
Configuring Dynamic NAT, PAT, or Identity NAT

Hello Community,

To configure a dynamic NAT, PAT, or identity NAT rule, I need to perform the following steps:

Step 1 From the Configuration > Firewall > NAT Rules pane, choose Add > Add Dynamic NAT Rule.

The Add Dynamic NAT Rule dialog box appears.

However, when I click on Add I don't get the option to Add Dynamic NAT Rule.

To see the options I get please see attachment.

Can someone please explain what I'm missing.

The following is a capture of the show version:

   ciscoasa# show ver

   Cisco Adaptive Security Appliance Software Version 8.4(2) <system>
   Device Manager Version 6.4(1)

   Compiled on Wed 15-Jun-11 18:17 by builders
   System image file is "Unknown, monitor mode tftp booted image"
   Config file at boot was "startup-config"

   ciscoasa up 16 mins 57 secs

   Hardware: ASA 5520, 1024 MB RAM, CPU Pentium II 1000 MHz
   Internal ATA Compact Flash, 256MB
   BIOS Flash unknown @ 0x0, 0KB

   0: Ext: GigabitEthernet0 : address is 00ab.a72f.0100, irq 0
   1: Ext: GigabitEthernet1 : address is 00ab.a72f.0101, irq 0
   2: Ext: GigabitEthernet2 : address is 0000.ab6d.9802, irq 0
   3: Ext: GigabitEthernet3 : address is 0000.abd4.8803, irq 0
   4: Ext: GigabitEthernet4 : address is 0000.abe3.8804, irq 0
   5: Ext: GigabitEthernet5 : address is 0000.abb8.a605, irq 0

   Licensed features for this platform:
   Maximum Physical Interfaces : Unlimited perpetual
   Maximum VLANs : 100 perpetual
   Inside Hosts : Unlimited perpetual
   Failover : Active/Active perpetual
   VPN-DES : Enabled perpetual
   VPN-3DES-AES : Enabled perpetual
   Security Contexts : 2 perpetual
   GTP/GPRS : Disabled perpetual
   AnyConnect Premium Peers : 5000 perpetual
   AnyConnect Essentials : Disabled perpetual
   Other VPN Peers : 5000 perpetual
   Total VPN Peers : 0 perpetual
   Shared License : Disabled perpetual
   AnyConnect for Mobile : Disabled perpetual
   AnyConnect for Cisco VPN Phone : Disabled perpetual
   Advanced Endpoint Assessment : Disabled perpetual
   UC Phone Proxy Sessions : 2 perpetual
   Total UC Proxy Sessions : 2 perpetual
   Botnet Traffic Filter : Disabled perpetual
   Intercompany Media Engine : Disabled perpetual

   This platform has an ASA 5520 VPN Plus license.

   Serial Number: 123456789AB
   Running Permanent Activation Key: 0x4a3ec071 0x0d86fbf6 0x7cb1bc48 0x8b48b8b0 0xf317c0b5
   Configuration register is 0x0
   Configuration has not been modified since last system restart.
   ciscoasa#


Jouni Forss
VIP Alumni

Hi,

You are trying to add basic PAT configuration using your "outside" interface public IP address?

To be honest I'm personally more comfortable with using CLI.

But looking at the ASDM side on my ASA5505 8.4(5)

Choosing the Rule to Add

  • Choose the highlighted one

Configuring the PAT

  • Source interface = LAN = My "inside" interface
  • Source address = any = any IP address behind "inside" will match this translation rule
    • Can be replaced with "object-group" or "object network" also
  • Destination interface = WAN = My "outside" interface
  • Source NAT Type = Dynamic PAT (Hide)
  • Source Address = WAN = interface WAN IP address is used for the PAT
  • Press "Ok" and "Apply" in the next window to apply the configuration

Actual CLI format Command inserted by ASDM

  • Since I have 2 previous rules in this section, it will add the new one as the third, "3"

   nat (LAN,WAN) after-auto 3 source dynamic any interface

Naturally this has many other options depending on the interfaces used, NAT type used, source addresses etc. But as I said, I'd rather not use ASDM at all when I'm configuring NAT.

If you need example configurations in CLI format I can help you with those.

- Jouni

JouniForss

Thanks for responding.

I'm actually trying to do the following:

Can you show me how to achieve that?

Cheers

Hi,

The above ASDM configuration I posted is the typical PAT translation configuration for your software level.

As rudy said above it seems that you are looking at some instruction that is for older software and its NAT configuration format.

The ID number in the instruction refers to the 8.2 and below software level format of configuring NAT/PAT, which you can't use in your new software level.

- Jouni
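The difference between the two NAT formats discussed in this thread, shown side by side as an added example that is not part of any poster's reply. The interface names `inside`/`outside`, the object names and all addresses are assumptions constructed for illustration.

```cisco
! Constructed example: interface names, object names and addresses are assumptions.

! --- ASA 8.2 and earlier: a NAT ID ties each "nat" line to a "global" line ---
! Dynamic NAT: inside subnet translated to a pool of outside addresses (NAT ID 1)
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 203.0.113.10-203.0.113.20
! Dynamic PAT: second subnet hidden behind the outside interface address (NAT ID 2)
nat (inside) 2 10.1.3.0 255.255.255.0
global (outside) 2 interface
! Identity NAT: NAT ID 0 means the host is not translated
nat (inside) 0 10.1.2.10 255.255.255.255

! --- ASA 8.3 and later (including 8.4(2)): network object NAT, no NAT ID ---
! Dynamic NAT to a pool
object network OUTSIDE-POOL
 range 203.0.113.10 203.0.113.20
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic OUTSIDE-POOL
! Dynamic PAT behind the outside interface address
object network INSIDE-NET-PAT
 subnet 10.1.3.0 255.255.255.0
 nat (inside,outside) dynamic interface
! Identity NAT: static translation of a host to its own address
object network SERVER-ID
 host 10.1.2.10
 nat (inside,outside) static 10.1.2.10
```

After applying the 8.3+ form, `show nat` lists the rules with hit counts and `show xlate` shows the active translations. Scoping each object to the actual inside subnet, rather than `any`, keeps the rule from translating addresses that should never leave that interface.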

Thanks again for responding,

I was hoping that you might be able to guide me to an equivalent configuration to 8.2?

Rudy Sanjoko
Level 4

If you have ASA with version 8.2 or earlier, you will have below options,

The reason you have the below options on your ASDM is because you are running 8.4 and ASDM 6.4.

Please refer to the following link for configuring NAT on 8.4:

http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/nat_objects.html

Rudy/Jouni,

Attached is the topology of the lab that I'm trying to recreate...

Carlton, you can use the link that I've mentioned above in my comment to configure dynamic/static NAT, PAT, or identity NAT on ASA with 8.4 or later. Give it a try, if you encounter any problems just post it on the forum, people will gladly help you.

OK Rudy, I will do as you suggested. I'll get back if I come across any problems

Cheers mate.
