Cisco ASA: Dynamic PAT

Overview

  • Translates a group of real (inside) addresses to a single mapped IP address that is routable on the outside network.
  • Unidirectional: only connections initiated from the real side create a translation (the source IP and source port are translated); the mapped address cannot be used to initiate connections to the inside hosts.
  • A rule can also be restricted by destination port, so that only traffic to a given service is translated by that rule.
  • With PAT there is no need for a pool of public addresses: each connection gets a unique mapped source port, and that port is what keeps every translation (xlate) distinct behind the one mapped address.

Topology

Testing Scenarios

  1. All traffic from inside to outside must be dynamically PAT translated using the OUTSIDE interface IP address of ASAx1. This rule should be configured globally (as a manual NAT rule, not as object NAT).
  2. All traffic sourced from 192.168.0.0/24 to any destination on the outside must be PAT translated using the IP address 200.0.0.125. This rule should be configured globally.
  3. All traffic sourced from 192.168.0.0/24 to any destination on the outside must be PAT translated using the IP address 200.0.0.150 if the destination port is TCP 23.

Configurations

Scenario 1

  1. Define the NAT rule for scenario 1 directly as a manual NAT rule in section 3 (after-auto), so it is evaluated only after the more specific section 1 rules and any object NAT. The interface keyword uses the OUTSIDE interface address as the PAT address.
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface

Scenario 2

  1. Define the network objects for the real subnet and the mapped address
object network O-192.168
 subnet 192.168.0.0 255.255.255.0
object network O-200.125
 host 200.0.0.125

  2. Define the NAT rule for this scenario (a manual NAT rule in section 1; with no line number it is appended at the end of section 1)

nat (INSIDE,OUTSIDE) source dynamic O-192.168 O-200.125

Scenario 3

  1. Define the network object for the mapped address and a service object that matches destination port TCP 23 (telnet)
object network Public-200.150
 host 200.0.0.150
object service P-23
 service tcp destination eq telnet 

  2. Define the NAT rule for this scenario. Section 1 rules are evaluated in line order and the first match wins, so this more specific rule must be inserted at line 1; without the line number it would be appended after the scenario 2 rule and never match. The same service object is given as both real and mapped service, so the destination port is matched but not translated.

nat (INSIDE,OUTSIDE) 1 source dynamic O-192.168 Public-200.150 service P-23 P-23

Verifications

  1. Check that all objects were created
show run | b object

  2. Check the NAT rules, their section and their order (the scenario 3 rule should be listed first in section 1) with

show nat

  3. Test the rule for each scenario with packet-tracer; the NAT phase of the output shows which rule matched and the mapped address. The scenario 1 test deliberately uses destination port 23 from a source outside 192.168.0.0/24 to confirm that the scenario 3 rule does not apply to it:

Scenario 1:

packet-tracer input inside tcp 10.10.0.100 12345 3.3.3.3 23

Scenario 2:

packet-tracer input inside tcp 192.168.0.100 12345 3.3.3.3 80

Scenario 3:

packet-tracer input inside tcp 192.168.0.100 12345 3.3.3.3 23
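The NAT lookup that the three packet-tracer runs exercise, as an added example that is not part of the original page and not a Cisco tool: a small Python model of the page's three rules (section 1 in line order, then section 3, first match wins), with a PAT port allocation so that two inside hosts reusing the same source port get distinct mapped ports, and a check of what happens when the scenario 3 rule is added without the `1` line number. The OUTSIDE interface address 200.0.0.1 is an assumption (the page does not give it), and the port-selection logic is simplified compared with the real ASA, which keeps the source port when it is free and otherwise picks one from the same port range.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed OUTSIDE interface address; the page does not state it.
INTERFACE_IP = "200.0.0.1"


@dataclass
class Rule:
    name: str
    real_src: ipaddress.IPv4Network   # matched against the real (inside) source
    mapped_ip: str                    # single mapped (PAT) address
    dst_port: Optional[int] = None    # destination-port match from the service object, if any


# Section 1 (manual NAT) in the order `show nat` would list it:
# scenario 3 was inserted at line 1, scenario 2 was appended without a line number.
SECTION1 = [
    Rule("scenario3", ipaddress.ip_network("192.168.0.0/24"), "200.0.0.150", dst_port=23),
    Rule("scenario2", ipaddress.ip_network("192.168.0.0/24"), "200.0.0.125"),
]
# Section 3 (after-auto): the catch-all interface PAT from scenario 1.
SECTION3 = [Rule("scenario1", ipaddress.ip_network("0.0.0.0/0"), INTERFACE_IP)]


class PatTable:
    """Tracks which (mapped_ip, mapped_port) pairs are in use so each flow stays unique."""

    def __init__(self):
        self.xlate = {}     # (real_ip, real_port, mapped_ip) -> mapped_port
        self.in_use = set()

    def allocate(self, real_ip, real_port, mapped_ip):
        key = (real_ip, real_port, mapped_ip)
        if key in self.xlate:
            return self.xlate[key]
        # Simplified: reuse the real port if free on the mapped address, else walk forward.
        port = real_port
        while (mapped_ip, port) in self.in_use:
            port = port + 1 if port < 65535 else 1024
        self.in_use.add((mapped_ip, port))
        self.xlate[key] = port
        return port


def match(rules, src_ip, dst_port):
    """First rule whose real source (and destination port, if set) matches, else None."""
    for r in rules:
        if src_ip in r.real_src and (r.dst_port is None or r.dst_port == dst_port):
            return r
    return None


def translate(table, src_ip, src_port, dst_ip, dst_port):
    """Return (rule_name, mapped_ip, mapped_port), as the NAT phase of packet-tracer would.

    All three rules on the page match any destination, so dst_ip is carried only
    so the call mirrors the packet-tracer arguments.
    """
    ip = ipaddress.ip_address(src_ip)
    rule = match(SECTION1, ip, dst_port) or match(SECTION3, ip, dst_port)
    if rule is None:
        return (None, src_ip, src_port)   # no rule: the packet would leave untranslated
    mapped_port = table.allocate(src_ip, src_port, rule.mapped_ip)
    return (rule.name, rule.mapped_ip, mapped_port)


def match_without_line_number(src_ip, dst_port):
    """Which rule matches if scenario 3 had been added without `1` (appended after scenario 2)."""
    appended = [SECTION1[1], SECTION1[0]]
    r = match(appended, ipaddress.ip_address(src_ip), dst_port)
    return r.name if r else None


def demo():
    """Run the page's three packet-tracer tests plus a source-port collision through the model."""
    t = PatTable()
    return {
        "scenario1": translate(t, "10.10.0.100", 12345, "3.3.3.3", 23),
        "scenario2": translate(t, "192.168.0.100", 12345, "3.3.3.3", 80),
        "scenario3": translate(t, "192.168.0.100", 12345, "3.3.3.3", 23),
        # A second inside host reuses source port 12345 behind the same mapped IP;
        # PAT must hand it a different mapped port to keep the xlate unique.
        "collision": translate(t, "192.168.0.101", 12345, "3.3.3.3", 80),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
    print("scenario 3 without line number, telnet from 192.168.0.100 hits:",
          match_without_line_number("192.168.0.100", 23))
```

The collision case is the reason PAT needs no address pool: both hosts keep 200.0.0.125 as mapped address and differ only in the mapped port. The last line shows why the `1` in the scenario 3 command matters: appended after scenario 2, the telnet rule is shadowed and every 192.168.0.0/24 flow lands on 200.0.0.125.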

Conclusions

Dynamic PAT lets a whole group of inside addresses share a single mapped IP address, distinguished by mapped source port, and the translation can be made more specific by matching on the destination port or service. Because manual NAT rules are evaluated in order, the more specific rule has to be placed ahead of the general one.
