NATing like it’s Nineteen Ninety Nine

–Network Address Translation, ASA 8.2

NAT is required in a number of scenarios and turns up in the most unusual places. The most common use is translating a private RFC 1918 address into a globally routable public IP address. An example of this would be a home device with an address of being translated to when going to the internet. The translation table keeps a record of this conversation, and when the reply packet returns to it is sent back to the device it originated from. There are a number of different NAT styles and syntaxes, and the syntax changes between 8.2 and 8.3 caused commotion among ASA users. This section will clearly state which NAT method is being used.

Order of Operations – 8.2 ASA

The NAT order of operations is important for understanding where each translation type takes effect when a connection is evaluated.

  1. NAT Exemption
  2. Static NAT and Static PAT
  3. Policy Dynamic NAT
  4. Regular Dynamic NAT
  5. NAT control on and no match: the packet is dropped

Dynamic NAT – 8.2 ASA

Dynamic NAT translates a real IP address to an address drawn from a pre-defined pool. It is generally employed for traffic going from a higher-security interface to a lower-security one. An additional address is generally reserved for PAT in case the defined pool fills.

nat (inside) 1
global (outside) 1
global (outside) 1

The above 8.2 dynamic NAT example takes addresses from the inside source range of and translates them to an address in the range. This occurs when traffic goes from inside to outside. If the translation pool fills, the address is there to perform PAT.

The ASDM configuration window resides at Configuration > Firewall > NAT Rules. Then select Add Dynamic NAT Rule.

Static NAT – 8.2 ASA

Static NAT’s recommended use is where an application server needs to be accessed from an external network. Because the translation is always present in the table, remote connections can be established. It is best used when connections need to be established from an outside interface that has a lower security level than the host being accessed. The addresses listed are what we will use for our example. The server has an internal address of on interface dmz-mail, and outside requests hit on interface isp-a.

static (dmz-mail,isp-a)

A good way to remember the 8.2 static command is the structure in the table below: the interface pair is written (real, mapped), while the address pair that follows is written in the opposite order, (mapped, real).

Real IP    Mapped IP    Mapped IP    Real IP
dmz-mail   isp-a        isp-a        dmz-mail


The ASDM configuration window resides at Configuration > Firewall > NAT Rules. Then select Add Static NAT Rule.

Static Exemption, Exemption and Identity NAT – 8.2 ASA

The following examples cover devices that do not need to be translated.

Static identity NAT creates a slot in the translation table as soon as it is configured.

static (dmz-c,outside) netmask

Dynamic identity NAT creates a dynamic identity entry in the translation table, in which the local and global addresses are the same. It is used when clients access less secure interfaces.

nat (inside) 0

Remember that a pool ID of 0 tells the ASA software not to translate.

Finally there is NAT exemption. This mode behaves differently because it is evaluated first in the order of operations and bypasses the remaining NAT operations.

nat (inside) 0 access-list CI-VPN

The ASDM configuration window resides at Configuration > Firewall > NAT Rules. Then select Add Static NAT Rule. Ensure NAT Exempt Outbound Traffic from Interface “inside” to Lower Security Interfaces (Default) is enabled for Exemption.

NAT caveats for 8.2

NAT control was a feature of 8.2. When enabled, it required a NAT rule to be in place for every connection; traffic was dropped if no translation rule was found. NAT exemption was the other way for traffic to traverse the firewall when NAT control was enabled, which led to excess configuration on firewalls. In ASA 8.3 this feature was removed completely: if a connection finds no translation it is allowed through and is subject to the other access policies.
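To make the five-step order of operations, the pool-fills-then-PAT behaviour and the NAT control drop described above concrete, here is an added Python model of an 8.2 firewall's NAT decision. It is not ASA code and not from the original post; the class and function names (Nat82, translate, demo), the interface names, the rule tables and every address in demo() are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

net, addr = ipaddress.ip_network, ipaddress.ip_address

@dataclass
class Nat82:
    nat_control: bool = True
    exempt: list = field(default_factory=list)   # nat (ifc) 0 access-list: (ifc, src_net, dst_net)
    statics: dict = field(default_factory=dict)  # static (real,mapped): (ifc, real_ip) -> mapped_ip
    policy: list = field(default_factory=list)   # nat (ifc) N access-list: (ifc, pool, src_net, dst_net)
    dynamic: list = field(default_factory=list)  # nat (ifc) N net mask: (ifc, pool, src_net)
    pools: dict = field(default_factory=dict)    # global (ifc) N: pool -> (addr_list, pat_addr)
    xlate: dict = field(default_factory=dict)    # translation table: (ifc, real_ip) -> mapped_ip

    def translate(self, ifc, src, dst):
        s, d = addr(src), addr(dst)
        # 1. NAT exemption: bypasses every later step and creates no xlate slot
        if any(i == ifc and s in sn and d in dn for i, sn, dn in self.exempt):
            return ("exempt", src)
        # 2. Static NAT: the entry is always present in the table
        if (ifc, s) in self.statics:
            return ("static", self.statics[(ifc, s)])
        # 3. Policy dynamic NAT: matched on source and destination
        for i, pool, sn, dn in self.policy:
            if i == ifc and s in sn and d in dn:
                return self._dynamic(ifc, pool, s)
        # 4. Regular dynamic NAT: matched on source only
        for i, pool, sn in self.dynamic:
            if i == ifc and s in sn:
                return self._dynamic(ifc, pool, s)
        # 5. NAT control on and no match: the packet is dropped
        return ("drop", None) if self.nat_control else ("untranslated", src)

    def _dynamic(self, ifc, pool, s):
        if pool == 0:                      # pool id 0 = identity NAT, do not translate
            return ("identity", str(s))
        if (ifc, s) not in self.xlate:     # new conversation: allocate a mapped address
            addrs, pat = self.pools[pool]
            free = [a for a in addrs if a not in self.xlate.values()]
            self.xlate[(ifc, s)] = free[0] if free else pat  # pool exhausted -> PAT address
        return ("dynamic", self.xlate[(ifc, s)])

def demo():
    # Constructed rule set: one exemption, one static, a two-address pool plus a PAT address
    fw = Nat82()
    fw.exempt.append(("inside", net("10.1.0.0/16"), net("10.2.0.0/16")))
    fw.statics[("inside", addr("10.1.1.5"))] = "203.0.113.5"
    fw.dynamic.append(("inside", 1, net("10.1.0.0/16")))
    fw.pools[1] = (["203.0.113.10", "203.0.113.11"], "203.0.113.9")
    return fw
```

Walking packets through demo() shows the exemption winning over the static for the same host, the third inside host landing on the PAT address once both pool addresses are taken, and an unmatched source being dropped only while nat_control is on.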
