Cisco ASA Dynamic port address translation

karamak2 · ‎09-22-2016

All,

We are currently using static nat translations on our firewall that map our internal server address to external address. The customer on the other end see traffic getting to them via this external address. The configuration I have is below.

object network WebServer_HTTP

host 192.168.102.5

nat (inside,outside) static 192.168.1.194 service tcp 80 80

We are given a “/27” address space and running out of addresses. We are running out of external addresses and currently considering doing some form of Global NAT or PAT to save up on addresses. Can someone assist how the configuration is going to be?

karamak2 · ‎09-22-2016

So I have something like below.

asa(config)# object network obj-server
asa(config-network-object)# host 192.168.50.1 <-- REAL IP
asa(config-network-object)# nat (inside,outside) static 88.88.88.1 <-- MAPPED IP

Going forward, I have only one external address (e.g. 88.88.88.2) and I want it to map to three internal host IP (192.168.50.2,192.168.50.2 and 192.168.50.3). How will the configuration be?

Pawan Raut · ‎09-23-2016

Hi you can do the PAT for three host as as below

object network REAL-IP

host 192.168.50.1

host 192.168.50.2

host 192.168.50.3

!

object network MAP-IP

host 88.88.88.1

!

nat (inside,outside) source dynamic REAL-IP MAP-IP

!

karamak2 · ‎09-23-2016

Thanks for your response. Is this the same as Dynamic NAT?

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/nat_dynamic.pdf

Aditya Ganjoo · ‎09-23-2016

Hi,

No this would be static PAT as you would be using a single Public IP and using different ports to differentiate between the services.

Here is an example for this:

https://supportforums.cisco.com/discussion/11462701/asa-84-static-nat-statements

Regards,

Aditya

Please rate helpful posts and mark correct answers.