Notes on ASA 8.3 NAT

October 13, 2010 at 11:19 am (TechTips) (, )

Cisco ASA 8.3 has introduced major changes in how NAT is configured and operates.

This video is a excellent resource for a basic introduction to NAT on ASA 8.3 software:

Here are some quick notes that I have gathered for my reference.  Feel free to post any additional comments and notes you may have to share:


show run objects

(Displays network and service objects that are in the running confg)

show run object id

(Displays a specific object)

show run nat

(Displays running config NAT configurations)

show nat

(Displays NAT policies and counters)

Use packet-tracer for testing NAT (and other things)

packet-tracer input inside tcp 4444 80

    Configure Auto-NAT:

object network inside
   nat (inside,outside) dynamic interface

Note: This will configure PAT onto the outside interface for the inside subnet, while at the same time configuring the network object for the inside subnet.

    Configure Twice(manual) NAT:
nat (inside,outside) source dynamic inside-net translated-ip destination static cisco-dot-com cisco-dot-com

Note: You must first define the network objects for the source and destination before configuring manual NAT. In this example, the source IP address of the inside host is translated to “translated-ip” only when the dynamic host is sending a packet that is destined to “cisco-dot-com”. cisco-dot-com is entered twice because we are not translating the destination. If we wanted to translate the destination, we would do it here.

    Exempt subnets from NAT because of VPN tunnel:
nat (inside,outside) static inside-net inside-net destination static vpn-subnets vpn-subnets

This statement will catch traffic on the inside trying to go to the outside. Traffic that matches the source and destination is operated on but no change is made.

    General Notes:

ASA 8.3 has two types of NAT: Auto-NAT and Twice (manual) NAT. You can use Auto-NAT for most NAT/PAT operations, except for ones that need to make a decision based upon the destination address of a packet.

With ASA 8.3, a new change called “Real IP” was introduced. Real IP means that NAT translation happens BEFORE a ACL is checked. Therefore ACLs must contain the real IP address of the host that the inbound packet is headed towards. In other words, do not write the ACL to match on the “mapped” IP address. The real IP address is normally a non-routable IP address.



  1. Vijay said,

    Very good and useful notes. Thank you

  2. davey said,

    Another good guide can be found here :

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: