ASA5500 8.4 NAT versus PAT

Phil Williamson
Level 1

Given these addresses and ACLs:
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.254 255.255.255.0
!
object network WebServer-private
 host 10.1.1.80
object network WebServer-public
 host 192.168.1.80
!
object network InsideNet
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! On 8.3+ the ACL matches the real (untranslated) address, so it must reference
! the private object; there is no object named plain "WebServer" above.
access-list outside_ingress extended permit tcp any object WebServer-private eq www
access-group outside_ingress in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
!

Then what is the functional difference between:
!
object network WebServer-private
 host 10.1.1.80
 nat (inside,outside) static WebServer-public
!
and
object network WebServer-private
 host 10.1.1.80
 nat (inside,outside) static WebServer-public service tcp www www
!

Thanks

1 Accepted Solution

Accepted Solutions

Ajay Saini
Level 7

Hello,

The first one is a one-to-one NAT statement wherein you are mapping all the ports, i.e. 1-65535.

The second is a specific mapping of port 80 (www).

I would create static NAT (option 1) if I wanted to use the IP address 192.168.1.80 just for the server 10.1.1.80 and nothing else.

Option 2 ensures that the other ports (apart from 80) are free and can be used elsewhere. For example, use TCP 25 for an SMTP server etc.

The use case scenario of option 2 is when you don't want to purchase too many public IP addresses and create static PAT for each of your servers.

HTH

AJ
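Extending option 2 from the accepted answer, as an added example that is not part of the original thread: two static PAT rules that share the single mapped address 192.168.1.80, one for web and one for SMTP, which the one-to-one rule of option 1 could not accommodate because it claims every port of that address for 10.1.1.80. The mail host 10.1.1.25, the object name MailServer-private and the external client 203.0.113.5 used in the packet-tracer lines are assumptions for illustration; the interfaces, objects and ACL name follow the question.

```cisco
! Added example (not the original poster's config). Assumed: a second real
! host 10.1.1.25 (mail) behind the same mapped address 192.168.1.80.
!
object network WebServer-public
 host 192.168.1.80
!
object network WebServer-private
 host 10.1.1.80
 nat (inside,outside) static WebServer-public service tcp www www
!
object network MailServer-private
 host 10.1.1.25
 nat (inside,outside) static WebServer-public service tcp smtp smtp
!
! 8.3+ ACLs are written against the REAL addresses, so permit to the
! private objects, never to WebServer-public.
access-list outside_ingress extended permit tcp any object WebServer-private eq www
access-list outside_ingress extended permit tcp any object MailServer-private eq smtp
access-group outside_ingress in interface outside
!
! Verification (203.0.113.5 is an assumed external client):
! the first trace un-NATs 192.168.1.80:25 to 10.1.1.25 and is allowed;
! the second has no translation for port 443 and no ACL match, so it is dropped.
show nat detail
packet-tracer input outside tcp 203.0.113.5 40000 192.168.1.80 25
packet-tracer input outside tcp 203.0.113.5 40000 192.168.1.80 443
```

The security-relevant difference shows up in the second trace: with the one-to-one rule of option 1, every port that the ACL permits reaches 10.1.1.80, so a later, looser ACL entry (say `permit ip any object WebServer-private`) exposes the whole host; with static PAT only port 80 has a translation, so a packet to any other port of 192.168.1.80 never un-NATs to the real address and cannot match an ACL entry written for it. `show nat detail` lists each rule with its translate_hits and untranslate_hits counters, which is the quickest way to confirm that inbound traffic is hitting the intended rule.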


Phil Williamson
Level 1

Ajay,

Your answer was concise and to the point and also noted that option 2 would better fit the needs of smaller businesses which may not want, nor need to purchase large blocks of routable IPs.  I'm not sure I've ever seen this stated as such before.

Thx
