Category: ASA Network Object NAT

ASA Network Object NAT

Any NAT configuration that is configured from within a network object is considered to be Network Object NAT.

For example. Let’s suppose you create the network Object “host1-real”

asa1(config)# object network host1-real
asa1(config-network-object)# host 10.1.1.201

If you query for sub-commands you will see NAT as an option:

asa1(config-network-object)# ?

  description Specify description text
  fqdn Enter this keyword to specify an FQDN
  help Help for network object configuration commands
  host Enter this keyword to specify a single host object
  nat Enable NAT on a singleton object
  no Remove an object or description from object
  range Enter this keyword to specify a range
  subnet Enter this keyword to specify a subnet
  home-asa/pri/act(config-network-object)#

If you then query NAT options specifically you will see the following:

asa1(config-network-object)# nat ?

  network-object mode commands/options:
    (        Open parenthesis for (<real_if_name>,<mapped_if_name>) pair where
             <real_if_name> is the prenat interface and <mapped_if_name> is the
             postnat interface
    dynamic  Specify NAT type as dynamic
    static   Specify NAT type as static

  configure mode commands/options:
    (               Open parenthesis for (<internal_if_name>,<external_if_name>)
                    pair where <internal_if_name> is the Internal or prenat
                    interface and <external_if_name> is the External or postnat
                    interface
    <1-2147483647>  Position of NAT rule within before auto section
    after-auto      Insert NAT rule after auto section
    source          Source NAT parameters

Object NAT is typically configured on the real inside IP address, referencing the mapped outside address e.g.

asa-1(config-network-object)# nat static host1-mapped ?

network-object mode commands/options:
  dns           Use the created xlate to rewrite DNS record
  net-to-net    Use Net to net mapping of IPv4 to IPv6 address(es)
  no-proxy-arp  Disable proxy ARP on the egress interface
  service       Define port mapping
  <cr>

Network Object NAT can be configured on any network object. However, it is important to note that you can only NAT the source IP. If you wish to NAT both the source and destination at-the-same-time then you would need to configure Twice NAT