IP are translated, and from the RIGHT to the LEFT segment the destination IP and source IP are translated)

✓ For example:

object network R3real
 host 192.168.65.3
object network R3public
 host 74.0.0.3
object network R4
 host 74.0.0.4
nat (inside,outside) source static R3real R3public destination static R4 R4

In this example, when the source 192.168.65.3 behind the inside segment accesses the destination 74.0.0.4 on the outside segment, the source 192.168.65.3 is translated to the IP 74.0.0.3 and the destination 74.0.0.4 stays 74.0.0.4 (an identity translation, which only restricts the rule to that destination). The source port and destination port remain unchanged. Traffic from 192.168.65.3 to any other destination does not match this rule.

Also, when the source 74.0.0.4 from the outside segment accesses the public translated IP 74.0.0.3, the destination 74.0.0.3 is translated to the private IP 192.168.65.3 and the source stays 74.0.0.4. However, you need an access-list to permit the traffic from the lower security level to the higher one.

✓ For example:

object network R3real
 host 192.168.65.3
object network R3public
 host 74.0.0.3
object network R4real
 host 74.0.0.4
object network R4int
 host 192.168.65.4
nat (inside,outside) source static R3real R3public destination static R4int R4real

In the destination part the first object is the mapped address (what the inside host sends to) and the second is the real address. So when the source 192.168.65.3 behind the inside segment accesses R4 locally on 192.168.65.4, the source 192.168.65.3 is translated to the IP 74.0.0.3 and the destination 192.168.65.4 is translated to 74.0.0.4. The source port and destination port remain unchanged.

Also, when the source 74.0.0.4 from the outside segment accesses the public translated IP 74.0.0.3, the destination 74.0.0.3 is translated to the private IP 192.168.65.3 and the source is translated from 74.0.0.4 to 192.168.65.4. However, you need an access-list to permit the traffic from the lower security level to the higher one, written against the real addresses the ACL sees: source 74.0.0.4 and destination 192.168.65.3.
