Dynamic NAT translates a group of real addresses to a pool of mapped addresses on a one-to-one basis for the duration of each connection. Typically the mapped addresses are public addresses on the outside and the real addresses are private addresses on the inside. They are called real because they are the addresses actually configured on the hosts.
Typically the mapped pool has fewer addresses than the real group. For example, the mapped pool might be a /29 public range and the real group a /24 private range, although neither has to be an exact subnet: the mapped pool could simply be three individual addresses.
When a real inside host initiates a connection to an outside host it is temporarily assigned an unused address from the mapped pool. The translation (xlate) lasts for as long as the connection and is then torn down, returning the mapped address to the pool. If the same host later initiates a new connection it may be given a different address from the pool.
Because the mapped address changes, outside hosts cannot reliably initiate inbound connections to an inside host. While a translation exists, an outside host can reach the inside host through its current mapped address if an inbound access-list permits it, but the address is unpredictable and disappears when the xlate times out, so this is nothing to build on. Use static NAT for any host that must accept inbound connections.
Pros
Dynamic NAT works with IP protocols that carry no port numbers and therefore cannot use PAT (Port Address Translation), such as GRE version 0. Some multimedia applications also do not work well behind PAT.
Cons
In the typical scenario where the mapped pool has fewer addresses than the real group, the pool can be exhausted under heavier than expected load. Once every mapped address is in use, new connections from inside hosts that do not already hold a translation are dropped until an existing xlate is torn down, so pool usage should be monitored with show xlate (one-to-one dynamic entries carry the i flag, PAT entries the r flag). If exhaustion is a realistic risk, the nat command accepts the interface keyword after the mapped object so that the ASA falls back to PAT on the outside interface address once the pool is empty.
It can also be difficult to obtain enough public addresses to size the mapped pool for your needs.
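The exhaustion problem above is easiest to catch before it bites by checking how much of the mapped pool is already held by one-to-one xlates. The script below is an added example (it is not from the original page and not a Cisco tool): it takes the two mapped ranges from Example 2 of this page, parses pasted show xlate output, and reports in-use, free and stray mapped addresses. The show xlate text is constructed sample data, and the script assumes the ASA 8.3+ one-line format ("NAT from inside:10.1.1.220 to outside:192.168.0.245 flags i idle ..."); PAT entries (r flag) are skipped because they do not consume a whole pool address.

```python
"""Pool-utilisation check for ASA dynamic NAT from 'show xlate' output.

Added example, not code from the original page. Assumes the ASA 8.3+ xlate
line format and that one-to-one dynamic entries carry the 'i' flag while
PAT (portmap) entries carry 'r'.
"""
import ipaddress
import re

# Mapped pool as defined by the two 'range' objects in Example 2 of the page.
MAPPED_RANGES = [("192.168.0.244", "192.168.0.245"),
                 ("192.168.0.241", "192.168.0.242")]

# Constructed 'show xlate' output (sample data, not captured from a device).
SAMPLE_XLATE = """\
4 in use, 4 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from inside:10.1.1.208 to outside:192.168.0.244 flags i idle 0:00:03 timeout 3:00:00
NAT from inside:10.1.1.209 to outside:192.168.0.245 flags i idle 0:01:10 timeout 3:00:00
NAT from inside:10.1.1.210 to outside:192.168.0.241 flags i idle 0:00:42 timeout 3:00:00
TCP PAT from inside:10.1.1.211/49152 to outside:192.168.0.250/1024 flags ri idle 0:00:01 timeout 0:00:30
"""

# Optional protocol prefix (TCP/UDP/ICMP), NAT or PAT, real and mapped
# interface:address pairs (with an optional /port), then the flag letters.
XLATE_RE = re.compile(
    r"^(?:(?:TCP|UDP|ICMP)\s+)?(?:NAT|PAT) from (?P<rif>\S+?):(?P<real>[\d.]+)(?:/\d+)?"
    r" to (?P<mif>\S+?):(?P<mapped>[\d.]+)(?:/\d+)?\s+flags (?P<flags>\S+)"
)


def expand_pool(ranges):
    """Expand (first, last) address pairs into the list of pool addresses."""
    pool = []
    for first, last in ranges:
        a, b = ipaddress.ip_address(first), ipaddress.ip_address(last)
        pool.extend(ipaddress.ip_address(n) for n in range(int(a), int(b) + 1))
    return pool


def parse_dynamic_xlates(text):
    """Return {mapped_ip: real_ip} for one-to-one dynamic NAT entries only."""
    in_use = {}
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if not m:
            continue  # header, flag legend, or an unrelated line
        flags = m.group("flags")
        if "i" not in flags or "r" in flags:
            continue  # not dynamic, or a PAT entry that shares an address
        in_use[ipaddress.ip_address(m.group("mapped"))] = ipaddress.ip_address(m.group("real"))
    return in_use


def pool_report(ranges, xlate_text, warn_at=0.75):
    """Compare the configured pool against live xlates and summarise usage."""
    pool = expand_pool(ranges)
    in_use = parse_dynamic_xlates(xlate_text)
    used = [ip for ip in pool if ip in in_use]
    free = [ip for ip in pool if ip not in in_use]
    # Mapped addresses held by dynamic xlates but not in this pool: some other
    # NAT rule is translating to them, which is worth knowing about.
    stray = [ip for ip in in_use if ip not in pool]
    util = len(used) / len(pool) if pool else 0.0
    return {
        "pool_size": len(pool),
        "in_use": len(used),
        "free": [str(ip) for ip in free],
        "stray": [str(ip) for ip in stray],
        "utilisation": util,
        "exhausted": not free,
        "warning": util >= warn_at,
    }


if __name__ == "__main__":
    r = pool_report(MAPPED_RANGES, SAMPLE_XLATE)
    print(f"{r['in_use']}/{r['pool_size']} mapped addresses in use ({r['utilisation']:.0%})")
    print("free:", ", ".join(r["free"]) or "none (new connections will be dropped)")
    if r["stray"]:
        print("mapped addresses used outside this pool:", ", ".join(r["stray"]))
```

On the sample data three of the four pool addresses are held, so the script reports 75% utilisation and flags a warning; pasting the output of a real show xlate in place of SAMPLE_XLATE and the real pool in place of MAPPED_RANGES gives the same check for a live firewall.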
Configuring Dynamic NAT
Dynamic NAT can be configured globally (i.e. as a manual NAT statement entered at the top level of the configuration, which lands in section 1 of the NAT table) or via Object NAT (i.e. configured from within the Network Object, also called Auto NAT, which lands in section 2).
Example 1 – Configure Dynamic NAT globally
In this example, we create two Network Objects (one for the mapped pool and one for the real group) and then configure NAT with a global command that references both.
asa1(config)# object network range1-mapped
asa1(config-network-object)# range 192.168.0.244 192.168.0.245
asa1(config)# object network range1-real
asa1(config-network-object)# range 10.1.1.201 10.1.1.220
asa1(config)# nat (inside,outside) source dynamic range1-real range1-mapped
asa1# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic range1-real range1-mapped
translate_hits = 0, untranslate_hits = 0
To verify the configuration we can use the packet-tracer tool with a simulated ICMP echo request (type 8, code 0) from an inside host. Below you can see that the real IP 10.1.1.220 is translated to 192.168.0.245 by the rule we just added.
asa1# packet-tracer input inside icmp 10.1.1.220 8 0 4.2.2.4

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Phase: 2
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source dynamic range1-real range1-mapped
Additional Information:
Dynamic translate 10.1.1.220/0 to 192.168.0.245/0
Example 2 – Configure Dynamic NAT globally using two mapped ranges
In this example, we create two mapped Network Objects and place them inside a Network Object Group; addresses are drawn from the first Network Object before the second. Note that the real group in this case is configured as a subnet rather than a range: 10.1.1.208 255.255.255.248 (a /29, eight addresses) is translated onto the four addresses in the group.
asa1(config)# object network range1-mapped
asa1(config-network-object)# range 192.168.0.244 192.168.0.245
asa1(config)# object network range2-mapped
asa1(config-network-object)# range 192.168.0.241 192.168.0.242
asa1(config)# object-group network range1-2-mapped
asa1(config-network-object-group)# network-object object range1-mapped
asa1(config-network-object-group)# network-object object range2-mapped
asa1(config)# object network subnet1-real
asa1(config-network-object)# subnet 10.1.1.208 255.255.255.248
asa1(config)# nat (inside,outside) source dynamic subnet1-real range1-2-mapped
asa1# show nat
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic subnet1-real range1-2-mapped
translate_hits = 0, untranslate_hits = 0
Example 3 – Configuring Dynamic NAT under the Network Object
In this example, we first configure the mapped and real Network Objects and then configure NAT under the real object. The mapped object must exist before it is referenced.
asa1(config)# object network range1-mapped
asa1(config-network-object)# range 192.168.0.244 192.168.0.245
asa1(config)# object network range1-real
asa1(config-network-object)# range 10.1.1.201 10.1.1.220
asa1(config-network-object)# nat dynamic range1-mapped
asa1# show nat
<snip>
Auto NAT Policies (Section 2)
1 (any) to (any) source dynamic range1-real range1-mapped
translate_hits = 0, untranslate_hits = 0
Note that any NAT configured under the Network Object (also known as Auto NAT) appears in “section 2”, whereas the global rules from Examples 1 and 2 appear in “section 1”. The ASA walks the NAT table in order, section 1 (manual NAT), then section 2 (Auto NAT), then section 3 (manual NAT entered with the after-auto keyword), and uses the first rule that matches, so a matching section 1 rule always takes precedence over an Auto NAT rule for the same traffic. Within section 2 the rules are ordered automatically: static before dynamic, then by the number of real addresses (fewest first), so the order in which you typed them does not matter.