ASA NAT command explanation?

Robbo777Robbo777 Senior MemberMember Posts: 331 ■■■□□□□□□□
Hi can someone run through this command with me, i'm well versed in what NAT is etc... Its the actual command i'm interested in:

ASA1(config)# object network LAN ASA1
(config-network-object)# subnet
ASA1(config)# object network VPN_POOL
ASA1(config-network-object)# subnet
ASA1(config)# nat (INSIDE,OUTSIDE) source static LAN LAN destination static VPN_POOL VPN_POOL

I'm assuming it's a NAT exemption rule used to stop the translation of VPN remote access traffic back out the ASA outside interface. What i'm trying to wrap my head around is the actual layout of the command.
This is what i see it as.... If i receive an address from the LAN subnet on the inside interface then translate it (or don't) going out the outside interface.

Why is the "LAN" object inserted twice along with VPN_POOL?
Why is the source "static" as opposed to dynamic?
It doesn't look like any "denying" is done anywhere, so why arent the addresses translated.

Cheers, the NAT command on the ASA has always confused me

This is NAT 8.3 and above by the way


  • txraider09txraider09 Member Member Posts: 69 ■■□□□□□□□□
    This is a “No NAT” statement. The way that it’s written, it is going from Inside to Outside. The reason the objects are inserted twice is because you are not translating the address. So it’s basically saying from LAN to VPN_POOL, translate it to make it look like from LAN to VPN_POOL. Hence the “No Nat”
Sign In or Register to comment.