11-17-2018 05:46 AM - edited 02-21-2020 08:28 AM
Hello!
I'm self-studying ASA and I'm a little confused with NAT and NAT+PAT commands.
According to the book I'm reading,
Dynamic NAT can be written as follows.
object network NAT_POOL
 range 100.1.1.2 100.1.1.5
object network LAN
 subnet 192.168.1.0 255.255.255.0
 nat (INSIDE,OUTSIDE) dynamic NAT_POOL
Does the ASA automatically assume that I intend to use PAT when there is only "one" IP address assigned in the object network (in this case PAT_POOL)? If that's the case, how does the ASA distinguish between NAT with one IP and PAT with one IP? And as I'm writing this up, I'm getting more and more confused... Help!!
NAT+PAT
object network NAT_POOL
 range 100.1.1.2 100.1.1.5
object network PAT_POOL
 host 100.1.1.200
object-group network NAT_PAT
 network-object object NAT_POOL
 network-object object PAT_POOL
object network LAN
 subnet 192.168.1.0 255.255.255.0
 nat (INSIDE,OUTSIDE) dynamic NAT_PAT
11-17-2018 07:57 AM
11-18-2018 08:26 AM
NAT is when you are translating 1 to 1. This can either be done with a clear 1 to 1 nat like:
object network NAT_POOL
 host 100.1.1.2
 nat (inside,outside) static 200.1.1.2
or it can be a 1 to 1 using a pool with an equal number of IPs as the source:
object network NAT_POOL
 subnet 200.1.1.0 255.255.255.0
object network NAT_SOURCE
 subnet 100.1.1.0 255.255.255.0
 nat (inside,outside) dynamic NAT_POOL
PAT is when you are translating many addresses to a single address, or a 1 to 1 NAT for specific ports:
object network PAT_SOURCE
 host 100.1.1.1
 nat (inside,outside) static 1.1.1.1 service tcp 80 80
Or
object network PAT_SOURCE
 subnet 100.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
Hope this clarifies things a little better for you.
11-19-2018 08:24 AM
Thanks for the reply. So the ASA automatically decides when to use NAT or PAT based on the number of addresses available?
11-19-2018 01:11 PM
No, not entirely. The ASA selects NAT or PAT based on whether it has a requirement to use ports. For example, you can have a one-to-one NAT, but once you specify port translation it becomes PAT.
When you do a many-to-one NAT, the ASA requires a way to distinguish one traffic flow from another, and therefore uses ports.
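The point made in this answer, and the NAT_PAT object-group from the question (a four-address NAT pool plus one PAT host), can be seen in a small model of the translation (xlate) table. The following is an added example for this thread, not Cisco code and not from any of the posters: it assumes the documented ASA behaviour for dynamic NAT with PAT fallback, where pool addresses are handed out one per inside host first and the PAT address is used once the pool is exhausted. The object names, inside hosts and source ports are constructed sample values; the port-selection rule for PAT is a simplification and is marked as such in the code.

```python
"""Toy model of an ASA-style translation (xlate) table: dynamic NAT from a pool
with fallback to PAT on a single address. Constructed for this thread; it is
not Cisco code, and the object names, addresses and ports are sample values
modelled on the question above."""
import itertools
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set, Tuple

Flow = Tuple[str, int]        # (real source IP, real source port)
Xlate = Tuple[str, str, int]  # (kind, mapped IP, mapped port)


def expand_range(first: str, last: str) -> List[str]:
    """Mirror the object keyword 'range A B': every address from A to B inclusive."""
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    if hi < lo:
        raise ValueError("range end precedes range start")
    return [str(IPv4Address(n)) for n in range(lo, hi + 1)]


@dataclass
class DynamicTranslator:
    nat_pool: List[str]                 # NAT_POOL: one mapped IP per inside host
    pat_address: Optional[str] = None   # PAT_POOL host; None means no PAT fallback
    nat_xlates: Dict[str, str] = field(default_factory=dict)               # real IP -> mapped IP
    pat_xlates: Dict[Flow, Tuple[str, int]] = field(default_factory=dict)  # flow -> (IP, port)
    pat_ports_in_use: Set[int] = field(default_factory=set)

    def translate(self, real_ip: str, real_port: int) -> Xlate:
        # A host that already holds a dynamic NAT xlate keeps its mapped IP for
        # every further flow; the source port passes through untouched (1:1).
        if real_ip in self.nat_xlates:
            return ("NAT", self.nat_xlates[real_ip], real_port)
        # A PAT xlate is per flow, so its lookup key has to include the port.
        if (real_ip, real_port) in self.pat_xlates:
            mapped_ip, mapped_port = self.pat_xlates[(real_ip, real_port)]
            return ("PAT", mapped_ip, mapped_port)
        # Pool addresses are handed out first, one per inside host.
        in_use = set(self.nat_xlates.values())
        for mapped_ip in self.nat_pool:
            if mapped_ip not in in_use:
                self.nat_xlates[real_ip] = mapped_ip
                return ("NAT", mapped_ip, real_port)
        # Pool exhausted: with no PAT address the flow cannot be translated.
        if self.pat_address is None:
            raise RuntimeError("dynamic NAT pool exhausted and no PAT fallback configured")
        # PAT: many hosts share one mapped IP, so the mapped port is what keeps
        # flows apart. Keep the real port when free, otherwise take the first
        # free port from 1024 up (the real ASA picks differently; this is a model).
        candidates = itertools.chain((real_port,), range(1024, 65536))
        mapped_port = next((p for p in candidates if p not in self.pat_ports_in_use), None)
        if mapped_port is None:
            raise RuntimeError("no free PAT ports left on " + self.pat_address)
        self.pat_ports_in_use.add(mapped_port)
        self.pat_xlates[(real_ip, real_port)] = (self.pat_address, mapped_port)
        return ("PAT", self.pat_address, mapped_port)


def demo() -> List[Xlate]:
    """Six inside hosts behind the NAT_PAT group from the question (4 pool IPs + 1 PAT IP)."""
    asa = DynamicTranslator(nat_pool=expand_range("100.1.1.2", "100.1.1.5"),
                            pat_address="100.1.1.200")
    # every host opens a flow from source port 50000 (constructed sample traffic)
    results = [asa.translate(f"192.168.1.{h}", 50000) for h in range(10, 16)]
    # a second flow from the first host reuses its 1:1 xlate, port unchanged
    results.append(asa.translate("192.168.1.10", 50001))
    return results


if __name__ == "__main__":
    for kind, mapped_ip, mapped_port in demo():
        print(f"{kind:3} -> {mapped_ip}:{mapped_port}")
```

Running `demo()` shows the first four hosts each receiving their own pool address with the source port left alone (plain dynamic NAT, no ports involved), and the fifth and sixth hosts both landing on 100.1.1.200, where only the mapped port tells their flows apart (PAT). Building the translator with `pat_address=None` reproduces the failure mode of a pool-only configuration: the fifth host simply cannot be translated.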
11-18-2018 08:37 AM
NAT is when you are translating 1 to 1. That could either be a clear and specific 1 to 1 NAT such as:
object network NAT_SOURCE
 host 100.1.1.1
 nat (inside,outside) static 200.1.1.1
Or it can be NATing a subnet to a pool of IPs that has an equal number of IPs:
object network NAT_POOL
 subnet 200.1.1.0 255.255.255.0
object network NAT_SOURCE
 subnet 100.1.1.0 255.255.255.0
 nat (inside,outside) dynamic NAT_POOL
PAT is when you are translating many IPs to a single IP or a 1 to 1 NAT for specific ports:
object network NAT_SOURCE
 host 100.1.1.1
 nat (inside,outside) static 200.1.1.1 service tcp 80 80
Or
object network NAT_SOURCE
 subnet 100.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
Hope this clarifies some things for you.