Introduction
This document describes the difference between two methods of configuring NAT on the ASA, as asked by a user.
Problem
A user is configuring a couple of new 5515-X ASAs. He wishes to know:
- What are the major differences between the following two NAT syntax methods?
- Do they both work in a lab environment?
Method 1:
object network Test-DMZ-Server_EXT
 host 172.16.11.2
object network LOCAL-RANGE_EXT
 host 172.27.1.2
object network LOCAL-RANGE
 host 192.168.10.2
 nat (inside,outside) static LOCAL-RANGE_EXT
object network Test-DMZ-Server
 host 192.168.199.2
 nat (DMZ,any) static Test-DMZ-Server_EXT
object network ANY
 subnet 0.0.0.0 0.0.0.0
 nat (any,outside) dynamic interface
Method 2:
object network LOCAL-RANGE
 host 192.168.10.2
object network Test-DMZ-Server
 host 192.168.199.2
object network Test-DMZ-Server_EXT
 host 172.25.1.2
object network LOCAL-RANGE_EXT
 host 172.17.1.2
nat (DMZ,any) source static Test-DMZ-Server Test-DMZ-Server_EXT
nat (inside,outside) source static LOCAL-RANGE LOCAL-RANGE_EXT
nat (any,outside) source dynamic any interface
Solution
a.) The first set of commands is Auto NAT, also called Network Object NAT: the user configures the whole "nat" statement under the network object that it translates. This form is used for Dynamic PAT, Static NAT and Static PAT.
The second set is Twice NAT, also called Manual NAT or "Double NAT". The real and mapped addresses are listed in the "nat" statement itself, using separately created "object" and "object-group" entries; the "nat" command is not located under any object but simply references them. This form is typically used for NAT0 and policy NAT configurations.
Another major difference is how the rules are ordered post 8.3. The NAT configuration is divided into three sections, which define the priority in which "nat" rules are evaluated:
Section 1 = Manual NAT / Twice NAT
Section 2 = Auto NAT / Network Object NAT
Section 3 = Manual NAT / Twice NAT (rules entered with the "after-auto" keyword)
Another big difference between Auto NAT and Manual NAT is that Auto NAT only translates the source address (which can seem odd depending on which side of the firewall you look at the flow from), while Manual NAT can translate both the source and the destination IP address.
b.) Both configurations, when implemented, achieve the same thing.
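The following configuration is an added example, not taken from the original discussion, that shows the three points above together: a Section 1 Twice NAT rule that translates source and destination in one statement, a Section 2 Auto NAT rule that only translates the source, and a Section 3 rule placed there with "after-auto". It reuses the object names and addresses from Method 2; the object WEB-SERVER and the address 203.0.113.10 are constructed for illustration.

```cisco
! Added example, not the user's configuration. Objects reuse the page's Method 2
! names/addresses; WEB-SERVER and 203.0.113.10 are constructed placeholders.
object network LOCAL-RANGE
 host 192.168.10.2
object network LOCAL-RANGE_EXT
 host 172.17.1.2
object network Test-DMZ-Server
 host 192.168.199.2
object network Test-DMZ-Server_EXT
 host 172.25.1.2
!
! Section 1: Manual / Twice NAT (no "after-auto"), evaluated first.
! One rule translates BOTH addresses: when LOCAL-RANGE on "inside" sends to the
! DMZ server's mapped address, the source becomes LOCAL-RANGE_EXT and the
! destination is un-translated from Test-DMZ-Server_EXT to the real server.
! Note the order: source = real mapped, destination = mapped real.
nat (inside,DMZ) source static LOCAL-RANGE LOCAL-RANGE_EXT destination static Test-DMZ-Server_EXT Test-DMZ-Server
!
! Section 2: Auto / Network Object NAT. The "nat" line lives under the object
! and can only translate that object as the source address.
object network WEB-SERVER
 host 192.168.199.10
 nat (DMZ,outside) static 203.0.113.10
!
! Section 3: Manual NAT entered with "after-auto", so it is consulted only when
! nothing in Section 1 or Section 2 matched the flow (a catch-all PAT here).
nat (any,outside) after-auto source dynamic any interface
```

Without "after-auto" the last rule would land in Section 1 and, being a match-anything rule, would be evaluated before the Auto NAT entry in Section 2.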
Source Discussion
CSC Discussion