Cisco & Cisco Network Hardware News and Technology

Configuring NAT on Cisco ASA

April 16 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

Network address translation (NAT) lets the firewall translate private addresses to public ones.
On a Cisco ASA firewall you can configure two types of NAT:
- Dynamic NAT (including PAT, port address translation)
- Static NAT

NAT example (the web server must send its responses to the client via the public/mapped address):


Dynamic NAT lets you translate internal addresses to a predefined set or pool of public addresses that you define. The "nat" command selects which internal hosts are translated, and the "global" command defines the public address range they are translated into. The number "1" in the nat configuration is the NAT ID (the number of the NAT rule); it must be the same on the "nat" and the "global" command, otherwise the two halves of the rule are not linked:

ASA1(config)#nat (inside) 1
ASA1(config)#global (outside) 1

PAT translates a range of internal addresses to a single public address by mapping each connection to a different source port:

ASA1(config)#nat (inside) 1
ASA1(config)#global (outside) 1

Instead of an IP address in the global command, you can use the keyword "interface". The internal addresses are then automatically PAT-ed to the address of the outside interface:

ASA1(config)#nat (inside) 1
ASA1(config)#global (outside) 1 interface


Static NAT lets you permanently map a public IP address and port to an inside one (port forwarding). Cisco also supports 1:1 NAT, or "mirroring", which translates every port of a private address to the same port on a public address (bi-directional). Note that a static translation alone does not open anything: traffic from the "outside" to the "inside" interface must additionally be permitted by an access control list.

Port forwarding:


Port forwarding maps publicly reachable ports to internal addresses. After configuring NAT, you must apply an access list that permits the traffic from outside to the inside hosts. Finally, to activate the ACL, bind it inbound on the "outside" interface with the "access-group" command:

ASA1(config)#static (inside,outside) tcp http http netmask
ASA1(config)#static (inside,outside) tcp ftp ftp netmask
ASA1(config)#static (inside,outside) tcp smtp smtp netmask


ASA1(config)#access-list outside_in_acl extended permit tcp any host eq http
ASA1(config)#access-list outside_in_acl extended permit tcp any host eq ftp
ASA1(config)#access-list outside_in_acl extended permit tcp any host eq smtp

ASA1(config)#access-group outside_in_acl in interface outside


Static 1:1 NAT (every public port mapped to the same internal port):

ASA1(config)#static (inside,outside) netmask

As before, to allow traffic from the lower-security interface "outside" to the higher-security interface "inside", an access control list must be applied; the static translation by itself does not permit the flow.
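Two mistakes come up repeatedly with this style of configuration: a "nat" rule whose ID has no matching "global", and a static port forward that is never permitted by the ACL bound on the outside interface. The audit below is an added example, not part of the original post or of any Cisco tool: it parses a constructed sample of nat/global/static/access-list lines (the pre-8.3 syntax shown above, with 10.0.0.0/24 and 192.0.2.10 as made-up addresses) and reports exactly those two gaps.

```python
import re

# Constructed sample config in the pre-8.3 nat/global/static syntax (not from the post).
# nat id 2 has no global, and the smtp forward has no ACL permit: both should be flagged.
SAMPLE_CONFIG = """
nat (inside) 1 10.0.0.0 255.255.255.0
global (outside) 1 interface
nat (inside) 2 10.0.1.0 255.255.255.0
static (inside,outside) tcp 192.0.2.10 http 10.0.0.10 http netmask 255.255.255.255
static (inside,outside) tcp 192.0.2.10 smtp 10.0.0.20 smtp netmask 255.255.255.255
access-list outside_in_acl extended permit tcp any host 192.0.2.10 eq http
access-group outside_in_acl in interface outside
"""

NAT_RE = re.compile(r"^nat \((\S+)\) (\d+) ")
GLOBAL_RE = re.compile(r"^global \((\S+)\) (\d+) ")
# static (real_ifc,mapped_ifc) proto mapped_ip mapped_port real_ip real_port netmask ...
STATIC_RE = re.compile(r"^static \(\S+,(\S+)\) (tcp|udp) (\S+) (\S+) \S+ \S+ netmask")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) \S+ host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def audit_nat(config: str) -> list:
    """Return a list of findings for the nat/global/static rules in `config`."""
    nat_ids, global_ids, statics, permits, bound = set(), set(), [], set(), {}
    for line in config.splitlines():
        line = line.strip()
        if m := NAT_RE.match(line):
            nat_ids.add(m.group(2))
        elif m := GLOBAL_RE.match(line):
            global_ids.add(m.group(2))
        elif m := STATIC_RE.match(line):
            statics.append(m.groups())       # (mapped_ifc, proto, mapped_ip, mapped_port)
        elif m := ACL_RE.match(line):
            permits.add(m.groups())          # (acl, proto, dest_ip, dest_port)
        elif m := GROUP_RE.match(line):
            bound[m.group(2)] = m.group(1)   # interface -> ACL bound inbound on it
    findings = []
    for nat_id in sorted(nat_ids - global_ids):
        findings.append(f"nat id {nat_id} has no matching global: translation will not work")
    for mapped_ifc, proto, pub_ip, pub_port in statics:
        acl = bound.get(mapped_ifc)
        if acl is None:
            findings.append(f"no access-group bound inbound on {mapped_ifc}: {pub_ip}:{pub_port} unreachable")
        elif (acl, proto, pub_ip, pub_port) not in permits:
            findings.append(f"{acl} does not permit {proto} {pub_ip} eq {pub_port}: forward unreachable")
    return findings


if __name__ == "__main__":
    for finding in audit_nat(SAMPLE_CONFIG):
        print(finding)
```

The check only understands the "permit ... any host X eq PORT" shape used in this post; object-groups, ranges and "permit ip any any" would need extra parsing before a clean result means anything.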

