What is Port Address Translation: Cisco ASA

Created by Deepak Sharma in Articles 5 May 2024

Introduction:

In the last blog article, I explained static NAT, its implementation on a Cisco ASA firewall, and its purpose. In this article I take up another general-purpose form of NAT, Port Address Translation (PAT). The problem it solves is the common one of internal machines that are configured with private IP addresses and need to communicate with the internet.

Port Address Translation (PAT), also known as NAT Overload, is a method used in networking to map multiple private IP addresses to a single public IP address by using different source port numbers. PAT is commonly used to conserve public IP addresses and allow multiple internal hosts to share a single public IP address for outbound traffic. It's often used for scenarios where multiple devices in a network need to access the internet.

Here's a step-by-step guide on how to configure PAT on a Cisco ASA firewall, along with a scenario:

Scenario:

You have an internal network (192.168.1.0/24) with multiple devices such as laptops, and you want them to share a single public IP address (203.0.113.1) when accessing the internet using different source ports.


Initial Configuration:

Before configuring PAT, you need to perform the initial mandatory configuration steps for the Cisco ASA firewall. This includes setting the hostname, configuring interfaces, routing, the default access policy, management access, time settings, and passwords. Please refer to my previous blog, "How to Configure Static NAT on Cisco ASA Firewall", which covers these steps.

PAT Configuration Steps:

1. Access the Cisco ASA Firewall:

Connect to the Cisco ASA firewall using SSH, Telnet, or console cable and log in with appropriate privileges.

2. Access Configuration Mode:

Enter configuration mode by typing enable followed by the password, and then configure terminal.

3. Interface Configuration:

Configure the firewall interfaces with IP addresses and security levels. In this scenario, we'll assume you have an "inside" and "outside" interface.


interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0


Note: Adjust the IP addresses, subnet masks, and interface names to match your network configuration.

4. NAT Configuration:

Configure Port Address Translation (PAT) using the interface option. The configuration below has three parts: object network Internal-Net defines an object representing the internal network; subnet 192.168.1.0 255.255.255.0 specifies that network's subnet; and nat (inside,outside) dynamic interface, entered under the object, configures PAT, so that internal hosts are mapped to the outside interface's IP address and distinguished by different source ports.


object network Internal-Net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface


5. Access Rules:

Create an access list that allows outbound traffic from the internal network. The rule below permits all IP traffic; in production, narrow it to the protocols and destinations your internal hosts actually need.

access-list inside_access_out extended permit ip any any

6. Apply Access Rules:

Apply the access list in the inbound direction on the inside interface, so it is evaluated on traffic entering the firewall from the internal hosts.

access-group inside_access_out in interface inside


7. Save Configuration:

Save your configuration changes using write memory or wr mem.


write memory


Testing:

Verify that internal hosts can access the internet using the shared public IP address with different source ports. You should see the translated IP address and port number when viewing outbound traffic logs.
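To make the translation behaviour of step 4 and the expected test result concrete, here is a toy Python model of the translation (xlate) table the firewall keeps for one outside address. This is an added example, not ASA code or the author's; it assumes the scenario's outside address 203.0.113.1, constructed sample flows, and a simplified port-allocation rule (keep the host's own source port when free, otherwise hand out a new one).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PatTable:
    """Minimal model of the PAT xlate table for one outside address (simplified, not ASA's algorithm)."""

    def __init__(self, public_ip, pool=range(1024, 65536)):
        self.public_ip = public_ip      # outside interface address (203.0.113.1 in the scenario)
        self.pool = iter(pool)          # ports handed out when the original source port is taken
        self.used = set()               # public ports currently allocated
        self.out = {}                   # (priv ip, priv port, dst ip, dst port) -> public port
        self.back = {}                  # (public port, dst ip, dst port) -> (priv ip, priv port)

    def _alloc(self, wanted):
        # keep the host's own source port when nobody else holds it; otherwise pick a fresh one
        if wanted not in self.used and wanted >= 1024:
            port = wanted
        else:
            port = next(p for p in self.pool if p not in self.used)
        self.used.add(port)
        return port

    def outbound(self, pkt):
        """inside -> outside: rewrite the source to public_ip:allocated_port."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out:
            port = self._alloc(pkt.src_port)
            self.out[key] = port
            self.back[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.out[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """outside -> inside: only replies matching an existing xlate are forwarded."""
        entry = self.back.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if entry is None:
            return None                 # no translation slot: the firewall drops it
        priv_ip, priv_port = entry
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo():
    # constructed flows: two inside hosts using the same private source port to one server
    pat = PatTable("203.0.113.1")
    a = pat.outbound(Packet("192.168.1.10", 50000, "198.51.100.5", 443))
    b = pat.outbound(Packet("192.168.1.20", 50000, "198.51.100.5", 443))
    reply = pat.inbound(Packet("198.51.100.5", 443, "203.0.113.1", b.src_port))
    stray = pat.inbound(Packet("198.51.100.5", 443, "203.0.113.1", 4444))
    return a, b, reply, stray
```

The second host collides on port 50000, so it is given a different public port, and the unsolicited packet to port 4444 has no xlate entry and is dropped, which is the behaviour the testing step above expects to observe in the logs.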

Remember to adapt the configurations to your specific network setup and Cisco ASA software version. Always follow best security practices and refer to Cisco's documentation for the most accurate and up-to-date information.



Comments (1)

sanchit thareja (Student), 12 Oct 2023, 11:42 pm:

Good, short and crispy.
