There are so many variations that are possible with NAT now – and I am just talking in the “new rules”. In this post, lets just review one. We will do dynamic NAT with a PAT backup using network objects. We will provide the NAT instructions manually instead of inside an object.
Our topology is as follows:
Our objective here is as follows:
- Configure NAT so that hosts on the inside network 192.168.65.0/24 attempting to reach the outside network are translated using the pool 74.0.0.102 to 103. We need to use the interface IP address as a PAT backup. The NAT configuration must be manual.
My first step is to create my network objects:
object network 192INSIDE subnet 192.168.65.0 255.255.255.0 object network POOL1 range 74.0.0.102 74.0.0.103
Verification of this step is show run object.
Now I am ready for the manual NAT:
nat (inside,outside) source dynamic 192INSIDE POOL1 interface
The above command is made VERY easy thanks to context-sensitive help.
For verification – we do not even need to leave the ASA thanks to Packet Tracer!
packet-tracer input inside tcp 192.168.65.3 1027 4.4.4.4 23
...
Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic 192INSIDE POOL1 interface
Additional Information:
Dynamic translate 192.168.65.3/1027 to 74.0.0.102/1027
...
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
ASA1#
Of course, we can always create traffic through the ASA and view the translation. Here I telnet through from R3 on the inside to R4 on the outside. We confirm out configuration and that traffic is matching it:
ASA1# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic 192INSIDE POOL1 interface
translate_hits = 6, untranslate_hits = 6
ASA1#
Of course I will be back with plenty of other “new” NAT sample configurations and verifications for you.