I have an ASA 5506 running in my lab and I wanted to establish the basic configuration for it first before I jump into the TrustSec configuration. This post isn't much of a deep dive but more informational in the event someone is building a lab similar to mine.

Jumping into it, I'm going to start with the basic interface, IP, domain name and NAT configuration:

In the Layer 3 switch, I'll go ahead and configure the EIGRP process:

Network 10.0.0.0 (Yes, I'm not being very neat with my routing - it's a lab)

Next I'm going to swing over to the ASDM to make it easier for anyone following along to set up some basic settings.

This article is applicable to the Command Line Interface (CLI) configuration of Cisco ASA and Cisco ASA-X firewalls running code versions 8.4 and above.

Or any version of Cisco Firepower firewalls.

There are two sets of syntax available for configuring address translation on a Cisco ASA. These two methods are referred to as Auto NAT and Manual NAT.

The idea is to configure and define an object, then reference that one item in your configuration by the object’s name. To configure a network object, first use the following syntax to create the object:

asa98# show run object in-line | include WEB
Object network WEB-SERVER host 172.16.30.15

If you had done the “pipe include” without the in-line option you just would have received the full name of the object, but not the object’s definition.

NAT configuration on the Cisco ASA will make use of the keywords real and mapped. These terms can be applied to IP addresses or interfaces. We will define these with the example of a Static NAT below:

The word real indicates what is really configured on a server.

For example, the web server at the IP address. 15 is really configured with the IP address 172.16.30.15, which means the actual NIC really has the IP address 172.16.30.15 configured. Hence, 172.16.30.15 is considered the real IP address. Moreover, the real IP exists on the ASA’s Inside interface. Hence, for the translation above, the Inside interface is considered the real interface.

The word mapped indicates attributes after a translation has occurred.

For example, the real address 172.16.30.15 is being translated to 72.6.6.15. Which makes 72.6.6.15 the mapped address. Moreover, the mapped address exists on the ASA’s Outside interface. Hence the Outside interface is considered the mapped interface.

Another way to remember it is the mapped attributes only exist because the ASA created them, whereas the real attributes exist despite any configuration on the ASA.

We discussed the configuration of Objects because Auto NAT is configured within the Object definition, and we discussed the keywords Real and Mapped because the syntax uses these terms to designate the addresses involved in the translation. With those items defined, we can finally discuss the definition and syntax of Auto NAT.

Auto NAT can be used anytime you need to make a NAT decision based upon only the Source of traffic. Which means each of the four types of translations (Static NAT, Static PAT, Dynamic PAT, Dynamic NAT) can be configured with Auto NAT.

The syntax for Auto NAT is as follows (remember, this will be applied within the object definition):

The configuration for Auto NAT starts with the nat command within an object definition
The interface on the ASA which faces the the (defined within the object)
The interface on the ASA which faces the
Use static for Static NAT or Static PAT, use dynamic for Dynamic NAT or Dynamic PAT
The IP address to which the object is being translated. This can be specified as an IP address directly or using the name of another object. You also have the option of specifying the interface keyword to use the IP address assigned to the mapped-interface