ASA NAT and NAT+PAT Command questions

DavidtheGr2at
Level 1

Hello!

I'm self-studying ASA and I'm a little confused with the NAT and NAT+PAT commands.

According to the book I'm reading, dynamic NAT can be written as follows.

object network NAT_POOL
   range 100.1.1.2 100.1.1.5
nat (INSIDE,OUTSIDE) dynamic NAT_POOL

Does the ASA automatically assume that I intend to use PAT when there is only "one" IP address assigned in the network object (in this case PAT_POOL)? If that's the case, how does the ASA distinguish between NAT with one IP and PAT with one IP? As I'm writing this up I'm getting more and more confused... Help!!

NAT+PAT

object network NAT_POOL
   range 100.1.1.2 100.1.1.5
object network PAT_POOL
   host 100.1.1.200

object-group network NAT_PAT
  network-object object NAT_POOL
  network-object object PAT_POOL

object network LAN
  subnet 192.168.1.0 255.255.255.0
  nat (INSIDE,OUTSIDE) dynamic NAT_PAT

Accepted Solution

No, not entirely. The ASA selects NAT or PAT based on if it has a requirement to use ports. For example, you can have a one to one NAT, but once you specify port translation it becomes PAT.

When you do a many to one NAT the ASA requires a way to distinguish one traffic flow from another, and therefore uses ports.

--
Please remember to select a correct answer and rate helpful posts


5 Replies

Abheesh Kumar
VIP Alumni
Hi,
https://community.cisco.com/t5/security-documents/asa-nat-8-3-nat-operation-and-configuration-format-cli/ta-p/3143050
This is one of the best NAT documents I have seen; I think it will help you with your self-study.

HTH
Abheesh

NAT is when you are translating 1 to 1. This can either be done with a clear 1 to 1 NAT like:

object network NAT_POOL
   host 100.1.1.2
   nat (inside,outside) static 200.1.1.2

or it can be a 1 to 1 using a pool with an equal number of IPs as the source:

object network NAT_POOL
   subnet 200.1.1.0 255.255.255.0
object network NAT_SOURCE
  subnet 100.1.1.0 255.255.255.0
  nat (inside,outside) dynamic NAT_POOL

PAT is when you are translating many addresses to a single address, or a 1 to 1 NAT for specific ports:

object network PAT_SOURCE
   host 100.1.1.1
   nat (inside,outside) static 1.1.1.1 service tcp 80 80

Or

object network PAT_SOURCE
   subnet 100.1.1.0 255.255.255.0
   nat (inside,outside) dynamic interface

Hope this clarifies things a little better for you.

--
Please remember to select a correct answer and rate helpful posts

Thanks for the reply. So... the ASA automatically decides when to use NAT or PAT based on the number of addresses available?


NAT is when you are translating 1 to 1. That could either be a clear and specific 1 to 1 NAT such as:

object network NAT_SOURCE
  host 100.1.1.1
  nat (inside,outside) static 200.1.1.1

Or it can be NATing a subnet to a pool of IPs that has an equal number of IPs:

object network NAT_POOL
  subnet 200.1.1.0 255.255.255.0
object network NAT_SOURCE
  subnet 100.1.1.0 255.255.255.0
  nat (inside,outside) dynamic NAT_POOL

PAT is when you are translating many IPs to a single IP or a 1 to 1 NAT for specific ports:

object network NAT_SOURCE
  host 100.1.1.1
  nat (inside,outside) static 200.1.1.1 service tcp 80 80

Or

object network NAT_SOURCE
  subnet 100.1.1.0 255.255.255.0
  nat (inside,outside) dynamic interface

Hope this clarifies some things for you.

--
Please remember to select a correct answer and rate helpful posts
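The pool-then-PAT behaviour of the NAT_PAT object-group from the question, as a simplified model added for this thread (not ASA code and not the ASA's real allocation algorithm): addresses from the 100.1.1.2-100.1.1.5 pool are handed out one-to-one until the pool is exhausted, after which new flows share 100.1.1.200 and are told apart by a mapped port, which is the point the accepted answer makes about ports. The starting PAT port, pool ordering and the 192.168.1.x sample flows are constructed assumptions for illustration.

```python
"""Simplified model of ASA dynamic NAT with PAT fallback (illustration only).

Models the NAT_PAT object-group from the thread: a 1:1 pool plus one PAT
host. Real ASA behaviour (port ranges, round-robin, xlate timeouts) is
not reproduced; the point shown is *why* PAT needs ports and NAT does not.
"""
from ipaddress import ip_address
from typing import Dict, List, Tuple

Flow = Tuple[str, int]  # (real source IP, real source port)


class NatPatTranslator:
    def __init__(self, pool_start: str, pool_end: str, pat_host: str,
                 first_pat_port: int = 1024):  # first PAT port is an assumption
        first, last = ip_address(pool_start), ip_address(pool_end)
        # Free 1:1 addresses, lowest first (ordering is an assumption).
        self.free_pool: List[str] = [str(first + i) for i in range(int(last) - int(first) + 1)]
        self.pat_host = pat_host
        self.next_port = first_pat_port
        self.xlate: Dict[str, str] = {}            # dynamic NAT: real IP -> mapped IP
        self.pat_xlate: Dict[Flow, Tuple[str, int]] = {}  # PAT: flow -> (IP, port)

    def translate(self, src_ip: str, src_port: int) -> Tuple[str, int, str]:
        """Return (mapped IP, mapped port, 'NAT' or 'PAT') for one flow."""
        if src_ip in self.xlate:
            # Existing 1:1 entry: the whole host is mapped, the port is untouched.
            return self.xlate[src_ip], src_port, "NAT"
        if self.free_pool:
            # Pool still has room: one real IP gets one mapped IP, no port rewrite.
            self.xlate[src_ip] = self.free_pool.pop(0)
            return self.xlate[src_ip], src_port, "NAT"
        flow = (src_ip, src_port)
        if flow not in self.pat_xlate:
            # Pool exhausted: many real hosts share one IP, so only a unique
            # mapped port can tell the return traffic of each flow apart.
            self.pat_xlate[flow] = (self.pat_host, self.next_port)
            self.next_port += 1
        mapped_ip, mapped_port = self.pat_xlate[flow]
        return mapped_ip, mapped_port, "PAT"


def demo() -> List[Tuple[str, int, str]]:
    """Six constructed inside hosts hitting the pool from the question."""
    t = NatPatTranslator("100.1.1.2", "100.1.1.5", "100.1.1.200")
    return [t.translate(f"192.168.1.{h}", 40000 + h) for h in range(10, 16)]


if __name__ == "__main__":
    for real_ip, (ip, port, kind) in zip(range(10, 16), demo()):
        print(f"192.168.1.{real_ip} -> {ip}:{port} ({kind})")
```

The first four hosts receive 1:1 entries from the pool; the fifth and sixth are translated to 100.1.1.200 with distinct ports, which is the case the ASA calls PAT.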