01-11-2015 08:58 PM - last edited on 03-25-2019 05:54 PM by ciscomoderator
Is it a must to set NAT in the ASA to initially set up the network?
I see that there are a number of kinds of NAT settings, such as policies, NAT, PAT.
What are their differences? Which one is the simplest? Which is the most secure in real practice?
01-12-2015 01:11 AM
Hi,
Typically you will need at least a Dynamic PAT configuration for a firewall that is on the LAN/WAN edge of a network. This is because without this the users' traffic (if allowed by ACL) will be forwarded through the firewall without any NAT to a public IP address, and naturally the connection will fail as private IP addresses are not routable on the Internet.
In the new ASA software levels that are 8.3 or above there are 2 ways to configure Dynamic PAT for your users: Manual NAT and Auto NAT.
These are mainly different configuration formats on the ASA which give different options for you.
Here are examples of both
Dynamic PAT with Manual NAT
The below configuration will perform Dynamic PAT for "any" source address behind "any" source interface and the Dynamic PAT IP address will be the "interface" IP address of the interface "outside".
nat (any,outside) after-auto source dynamic any interface
The below configuration is similar to the above example but uses an "object-group" to tell the ASA which internal subnets are valid source subnets for the Dynamic PAT.
object-group network LAN-SUBNETS
network-object 10.10.10.0 255.255.255.0
network-object 10.10.20.0 255.255.255.0
nat (any,outside) after-auto source LAN-SUBNETS interface
Dynamic PAT with Auto NAT
When comparing Auto NAT with the above Manual NAT it's important to notice that the above Manual NAT only uses different objects as its parameters. Auto NAT on the other hand will always be configured under an "object".
The below is a very basic Dynamic PAT configuration you can use for a single subnet
object network DYNAMIC-PAT
subnet 10.10.10.0 255.255.255.0
nat (inside,outside) dynamic interface
Of the above examples I tend to use the Manual NAT configuration format as it keeps the NAT configuration smaller when dealing with multiple LAN subnets. Part of it also has to do with how I want to organize the NAT configuration in general.
You can check some NAT configuration information about the new 8.3+ format from a document I wrote in 2013:
https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli
Hope this helps :)
Please do remember to mark a reply as the correct answer if it answered your question. Feel free to ask more if needed.
- Jouni
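As an added illustration that is not part of Jouni's answer and is not ASA code, the following Python simulation models what the Dynamic PAT rule with the LAN-SUBNETS object-group does: an outbound packet whose source is in one of the listed subnets gets a translation (xlate) entry mapping its private IP and port to the outside interface address and a unique port, return traffic is mapped back through that entry, and a source outside the object-group leaves the firewall untranslated, which is the failure case the answer describes. The addresses, port range and packet values are constructed for the example.

```python
"""Conceptual simulation of ASA-style Dynamic PAT with an xlate table.

Constructed example: it models the behaviour of
  nat (any,outside) after-auto source dynamic LAN-SUBNETS interface
It is not ASA software and the addresses below are documentation ranges.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class DynamicPatRule:
    """Mirrors a Manual NAT rule: real sources from an object-group, mapped to the interface IP."""
    source_subnets: list   # the object-group network entries
    mapped_ip: str         # the "interface" address of outside

    def matches(self, pkt: Packet) -> bool:
        src = ipaddress.ip_address(pkt.src_ip)
        return any(src in net for net in self.source_subnets)


class PatFirewall:
    def __init__(self, rules, port_range=(1024, 65535)):
        self.rules = rules
        self.next_port, self.max_port = port_range
        # xlate: (proto, real_ip, real_port) -> (mapped_ip, mapped_port)
        self.xlate = {}
        # reverse lookup for return traffic: (proto, mapped_ip, mapped_port) -> (real_ip, real_port)
        self.reverse = {}

    def outbound(self, pkt: Packet):
        """Translate an inside->outside packet. Returns (packet, translated?)."""
        rule = next((r for r in self.rules if r.matches(pkt)), None)
        if rule is None:
            # No matching NAT rule: the packet is forwarded unchanged (if the ACL
            # permits), so a private source address reaches the Internet untranslated.
            return pkt, False
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.xlate:
            if self.next_port > self.max_port:
                raise RuntimeError("PAT port pool exhausted")
            mapped = (rule.mapped_ip, self.next_port)
            self.next_port += 1
            self.xlate[key] = mapped
            self.reverse[(pkt.proto,) + mapped] = (pkt.src_ip, pkt.src_port)
        mip, mport = self.xlate[key]
        return Packet(mip, mport, pkt.dst_ip, pkt.dst_port, pkt.proto), True

    def inbound(self, pkt: Packet):
        """Map an outside->inside packet back to the real host, or None if no xlate exists."""
        real = self.reverse.get((pkt.proto, pkt.dst_ip, pkt.dst_port))
        if real is None:
            return None   # unsolicited inbound traffic has no translation and is dropped
        return Packet(pkt.src_ip, pkt.src_port, real[0], real[1], pkt.proto)


def demo():
    """Run a few constructed packets through the PAT model and return the results."""
    rule = DynamicPatRule(
        [ipaddress.ip_network("10.10.10.0/24"), ipaddress.ip_network("10.10.20.0/24")],
        "203.0.113.1",   # constructed outside interface address
    )
    fw = PatFirewall([rule])
    # Two inside hosts both using source port 40000: PAT must assign distinct mapped ports.
    host_a, ta = fw.outbound(Packet("10.10.10.5", 40000, "198.51.100.10", 443))
    host_b, tb = fw.outbound(Packet("10.10.20.7", 40000, "198.51.100.10", 443))
    # A source not covered by the object-group: forwarded untranslated.
    stray_src, tc = fw.outbound(Packet("192.168.99.9", 40000, "198.51.100.10", 443))
    # Server reply to host_b's mapped port is translated back to the real host.
    reply = fw.inbound(Packet("198.51.100.10", 443, "203.0.113.1", host_b.src_port))
    # Inbound packet to a port with no xlate entry.
    unsolicited = fw.inbound(Packet("198.51.100.10", 443, "203.0.113.1", 2222))
    return {"host_a": host_a, "ta": ta, "host_b": host_b, "tb": tb,
            "stray": stray_src, "tc": tc, "reply": reply, "unsolicited": unsolicited}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The two inside hosts reusing source port 40000 is why the translation carries a port and not just an address: with a single outside IP, only the mapped port distinguishes the return traffic.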
01-12-2015 06:58 AM
It seems to be the essential NAT config for initial setup.
I found a YouTube video using the config below. Is it wrong? It seems different from your official one.
conf t
no global (outside) 1 192.168.1.4
no nat (inside) 1 0.0.0.0 0.0.0.0 0 0
end
Then I changed to use your config below:
conf t
object network DYNAMIC-PAT
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface
end
Besides the essential NAT, why can it implement extra NAT? What are they? Will they duplicate the function of the essential ones?
It is just a mapping table; what extra function can be implemented besides the essential NAT command above?
As I know, there is a kind of NAT that includes the port too. Does the P in PAT represent Port or something?