You are currently viewing Configuring NAT on the Cisco ASA

Configuring NAT on the Cisco ASA

In this article, we will take a look at how to configure different types of NAT on the Cisco ASA post 8.4 software code. Accompanying this post is a video demonstration covering what has been discussed in this article.

We will cover the following types of NAT:
  • Static NAT
  • Dynamic NAT
  • Dynamic PAT
  • Identity NAT
Before jumping into the demonstrations I will explain the purpose of each type of NAT on the Cisco ASA.
Overview of NAT
NAT addresses can be defined as the following:
  • Inside local address: This is the IP address that is assigned to a host on the inside of a network. The inside local address is most certainly bound to fall within the RFC 1918 reserved private IP address spaces.
  • Inside global address: This is a globally routable IP address (public IP address) that can represent one or more inside local IP addresses to the outside world.
  • Outside local address: This is the IP address of an outside host as it appears on the inside network.
  • Outside global address: This is the IP address that is assigned to a host or hosts on the outside network. The outside global address is allocated from a globally routable address or network space (public IP address).
On the ASA NAT can be applied in one of two ways; using Object NAT or Twice (manual) NAT. Cisco recommends using Object NAT where possible unless the extra features of twice NAT such as changing the destination address are required.
ASA NAT Considerations
When configuring Object NAT there are a few considerations that must be taken into account; some of these are:
  • Object NAT cannot be configured under Object Groups however they can be referred to when configuring twice NAT
  • NAT is supported for both Routed and Transparent mode deployments
  • Object networks and groups can only include IPv4 or IPv6 addresses and cannot have both
  • As per the NAT order of operation, Twice NAT rules will be considered before Object NAT (shown below)
ASA NAT Order of Operation
The order of operation is important when thinking about using NAT on your ASA because other configured rules could override other rules. The ASA NAT order of operation follows a top-down approach, meaning that the ASA will look at the NAT rules configured at the top and work its way to the bottom until a match is found.
Twice NAT rules are always matched first in section 1, followed by Object NAT in section 2 and lastly, more generic Twice NAT rules in section 3.
It is best practice to ensure that the most important NAT rules are placed first before generic rules.
In terms of Object NAT, there are a few considerations to mention when more than one NAT rule exists:
• The number of real IP addresses is assessed first, the object with the smallest IP addresses will be assessed before the object with the largest addresses
• If an object has the same number of IP addresses, the lowest IP address is assessed first i.e. before
• If an object has the same address used then the object name is assessed in alphabetical order i.e. ‘ABC’ will be assessed before ‘ADZ’

Static NAT

Static NAT will create a fixed translation between a real IP and a mapped (NAT) IP address. Static NAT on the ASA will also allow a bidirectional flow between both source and destination only if an ACL permits.
The following image shows a static NAT translation whereby the real source address (inside local) host is translated to the mapped source address (inside global). The destination address is also translated on this occasion.
An example of the static NAT configuration is shown below using Object NAT:
object network VPC3
nat (inside,outside) static VPC3-Mapped


ciscoasa(config)# show nat detail
Auto NAT Policies (Section 2)
1 (inside) to (outside) source static VPC3 VPC3-Mapped
translate_hits = 10, untranslate_hits = 5
Source – Origin:, Translated:


Dynamic NAT

Dynamic NAT will translate a group of RFC 1918 addresses to a pool of mapped (NAT) IP addresses that are routable. The NAT pool will often contain fewer IP addresses than the RFC 1918 addresses that need to be translated. When an inside host is translated, one routable address from the pool of addresses is used for that connection. Once the connection is torn down, the routable address is returned back to the pool so that other back-to-the-inside local hosts can make use of it when required. The inside local host does not keep the public IP address and therefore connections cannot be initiated to the inside local host.
An example of dynamic NAT configuration is shown below:
nat (inside,outside) source dynamic VPC4-5 dynamic-nat


ciscoasa(config)# show nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic VPC4-5 dynamic-nat translate_hits = 67, untranslate_hits = 0
Source – Origin:,, Translated:


Dynamic PAT

Dynamic Port Address Translation (PAT) translates multiple RFC 1918 addresses as well as the source port to one publicly routable IP address with a unique source port.


An example of dynamic PAT configuration is shown below:
ciscoasa(config)# object network NAT_POOL
ciscoasa(config-network-object)# range
ciscoasa(config)# object network IPv4_POOL 
ciscoasa(config-network-object)# range
ciscoasa(config)# nat (inside,outside) source dynamic IPv4_POOL NAT_POOL


Identity NAT

Identity NAT is a form of network address translation that will translate an IP address to itself, basically bypassing NAT. One particular use case for this is when you have an internal server that makes use of NAT but you don’t want the server to use NAT when communicating with other internal hosts.




An example of dynamic PAT configuration is shown below:

nat (inside,DMZ) source static VPC3 VPC3
ciscoasa# show nat detail
2 (inside) to (DMZ) source static VPC3 VPC3
translate_hits = 0, untranslate_hits = 0
Source – Origin:, Translated:
The accompanying video below will demonstrate the different types of NAT that have been discussed in this article.


Kelvin is a Cyber Security professional with years and experience working with organisations in different verticals, both large and small. He enjoys contributing to the Network Wizkid knowledge base and he also creates technical content. Kelvin enjoys learning new things and often does this by working on achieving new technical certifications. He holds many professional certifications and academically, he has achieved a Bachelors and Master's degree in both Computer Networks and Cyber Security.

Leave a Reply