{"id":1191,"date":"2022-01-26T14:22:37","date_gmt":"2022-01-26T11:22:37","guid":{"rendered":"https:\/\/wiki.volu-t.ru\/?p=1191"},"modified":"2022-02-03T18:37:31","modified_gmt":"2022-02-03T15:37:31","slug":"cisco-firepower-cisco-asa-nat-configuration-guide","status":"publish","type":"post","link":"https:\/\/wiki.m-network.ru\/?p=1191","title":{"rendered":"Cisco Firepower &#038; Cisco ASA \u2013 NAT Configuration Guide"},"content":{"rendered":"\n<h2 id=\"nat-syntax\">Part 1 \u2013 NAT Syntax<\/h2>\n\n\n\n<p>There are two sets of syntax available for configuring address translation on a Cisco ASA. These two methods are referred to as&nbsp;<strong>Auto NAT<\/strong>&nbsp;and&nbsp;<strong>Manual NAT<\/strong>. The syntax for both makes use of a construct known as an&nbsp;<strong><code>object<\/code><\/strong>. The configuration of objects involves the keywords&nbsp;<strong><em>real<\/em><\/strong>&nbsp;and&nbsp;<strong><em>mapped<\/em><\/strong>. In Part 1 of this article we will discuss all five of these terms.<\/p>\n\n\n\n<h3 id=\"configuring-objects\">Objects<\/h3>\n\n\n\n<p>An&nbsp;<strong>object<\/strong>&nbsp;is a construct which represents any&nbsp;<em>single<\/em>&nbsp;item in your network environment.
Two types of objects can be configured:<\/p>\n\n\n\n<ul><li>a&nbsp;<strong>network object<\/strong>&nbsp;\u2014 represents&nbsp;<em>one<\/em>&nbsp;IP address, or&nbsp;<em>one<\/em>&nbsp;IP Subnet, or&nbsp;<em>one<\/em>&nbsp;IP address range<\/li><li>a&nbsp;<strong>service object<\/strong>&nbsp;\u2014 represents&nbsp;<em>one<\/em>&nbsp;set of a Protocol, Source Port, and\/or Destination port<\/li><\/ul>\n\n\n\n<p>The idea is to configure and define an&nbsp;<code>object<\/code>, then reference that&nbsp;<em>one<\/em>&nbsp;item in your configuration by the object\u2019s name.<\/p>\n\n\n\n<h4 id=\"network-objects\">Network Objects<\/h4>\n\n\n\n<p>To configure a&nbsp;<strong>network object<\/strong>, first use the following syntax to create the object:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>object network &lt;Object Name&gt;<\/code><\/pre>\n\n\n\n<p>Then define the content of the object as either a&nbsp;<em>single<\/em>&nbsp;IP Address, or a&nbsp;<em>single<\/em>&nbsp;IP Subnet, or a&nbsp;<em>single<\/em>&nbsp;IP Address range using&nbsp;<em>one&nbsp;<\/em>of the commands below:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>host &lt;IP Address&gt;\n\nsubnet &lt;Network ID&gt; &lt;Subnet Mask&gt;\n\nrange &lt;Start IP Address&gt; &lt;End IP Address&gt;<\/code><\/pre>\n\n\n\n<p>Below are examples of each of the three types of&nbsp;<strong>network objects<\/strong>:<\/p>\n\n\n\n<p>To create a network object which represents your web server\u2019s IP address, you would use the following syntax:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>object network WEB-SERVER\n  host 172.16.30.15\n<\/code><\/pre>\n\n\n\n<p>To create a network object which represents your Inside network, you would use the following syntax:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>object network INSIDE-NETWORK\n  subnet 172.16.30.0 255.255.255.0\n<\/code><\/pre>\n\n\n\n<p>Lastly, to create a network object which represents a particular IP address range, you would use the following
syntax. This will define a range that includes all five IP addresses in the inclusive range of&nbsp;<code>72.6.6.10<\/code>&nbsp;through&nbsp;<code>72.6.6.14<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>object network PUBLIC-IPs\n  range 72.6.6.10 72.6.6.14<\/code><\/pre>\n\n\n\n<h4 id=\"service-objects\">Service Objects<\/h4>\n\n\n\n<p>To configure a&nbsp;<strong>service object<\/strong>, first use the following syntax to create the object:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>object service &lt;Object Name&gt;<\/code><\/pre>\n\n\n\n<p>The content of the service object&nbsp;<em>must<\/em>&nbsp;include at least a protocol, and can also include a source port, destination port, or both. Here are examples of all four possibilities:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>object service PROTOCOL\n  service esp\n\nobject service PROT-DST\n  service tcp destination eq 80\n\nobject service PROT-SRC\n  service tcp source gt 1023\n\nobject service PROT-SRC-DST\n  service udp source eq 53 destination eq 53<\/code><\/pre>\n\n\n\n<p>The specific port number the object represents can be identified using certain operators \u2013 the example above uses&nbsp;<strong>eq<\/strong>&nbsp;and&nbsp;<strong>gt<\/strong>.
Five different operators exist:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><code><strong>eq &lt;Port#&gt;<\/strong><\/code><\/td><td>Port must be&nbsp;<strong>eq<\/strong>ual to&nbsp;<code><strong>&lt;Port#&gt;<\/strong><\/code><\/td><\/tr><tr><td><code><strong>gt &lt;Port#&gt;<\/strong><\/code><\/td><td>Port must be&nbsp;<strong>g<\/strong>reater&nbsp;<strong>t<\/strong>han&nbsp;<code><strong>&lt;Port#&gt;<\/strong><\/code>&nbsp;(equal to&nbsp;<code><strong>&lt;Port#&gt;<\/strong><\/code>&nbsp;will&nbsp;<em>not&nbsp;<\/em>match)<\/td><\/tr><tr><td><code><strong>lt &lt;Port#&gt;<\/strong><\/code><\/td><td>Port must be&nbsp;<strong>l<\/strong>ess&nbsp;<strong>t<\/strong>han&nbsp;<code><strong>&lt;Port#&gt;<\/strong><\/code>&nbsp;(equal to&nbsp;<code><strong>&lt;Port#&gt;<\/strong><\/code>&nbsp;will&nbsp;<em>not&nbsp;<\/em>match)<\/td><\/tr><tr><td><code><strong>neq &lt;Port#&gt;<\/strong><\/code><\/td><td>Port must be&nbsp;<strong><em>n<\/em><\/strong><em>ot<\/em>&nbsp;<strong>eq<\/strong>ual to&nbsp;<code><strong>&lt;Port#&gt;<\/strong><\/code><\/td><\/tr><tr><td><code><strong>range &lt;Start#&gt; &lt;End#&gt;<\/strong><\/code><\/td><td>Port must be in the inclusive&nbsp;<strong>range<\/strong>&nbsp;of&nbsp;<code><strong>&lt;Start#&gt;<\/strong><\/code>&nbsp;to&nbsp;<code><strong>&lt;End#&gt;<\/strong><\/code><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h4 id=\"viewing-objects\">Viewing Objects<\/h4>\n\n\n\n<p>Two commands are available to view objects:<\/p>\n\n\n\n<p>The&nbsp;<strong><code>show run object<\/code><\/strong>&nbsp;command lists the objects essentially as they were configured above:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>asa98#  show run object\nobject service PROTOCOL\n  service esp\nobject service PROT-DST\n  service tcp destination eq www\nobject service PROT-SRC\n  service tcp source gt 1023\nobject service PROT-SRC-DST\n  service udp source eq domain destination eq domain\nobject network WEB-SERVER\n  host
172.16.30.15\nobject network INSIDE-NETWORK\n  subnet 172.16.30.0 255.255.255.0\nobject network PUBLIC-IPs\n  range 72.6.6.10 72.6.6.14\n<\/code><\/pre>\n\n\n\n<p>And the&nbsp;<code><strong>show run object&nbsp;<em>in-line<\/em><\/strong><\/code>&nbsp;command displays the same as above, except every object definition will be on the same line as the object name:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>asa98#  <strong>show run object in-line<\/strong>\nobject service PROTOCOL service esp\nobject service PROT-DST service tcp destination eq www\nobject service PROT-SRC service tcp source gt 1023\nobject service PROT-SRC-DST service udp source eq domain destination eq domain\nobject network WEB-SERVER host 172.16.30.15\nobject network INSIDE-NETWORK subnet 172.16.30.0 255.255.255.0\nobject network PUBLIC-IPs range 72.6.6.10 72.6.6.14\n<\/code><\/pre>\n\n\n\n<p>Using the&nbsp;<strong><code>in-line<\/code><\/strong>&nbsp;variant makes it much easier to \u201cpipe include\u201d and search for a specific object name and\/or definition:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>asa98#  show run object in-line <strong>| include WEB<\/strong>\nobject network WEB-SERVER host 172.16.30.15\n<\/code><\/pre>\n\n\n\n<p>If you had run the \u201cpipe include\u201d&nbsp;<em>without<\/em>&nbsp;the&nbsp;<code><strong>in-line<\/strong><\/code>&nbsp;option, you would have received only the name of the matching object, not its definition.<\/p>\n\n\n\n<h3 id=\"real-mapped\">Real and Mapped<\/h3>\n\n\n\n<p>NAT configuration on the Cisco ASA will make use of the keywords&nbsp;<strong>real<\/strong>&nbsp;and&nbsp;<strong>mapped<\/strong>. These terms can be applied to IP addresses or interfaces.
We will define these with the example of a Static NAT below:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"230\" src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/01\/asanat-real-mapped-1024x230.png\" alt=\"\" class=\"wp-image-1192\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-real-mapped-1024x230.png 1024w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-real-mapped-300x67.png 300w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-real-mapped-768x172.png 768w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-real-mapped-1536x344.png 1536w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-real-mapped-150x34.png 150w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-real-mapped.png 1632w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>The word&nbsp;<strong>real<\/strong>&nbsp;indicates what is&nbsp;<strong><em>really<\/em>&nbsp;configured on a server<\/strong>.<br><br>For example, the web server at the IP address .15 is&nbsp;<em>really<\/em>&nbsp;configured with the IP address&nbsp;<code>172.16.30.15<\/code>, which means the actual NIC&nbsp;<em>really<\/em>&nbsp;has the IP address&nbsp;<code>172.16.30.15<\/code>&nbsp;configured. Hence,&nbsp;<strong>172.16.30.15 is considered the&nbsp;<em>real IP address<\/em><\/strong>.<br><br>Moreover, the&nbsp;<em>real IP<\/em>&nbsp;exists on the ASA\u2019s&nbsp;<em>Inside<\/em>&nbsp;interface. Hence,&nbsp;<strong>for the translation above, the Inside interface is considered the&nbsp;<em>real interface<\/em><\/strong>.<br><br>The word&nbsp;<strong>mapped<\/strong>&nbsp;indicates attributes&nbsp;<strong>after a translation has occurred<\/strong>.<br><br>For example, the&nbsp;<em>real address<\/em>&nbsp;<code>172.16.30.15<\/code>&nbsp;is being translated to&nbsp;<code>72.6.6.15<\/code>. 
This makes&nbsp;<strong><code>72.6.6.15&nbsp;<\/code>the&nbsp;<em>mapped address<\/em><\/strong>. Moreover, the&nbsp;<em>mapped address<\/em>&nbsp;exists on the ASA\u2019s&nbsp;<em>Outside<\/em>&nbsp;interface. Hence,&nbsp;<strong>the Outside interface is considered the&nbsp;<em>mapped interface<\/em><\/strong>.<br><br>Another way to remember it is the&nbsp;<strong><em>mapped<\/em><\/strong>&nbsp;attributes only exist because the ASA created them, whereas the&nbsp;<strong><em>real<\/em><\/strong>&nbsp;attributes exist despite any configuration on the ASA.<\/figcaption><\/figure>\n\n\n\n<h3 id=\"autonat\">Auto NAT<\/h3>\n\n\n\n<p>We discussed the&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#configuring-objects\">configuration of Objects<\/a>&nbsp;because Auto NAT is configured&nbsp;<em>within<\/em>&nbsp;the Object definition, and we discussed the keywords&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#real-mapped\"><em>Real<\/em>&nbsp;and&nbsp;<em>Mapped<\/em><\/a>&nbsp;because the syntax uses these terms to designate the addresses involved in the translation.<\/p>\n\n\n\n<p>With those items defined, we can finally discuss the definition and syntax of&nbsp;<strong>Auto NAT<\/strong>.<\/p>\n\n\n\n<p><strong>Auto NAT can be used anytime you need to make&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/policy-nat-twice-nat\/#decision-criteria\" target=\"_blank\" rel=\"noreferrer noopener\">a NAT decision<\/a>&nbsp;based upon only the Source of traffic<\/strong>.
This means each of the four types of translations (<a href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/static-nat\/\" target=\"_blank\" rel=\"noreferrer noopener\">Static NAT<\/a>,&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/static-pat\/\" target=\"_blank\" rel=\"noreferrer noopener\">Static PAT<\/a>,&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/dynamic-pat\/\" target=\"_blank\" rel=\"noreferrer noopener\">Dynamic PAT<\/a>,&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/dynamic-nat\/\" target=\"_blank\" rel=\"noreferrer noopener\">Dynamic NAT<\/a>) can be configured with Auto NAT.<\/p>\n\n\n\n<h3 id=\"autonat-syntax\">Auto NAT Syntax<\/h3>\n\n\n\n<p>The syntax for Auto NAT is as follows (remember, this will be applied&nbsp;<em>within<\/em>&nbsp;the object definition):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>  nat (&lt;REAL-INTERFACE&gt;,&lt;MAPPED-INTERFACE&gt;) &lt;static|dynamic&gt; &lt;MAPPED-IP&gt;<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><code><strong>nat<\/strong><\/code><\/td><td>The configuration for Auto NAT starts with the&nbsp;<code><strong>nat<\/strong><\/code>&nbsp;command&nbsp;<em>within<\/em>&nbsp;an object definition<\/td><\/tr><tr><td><em><code><strong>&lt;REAL-INTERFACE&gt;<\/strong><\/code><\/em><\/td><td>The interface on the ASA which faces the&nbsp;<em><code><strong>&lt;real-ip&gt;<\/strong><\/code><\/em>&nbsp;(defined within the object)<\/td><\/tr><tr><td><em><code><strong>&lt;MAPPED-INTERFACE&gt;<\/strong><\/code><\/em><\/td><td>The interface on the ASA which faces the&nbsp;<em><code><strong>&lt;mapped-ip&gt;<\/strong><\/code><\/em><\/td><\/tr><tr><td><code><strong>&lt;static|dynamic&gt;<\/strong><\/code><\/td><td>Use&nbsp;<code><strong>static<\/strong><\/code>&nbsp;for Static NAT or Static PAT, use&nbsp;<code><strong>dynamic<\/strong><\/code>&nbsp;for Dynamic NAT or Dynamic
PAT<\/td><\/tr><tr><td><em><code><strong>&lt;MAPPED-IP&gt;<\/strong><\/code><\/em><\/td><td>The IP address to which the object is being translated. This can be specified as an IP address directly or using the name of another object. You also have the option of specifying the&nbsp;<strong>interface<\/strong>&nbsp;keyword to use the IP address assigned to the mapped-interface<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Notice the elements of the syntax did&nbsp;<em>not<\/em>&nbsp;include specifying a&nbsp;<em><code>&lt;real-ip&gt;<\/code><\/em>&nbsp;\u2013 it is inherited from the object\u2019s definition. Consequently, Auto NAT can only be configured directly&nbsp;<em>within<\/em>&nbsp;an object.<\/p>\n\n\n\n<p>This is a complete example configuration of a Static NAT for the Web server from the&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#real-mapped\">image above<\/a>. The&nbsp;<em>real-IP<\/em>&nbsp;<code>172.16.30.15<\/code>&nbsp;is being translated to the&nbsp;<em>mapped-IP<\/em>&nbsp;<code>72.6.6.15<\/code>&nbsp;when packets are traveling between the&nbsp;<em>real-interface<\/em>&nbsp;<code>inside<\/code>&nbsp;and the&nbsp;<em>mapped-interface<\/em>&nbsp;<code>outside<\/code>&nbsp;(and vice versa).<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>object network WEB-SERVER\n  host 172.16.30.15\n<strong>  nat (inside,outside) static 72.6.6.15<\/strong><\/code><\/pre>\n\n\n\n<p>This is a complete example configuration of a Dynamic PAT for the Inside segment from the&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#real-mapped\">image above<\/a>. 
The&nbsp;<em>real-ip<\/em>&nbsp;addresses in the&nbsp;<code>172.16.30.0\/24<\/code>&nbsp;network are sharing the IP address of the&nbsp;<em>mapped-interface<\/em>&nbsp;<code>outside<\/code>.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>object network INSIDE-NETWORK\n  subnet 172.16.30.0 255.255.255.0\n<strong>  nat (inside,outside) dynamic interface<\/strong><\/code><\/pre>\n\n\n\n<h3 id=\"autonat-ports\">Auto NAT with a Port Translation<\/h3>\n\n\n\n<p>The syntax above did&nbsp;<em>not<\/em>&nbsp;include the arguments necessary to allow you to map one port to another \u2013 namely, to configure a Static&nbsp;<em><a href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/nat-terminology\/#nat-pat\" target=\"_blank\" rel=\"noreferrer noopener\">PAT<\/a><\/em>.<\/p>\n\n\n\n<p>In order to translate ports, you must add the&nbsp;<strong><code>service<\/code><\/strong>&nbsp;section to the end of your Auto NAT command, giving us the updated syntax below (again, this is configured&nbsp;<em>within<\/em>&nbsp;an&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#configuring-objects\">object<\/a>):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>nat (&lt;REAL-INTF&gt;,&lt;MAPPED-INTF&gt;) static &lt;MAPPED-IP&gt; [service &lt;tcp|udp&gt; &lt;REAL-PORT&gt; &lt;MAPPED-PORT&gt;]<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><code><strong>service<\/strong><\/code><\/td><td>indicates a translation of port numbers<\/td><\/tr><tr><td><code><strong>&lt;tcp|udp&gt;<\/strong><\/code><\/td><td>specifying whether this translation affects TCP or UDP ports<\/td><\/tr><tr><td><em><code><strong>&lt;REAL-PORT&gt;<\/strong><\/code><\/em><\/td><td>identifies the port number associated with the real IP address<\/td><\/tr><tr><td><em><code><strong>&lt;MAPPED-PORT&gt;<\/strong><\/code><\/em><\/td><td>designates the port number associated with the mapped IP address<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>There
is&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/nat-terminology\/#static-dynamic\" target=\"_blank\" rel=\"noreferrer noopener\">no such thing as a \u201cdynamic\u201d&nbsp;<em>explicit<\/em>&nbsp;translation between ports<\/a>, so a Static PAT translation will always use the&nbsp;<strong><code>static<\/code><\/strong>&nbsp;designation.<\/p>\n\n\n\n<p>This is a complete example configuration of a Static PAT for the Web Server. The Web Server\u2019s SSH port (<code>TCP\/22<\/code>) is being hidden behind a&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/static-pat\/#non-standard-ports\" target=\"_blank\" rel=\"noreferrer noopener\">non-standard port<\/a>&nbsp;on the Outside (<code>TCP\/2222<\/code>):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>object network <strong>WEB-SERVER-SSH<\/strong>\n  host 172.16.30.15\n  nat (inside,outside) static 72.6.6.15 <strong>service tcp 22 2222<\/strong><\/code><\/pre>\n\n\n\n<p>Notice, we had to create a new object \u2013&nbsp;<strong>each object can only contain&nbsp;<em>one<\/em>&nbsp;translation<\/strong>, and we were already using the object&nbsp;<code><strong>WEB-SERVER<\/strong><\/code>&nbsp;for the&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#autonat-syntax\">Static NAT example above<\/a>.<\/p>\n\n\n\n<h3 id=\"manualnat\">Manual NAT<\/h3>\n\n\n\n<p>There are two primary differences between&nbsp;<strong>Manual NAT<\/strong>&nbsp;and&nbsp;<strong>Auto NAT<\/strong>:<\/p>\n\n\n\n<ul><li>Auto NAT can only make a NAT decision based upon the Source* of traffic.<\/li><li>Auto NAT can only translate the Source* of traffic.<\/li><\/ul>\n\n\n\n<ul><li>Manual NAT can make a NAT decision based upon the Source, or upon&nbsp;<em>both<\/em>&nbsp;the Source and Destination.<\/li><li>Manual NAT can translate the Source, the Destination, or even&nbsp;<em>both<\/em>&nbsp;the Source&nbsp;<em>and<\/em>&nbsp;Destination at the same time.<\/li><\/ul>\n\n\n\n<p>In 
short, Manual NAT can do everything that Auto NAT can, and a little extra \u2013 namely,&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/policy-nat-twice-nat\/\" target=\"_blank\" rel=\"noreferrer noopener\">Policy NAT and Twice NAT<\/a>.<\/p>\n\n\n\n<p>Of course, this doesn\u2019t make Auto NAT obsolete. Instead, the \u201cmuch simpler to configure\u201d Auto NAT should be used whenever the additional features of Manual NAT are not needed.<\/p>\n\n\n\n<p>Moreover, Auto NAT statements automatically sort themselves into a (generally) sensible order, whereas the ordering of Manual NAT statements must be considered manually. The details of this NAT precedence implication will be discussed later in this article.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote\"><p>*Note: Source of traffic from the&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/static-nat\/#source-or-destination\" target=\"_blank\">perspective of outbound traffic<\/a>.<\/p><\/blockquote>\n\n\n\n<p>The syntax of Manual NAT requires using&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#configuring-objects\">objects<\/a>&nbsp;for every reference to IP addresses and Ports. The&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#configuring-objects\">configuration of objects<\/a>&nbsp;was covered earlier in this article.
You may also use&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/security\/asa\/asa84\/configuration\/guide\/asa_84_cli_config\/acl_objects.html#Information_About_Object_Groups\" target=\"_blank\">object-groups<\/a>, which are constructs that combine multiple objects together.<\/p>\n\n\n\n<h3 id=\"manualnat-src\">Manual NAT Syntax \u2013 Source Only<\/h3>\n\n\n\n<p>The syntax for Manual NAT statements which only affect the Source of traffic is as follows. Note that every term in italics below is the name of an&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#network-objects\">Object<\/a>&nbsp;which identifies a particular IP or set of IP Addresses:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>nat <em>(&lt;REAL-INTF&gt;<\/em>,<em>&lt;MAPPED-INTF&gt;<\/em>) source &lt;static|dynamic&gt; &lt;<em>REAL-SRC&gt; &lt;MAPPED-SRC&gt;<\/em><\/strong><\/code><\/pre>\n\n\n\n<p>The syntax is similar to Auto NAT, except for a key difference: Manual NAT is&nbsp;<em>not<\/em>&nbsp;configured&nbsp;<em>within<\/em>&nbsp;an Object \u2014 it is configured directly from global configuration mode (aka,&nbsp;<code>configure terminal<\/code>).<\/p>\n\n\n\n<p>This is the definition of each argument in the Manual NAT syntax:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><code><strong>nat<\/strong><\/code><\/td><td>All manual NAT statements start with the command&nbsp;<code><strong>nat<\/strong><\/code><\/td><\/tr><tr><td><em><code><strong>&lt;REAL-INTF&gt;<\/strong><\/code><\/em><\/td><td>The interface which faces the addresses contained in the object&nbsp;<em><code><strong>&lt;REAL-SRC&gt;<\/strong><\/code><\/em><\/td><\/tr><tr><td><em><code><strong>&lt;MAPPED-INTF&gt;<\/strong><\/code><\/em><\/td><td>The interface which faces the addresses contained in the
object&nbsp;<em><code><strong>&lt;MAPPED-SRC&gt;<\/strong><\/code><\/em><\/td><\/tr><tr><td><code><strong>source<\/strong><\/code><\/td><td>Indicates that the next three arguments match and translate the&nbsp;<code><strong>source<\/strong><\/code>&nbsp;of outbound traffic<\/td><\/tr><tr><td><code><strong>&lt;static|dynamic&gt;<\/strong><\/code><\/td><td>Use&nbsp;<code><strong>static<\/strong><\/code>&nbsp;for Static NAT or Static PAT, use&nbsp;<code><strong>dynamic<\/strong><\/code>&nbsp;for Dynamic NAT or Dynamic PAT<\/td><\/tr><tr><td><em><code><strong>&lt;REAL-SRC&gt;<\/strong><\/code><\/em><\/td><td>An object which defines the&nbsp;<em>pre-<\/em>translation IP Address(es)<\/td><\/tr><tr><td><em><code><strong>&lt;MAPPED-SRC&gt;<\/strong><\/code><\/em><\/td><td>An object which defines the&nbsp;<em>post-<\/em>translation IP Address(es)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>The examples above of a&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#autonat-syntax\">Static NAT and Dynamic PAT with AutoNAT<\/a>&nbsp;can be re-written using Manual NAT as follows:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>object network WEB-SERVER\n  host 172.16.30.15\n\nobject network WEB-SERVER_PUBLIC\n  host 72.6.6.15\n\nnat (inside,outside) source static WEB-SERVER WEB-SERVER_PUBLIC\n<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>object network INSIDE-NETWORK\n  subnet 172.16.30.0 255.255.255.0\n\nnat (inside,outside) source dynamic INSIDE-NETWORK interface\n<\/code><\/pre>\n\n\n\n<p>Note that the Manual NAT statement is configured&nbsp;<em>external to<\/em>&nbsp;the Object definition.
In addition, note that you can still use the&nbsp;<code><strong>interface<\/strong><\/code>&nbsp;keyword to designate using the IP address of the&nbsp;<em><code><strong>&lt;MAPPED-INTF&gt;<\/strong><\/code><\/em>&nbsp;for the&nbsp;<em><code><strong>&lt;MAPPED-SRC&gt;<\/strong><\/code><\/em>.<\/p>\n\n\n\n<p>The Manual NAT statement above is the simplest form of the Manual NAT syntax. Later, we will add two more clauses to this statement: a clause that considers the destination and a clause that considers ports.<\/p>\n\n\n\n<p>However, first we must understand how to read the Manual NAT statement in its simplest form. Use this technique to turn Manual NAT syntax into more human-readable language.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"335\" src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-src-only-1024x335.png\" alt=\"\" class=\"wp-image-1194\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-src-only-1024x335.png 1024w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-src-only-300x98.png 300w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-src-only-768x252.png 768w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-src-only-1536x503.png 1536w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-src-only-150x49.png 150w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-src-only.png 1575w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Every variation of the Manual NAT statement that follows will start with the exact syntax above. 
In each case, we will also expand the \u201chow to read\u201d section to simplify understanding what is being translated and how it is being translated.<\/p>\n\n\n\n<h3 id=\"manualnat-src-dst\">Manual NAT Syntax \u2013 Source and Destination<\/h3>\n\n\n\n<p>The syntax for Manual NAT that considers both the Source and Destination of traffic is as follows:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>nat <em>(&lt;REAL-INTF&gt;<\/em>,<em>&lt;MAPPED-INTF&gt;<\/em>) source &lt;static|dynamic&gt; &lt;<em>REAL-SRC&gt; &lt;MAPPED-SRC&gt; <\/em><strong>destination static <em>&lt;REAL-DST&gt;<\/em> <em>&lt;MAPPED-DST&gt;<\/em><\/strong><\/code><\/pre>\n\n\n\n<p>You\u2019ll notice the syntax is&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#manualnat-src\">identical to \u201csource-only\u201d Manual NAT<\/a>&nbsp;in the preceding section. The only addition is this part at the end:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>... destination static <em>&lt;REAL-DST&gt;<\/em> <em>&lt;MAPPED-DST&gt;<\/em><\/strong><\/code><\/pre>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><code><strong>destination<\/strong><\/code><\/td><td>Indicates the next three arguments are matching and\/or translating the Destination of outbound traffic<\/td><\/tr><tr><td><code><strong>static<\/strong><\/code><\/td><td>The destination of outbound traffic can only be translated explicitly \u2013 dynamic is not an option<\/td><\/tr><tr><td><em><code><strong>&lt;REAL-DST&gt;<\/strong><\/code><\/em><\/td><td>An object which defines the&nbsp;<em>pre-<\/em>translation destination IP Address(es)<\/td><\/tr><tr><td><em><code><strong>&lt;MAPPED-DST&gt;<\/strong><\/code><\/em><\/td><td>An object which defines the&nbsp;<em>post-<\/em>translation destination IP address(es)<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Later in this article, we will provide use cases for Manual NAT statements that include both the Source and the Destination. 
For now, we just want to thoroughly define the syntax and how to interpret Manual NAT statements.<\/p>\n\n\n\n<p>We can extend the technique in the previous section which makes Manual NAT syntax more human-readable.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"498\" src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-src-dst-1024x498.png\" alt=\"\" class=\"wp-image-1195\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-src-dst-1024x498.png 1024w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-src-dst-300x146.png 300w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-src-dst-768x373.png 768w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-src-dst-150x73.png 150w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-src-dst.png 1414w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Notice, the translation will only occur if the traffic matches&nbsp;<em>both<\/em>&nbsp;the Source and Destination designated in the objects&nbsp;<strong><em><code>&lt;REAL-SRC&gt;<\/code><\/em><\/strong>&nbsp;and&nbsp;<strong><em><code>&lt;REAL-DST&gt;<\/code><\/em><\/strong>.<\/p>\n\n\n\n<h3 id=\"manualnat-ports\">Manual NAT Syntax \u2013 Port Translations<\/h3>\n\n\n\n<p>The syntax for Manual NAT that involves translating TCP or UDP ports as well as IP Addresses is as follows:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nat <em>(&lt;REAL-INTF&gt;<\/em>,<em>&lt;MAPPED-INTF&gt;<\/em>) source &lt;static|dynamic&gt; &lt;<em>REAL-SRC&gt; &lt;MAPPED-SRC&gt; <\/em>[destination static <em>&lt;REAL-DST&gt;<\/em> <em>&lt;MAPPED-DST&gt;<\/em>]<strong><em> service &lt;REAL-PORT&gt; &lt;MAPPED-PORT&gt;<\/em><\/strong><\/pre>\n\n\n\n<p>This command is configured on one line. 
But for the sake of simplicity, we will present&nbsp;<em>the same&nbsp;<\/em>syntax with each clause on its own line:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nat (<em>&lt;REAL-INTF&gt;<\/em>,<em>&lt;MAPPED-INTF&gt;<\/em>)\n  source &lt;static|dynamic&gt; <em>&lt;REAL-SRC&gt; &lt;MAPPED-SRC&gt;<\/em>\n    [destination static <em>&lt;REAL-DST&gt;<\/em> <em>&lt;MAPPED-DST&gt;<\/em>]\n      <strong>service <em>&lt;REAL-PORT&gt; &lt;MAPPED-PORT&gt;<\/em><\/strong><\/pre>\n\n\n\n<p>You\u2019ll notice the syntax is&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#manualnat-src-dst\">identical to \u201csource and destination\u201d Manual NAT<\/a>&nbsp;in the preceding section. The only differences are that the&nbsp;<code><strong>destination<\/strong><\/code>&nbsp;clause is optional and the&nbsp;<strong><code>service<\/code><\/strong>&nbsp;clause is appended to the end:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><strong>... service <em>&lt;REAL-PORT&gt; &lt;MAPPED-PORT&gt;<\/em><\/strong><\/code><\/pre>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><code><strong>service<\/strong><\/code><\/td><td>Indicates this translation will also translate ports, i.e.
this will be a&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/nat-terminology\/#ipport-to-ipport\" target=\"_blank\" rel=\"noreferrer noopener\">PAT<\/a><\/td><\/tr><tr><td><code><strong><em>&lt;REAL-PORT&gt;<\/em><\/strong><\/code><\/td><td>A&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#service-objects\">service object<\/a>&nbsp;which defines the&nbsp;<em>pre-<\/em>translation ports and protocols<\/td><\/tr><tr><td><code><strong><em>&lt;MAPPED-PORT&gt;<\/em><\/strong><\/code><\/td><td>A&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#service-objects\">service object<\/a>&nbsp;which defines the&nbsp;<em>post-<\/em>translation ports and protocols<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Earlier we provided an example of a&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#autonat-ports\">Static PAT using Auto NAT<\/a>. We can create an identical translation using Manual NAT with the following code:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">object network WEB-SERVER\n  host 172.16.30.15\n\nobject network WEB-SERVER_PUBLIC\n  host 72.6.6.15\n\nobject service TCP22\n  service tcp source eq ssh\n\nobject service TCP2222\n  service tcp source eq 2222\n\nnat (inside,outside) source static WEB-SERVER WEB-SERVER_PUBLIC service TCP22 TCP2222\n<\/pre>\n\n\n\n<p>Recall, every reference to IP addresses or Ports in a Manual NAT statement must use an&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#configuring-objects\">object<\/a>.<\/p>\n\n\n\n<p>Moreover, note that the&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#service-objects\">service objects<\/a>&nbsp;were defined specifying a&nbsp;<em><code>source<\/code><\/em>&nbsp;port. 
NAT statements are written from the perspective of&nbsp;<em>outbound<\/em>&nbsp;traffic (traveling from&nbsp;<em>inside<\/em>&nbsp;to&nbsp;<em>outside<\/em>).<\/p>\n\n\n\n<p>In our Static PAT example, our goal was to translate destination port&nbsp;<code>TCP\/2222<\/code>&nbsp;on the&nbsp;<em>outside<\/em>&nbsp;to&nbsp;<code>TCP\/22<\/code>&nbsp;on the&nbsp;<em>inside<\/em>&nbsp;for&nbsp;<em>inbound traffic<\/em>. In&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/static-pat\/#response\" target=\"_blank\" rel=\"noreferrer noopener\">the&nbsp;<em>outbound<\/em>&nbsp;packet the&nbsp;<em>source<\/em>&nbsp;port will change<\/a>&nbsp;from&nbsp;<code>TCP\/22<\/code>&nbsp;to&nbsp;<code>TCP\/2222<\/code>. Our NAT statement above is therefore written to match the&nbsp;<em>response<\/em>&nbsp;traffic, which is why the service objects name a&nbsp;<em>source<\/em>&nbsp;port; because the translation is static, the ASA applies it in both directions and un-translates an inbound request to&nbsp;<code>72.6.6.15:2222<\/code>&nbsp;back to&nbsp;<code>172.16.30.15:22<\/code>.<\/p>\n\n\n\n<p>Keep in mind that the NAT statement only creates the translation. Whether the inbound connection is permitted is still decided by the access-list on the&nbsp;<em>outside<\/em>&nbsp;interface, and since ASA 8.3 that access-list must reference the&nbsp;<em>real<\/em>&nbsp;address and port (<code>172.16.30.15<\/code>, <code>TCP\/22<\/code>), not the mapped ones.<\/p>\n\n\n\n<p>As before, we will extend the human-readable Manual NAT technique to include the&nbsp;<code>service<\/code>&nbsp;section (again, the command is all on one line, but each clause is listed on its own line below for simplicity):<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"592\" src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-src-dst-service-1024x592.png\" alt=\"\" class=\"wp-image-1196\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-src-dst-service-1024x592.png 1024w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-src-dst-service-300x174.png 300w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-src-dst-service-768x444.png 768w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-src-dst-service-150x87.png 150w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-src-dst-service.png 1414w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Again, 
traffic will only be translated if all three of the&nbsp;<em>real<\/em>&nbsp;attributes the statement names match:&nbsp;<strong><em><code>&lt;REAL-SRC&gt;<\/code><\/em><\/strong>,&nbsp;<strong><em><code>&lt;REAL-DST&gt;<\/code><\/em><\/strong>, and&nbsp;<strong><em><code>&lt;REAL-PORT&gt;<\/code><\/em><\/strong>.<\/p>\n\n\n\n<p>The infographic above represents the complete Manual NAT syntax and might make a handy cheat sheet or printout to simplify the configuration and interpretation of Manual NAT statements.<\/p>\n\n\n\n<h2 id=\"nat-config\">Part 2 \u2013 NAT Configuration Examples<\/h2>\n\n\n\n<p>In&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#nat-syntax\">Part 1<\/a>&nbsp;of this article series, we discussed the syntax and use cases for&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#autonat\">Auto NAT<\/a>&nbsp;and&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#manualnat\">Manual NAT<\/a>. In this section we will provide configuration examples for every type of address translation using both Auto NAT and Manual NAT on a Cisco ASA or Cisco ASA-X Firewall.<\/p>\n\n\n\n<p>In addition to the configuration commands, we will also list the output of the&nbsp;<code><strong>show nat<\/strong><\/code>,&nbsp;<code><strong>show run nat<\/strong><\/code>, and&nbsp;<code><strong>show run object<\/strong><\/code>&nbsp;commands for each entry below.<\/p>\n\n\n\n<p class=\"has-medium-font-size\"><em>We extracted the output of the show commands from a lab device. As a result, the&nbsp;<code>translate_hits<\/code>&nbsp;and&nbsp;<code>untranslate_hits<\/code>&nbsp;counters will all be zero. 
To simplify the output, these lines have been omitted.<\/em><\/p>\n\n\n\n<h3 id=\"staticnat\">Static NAT<\/h3>\n\n\n\n<p>A&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/static-nat\/\" target=\"_blank\" rel=\"noreferrer noopener\">Static NAT<\/a>&nbsp;is a translation in which&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/nat-terminology\/#ip-to-ip\" target=\"_blank\" rel=\"noreferrer noopener\">only the IP addresses are being modified<\/a>, and the&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/nat-terminology\/#static_example\" target=\"_blank\" rel=\"noreferrer noopener\">mapping between pre-translation and post-translation IP addresses is explicitly defined<\/a>.<\/p>\n\n\n\n<p>This is the illustration of a Static NAT from the&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/nat\/\" target=\"_blank\">NAT article series<\/a>:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"245\" src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/01\/asanat-static-nat-1024x245.png\" alt=\"\" class=\"wp-image-1197\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-static-nat-1024x245.png 1024w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-static-nat-300x72.png 300w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-static-nat-768x184.png 768w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-static-nat-150x36.png 150w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-static-nat.png 1528w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Static NAT can be configured using&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#autonat\">Auto NAT<\/a>&nbsp;or&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#manualnat\">Manual 
NAT<\/a>.<\/p>\n\n\n\n<h3 id=\"staticnat-autonoat\">Static NAT with Auto NAT<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">object network WEB33\n  host 10.2.2.33\n  nat (inside,outside) static 73.8.2.33<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">asa98# <strong>show nat<\/strong>\nAuto NAT Policies (Section 2)\n1 (inside) to (outside) source static WEB33 73.8.2.33<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">asa98# <strong>show run nat<\/strong>\n!\nobject network WEB33\n nat (inside,outside) static 73.8.2.33\n\nasa98# show run object\nobject network WEB33\n host 10.2.2.33\n<\/pre>\n\n\n\n<h3 id=\"staticnat-manualnat\">Static NAT with Manual NAT<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">object network WEB33\n  host 10.2.2.33\n\nobject network WEB33-Public\n  host 73.8.2.33\n\nnat (inside,outside) source static WEB33 WEB33-Public<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">asa98# <strong>show nat<\/strong>\nManual NAT Policies (Section 1)\n1 (inside) to (outside) source static WEB33 WEB33-Public\n\nasa98# show run nat\nnat (inside,outside) source static WEB33 WEB33-Public\n\nasa98# show run object\nobject network WEB33\n host 10.2.2.33\nobject network WEB33-Public\n host 73.8.2.33\n<\/pre>\n\n\n\n<p>The choice between using Auto NAT or Manual NAT to configure Static NAT has to do with NAT order of operations \u2013 this will be discussed in the&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#nat-precedence\">NAT Precedence<\/a>&nbsp;section.<\/p>\n\n\n\n<h3 id=\"staticpat\">Static PAT<\/h3>\n\n\n\n<p>A&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/static-pat\/\" target=\"_blank\" rel=\"noreferrer noopener\">Static PAT<\/a>&nbsp;is a translation in which the&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/nat-terminology\/#ipport-to-ipport\" target=\"_blank\" rel=\"noreferrer noopener\">IP Addresses&nbsp;<em>and<\/em>&nbsp;Port numbers are being modified<\/a>, 
and the&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/nat-terminology\/#static_example\" target=\"_blank\" rel=\"noreferrer noopener\">mapping between pre-translation and post-translation attributes is explicitly defined<\/a>.<\/p>\n\n\n\n<p>This is the illustration of a Static PAT from the&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/nat\/\" target=\"_blank\">NAT article series<\/a>. Click the tabs to view the Inbound or Outbound flow:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"205\" src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/01\/asanat-static-pat-inbound-1024x205.png\" alt=\"\" class=\"wp-image-1198\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-static-pat-inbound-1024x205.png 1024w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-static-pat-inbound-300x60.png 300w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-static-pat-inbound-768x154.png 768w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-static-pat-inbound-1536x308.png 1536w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-static-pat-inbound-150x30.png 150w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-static-pat-inbound.png 1932w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"205\" src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/01\/asanat-static-pat-outbound-1024x205.png\" alt=\"\" class=\"wp-image-1199\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-static-pat-outbound-1024x205.png 1024w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-static-pat-outbound-300x60.png 300w, 
https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-static-pat-outbound-768x154.png 768w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-static-pat-outbound-1536x308.png 1536w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-static-pat-outbound-150x30.png 150w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-static-pat-outbound.png 1932w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 id=\"staticpat-autonat\">Static PAT with Auto NAT<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">object network WEB41-www\n  host 10.4.4.41\n  nat (inside,outside) static 73.8.2.44 service tcp 8080 80\n\nobject network WEB42-https\n  host 10.4.4.42\n  nat (inside,outside) static 73.8.2.44 service tcp 443 443<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">asa98# <strong>show nat<\/strong>\nAuto NAT Policies (Section 2)\n1 (inside) to (outside) source static WEB41-www 73.8.2.44 service tcp 8080 www\n2 (inside) to (outside) source static WEB42-https 73.8.2.44 service tcp https https\n\nasa98# show run nat\nobject network WEB41-www\n nat (inside,outside) static 73.8.2.44 service tcp 8080 www\nobject network WEB42-https\n nat (inside,outside) static 73.8.2.44 service tcp https https\n\nasa98# show run object\nobject network WEB41-www\n host 10.4.4.41\nobject network WEB42-https\n host 10.4.4.42\n\n<\/pre>\n\n\n\n<h3 id=\"staticpat-manualnat\">Static PAT with Manual NAT<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">object network WEB41\n  host 10.4.4.41\n\nobject network WEB42\n  host 10.4.4.42\n\nobject network PUBLIC-WEB\n  host 73.8.2.44\n\nobject service TCP8080\n  service tcp source eq 8080\n\nobject service TCP80\n  service tcp source eq 80\n\nobject service TCP443\n  service tcp source eq 443\n\nnat (inside,outside) source static WEB41 PUBLIC-WEB service TCP8080 TCP80\nnat (inside,outside) source static WEB42 PUBLIC-WEB service TCP443 TCP443<\/pre>\n\n\n\n<p>Notice, for the 
second translation we are reusing the object&nbsp;<code><strong>TCP443<\/strong><\/code>&nbsp;to indicate a translation to the same port \u2014 in essence, not translating the port, but still&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/static-pat\/#port-forwarding\" target=\"_blank\">creating a \u201cchannel\u201d through 73.8.2.44 on port 443<\/a>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">asa98# <strong>show nat<\/strong>\nManual NAT Policies (Section 1)\n1 (inside) to (outside) source static WEB41 PUBLIC-WEB service TCP8080 TCP80\n2 (inside) to (outside) source static WEB42 PUBLIC-WEB service TCP443 TCP443\n\nasa98# show run nat\nnat (inside,outside) source static WEB41 PUBLIC-WEB service TCP8080 TCP80\nnat (inside,outside) source static WEB42 PUBLIC-WEB service TCP443 TCP443\n\nasa98# show run object\nobject network WEB41\n host 10.4.4.41\nobject network WEB42\n host 10.4.4.42\nobject network PUBLIC-WEB\n host 73.8.2.44\nobject service TCP8080\n service tcp source eq 8080\nobject service TCP80\n service tcp source eq www\nobject service TCP443\n service tcp source eq https<\/pre>\n\n\n\n<h3 id=\"dynamicpat\">Dynamic PAT<\/h3>\n\n\n\n<p>A&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/dynamic-pat\/\" target=\"_blank\" rel=\"noreferrer noopener\">Dynamic PAT<\/a>&nbsp;is a translation in which the&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/nat-terminology\/#ipport-to-ipport\" target=\"_blank\" rel=\"noreferrer noopener\">IP addresses&nbsp;<em>and<\/em>&nbsp;Port numbers are being modified<\/a>, and the mapping between pre-translation and post-translation attributes is&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/nat-terminology\/#dynamic_example\" target=\"_blank\" rel=\"noreferrer noopener\">dynamically determined by the Firewall<\/a>.<\/p>\n\n\n\n<p>Said another way, a Dynamic PAT allows multiple internal hosts with Private IP addresses 
to&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/why-nat\/#nat-neighborhood\" target=\"_blank\" rel=\"noreferrer noopener\">share one (or more) Public IP addresses<\/a>.<\/p>\n\n\n\n<p>This is the illustration of a Dynamic PAT from the&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/nat\/\" target=\"_blank\">NAT article series<\/a>. Click the tabs to view the Outbound or Inbound flow.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"329\" src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/01\/asanat-dynamic-pat-inbound-1024x329.png\" alt=\"\" class=\"wp-image-1200\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-dynamic-pat-inbound-1024x329.png 1024w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-dynamic-pat-inbound-300x96.png 300w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-dynamic-pat-inbound-768x246.png 768w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-dynamic-pat-inbound-1536x493.png 1536w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-dynamic-pat-inbound-150x48.png 150w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-dynamic-pat-inbound.png 1932w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"329\" src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/01\/asanat-dynamic-pat-outbound-1024x329.png\" alt=\"\" class=\"wp-image-1201\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-dynamic-pat-outbound-1024x329.png 1024w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-dynamic-pat-outbound-300x96.png 300w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-dynamic-pat-outbound-768x246.png 768w, 
https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-dynamic-pat-outbound-1536x493.png 1536w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-dynamic-pat-outbound-150x48.png 150w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-dynamic-pat-outbound.png 1932w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 id=\"dynamicpat-autonat\">Dynamic PAT with Auto NAT<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">object network INSIDE66\n  subnet 10.6.6.0 255.255.255.0\n  nat (inside,outside) dynamic 32.8.2.66\n<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">asa98# <strong>show nat<\/strong>\nAuto NAT Policies (Section 2)\n1 (inside) to (outside) source dynamic INSIDE66 32.8.2.66\n\nasa98# show run nat\nobject network INSIDE66\n nat (inside,outside) dynamic 32.8.2.66\n\nasa98# show run object\nobject network INSIDE66\n subnet 10.6.6.0 255.255.255.0\n<\/pre>\n\n\n\n<h3 id=\"dynamicpat-manualnat\">Dynamic PAT with Manual NAT<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">object network INSIDE66\n  subnet 10.6.6.0 255.255.255.0\n\nobject network DPAT-IP\n  host 32.8.2.66\n\nnat (inside,outside) source dynamic INSIDE66 DPAT-IP<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">asa98# <strong>show nat<\/strong>\nManual NAT Policies (Section 1)\n1 (inside) to (outside) source dynamic INSIDE66 DPAT-IP\n\nasa98# show run nat\nnat (inside,outside) source dynamic INSIDE66 DPAT-IP\n\n\n\nasa98# show run object\nobject network INSIDE66\n subnet 10.6.6.0 255.255.255.0\nobject network DPAT-IP\n host 32.8.2.66<\/pre>\n\n\n\n<p>The choice between using Auto NAT or Manual NAT to configure Dynamic PAT has to do with NAT order of operations \u2013 we will discuss this in the&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#nat-precedence\" target=\"_blank\" rel=\"noreferrer noopener\">NAT Precedence<\/a>&nbsp;section.<\/p>\n\n\n\n<h3 id=\"dynamicnat\">Dynamic 
NAT<\/h3>\n\n\n\n<p>A&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/dynamic-nat\/\" target=\"_blank\" rel=\"noreferrer noopener\">Dynamic NAT<\/a>&nbsp;is a translation in which&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/nat-terminology\/#ip-to-ip\" target=\"_blank\" rel=\"noreferrer noopener\">only the IP addresses are being modified<\/a>, and the mapping between pre-translation and post-translation IP addresses is&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/nat-terminology\/#dynamic_example\" target=\"_blank\" rel=\"noreferrer noopener\">dynamically determined by the Firewall<\/a>.<\/p>\n\n\n\n<p>Said another way, a Dynamic NAT allows multiple internal hosts with Private IP addresses to&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/dynamic-nat\/#benefits\" target=\"_blank\">temporarily own a dedicated Public IP address<\/a>&nbsp;so long as they have an active session.<\/p>\n\n\n\n<p class=\"has-medium-font-size\"><em>Traditionally when multiple internal hosts need to share IP addresses, a&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-nat-configurations-ios-router\/#dynamic-pat\" target=\"_blank\">Dynamic&nbsp;PAT<\/a>&nbsp;is used (despite often being mistakenly called Dynamic&nbsp;NAT). 
True Dynamic&nbsp;NAT&nbsp;is&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/dynamic-nat\/#disadvantages\" target=\"_blank\">rarely used in the industry<\/a>.<\/em><\/p>\n\n\n\n<p>This is the illustration of the Dynamic NAT from the&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/nat\/\" target=\"_blank\">NAT article series<\/a>:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"316\" src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/01\/asanat-dynamic-nat-1024x316.png\" alt=\"\" class=\"wp-image-1203\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-dynamic-nat-1024x316.png 1024w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-dynamic-nat-300x93.png 300w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-dynamic-nat-768x237.png 768w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-dynamic-nat-1536x474.png 1536w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-dynamic-nat-150x46.png 150w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-dynamic-nat.png 1933w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 id=\"dynamicnat-autonat\">Dynamic NAT with Auto NAT<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">object network DNAT-RANGE\n  range 54.5.4.1 54.5.4.3\n\nobject network INSIDE77\n  subnet 10.7.7.0 255.255.255.0\n  nat (inside,outside) dynamic DNAT-RANGE<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">asa98# <strong>show nat<\/strong>\nAuto NAT Policies (Section 2)\n1 (inside) to (outside) source dynamic INSIDE77 DNAT-RANGE\n\nasa98# show run nat\nobject network INSIDE77\n nat (inside,outside) dynamic DNAT-RANGE\n\nasa98# show run object\nobject network INSIDE77\n subnet 10.7.7.0 255.255.255.0\nobject network DNAT-RANGE\n range 54.5.4.1 
54.5.4.3\n<\/pre>\n\n\n\n<p>Looking at the configuration above, it might appear to be identical to the Dynamic&nbsp;<em>PAT<\/em>&nbsp;configuration in the&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#dynamicpat-autonat\">preceding section<\/a>. There is, however, a key difference:<\/p>\n\n\n\n<p>The ASA chooses the translation type from the contents of the&nbsp;<em>mapped<\/em>&nbsp;object. To configure a Dynamic&nbsp;<em>NAT<\/em>, you must designate the&nbsp;<em>mapped-IP<\/em>&nbsp;address&nbsp;<strong>using an object defined with a&nbsp;<code>range<\/code>&nbsp;of addresses<\/strong>, which the ASA uses as a one-to-one pool. If you use a single IP address directly, or an object defined with&nbsp;<strong><code>host<\/code><\/strong>, the ASA will perform a Dynamic&nbsp;<em>PAT<\/em>&nbsp;instead.<\/p>\n\n\n\n<p>Because a Dynamic NAT pool is one-to-one, it can run out: once every address in the range is in use, new connections from the remaining hosts have nothing to translate to and are dropped. You therefore have the option to configure the Dynamic NAT as you did above, while designating that all remaining hosts share the mapped interface\u2019s IP address through Dynamic PAT \u2013 this is known as configuring a fallback IP address.<\/p>\n\n\n\n<p>To configure the Interface IP as a fallback, simply append the argument&nbsp;<strong><code>interface<\/code><\/strong>&nbsp;to the Dynamic NAT command:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">object network INSIDE77\n  nat (inside,outside) dynamic DNAT-RANGE <strong>interface<\/strong><\/pre>\n\n\n\n<h3 id=\"dynamicnat-manualnat\">Dynamic NAT with Manual NAT<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">object network DNAT-RANGE\n  range 54.5.4.1 54.5.4.3\n\nobject network INSIDE77\n  subnet 10.7.7.0 255.255.255.0\n\nnat (inside,outside) source dynamic INSIDE77 DNAT-RANGE<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">asa98# <strong>show nat<\/strong>\nManual NAT Policies (Section 1)\n1 (inside) to (outside) source dynamic INSIDE77 DNAT-RANGE<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">asa98# <strong>show run nat<\/strong>\nnat (inside,outside) source dynamic INSIDE77 DNAT-RANGE\n\nasa98# show run object\nobject network DNAT-RANGE\n range 54.5.4.1 54.5.4.3\nobject network INSIDE77\n subnet 10.7.7.0 
255.255.255.0<\/pre>\n\n\n\n<p>Just like in the&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#dynamicnat-autonat\">preceding Auto NAT configuration<\/a>, the fact that the&nbsp;<em>mapped-IP<\/em>&nbsp;is a&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#network-objects\"><code><strong>network object<\/strong><\/code><\/a>&nbsp;defined with a&nbsp;<strong><code>range<\/code><\/strong>&nbsp;makes this a Dynamic&nbsp;<em>NAT<\/em>&nbsp;(instead of a Dynamic&nbsp;<em>PAT<\/em>).<\/p>\n\n\n\n<p>The same option exists to use the Interface IP of the Mapped interface as the Dynamic PAT fallback option:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>nat (inside,outside) source dynamic INSIDE77 DNAT-RANGE <strong>interface<\/strong><\/code><\/pre>\n\n\n\n<p>The choice between using Auto NAT or Manual NAT to configure Dynamic NAT has to do with NAT order of operations \u2013 this will be discussed in the&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#nat-precedence\">NAT Precedence<\/a>&nbsp;section.<\/p>\n\n\n\n<h2 id=\"advanced-nat\">Part 3 \u2013 Advanced NAT<\/h2>\n\n\n\n<p>In Part 1, we explored the syntax of&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#configuring-objects\">configuring Objects<\/a>, the&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#real-mapped\">terms&nbsp;<em>Real<\/em>&nbsp;and&nbsp;<em>Mapped<\/em><\/a>, the&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#autonat\">syntax of Auto NAT<\/a>, and the&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#manualnat\">syntax of Manual NAT<\/a>.<\/p>\n\n\n\n<p>In Part 2, we provided configuration examples on a Cisco ASA firewall for each type of address translation:&nbsp;<a 
href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#staticnat\">Static NAT<\/a>,&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#staticpat\">Static PAT<\/a>,&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#dynamicpat\">Dynamic PAT<\/a>,&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#dynamicnat\">Dynamic NAT<\/a>.<\/p>\n\n\n\n<p>In Part 3, we will continue our exploration of Network Address Translation on a Cisco ASA or Cisco ASA-X Firewall by looking at some advanced concepts.<\/p>\n\n\n\n<p>Namely, we will define and look at configuration examples for&nbsp;<strong>Policy NAT<\/strong>&nbsp;and&nbsp;<strong>Twice NAT<\/strong>, then discuss the concept of&nbsp;<strong>Identity NAT<\/strong>, and finally&nbsp;<strong>explain the NAT order of operation<\/strong>&nbsp;on a Cisco ASA or Cisco ASA-X Firewall.<\/p>\n\n\n\n<h3 id=\"asa-policy-nat\">Policy NAT<\/h3>\n\n\n\n<p>Each of the four types of translations we illustrated above involved&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/policy-nat-twice-nat\/#decision-criteria\" target=\"_blank\" rel=\"noreferrer noopener\">making a NAT decision based upon only matching the source<\/a>&nbsp;of incoming traffic. This causes all traffic from a particular source to be translated the same way.<\/p>\n\n\n\n<p>There are times when it might be beneficial to conditionally translate traffic based upon its destination. 
In those cases, you are performing what is known as a Policy NAT.<\/p>\n\n\n\n<p>A&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/policy-nat-twice-nat\/#policy-nat\">Policy NAT<\/a>&nbsp;is any of the four types of address translation we have already discussed (Static NAT, Static PAT, Dynamic PAT, Dynamic NAT), except the translation decision is based upon both the Source and the Destination.<\/p>\n\n\n\n<p>To configure a Policy NAT on a Cisco ASA, you would use the&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#manualnat-src-dst\">Manual NAT syntax which includes the Source and Destination clauses<\/a>. A Policy NAT&nbsp;<em>cannot<\/em>&nbsp;be configured using Auto NAT syntax \u2014&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#autonat\">Auto NAT only considers the Source<\/a>.<\/p>\n\n\n\n<p>We will provide a Policy NAT configuration example using the following scenario:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"251\" src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/01\/asanat-policy-nat-dynamic-pat-1024x251.png\" alt=\"\" class=\"wp-image-1204\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-policy-nat-dynamic-pat-1024x251.png 1024w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-policy-nat-dynamic-pat-300x74.png 300w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-policy-nat-dynamic-pat-768x188.png 768w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-policy-nat-dynamic-pat-1536x377.png 1536w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-policy-nat-dynamic-pat-150x37.png 150w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-policy-nat-dynamic-pat.png 1940w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>The configuration in the illustration above involves two 
parts: A Policy Dynamic PAT and a regular Dynamic PAT. The regular Dynamic PAT is the same one that we showed in the&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#dynamicpat\">Dynamic PAT example above<\/a>&nbsp;\u2013 those commands have already been provided and won\u2019t be repeated below.<br><br>The commands for the&nbsp;<strong>Policy Dynamic PAT<\/strong>&nbsp;are as follows:<\/figcaption><\/figure>\n\n\n\n<pre class=\"wp-block-preformatted\">object network INSIDE66\n  subnet 10.6.6.0 255.255.255.0\n\nobject network HOST45\n  host 45.5.4.9\n\nobject network PDPAT-HOST45\n  host 32.8.2.77\n\nnat (inside,outside) source dynamic INSIDE66 PDPAT-HOST45 destination static HOST45 HOST45<\/pre>\n\n\n\n<p>If we apply what we learned in the human-readable technique for Manual NAT statements to the commands above, we can infer exactly what is happening:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"550\" src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-policy-nat-example-1024x550.png\" alt=\"\" class=\"wp-image-1205\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-policy-nat-example-1024x550.png 1024w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-policy-nat-example-300x161.png 300w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-policy-nat-example-768x413.png 768w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-policy-nat-example-150x81.png 150w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-policy-nat-example.png 1277w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Essentially, the&nbsp;<code><strong>source<\/strong><\/code>&nbsp;is being&nbsp;<code><strong>dynamically<\/strong><\/code>&nbsp;translated 
from&nbsp;<code><strong>INSIDE66<\/strong><\/code>&nbsp;to&nbsp;<code><strong>PDPAT-HOST45<\/strong><\/code>, and the&nbsp;<code><strong>destination<\/strong><\/code>&nbsp;is being&nbsp;<code><strong>statically<\/strong><\/code>&nbsp;translated from&nbsp;<code><strong>HOST45<\/strong><\/code>&nbsp;to&nbsp;<code><strong>HOST45<\/strong><\/code>&nbsp;as the traffic traverses from&nbsp;<code><strong>inside<\/strong><\/code>&nbsp;to&nbsp;<code><strong>outside<\/strong><\/code>.<\/p>\n\n\n\n<p>In all cases, the&nbsp;<code><strong>real<\/strong><\/code>&nbsp;attributes are being translated to their&nbsp;<code><strong>mapped<\/strong><\/code>&nbsp;counterparts.<\/p>\n\n\n\n<p>The destination is being translated to itself \u2013 in other words, not being translated. We\u2019ll expand on this type of \u201ctranslation\u201d later in this article.<\/p>\n\n\n\n<p>The effect of the configuration above makes it so when the Inside network (<code>10.6.6.0\/24<\/code>) is speaking to the IP&nbsp;<code>45.5.4.9<\/code>, the traffic will be translated using Dynamic PAT to&nbsp;<code>32.8.2.77<\/code>. If the traffic from the Inside network is not going to the&nbsp;<code>45.5.4.9<\/code>&nbsp;IP address, the regular&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#dynamicpat\">Dynamic PAT configuration<\/a>&nbsp;would continue to translate the packet to&nbsp;<code>32.8.2.66<\/code>.<\/p>\n\n\n\n<p>Note, since the above configuration involves two separate configuration items that work together, we must consider the order in which the NAT statements are processed. We will explore these considerations in the NAT Precedence section that follows.<\/p>\n\n\n\n<h3 id=\"asa-twice-nat\">Twice NAT<\/h3>\n\n\n\n<p>The Policy NAT in the preceding section provided an example of&nbsp;<em>translating<\/em>&nbsp;the source, based upon&nbsp;<em>matching<\/em>&nbsp;the source and destination. 
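<\/p>\n\n\n\n<p>A Policy NAT such as the one above only makes sense next to the regular Dynamic PAT it overrides, and in a production configuration the same two questions \u2013 what does each&nbsp;<code>nat<\/code>&nbsp;line actually do, and which static rules open a path from the outside in \u2013 have to be answered across dozens of lines at once. The Python script below is an added example, not code from the original article or from Cisco: it parses a running-config fragment assembled from this guide\u2019s objects and&nbsp;<code>nat<\/code>&nbsp;lines, classifies every rule using the distinctions stated above (a&nbsp;<code>service<\/code>&nbsp;clause makes a static rule a Static PAT, a mapped object defined with&nbsp;<code>range<\/code>&nbsp;makes a dynamic rule a Dynamic NAT, a&nbsp;<code>destination<\/code>&nbsp;clause that maps an object to itself marks a Policy NAT and one that changes it a Twice NAT), lists Manual NAT rules before Auto NAT rules as&nbsp;<code>show nat<\/code>&nbsp;does, and reports what each static rule exposes on the mapped interface. The&nbsp;<code>PARTNER-REAL<\/code>&nbsp;and&nbsp;<code>PARTNER-MAPPED<\/code>&nbsp;objects and the last&nbsp;<code>nat<\/code>&nbsp;line are hypothetical additions, and the port-keyword table covers only the names this page uses.<\/p>\n\n\n\n```python
# Added example, not code from the original article: parse a Cisco ASA running-config
# fragment, classify each nat rule by the rules stated in this guide, and list what the
# static rules expose on the mapped interface. CONFIG reuses the guide's objects; the
# PARTNER-* objects and the last nat line are hypothetical additions.
PORT_NAMES = {'ssh': 22, 'www': 80, 'https': 443}   # subset of the keywords 'show run' prints
CONFIG = '''
object network INSIDE66
 subnet 10.6.6.0 255.255.255.0
 nat (inside,outside) dynamic 32.8.2.66
object network DNAT-RANGE
 range 54.5.4.1 54.5.4.3
object network INSIDE77
 subnet 10.7.7.0 255.255.255.0
 nat (inside,outside) dynamic DNAT-RANGE interface
object network HOST45
 host 45.5.4.9
object network PDPAT-HOST45
 host 32.8.2.77
object network WEB-SERVER
 host 172.16.30.15
object network WEB-SERVER_PUBLIC
 host 72.6.6.15
object network PARTNER-REAL
 host 192.0.2.10
object network PARTNER-MAPPED
 host 198.51.100.10
object service TCP22
 service tcp source eq ssh
object service TCP2222
 service tcp source eq 2222
nat (inside,outside) source dynamic INSIDE66 PDPAT-HOST45 destination static HOST45 HOST45
nat (inside,outside) source static WEB-SERVER WEB-SERVER_PUBLIC service TCP22 TCP2222
nat (inside,outside) source static WEB-SERVER WEB-SERVER_PUBLIC destination static PARTNER-MAPPED PARTNER-REAL
'''

def port_number(tok):
    return PORT_NAMES.get(tok) or int(tok)

def resolve(net, name):
    return net.get(name, ('host', name))      # a literal IP or 'interface' behaves like a host object

def parse_nat(parts, obj_name, svc):
    rule = {'dst': None, 'svc': None, 'fallback': 'interface' in parts}
    if parts[2] == 'source':                              # Manual NAT, Section 1 of 'show nat'
        rule.update(section=1, mode=parts[3], real=parts[4], mapped=parts[5])
        if 'destination' in parts:                        # destination static MAPPED-DST REAL-DST
            i = parts.index('destination')
            rule['dst'] = (parts[i + 3], parts[i + 2])    # stored as (real, mapped)
        if 'service' in parts:                            # service REAL-PORT MAPPED-PORT: objects
            i = parts.index('service')                    # whose 'source' ports are the translated ones
            rs, ms = svc[parts[i + 1]], svc[parts[i + 2]]
            rule['svc'] = (rs['proto'], rs['source'], ms['source'])
    else:                                                 # Auto NAT inside its object, Section 2
        rule.update(section=2, mode=parts[2], real=obj_name, mapped=parts[3])
        if 'service' in parts:                            # service proto real-port mapped-port
            i = parts.index('service')
            rule['svc'] = (parts[i + 1], port_number(parts[i + 2]), port_number(parts[i + 3]))
    return rule                                           # svc: (proto, real_port, mapped_port) or None

def parse_config(text):
    net, svc, rules, cur = {}, {}, [], ('', '')
    for parts in (line.split() for line in text.splitlines() if line.strip()):
        if parts[0] == 'object':
            cur = (parts[1], parts[2])                    # (object kind, object name)
        elif parts[0] in ('host', 'subnet', 'range'):
            net[cur[1]] = (parts[0], ' '.join(parts[1:]))
        elif parts[0] == 'service' and cur[0] == 'service':   # only the 'service proto source eq port' form
            svc[cur[1]] = {'proto': parts[1], 'source': port_number(parts[parts.index('eq') + 1])}
        elif parts[0] == 'nat':
            rules.append(parse_nat(parts, cur[1], svc))
    return net, sorted(rules, key=lambda r: r['section'])   # Section 1 first, config order kept

def classify(rule, net):
    if rule['mode'] == 'static':
        kind = 'Static PAT' if rule['svc'] else 'Static NAT'
    elif resolve(net, rule['mapped'])[0] == 'range':      # only a range gives one-to-one Dynamic NAT
        kind = 'Dynamic NAT' + (' with interface PAT fallback' if rule['fallback'] else '')
    else:                                                 # literal IP, host object or 'interface'
        kind = 'Dynamic PAT'
    if rule['dst']:                                       # matched on the destination as well
        real_dst, mapped_dst = rule['dst']
        twice = resolve(net, real_dst) != resolve(net, mapped_dst)
        kind = ('Twice NAT' if twice else 'Policy NAT') + ' (' + kind + ')'
    return kind

def summarize(text):
    net, rules = parse_config(text)
    return [(r['section'], r['real'], r['mapped'], classify(r, net)) for r in rules]

def exposures(text):
    # Static rules are bidirectional: (mapped ip, proto, mapped port) is reachable from the mapped
    # interface and lands on (real ip, real port), only from the real destination when one is set.
    net, rules = parse_config(text)
    out = []
    for r in (r for r in rules if r['mode'] == 'static'):
        proto, real_port, mapped_port = r['svc'] or ('any', 'any', 'any')
        only_from = resolve(net, r['dst'][0])[1] if r['dst'] else 'any'
        out.append((resolve(net, r['mapped'])[1], proto, mapped_port,
                    resolve(net, r['real'])[1], real_port, only_from))
    return out
```
\n\n\n\n<p>Call&nbsp;<code>summarize(CONFIG)<\/code>&nbsp;for the classified rule list and&nbsp;<code>exposures(CONFIG)<\/code>&nbsp;for the inbound view; on a real device, feed it the concatenated output of&nbsp;<code>show run object<\/code>&nbsp;and&nbsp;<code>show run nat<\/code>. The exposure list is the one to compare against the outside access-list: every row is a channel the ASA will un-translate whether or not anyone remembered to restrict it. The script keeps configuration order inside each section; the ASA\u2019s own ordering of Auto NAT rules within Section 2 is not modelled.<\/p>\n\n\n\n<p>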
Note that&nbsp;<em>only the source was translated<\/em>.<\/p>\n\n\n\n<p>There are times when it is beneficial to translate&nbsp;<em>both<\/em>&nbsp;the&nbsp;<em>source and destination<\/em>&nbsp;\u2013 in those cases you would use what is called a&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/policy-nat-twice-nat\/#twice-nat\" target=\"_blank\" rel=\"noreferrer noopener\">Twice NAT<\/a>&nbsp;\u2013 i.e., performing NAT&nbsp;<em>two<\/em>&nbsp;times: once on the source and once on the destination.<\/p>\n\n\n\n<p>The configuration for a Twice NAT is very similar to the&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#asa-policy-nat\">Policy NAT above<\/a>. We will use the scenario below:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"235\" src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/01\/asanat-twice-nat-1024x235.png\" alt=\"\" class=\"wp-image-1206\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-twice-nat-1024x235.png 1024w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-twice-nat-300x69.png 300w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-twice-nat-768x176.png 768w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-twice-nat-1536x352.png 1536w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-twice-nat-150x34.png 150w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-twice-nat.png 1691w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The scenario for the image above is explained in the&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/www.practicalnetworking.net\/series\/nat\/policy-nat-twice-nat\/#policy-twice-nat\" target=\"_blank\">Twice NAT article from which it was taken<\/a>:<br><em>You are in charge of a Router with hosts on a private network (<code>10.6.6.0\/24<\/code>) that have chosen 
to use Google\u2019s Public DNS Resolving Server (<code>8.8.8.8<\/code>). However, company policy states DNS requests must be made using the Corporate DNS server (<code>32.9.1.8<\/code>). One option is \u2026 to translate any outbound requests to&nbsp;<code>8.8.8.8<\/code>&nbsp;into a request for&nbsp;<code>32.9.1.8<\/code>.<\/em><\/p>\n\n\n\n<p>Notice&nbsp;<strong>the configuration of a Twice NAT also involves a Policy NAT<\/strong>. The Policy NAT portion will match DNS traffic from the Inside network destined to&nbsp;<code>8.8.8.8<\/code>, and the Twice NAT portion will translate the source using Dynamic PAT and the destination using Static NAT.<\/p>\n\n\n\n<p>Since we only want this rule to match on DNS traffic, we will use the syntax of&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#manualnat-ports\">Manual NAT which includes the service section<\/a>.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">object network INSIDE66\n  subnet 10.6.6.0 255.255.255.0\n\nobject network DPAT-IP-DNS\n  host 32.8.2.55\n\nobject network GOOGLE-DNS\n  host 8.8.8.8\n\nobject network CORP-DNS\n  host 32.9.1.8\n\nobject service UDP53\n  service udp destination eq 53\n\nnat (inside,outside) source dynamic INSIDE66 DPAT-IP-DNS destination static GOOGLE-DNS CORP-DNS service UDP53 UDP53<\/pre>\n\n\n\n<p>Notice the&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#service-objects\">service object<\/a>&nbsp;definition uses&nbsp;<em>destination<\/em>&nbsp;<code>UDP\/53<\/code>&nbsp;in this case. 
DNS traffic leaving the Inside network will have a protocol of&nbsp;<code>UDP<\/code>&nbsp;and a destination port of&nbsp;<code>53<\/code>&nbsp;\u2013 this is the outbound traffic we are intending to match.<\/p>\n\n\n\n<p>We can apply our technique to make the Manual NAT statement human-readable to easily interpret what is occurring:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"654\" src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-twice-nat-example-1024x654.png\" alt=\"\" class=\"wp-image-1207\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-twice-nat-example-1024x654.png 1024w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-twice-nat-example-300x192.png 300w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-twice-nat-example-768x490.png 768w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-twice-nat-example-150x96.png 150w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-howtoread-manualnat-twice-nat-example.png 1272w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Essentially, the&nbsp;<code><strong>source<\/strong><\/code>&nbsp;is being&nbsp;<code><strong>dynamically<\/strong><\/code>&nbsp;translated from&nbsp;<code><strong>INSIDE66<\/strong><\/code>&nbsp;to&nbsp;<code><strong>DPAT-IP-DNS<\/strong><\/code>, and the&nbsp;<code><strong>destination<\/strong><\/code>&nbsp;is being&nbsp;<code><strong>statically<\/strong><\/code>&nbsp;translated from&nbsp;<code><strong>GOOGLE-DNS<\/strong><\/code>&nbsp;to&nbsp;<code><strong>CORP-DNS<\/strong><\/code>&nbsp;if the traffic matches the ports specified by&nbsp;<code><strong>UDP53<\/strong><\/code>, which will also be \u201ctranslated\u201d to&nbsp;<code><strong>UDP53<\/strong><\/code>.<\/p>\n\n\n\n<p>In all cases, 
the&nbsp;<code><strong>real<\/strong><\/code>&nbsp;attributes are being translated to their&nbsp;<code><strong>mapped<\/strong><\/code>&nbsp;counterparts. The order of the items in the Manual NAT statement remains constant: always&nbsp;<code><strong>real<\/strong><\/code>, then&nbsp;<code><strong>mapped<\/strong><\/code>.<\/p>\n\n\n\n<p>To summarize, four different concepts are working together in the illustration and configuration example above:<\/p>\n\n\n\n<ul><li>We are making a&nbsp;<em>decision<\/em>&nbsp;based upon the source and destination, which makes it a&nbsp;<strong>Policy NAT<\/strong>.<\/li><li>Both the source and destination of the traffic are being&nbsp;<em>translated&nbsp;<\/em>\u2014 this is, by definition, a&nbsp;<strong>Twice NAT<\/strong>.<\/li><li>The source is being translated with a&nbsp;<strong>Dynamic PAT<\/strong>.<\/li><li>The destination is being translated with a&nbsp;<strong>Static NAT<\/strong>.<\/li><\/ul>\n\n\n\n<h3 id=\"nat-precedence\">NAT Precedence<\/h3>\n\n\n\n<p>The ASA processes address translation statements in a very specific order. You must understand this order, along with the configuration syntax outlined above, to truly become a master of address translation on the Cisco ASA and Cisco ASA-X Firewalls.<\/p>\n\n\n\n<p>The core of how it works is as follows:<\/p>\n\n\n\n<p>Every Manual NAT statement takes precedence over every Auto NAT statement. 
However, there is a way to de-prioritize specific Manual NAT statements to occur&nbsp;<em>after<\/em>&nbsp;the Auto NAT statements.<\/p>\n\n\n\n<p>This creates three sections that all NAT statements fall into \u2013 which constitute the NAT order of operation:<\/p>\n\n\n\n<ul><li>Section 1: All Manual NAT Statements<\/li><li>Section 2: All Auto NAT Statements<\/li><li>Section 3: All Manual NAT Statements de-prioritized to occur after Auto NAT<\/li><\/ul>\n\n\n\n<p><a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#staticnat-autonat\">You<\/a>&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#staticpat-manualnat\">may<\/a>&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#dynamicpat-autonat\">have<\/a>&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#dynamicnat-manualnat\">seen<\/a>&nbsp;<code>Section 1<\/code>&nbsp;and&nbsp;<code>Section 2<\/code>&nbsp;in the output from the&nbsp;<code><strong>show nat<\/strong><\/code>&nbsp;command above.<\/p>\n\n\n\n<p>The idea behind the three sections is that since Manual NAT statements have the option of making decisions on Source and Destination, they tend to be more specific than Auto NAT statements (which can only make a decision based on the source). 
As a result, Manual NAT statements should have higher priority than Auto NAT statements.<\/p>\n\n\n\n<p>However, there might be times when you want to use a Manual NAT statement for a generic translation (maybe one that&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#manualnat-src\">only makes a decision on the Source<\/a>), but have it apply&nbsp;<em>after<\/em>&nbsp;more specific Auto NAT statements.<\/p>\n\n\n\n<p>We will illustrate this using the same image we used for Policy NAT earlier, but we will add two additional Static NAT translations for Host A and Host B (these translations are not depicted on the image):<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"251\" src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/01\/asanat-policy-nat-dynamic-pat-1-1024x251.png\" alt=\"\" class=\"wp-image-1208\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-policy-nat-dynamic-pat-1-1024x251.png 1024w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-policy-nat-dynamic-pat-1-300x74.png 300w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-policy-nat-dynamic-pat-1-768x188.png 768w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-policy-nat-dynamic-pat-1-1536x377.png 1536w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-policy-nat-dynamic-pat-1-150x37.png 150w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-policy-nat-dynamic-pat-1.png 1940w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>First, let\u2019s create all the objects we will need:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">object network INSIDE66\n  subnet 10.6.6.0 255.255.255.0\n\nobject network HOST45\n  host 45.5.4.9\n\nobject network PDPAT-HOST45\n  host 32.8.2.77\n\nobject network HOST-A\n  host 10.6.6.61\n\nobject network HOST-B\n  host 10.6.6.62\n\nobject 
network DPAT-IP\n  host 32.8.2.66<\/pre>\n\n\n\n<p>Then we will create four translation statements using the newly created objects:<\/p>\n\n\n\n<ul><li>A Policy NAT so traffic from the Inside to&nbsp;<code>45.5.4.9<\/code>&nbsp;will be translated using Dynamic PAT to&nbsp;<code>32.8.2.77<\/code><\/li><li>A Static NAT for Host A to translate&nbsp;<code>10.6.6.61<\/code>&nbsp;to&nbsp;<code>32.8.2.61<\/code><\/li><li>A Static NAT for Host B to translate&nbsp;<code>10.6.6.62<\/code>&nbsp;to&nbsp;<code>32.8.2.62<\/code><\/li><li>A Dynamic PAT, written with Manual NAT syntax, for the remaining traffic from the Inside network using the IP&nbsp;<code>32.8.2.66<\/code><\/li><\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">nat (inside,outside) source dynamic INSIDE66 PDPAT-HOST45 destination static HOST45 HOST45\n \nobject network HOST-A\n  nat (inside,outside) static 32.8.2.61\n\nobject network HOST-B\n  nat (inside,outside) static 32.8.2.62\n\nnat (inside,outside) <strong>after-auto<\/strong> source dynamic INSIDE66 DPAT-IP<\/pre>\n\n\n\n<p>Notice, the final Manual NAT statement includes the keyword&nbsp;<code><strong>after-auto<\/strong><\/code>. This is what \u201cde-prioritizes\u201d the statement, causing it to occur&nbsp;<em>after<\/em>&nbsp;the Auto NAT statements.<\/p>\n\n\n\n<p>We can see the exact order in which NAT will occur using the&nbsp;<strong><code>show nat<\/code><\/strong>&nbsp;command. 
Once again, since this output is from a lab device, the&nbsp;<code>translate<\/code>&nbsp;and&nbsp;<code>untranslated<\/code>&nbsp;hits will be 0, so those lines have been excluded:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">asa98# <strong>show nat | exclude hits<\/strong>\nManual NAT Policies <strong>(Section 1)<\/strong>\n1 (inside) to (outside) source dynamic INSIDE66 PDPAT-HOST45 destination static HOST45 HOST45\n\nAuto NAT Policies <strong>(Section 2)<\/strong>\n1 (inside) to (outside) source static HOST-A 32.8.2.61\n2 (inside) to (outside) source static HOST-B 32.8.2.62\n\nManual NAT Policies <strong>(Section 3)<\/strong>\n1 (inside) to (outside) source dynamic INSIDE66 DPAT-IP<\/pre>\n\n\n\n<p>With the output from the&nbsp;<strong><code>show nat<\/code><\/strong>&nbsp;command, we see the three sections very clearly.&nbsp;<code>Section 1<\/code>&nbsp;included our Policy NAT applied with Manual NAT syntax.&nbsp;<code>Section 2<\/code>&nbsp;included&nbsp;<em>both<\/em>&nbsp;our Static NAT statements applied with Auto NAT.&nbsp;<code>Section 3<\/code>&nbsp;included any Manual NAT statement applied with the&nbsp;<strong><code>after-auto<\/code><\/strong>&nbsp;keyword.<\/p>\n\n\n\n<p>Had we&nbsp;<em>not<\/em>&nbsp;used the&nbsp;<strong><code>after-auto<\/code><\/strong>&nbsp;keyword for our Dynamic PAT, it would have appeared in&nbsp;<code>Section 1<\/code>. If that was the case, the Dynamic PAT statement would have taken precedence over the Static NAT statements (in&nbsp;<code>Section 2<\/code>) and all traffic from Host A and Host B would be translated to&nbsp;<code>32.8.2.66<\/code>, instead of their dedicated Static NAT IP addresses.<\/p>\n\n\n\n<p>Using the&nbsp;<strong><code>after-auto<\/code><\/strong>&nbsp;keyword, however, allowed the generic Dynamic PAT statement to occur&nbsp;<em>after<\/em>&nbsp;<code>Section 2<\/code>, allowing Host A and B to use their dedicated Static NAT addresses. 
And Host C\/D\/E (etc\u2026 \u2014 not pictured) would use the generic Dynamic PAT statement in&nbsp;<code>Section 3<\/code>&nbsp;to speak through the Firewall.<\/p>\n\n\n\n<p>And of course, in all cases, the very specific Policy Dynamic PAT occurring in&nbsp;<code>Section 1<\/code>&nbsp;will always take precedence over the other translations.<\/p>\n\n\n\n<p>The example above describes the three sections of NAT precedence on Cisco ASA and Cisco ASA-X Firewalls. But&nbsp;<em>within<\/em>&nbsp;each Section there is also an order of NAT operations to consider.<\/p>\n\n\n\n<h3 id=\"manualnat-precedence\">NAT Precedence within the Manual NAT Sections<\/h3>\n\n\n\n<p>Both&nbsp;<code>Section 1<\/code>&nbsp;and&nbsp;<code>Section 3<\/code>&nbsp;include Manual NAT statements. The priority&nbsp;<em>within<\/em>&nbsp;either of these sections is determined by the order they appear in the configuration.<\/p>\n\n\n\n<p>To help control this, each statement receives an incrementing line number automatically. 
Take a look at this example:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nat (inside,outside) source static AAA AAA destination static BBB BBB\nnat (inside,outside) source static CCC CCC destination static DDD DDD\nnat (inside,outside) source static EEE EEE destination static FFF FFF<\/pre>\n\n\n\n<p>When this configuration is applied (assuming the mock objects&nbsp;<code>AAA<\/code>\u2013<code>FFF<\/code>&nbsp;have been created), we would see this in the&nbsp;<code><strong>show nat<\/strong><\/code>&nbsp;output:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">asa98# <strong>show nat | exclude hits<\/strong>\nManual NAT Policies <strong>(Section 1)<\/strong>\n1 (inside) to (outside) source static AAA AAA destination static BBB BBB\n2 (inside) to (outside) source static CCC CCC destination static DDD DDD\n3 (inside) to (outside) source static EEE EEE destination static FFF FFF<\/pre>\n\n\n\n<p>Notice, the first statement was placed at Line&nbsp;<strong><code>1<\/code><\/strong>, the second at Line&nbsp;<strong><code>2<\/code><\/strong>, and the third at Line&nbsp;<strong><code>3<\/code><\/strong>&nbsp;\u2013 they simply followed the order they were configured.<\/p>\n\n\n\n<p>Had we used the&nbsp;<code><strong>after-auto<\/strong><\/code>&nbsp;keyword for each statement, they would have appeared as Lines&nbsp;<strong><code>1<\/code><\/strong>,&nbsp;<strong><code>2<\/code><\/strong>, and&nbsp;<strong><code>3<\/code><\/strong>&nbsp;of&nbsp;<strong><code>Section 3<\/code><\/strong>.<\/p>\n\n\n\n<p>We can insert a Manual NAT statement at a specific line number by simply specifying the desired line number. 
The syntax is as follows:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nat (<em>&lt;REAL-INTF&gt;<\/em>,<em>&lt;MAPPED-INTF&gt;<\/em>) [after-auto] [<em>Line Number<\/em>] source ...<\/pre>\n\n\n\n<p>Notice that both the optional&nbsp;<strong><code>[after-auto]<\/code><\/strong>&nbsp;keyword and the&nbsp;<code><strong>[<em>Line Number<\/em>]<\/strong><\/code>&nbsp;occur directly after the real and mapped interfaces in parentheses. Once again, the line number denotes the NAT Precedence within&nbsp;<em>either<\/em>&nbsp;<code>Section 1<\/code>&nbsp;or&nbsp;<code>Section 3<\/code>&nbsp;\u2013&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#nat-precedence\">the two Manual NAT sections<\/a>.<\/p>\n\n\n\n<p>Using the line number, we can specify a particular Manual NAT statement to occur at Line 2:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nat (inside,outside) <strong>2<\/strong> source static GGG GGG destination static HHH HHH<\/pre>\n\n\n\n<p>We can verify the effect using&nbsp;<strong><code>show nat<\/code><\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">asa98(config)# <strong>show nat | exclude hits<\/strong>\nManual NAT Policies (Section 1)\n1 (inside) to (outside) source static AAA AAA destination static BBB BBB\n<strong>2 (inside) to (outside) source static GGG GGG destination static HHH HHH<\/strong>\n3 (inside) to (outside) source static CCC CCC destination static DDD DDD\n4 (inside) to (outside) source static EEE EEE destination static FFF FFF<\/pre>\n\n\n\n<p>The new statement was inserted at Line 2, and all the other Manual NAT statements simply shifted down: the original Line 2 became Line 3, and the original Line 3 became Line 4.<\/p>\n\n\n\n<h3 id=\"autonat-precedence\">NAT Precedence within the Auto NAT Section<\/h3>\n\n\n\n<p>NAT precedence within the Auto NAT section comes down to four rules. 
We will provide examples of each rule by configuring these five Auto NAT statements:<\/p>\n\n\n\n<ul><li>A Dynamic PAT for the&nbsp;<code>10.9.9.0\/24<\/code>&nbsp;network to the IP&nbsp;<code>72.9.9.24<\/code><\/li><li>A Dynamic PAT for the&nbsp;<code>10.9.9.48\/29<\/code>&nbsp;network to the IP&nbsp;<code>72.9.9.29<\/code><\/li><li>A Static NAT for the Web Server at&nbsp;<code>10.9.9.80<\/code>&nbsp;to&nbsp;<code>72.9.9.80<\/code><\/li><li>A Static NAT for the Database Server at&nbsp;<code>10.9.9.33<\/code>&nbsp;to&nbsp;<code>72.9.9.33<\/code><\/li><li>A Static PAT for the Database Server so&nbsp;<code>10.9.9.33:22<\/code>&nbsp;maps to&nbsp;<code>72.9.9.33:2222<\/code><\/li><\/ul>\n\n\n\n<p>The configuration is applied with these commands, in this order:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">object network INSIDE-24\n  subnet 10.9.9.0 255.255.255.0\n  nat (inside,outside) dynamic 72.9.9.24\n\nobject network INSIDE-29\n  subnet 10.9.9.48 255.255.255.248\n  nat (inside,outside) dynamic 72.9.9.29\n\nobject network WEB-SERVER\n  host 10.9.9.80\n  nat (inside,outside) static 72.9.9.80\n\nobject network DB-SERVER\n  host 10.9.9.33\n  nat (inside,outside) static 72.9.9.33\n\nobject network DB-SERVER-SSH\n  host 10.9.9.33\n  nat (inside,outside) static 72.9.9.33 service tcp 22 2222<\/pre>\n\n\n\n<p>Notice, these are all Auto NAT statements, which means they will all appear in&nbsp;<code>Section 2<\/code>. We will look at the output of the&nbsp;<strong><code>show nat detail<\/code><\/strong>&nbsp;command to see exactly what is being translated. 
And again we will exclude the lines which include all the translate hits and untranslated hits:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">asa98# <strong>show nat detail | exclude hits<\/strong>\nAuto NAT Policies <strong>(Section 2)<\/strong>\n<strong>1<\/strong> (inside) to (outside) source <strong>static DB-SERVER<\/strong> 72.9.9.33\n Source - Origin: <strong>10.9.9.33\/32<\/strong>, Translated: 72.9.9.33\/32\n<strong>2<\/strong> (inside) to (outside) source <strong>static DB-SERVER-SSH<\/strong> 72.9.9.33 service tcp ssh 2222\n Source - Origin: <strong>10.9.9.33\/32<\/strong>, Translated: 72.9.9.33\/32\n Service - Protocol: <strong>tcp Real: ssh Mapped: 2222<\/strong>\n<strong>3<\/strong> (inside) to (outside) source <strong>static<\/strong> WEB-SERVER 72.9.9.80\n Source - Origin: <strong>10.9.9.80\/32<\/strong>, Translated: 72.9.9.80\/32\n<strong>4<\/strong> (inside) to (outside) source <strong>dynamic<\/strong> INSIDE-29 72.9.9.29\n Source - Origin: <strong>10.9.9.48\/29<\/strong>, Translated: 72.9.9.29\/32\n<strong>5<\/strong> (inside) to (outside) source <strong>dynamic<\/strong> INSIDE-24 72.9.9.24\n Source - Origin: <strong>10.9.9.0\/24<\/strong>, Translated: 72.9.9.24\/32<\/pre>\n\n\n\n<p>The first thing to notice is that all three static translations (lines 1, 2 and 3) took higher priority than both dynamic translations (lines 4 and 5). This brings us to the first rule of precedence within Auto NAT:&nbsp;<strong>Rule #1: static translations always take higher priority than dynamic translations<\/strong>.<\/p>\n\n\n\n<p>Next, if you look at the dynamic translations (lines 4 and 5), the one translating the&nbsp;<code>\/29<\/code>&nbsp;network took higher priority than the one translating the&nbsp;<code>\/24<\/code>&nbsp;network. This brings us to&nbsp;<strong>Rule #2: more specific translations take precedence over less specific translations (based on the Real IP)<\/strong>. 
A&nbsp;<code>\/29<\/code>&nbsp;includes eight IP addresses and a&nbsp;<code>\/24<\/code>&nbsp;includes 256, which makes the&nbsp;<code>\/29<\/code>&nbsp;more specific.<\/p>\n\n\n\n<p>All three static translations (lines 1, 2 and 3) specify a&nbsp;<em>single<\/em>&nbsp;Real IP, so they tie on Rule #2. What determines the order for these is simply the fact that the IP address&nbsp;<code>10.9.9.33<\/code>&nbsp;is numerically lower than&nbsp;<code>10.9.9.80<\/code>.&nbsp;<strong>Rule #3: a numerically lower Real IP takes precedence over a numerically higher Real IP<\/strong>.<\/p>\n\n\n\n<p>And finally, take a look at lines 1 and 2. Both of them are static translations, both of them have the same specificity (one IP), and both of them have the&nbsp;<em>same<\/em>&nbsp;Real IP (<code>10.9.9.33<\/code>). Lines 1 and 2 tie on all three rules we\u2019ve covered so far.<\/p>\n\n\n\n<p>The final rule, which will arbitrarily break any remaining ties, is&nbsp;<strong>Rule #4: alphabetical order of the object\u2019s name<\/strong>. 
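<\/p>

<p>As an added example that is not part of the original article, the Python below encodes the four Section 2 rules as a single sort key and applies it to the five Auto NAT objects configured above (object names and addresses are taken from the page; the table layout and the function names are constructed for this example). It reproduces the order shown in the <code>show nat detail<\/code> output, reports which rule a new connection from a given Real IP lands on, and shows how renaming an object with a leading punctuation character changes the Rule #4 tie-break.<\/p>

```python
import ipaddress

# Constructed Auto NAT table mirroring the five statements configured above:
# (object name, real address or subnet, translation type, optional service).
# The service tuple is (protocol, real port, mapped port) for the Static PAT.
AUTO_NAT = [
    ('INSIDE-24', '10.9.9.0/24', 'dynamic', None),
    ('INSIDE-29', '10.9.9.48/29', 'dynamic', None),
    ('WEB-SERVER', '10.9.9.80/32', 'static', None),
    ('DB-SERVER', '10.9.9.33/32', 'static', None),
    ('DB-SERVER-SSH', '10.9.9.33/32', 'static', ('tcp', 22, 2222)),
]


def precedence_key(rule):
    # Sort key implementing the four Section 2 rules in order. Python compares
    # tuples element by element, so each later element only breaks ties.
    name, real, kind, _service = rule
    net = ipaddress.ip_network(real)
    return (
        0 if kind == 'static' else 1,  # Rule 1: static before dynamic
        -net.prefixlen,                # Rule 2: longer prefix (more specific) first
        int(net.network_address),      # Rule 3: numerically lower Real IP first
        name,                          # Rule 4: plain string order follows ASCII codes
    )


def section2_order(rules):
    # Object names in the order the ASA lists them under Section 2.
    return [rule[0] for rule in sorted(rules, key=precedence_key)]


def first_match(rules, real_ip):
    # Name of the first Section 2 rule whose Real IP covers real_ip, i.e. the
    # translation a new connection from that host would use. Port matching is
    # deliberately omitted: the text above shows that a Static NAT and a Static
    # PAT for the same Real IP are ordered by object name alone.
    addr = ipaddress.ip_address(real_ip)
    for name, real, _kind, _service in sorted(rules, key=precedence_key):
        if addr in ipaddress.ip_network(real):
            return name
    return None


def rename(rules, old, new):
    # Copy of the table with one object renamed; used to show how a leading
    # punctuation character changes the Rule 4 tie-break.
    return [(new,) + rule[1:] if rule[0] == old else rule for rule in rules]


if __name__ == '__main__':
    for position, name in enumerate(section2_order(AUTO_NAT), start=1):
        print(position, name)
    print(first_match(AUTO_NAT, '10.9.9.33'))
    print(first_match(rename(AUTO_NAT, 'DB-SERVER-SSH', '+DB-SERVER'), '10.9.9.33'))
```

<p>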
The name&nbsp;<em><code>DB-SERVER<\/code><\/em>&nbsp;is alphabetically before the name&nbsp;<code><em>DB-SERVER-SSH<\/em><\/code>&nbsp;\u2013 hence, the Static NAT is taking precedence over the Static PAT (which is typically undesirable \u2013 we\u2019ll explore that in the next section).<\/p>\n\n\n\n<p>So to summarize,&nbsp;<strong>the four rules for NAT Precedence within&nbsp;<code>Section 2<\/code>&nbsp;\u2013 the Auto NAT section \u2013 are as follows<\/strong>:<\/p>\n\n\n\n<ul><li><strong>Static<\/strong>&nbsp;takes precedence over&nbsp;<strong>Dynamic<\/strong><\/li><li><strong>Most Specific<\/strong>&nbsp;Real IP<\/li><li><strong>Numerically<\/strong>&nbsp;by Real IP<\/li><li><strong>Alphabetically<\/strong>&nbsp;by Object Name<\/li><\/ul>\n\n\n\n<h3 id=\"autonat-pat-precedence\">Auto NAT Port Translations and NAT Precedence<\/h3>\n\n\n\n<p>If you look at the output from the example above, you will notice the Static NAT took precedence over the Static PAT.<\/p>\n\n\n\n<p>This means if the Firewall receives a packet on the Outside interface destined to the IP address&nbsp;<code>72.9.9.33<\/code>&nbsp;and the TCP port&nbsp;<code>2222<\/code>, it would be translated to the IP&nbsp;<code>10.9.9.33<\/code>&nbsp;and the port would remain&nbsp;<code>TCP\/2222<\/code>. 
This is not ideal because we intended for traffic on port&nbsp;<code>2222<\/code>&nbsp;to be redirected internally to port&nbsp;<code>22<\/code>.<\/p>\n\n\n\n<p>Unfortunately, because of how precedence works in Section 2, since&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#autonat-rule1\">both translations are static<\/a>,&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#autonat-rule2\">both specify a single address<\/a>, and&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#autonat-rule3\">both translate the same Real IP<\/a>, the only rule left to break the tie is&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#autonat-rule4\">Rule #4: alphabetical order of the object name<\/a>.<\/p>\n\n\n\n<p>To that end, it is a good idea to have a consistent structure for how you name the objects that carry your Static NAT and Static PAT statements in Auto NAT syntax, so that the PAT reliably takes precedence over the NAT.<\/p>\n\n\n\n<p>The alphabetical priority is determined by the&nbsp;<a href=\"https:\/\/en.wikipedia.org\/wiki\/ASCII#ASCII_printable_characters\" target=\"_blank\" rel=\"noreferrer noopener\">ASCII character codes<\/a>. This means that if you name objects using letters and numbers (<code>A-Z<\/code>,&nbsp;<code>a-z<\/code>,&nbsp;<code>0-9<\/code>), the following special characters sort before any letter or number:&nbsp;<strong><code>! \" # $ % &amp; ' ( ) * + , - . \/<\/code><\/strong>. Of these characters, the slash and the comma are not eligible for object names. Any of the following will therefore always precede letters or digits:&nbsp;<code><strong>! 
\" # $ % &amp; ' ( ) * + -&nbsp;<\/strong><\/code>.<\/p>\n\n\n\n<p>Applying that knowledge to the Auto NAT configuration above leads us to the following practical application of a Static PAT and a Static NAT:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">object network DB-SERVER\n  host 10.9.9.33\n  nat (inside,outside) static 72.9.9.33\n\nobject network <strong>+DB-SERVER<\/strong>\n  host 10.9.9.33\n  nat (inside,outside) static 72.9.9.33 service tcp 22 2222<\/pre>\n\n\n\n<p>We can verify the NAT precedence using&nbsp;<strong><code>show nat<\/code><\/strong>:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">asa98# <strong>show nat detail | exclude hits<\/strong>\nAuto NAT Policies (Section 2)\n1 (inside) to (outside) source static <strong>+DB-SERVER<\/strong> 72.9.9.33 service tcp ssh 2222\n Source - Origin: 10.9.9.33\/32, Translated: 72.9.9.33\/32\n<strong> Service - Protocol: tcp Real: ssh Mapped: 2222<\/strong>\n2 (inside) to (outside) source static DB-SERVER 72.9.9.33\n Source - Origin: 10.9.9.33\/32, Translated: 72.9.9.33\/32<\/pre>\n\n\n\n<p>Notice, the Auto NAT rule within the object name&nbsp;<strong><code>+DB-SERVER<\/code><\/strong>&nbsp;took precedence over the AutoNAT rule within the object name&nbsp;<code><strong>DB-SERVER<\/strong><\/code>. This successfully prioritizes the Static PAT over the Static NAT within&nbsp;<code>Section 2<\/code>.<\/p>\n\n\n\n<h3 id=\"asa-identity-nat\">Identity NAT<\/h3>\n\n\n\n<p>Throughout this article we have had a few examples of Identity NAT but have not formally referred to them as such. This was intentional because the term Identity NAT sounds more complicated than it really is.<\/p>\n\n\n\n<p><strong>Identity NAT is nothing more than translating addresses to themselves<\/strong>. 
The end effect of which is&nbsp;<strong>essentially not translating certain traffic<\/strong>.<\/p>\n\n\n\n<p>For example, when we provided a&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#asa-policy-nat\">configuration example of a Policy NAT<\/a>, we used the following syntax:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nat (inside,outside) source dynamic INSIDE66 PDPAT-HOST45 destination static <strong>HOST45 HOST45<\/strong><\/pre>\n\n\n\n<p>Notice the&nbsp;<strong>Real Destination<\/strong>&nbsp;and the&nbsp;<strong>Mapped Destination<\/strong>&nbsp;used the same object name (<strong><code>HOST45<\/code><\/strong>). We were translating the object&nbsp;<strong><code>HOST45<\/code><\/strong>&nbsp;to the object&nbsp;<strong><code>HOST45<\/code><\/strong>&nbsp;\u2013 translating it to itself, i.e. not translating it. This was an example of an Identity NAT.<\/p>\n\n\n\n<p>Specifically, we performed a&nbsp;<strong>Dynamic PAT<\/strong>&nbsp;on the&nbsp;<strong><code>source<\/code><\/strong>, and an&nbsp;<strong>Identity NAT<\/strong>&nbsp;on the&nbsp;<strong><code>destination<\/code><\/strong>.<\/p>\n\n\n\n<p>The&nbsp;<strong>configuration of Identity NAT simply involves&nbsp;<em>re-using<\/em>&nbsp;an object as both the&nbsp;<em>real<\/em>&nbsp;object&nbsp;<em>and<\/em>&nbsp;the&nbsp;<em>mapped<\/em>&nbsp;object<\/strong>.<\/p>\n\n\n\n<h3 id=\"asa-nat-exemption\">NAT Exemption on a Cisco ASA or Cisco ASA-X Firewall<\/h3>\n\n\n\n<p>Identity NAT is how you configure what is known as&nbsp;<strong>NAT Exemption<\/strong>&nbsp;\u2013 the concept of&nbsp;<strong>designating certain traffic to be&nbsp;<em>exempt<\/em>&nbsp;from address translation<\/strong>. 
Or said another way,&nbsp;<strong>designating certain traffic to&nbsp;<em>not<\/em>&nbsp;be translated<\/strong>.<\/p>\n\n\n\n<p>For example, below is an ASA configured with a generic Dynamic PAT which translates the entire Seattle network (<code>10.1.1.0\/24<\/code>) to the IP&nbsp;<code>72.3.3.77<\/code>&nbsp;when speaking to the Internet.<\/p>\n\n\n\n<p>However, the ASA also has a VPN tunnel built to the Denver site. We want traffic from Seattle (<code>10.1.1.0\/24<\/code>) to Denver (<code>10.2.2.0\/24<\/code>) to be&nbsp;<em>exempted<\/em>&nbsp;from the generic Dynamic PAT so these two sites can speak to each other directly using private IP addresses.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" width=\"1024\" height=\"236\" src=\"https:\/\/wiki.volu-t.ru\/wp-content\/uploads\/2022\/01\/asanat-nat-exemption-identity-nat-1024x236.png\" alt=\"\" class=\"wp-image-1209\" srcset=\"https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-nat-exemption-identity-nat-1024x236.png 1024w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-nat-exemption-identity-nat-300x69.png 300w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-nat-exemption-identity-nat-768x177.png 768w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-nat-exemption-identity-nat-1536x354.png 1536w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-nat-exemption-identity-nat-150x35.png 150w, https:\/\/wiki.m-network.ru\/wp-content\/uploads\/2022\/01\/asanat-nat-exemption-identity-nat.png 1606w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>In such cases, you would configure a NAT Exemption on the ASA for traffic from&nbsp;<code>10.1.1.0\/24<\/code>&nbsp;to&nbsp;<code>10.2.2.0\/24<\/code>. As mentioned before, the NAT Exemption configuration involves configuring an Identity NAT, i.e. 
translating traffic to itself:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">object network SEATTLE\n  subnet 10.1.1.0 255.255.255.0\n  nat (inside,outside) dynamic 72.3.3.77\n\nobject network DENVER\n  subnet 10.2.2.0 255.255.255.0\n\nnat (inside,outside) source static SEATTLE SEATTLE destination static DENVER DENVER<\/pre>\n\n\n\n<p>With the configuration above, the Manual NAT statement would appear in Section 1 and take&nbsp;<a href=\"https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#nat-precedence\">precedence<\/a>&nbsp;over the Auto NAT statement which would appear in Section 2:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">asa98# <strong>show nat detail | exclude hits<\/strong>\nManual NAT Policies <strong>(Section 1)<\/strong>\n1 (inside) to (outside) source static SEATTLE SEATTLE destination static DENVER DENVER\n<strong> Source - Origin: 10.1.1.0\/24, Translated: 10.1.1.0\/24<\/strong>\n<strong> Destination - Origin: 10.2.2.0\/24, Translated: 10.2.2.0\/24<\/strong>\n\nAuto NAT Policies <strong>(Section 2)<\/strong>\n1 (inside) to (outside) source dynamic SEATTLE 72.3.3.77\n<strong> Source - Origin: 10.1.1.0\/24, Translated: 72.3.3.77\/32<\/strong><\/pre>\n\n\n\n<p>Traffic from Seattle to Denver would match the Manual NAT statement and&nbsp;<em>not<\/em>&nbsp;be translated (Identity NAT), and traffic from Seattle to anywhere else on the Internet would match the Auto NAT statement and be translated using Dynamic PAT to&nbsp;<code>72.3.3.77<\/code>.<\/p>\n\n\n\n<h2 id=\"summary\">Cisco ASA NAT \u2013 Summary<\/h2>\n\n\n\n<p>The Cisco ASA and Cisco ASA-X firewalls provides nearly infinite flexibility in so far as their NAT configuration. 
From the modularity of using objects, to the simplicity of configuring Auto NAT, to the granularity of Manual NAT, to the precision of NAT precedence, the ASA can do it all.<\/p>\n\n\n\n<p>This article covers each of these concepts in detail, explaining what they mean, when to use them, and how to apply them. If you read it from start to finish, and were able to follow along with the examples and illustrations, then you can decidedly consider yourself an address translation expert on the Cisco ASA platform.<\/p>\n\n\n\n<p>Original article: https:\/\/www.practicalnetworking.net\/stand-alone\/cisco-asa-nat\/#nat-syntax<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Part 1 \u2013 NAT Syntax There are two sets of syntax available for configuring address translation on a Cisco ASA. These two methods are referred to as&nbsp;Auto NAT&nbsp;and&nbsp;Manual NAT. The syntax for both makes use of a construct known as an&nbsp;object. The configuration of objects involves the keywords&nbsp;real&nbsp;and&nbsp;mapped. 
In Part 1 of this article we ..<\/p>\n<div class=\"clear-fix\"><\/div>\n<p><a href=\"https:\/\/wiki.m-network.ru\/?p=1191\" title=\"read more...\">Read more<\/a><\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[217,205,210,142],"tags":[],"_links":{"self":[{"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=\/wp\/v2\/posts\/1191"}],"collection":[{"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1191"}],"version-history":[{"count":4,"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=\/wp\/v2\/posts\/1191\/revisions"}],"predecessor-version":[{"id":1211,"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=\/wp\/v2\/posts\/1191\/revisions\/1211"}],"wp:attachment":[{"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1191"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1191"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1191"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
