Is it a must to set NAT in ASA for initial the network and which NAT config is the most secure in real practice

martlee2 — Tue, 26 Mar 2019 00:54:31 GMT

Is it a must to set NAT in ASA for initial the network

i see that there are a number of kinds of NAT setting such as policies, NAT, PAT,

what are their difference? which one is the simplest one? which is the most secure in real practice?

Hi, Typically you will need

Jouni Forss — Mon, 12 Jan 2015 09:11:33 GMT

Hi,

Typically you will need atleast a Dynamic PAT configuration for a firewall that is on the LAN/WAN edge of a network. This is because without this the users traffic (if allowed by ACL) will be forwarded through the firewall without any NAT to a public IP address and naturally connection will fail as private IP addresses are not routable on the Internet.

In the new ASA software levels that are 8.3 or above there are 2 ways to configure Dynamic PAT for your users

Manual NAT / Twice NAT
Auto NAT / Network Object NAT

The above are mainly different configuration formats on the ASA which give different options for you.

Here are examples of both

Dynamic PAT with Manual NAT

The below configuration will perform Dynamic PAT for "any" source address behind "any" source interface and the Dynamic PAT IP address will be the "interface" IP address of the interface "outside".

nat (any,outside) after-auto source dynamic any interface

The below configuration is similiar to the above example but uses an "object-group" to tell the ASA which internal subnet are valid source subnets for the Dynamic PAT.

object-group network LAN-SUBNETS
network-object 10.10.10.0 255.255.255.0
network-object 10.10.20.0 255.255.255.0

nat (any,outside) after-auto source LAN-SUBNETS interface

Dynamic PAT with Auto NAT

When comparing Auto NAT with the above Manual NAT its important to notice that the above Manual NAT only uses different objects as its parameters. Auto NAT on the other hand will always be configured under an "object".

The below is a very basic Dynamic PAT configuration you can use for a single subnet

object network DYNAMIC-PAT
subnet 10.10.10.0 255.255.255.0
nat (inside,outside) dynamic interface

Of the above examples I tend to use the Manual NAT configuration format as it keeps the NAT configuration smaller when dealing with multiple LAN subnets. Part of it also has to do with how I want to organize the NAT configuration in general.

You can check some NAT configuration information about the new 8.3+ format from a document I wrote in 2013

https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli

Hope this helps 🙂

Please do remember to mark a reply as the correct answer if it answered your question. Feel free to ask more if needed.

- Jouni

it seems the essential NAT

martlee2 — Mon, 12 Jan 2015 14:58:49 GMT

it seems the essential NAT config for initial setup

i find a youtube video using config below, is it wrong? it seems different from your official one.

conf t
no global (outside) 1 192.168.1.4
no nat (inside) 1 0.0.0.0 0.0.0.0 0 0

end

then i change to use your config below

conf t
object network DYNAMIC-PAT
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface
end

besides essential NAT, why it can implement extra NAT? what are they? will they duplicate the function as essential ones?

just a mapping table, what extra function can be implemented besides essential NAT command above

as i know that there is a kind of NAT include the port too, is PAT represent Port something?

topic Is it a must to set NAT in ASA for initial the network and which NAT config is the most secure in real practice in Network Security

Is it a must to set NAT in ASA for initial the network and which NAT config is the most secure in real practice

Hi, Typically you will need

it seems the essential NAT