

Cisco ASA PRE_8.3 and POST_8.3 NAT Operations

From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a

You may also want to read Cisco's official ASA 8.3 migration guide; refer to it for the full explanation of the NAT migration.

Cisco ASA firewalls support several types of address translation; the most common are the following:

Dynamic NAT translation: used for outbound communication only; the most common case is letting your internal LAN reach the Internet through a public IP address.

Pre-8.3 syntax:

ciscoasa (config)# nat (inside) 1
ciscoasa (config)# global (outside) 1 interface

As you can see, the "nat" and "global" keywords work together: the PIX/ASA uses its outside interface address to let clients reach the Internet, creating a translation rule that hides their real IP address. Because all clients share that one address, the firewall keeps the many connections apart by the TCP/UDP source port assigned to each translated socket, which stays unique (this is what Cisco calls PAT, port address translation).

Post-8.3 syntax:

ciscoasa (config)# object network internal_LAN
ciscoasa (config-network-object)# subnet
ciscoasa (config-network-object)# nat (inside,outside) dynamic interface

Here you see a big architectural difference: translations are now attached to objects, the nat/global pair is gone, and the IP addressing is referenced through the object instead. The functional result is the same, but the NAT design and the flexibility when changing the configuration are quite different.

Static NAT translation: static NAT is used for bidirectional communication; you want it when you need to publish a server on the Internet.

Pre-8.3 syntax:

ciscoasa (config)# static (DMZ , outside) netmask

Post-8.3 syntax:

ciscoasa (config)# object network webserver_PublicIP
ciscoasa (config-network-object)# host
ciscoasa (config-network-object)# nat (DMZ , outside) static

Please note that the access-list that allows traffic to port 80 of the web server must reference the real (private) IP address of the server; this differs from the old configuration, which referenced the public IP address. From 8.3 onward the access-list is evaluated against the untranslated, real addresses, so an entry that still names the public address does not match inbound traffic to the server.

NAT Exempt: usually used for VPN connections.

Once you have configured dynamic NAT on the ASA firewalls so that the private LAN networks can access the Internet, and you then want to build a VPN tunnel (either site-to-site or remote access), you must make sure that the traffic which will cross the VPN tunnel is excluded from any NAT operation. In other words you need to "exempt" from NAT the LANs you want to connect through the IPsec tunnel; this is done differently depending on the ASA version (pre or post 8.3).

Pre-8.3 syntax:

ciscoasa (config)# access-list NONAT extended permit ip
ciscoasa (config)# nat (inside) 0 access-list NONAT

Post-8.3 syntax (identity NAT, configured on each VPN peer):

ASA 1:

ASA1(config)# object network internal_LAN
ASA1(config-network-object)# subnet
ASA1(config-network-object)# exit
ASA1(config)# object network external_LAN
ASA1(config-network-object)# subnet
ASA1(config-network-object)# exit
ASA1(config)# nat (inside,outside) 1 source static internal_LAN internal_LAN destination static external_LAN external_LAN

ASA 2:

ASA2(config)# object network internal_LAN
ASA2(config-network-object)# subnet
ASA2(config-network-object)# exit
ASA2(config)# object network external_LAN
ASA2(config-network-object)# subnet
ASA2(config-network-object)# exit
ASA2(config)# nat (inside,outside) 1 source static internal_LAN internal_LAN destination static external_LAN external_LAN
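To make the mapping between the two generations of syntax concrete, here is an added example (not from the article or from Cisco) that converts the three pre-8.3 cases above, nat/global dynamic PAT, static NAT and nat 0 exemption, into their post-8.3 object NAT and twice NAT equivalents. The input fragment and addresses are constructed (RFC 5737 / RFC 1918); the name of the mapped interface for the exemption rule is an assumption, since "nat 0" never names it.

```python
import re

# Constructed pre-8.3 fragment, one example of each translation type the article covers.
PRE83 = """\
nat (inside) 1 192.168.1.0 255.255.255.0
global (outside) 1 interface
static (DMZ,outside) 203.0.113.10 192.168.2.10 netmask 255.255.255.255
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
"""

def obj(prefix, addr):
    """Derive an object name from an address (dots replaced so the name stays simple)."""
    return f"{prefix}_{addr.replace('.', '_')}"

def convert(cfg, outside="outside"):
    """Return the post-8.3 lines equivalent to a pre-8.3 nat/global/static/nat 0 config.
    'outside' is an assumption: nat 0 never names the mapped interface, twice NAT must."""
    lines = [ln.strip() for ln in cfg.splitlines() if ln.strip()]
    pools, acls, out = {}, {}, []
    # pass 1: collect the global pools and the exemption ACLs that nat lines refer to
    for ln in lines:
        if m := re.match(r"global \((\S+)\) (\d+) (\S+)$", ln):
            pools[m[2]] = (m[1], m[3])                 # pool id -> (mapped if, pool/interface)
        elif m := re.match(r"access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", ln):
            acls[m[1]] = m.groups()[1:]                # name -> (src, smask, dst, dmask)
    # pass 2: emit the object NAT / twice NAT equivalent of each translation
    for ln in lines:
        if m := re.match(r"nat \((\S+)\) 0 access-list (\S+)$", ln):   # NAT exempt
            iface, (src, smask, dst, dmask) = m[1], acls[m[2]]
            local, remote = obj("local", src), obj("remote", dst)
            out += [f"object network {local}", f" subnet {src} {smask}",
                    f"object network {remote}", f" subnet {dst} {dmask}",
                    f"nat ({iface},{outside}) source static {local} {local} "
                    f"destination static {remote} {remote}"]
        elif m := re.match(r"nat \((\S+)\) (\d+) (\S+) (\S+)$", ln):     # dynamic NAT/PAT
            iface, pool, net, mask = m.groups()
            mapped_if, mapped = pools[pool]
            out += [f"object network {obj(iface, net)}", f" subnet {net} {mask}",
                    f" nat ({iface},{mapped_if}) dynamic {mapped}"]
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+) netmask 255\.255\.255\.255$", ln):
            real_if, mapped_if, mapped, real = m.groups()  # pre-8.3 order: mapped, then real
            out += [f"object network {obj('host', real)}", f" host {real}",
                    f" nat ({real_if},{mapped_if}) static {mapped}"]
    return out

if __name__ == "__main__":
    print("\n".join(convert(PRE83)))
```

On ASA 8.4(2) and later the identity rule produced for the exemption is normally written with "no-proxy-arp route-lookup" appended, so the firewall does not answer ARP for the remote network and routes the untranslated traffic by its routing table.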

Just a quick word on the nat-control feature. Back in the day on the PIX, it was absolutely necessary to NAT between interfaces. The ASA does not have this requirement: the default setting, no nat-control, is what makes translation optional. With no nat-control configured there is no requirement to NAT; we can still do so if we want, but it is not mandatory. If we want the ASA to behave like the old PIX firewall we can add nat-control to make that happen (but I wouldn't do that, as I never liked it very much).

Hope this helps to clarify the main syntax differences, but I believe it will be worth going deep into the Cisco documents and guides to better understand all the implications.

