ASA NAT command explanation?

Robbo777 (Member, 331 posts)
Hi, can someone run through this command with me? I'm well versed in what NAT is, etc. It's the actual command I'm interested in:

ASA1(config)# object network LAN
ASA1(config-network-object)# subnet
ASA1(config)# object network VPN_POOL
ASA1(config-network-object)# subnet
ASA1(config)# nat (INSIDE,OUTSIDE) source static LAN LAN destination static VPN_POOL VPN_POOL

I'm assuming it's a NAT exemption rule used to stop the translation of VPN remote-access traffic back out the ASA outside interface. What I'm trying to wrap my head around is the actual layout of the command.
This is what I see it as: if I receive an address from the LAN subnet on the inside interface, then translate it (or don't) going out the outside interface.

Why is the "LAN" object inserted twice, along with VPN_POOL?
Why is the source "static" as opposed to dynamic?
It doesn't look like any "denying" is done anywhere, so why aren't the addresses translated?

Cheers, the NAT command on the ASA has always confused me.

This is NAT 8.3 and above, by the way.


  • mackenzae (Member, 77 posts)
    You are correct, that is the format used for NAT exemption. The reason it's listed twice is because the first "LAN" statement is the actual source IP address and the second "LAN" object would be your translated IP address (since you don't want it to be translated, you see the same object listed again).

    Same for the VPN_POOL object. The first time it's listed is the actual destination IP address; the second time is the translated address. Again, you don't want it to change, so that's why the same object is listed again. Static vs. dynamic are just different NAT types. Static is used when you want the source or destination NAT to always use the same NAT address, or no NAT address, as in your example above: you always want the LAN object to NAT to the LAN object and the VPN_POOL object to NAT to the VPN_POOL object. Dynamic is used when you have a pool of addresses you want to NAT to, so the translated address could be one of many, or if you are doing PAT, where you are using the same NAT address but different port translations for each outgoing translation.

    There is much more to NAT than this, but I'm just trying to give a quick and dirty explanation.
  • Robbo777 (Member, 331 posts)
    Hi, thanks for your reply. While it was very helpful and I think I've wrapped my head around pretty much everything NAT related now, the "static" and "dynamic" uses are still frustrating me. For example, take this command:

    ASA1(config)# nat (OUTSIDE,OUTSIDE) source dynamic VPN_POOL interface

    Let's say the VPN_POOL object is a subnet and it has already been created, etc. It's for traffic coming in on the OUTSIDE interface and leaving the OUTSIDE again straight away, and it needs to be NATted (remote VPN connection, basically). Why use dynamic instead of static, and vice versa? I know this question may seem silly, but it's so I can wrap my head around the use of this command. I get the whole "static is used for 1-to-1 translation to one address and dynamic NAT is when you have multiple public IPs to use", but I just need a bit more of an explanation for it because it's still confusing. I think I'm almost there, though, getting it. Cheers
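An added example, not posted by either participant, that puts the two commands discussed in this thread (the twice-NAT exemption from the first post and the OUTSIDE,OUTSIDE hairpin rule from the last one) into one complete ASA 8.3+ configuration so the ordering and the static/dynamic choice can be seen together. The addresses are assumptions chosen for illustration: 192.168.1.0/24 for LAN and 10.10.10.0/24 for VPN_POOL; the interface names INSIDE and OUTSIDE are the ones used in the thread. The `no-proxy-arp route-lookup` keywords and the `same-security-traffic` line are additions a practitioner normally pairs with these rules; they are not in the original commands.

```cisco
! Added example with assumed addressing; not the thread's own configuration.
object network LAN
 subnet 192.168.1.0 255.255.255.0
object network VPN_POOL
 subnet 10.10.10.0 255.255.255.0
!
! 1. NAT exemption = manual (twice) NAT, which lands in NAT section 1 and is
!    evaluated before the object NAT below. Each object appears twice because
!    the syntax is "<real> <mapped>": real source LAN maps to LAN, real
!    destination VPN_POOL maps to VPN_POOL. Nothing is "denied"; the rule
!    matches first and performs an identity (static, 1:1) translation, so the
!    packet leaves with its original addresses and never reaches the PAT rule.
!    no-proxy-arp: do not proxy-ARP on OUTSIDE for the (unchanged) LAN addresses.
!    route-lookup: pick the egress interface from the routing table, not the rule.
nat (INSIDE,OUTSIDE) source static LAN LAN destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
!
! 2. Ordinary internet access for the LAN = object (auto) NAT, NAT section 2.
!    Dynamic PAT: many inside hosts share the single OUTSIDE interface address,
!    distinguished by source port. Only traffic NOT matched by rule 1 gets here.
object network LAN
 nat (INSIDE,OUTSIDE) dynamic interface
!
! 3. Hairpin for remote-access VPN clients browsing the internet via the tunnel.
!    Decrypted packets arrive on OUTSIDE and must leave on OUTSIDE again, so
!    intra-interface traffic has to be permitted. Dynamic rather than static
!    because the whole pool is squeezed behind one public address (PAT); a
!    static rule would need one mapped address per pool address.
same-security-traffic permit intra-interface
nat (OUTSIDE,OUTSIDE) source dynamic VPN_POOL interface
```

To check the result on the box, `show nat detail` lists the rules in evaluation order with hit counts, and `packet-tracer input INSIDE tcp 192.168.1.10 12345 10.10.10.5 443` should show the NAT phase matching the exemption (untranslated source), whereas the same source to a public destination such as 203.0.113.10 (a documentation address, chosen here as an assumption) should match the dynamic PAT rule instead.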