What is Port Address Translation: Cisco ASA

Created by Deepak Sharma in Articles 23 Jun 2024

Introduction:

In the last blog article, I explained static NAT, how it is implemented on a Cisco ASA firewall, and what it is used for. In this article I take up another general-purpose form of NAT, Port Address Translation (PAT), which is what you use when internal machines configured with private IP addresses need to communicate with the internet.

Port Address Translation (PAT), also known as NAT Overload, is a method used in networking to map multiple private IP addresses to a single public IP address by using different source port numbers. PAT is commonly used to conserve public IP addresses and allow multiple internal hosts to share a single public IP address for outbound traffic. It's often used for scenarios where multiple devices in a network need to access the internet.
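To make the mechanism concrete, here is a small model of the translation table a PAT device keeps. This is an added example written for this article; it is not code from the original post or from Cisco. It mimics what nat (inside,outside) dynamic interface does for TCP and UDP with the addresses from the scenario below (outside interface 203.0.113.1, inside subnet 192.168.1.0/24), and it assumes a single translated-port range of 1024-65535 and one port pool per protocol; the class and function names are my own.

```python
"""Model of a PAT (NAT overload) translation table.

Added example, not code from the original article or from Cisco.
Every inside (address, port) is mapped to the single outside interface
address with a unique translated port; return traffic is mapped back by
looking that port up. Assumptions: one translated-port range (1024-65535
by default) and one port pool per protocol.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Addresses from the article's scenario.
PUBLIC_IP = "203.0.113.1"                            # outside interface address
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")  # object network Internal-Net

Endpoint = Tuple[str, int]  # (ip address, port)


@dataclass
class PatTable:
    public_ip: str = PUBLIC_IP
    inside_net: ipaddress.IPv4Network = INSIDE_NET
    port_low: int = 1024
    port_high: int = 65535
    # (proto, translated port) -> (inside ip, inside port)
    xlate: Dict[Tuple[str, int], Endpoint] = field(default_factory=dict)
    # (proto, inside ip, inside port) -> translated port
    reverse: Dict[Tuple[str, str, int], int] = field(default_factory=dict)
    next_port: int = 0  # set in __post_init__

    def __post_init__(self) -> None:
        self.next_port = self.port_low

    def translate_outbound(self, proto: str, src_ip: str, src_port: int) -> Optional[Endpoint]:
        """Translate the source of a packet going inside -> outside.

        Returns the (public ip, translated port) the packet leaves with.
        A source outside the NAT object's subnet matches no rule and is
        returned untranslated. None means the port pool is exhausted and
        a new flow cannot be translated (a real firewall would drop it).
        """
        if ipaddress.ip_address(src_ip) not in self.inside_net:
            return (src_ip, src_port)
        key = (proto, src_ip, src_port)
        if key in self.reverse:                 # an existing flow keeps its port
            return (self.public_ip, self.reverse[key])
        port = self._allocate(proto)
        if port is None:
            return None
        self.xlate[(proto, port)] = (src_ip, src_port)
        self.reverse[key] = port
        return (self.public_ip, port)

    def translate_inbound(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Endpoint]:
        """Map a packet arriving outside -> inside back to the inside host.

        Returns None when no translation exists. That is what happens to
        unsolicited inbound traffic with only PAT configured: there is no
        entry to deliver it to, so the firewall drops it.
        """
        if dst_ip != self.public_ip:
            return None
        return self.xlate.get((proto, dst_port))

    def _allocate(self, proto: str) -> Optional[int]:
        """Pick the next free translated port for this protocol, or None."""
        for _ in range(self.port_high - self.port_low + 1):
            port = self.next_port
            self.next_port = self.port_low if port >= self.port_high else port + 1
            if (proto, port) not in self.xlate:
                return port
        return None

    def active_translations(self) -> int:
        return len(self.xlate)


def demo() -> None:
    t = PatTable()
    # Two inside hosts using the same source port still get distinct public ports.
    a = t.translate_outbound("tcp", "192.168.1.10", 51000)
    b = t.translate_outbound("tcp", "192.168.1.20", 51000)
    print("host .10 ->", a)
    print("host .20 ->", b)
    # Return traffic to the translated port finds its way back to the right host.
    print("reply to port", a[1], "->", t.translate_inbound("tcp", t.public_ip, a[1]))
    # Unsolicited inbound traffic has no entry and is dropped.
    print("unsolicited to port 60000 ->", t.translate_inbound("tcp", t.public_ip, 60000))


if __name__ == "__main__":
    demo()
```

The two things worth noticing are that the public address is the same for every host and only the port distinguishes them, and that a packet from the internet with no matching entry maps to nothing, which is why PAT on its own gives inside hosts outbound access without exposing them inbound. Creating a PatTable with a tiny port range shows the exhaustion case, where a new flow gets None once every port is in use.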

Here's a step-by-step guide on how to configure PAT on a Cisco ASA firewall, along with a scenario:

Scenario:

You have an internal network (192.168.1.0/24) with multiple devices such as laptops, and you want them to share a single public IP address (203.0.113.1) when accessing the internet using different source ports.


Initial Configuration:

Before configuring PAT, you need to perform the initial mandatory configuration steps for the Cisco ASA firewall. This includes setting the hostname, configuring interfaces, routing, the default access policy, management access, time settings, and passwords. Please refer to my previous blog on "How to Configure Static NAT on Cisco ASA Firewall", which covers these steps.

PAT Configuration Steps:

1. Access the Cisco ASA Firewall:

Connect to the Cisco ASA firewall using SSH, Telnet, or a console cable and log in with appropriate privileges. Prefer SSH or the console where you can: Telnet sends the login credentials in clear text.

2. Access Configuration Mode:

Enter privileged EXEC mode by typing enable and supplying the enable password, then enter global configuration mode with configure terminal.

3. Interface Configuration:

Configure the firewall interfaces with IP addresses and security levels. In this scenario, we'll assume you have an "inside" and "outside" interface.


interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0

Note: Adjust the IP addresses, subnet masks, and interface names to match your network configuration.

4. NAT Configuration:

Configure Port Address Translation (PAT) using the interface option. In this configuration, object network Internal-Net defines an object representing the internal network; subnet 192.168.1.0 255.255.255.0 specifies that network's subnet; and nat (inside,outside) dynamic interface, entered under the same object, configures PAT, mapping internal hosts to the outside interface's IP address (203.0.113.1) with different source ports. The nat line belongs inside the object, which is what makes this object NAT: it applies only to sources matching Internal-Net.

object network Internal-Net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface

5. Access Rules:

Create an access rule for outbound traffic from the internal network. Note that the ASA already permits traffic from a higher-security interface (inside, level 100) to a lower-security one (outside, level 0) by default, so this access list is only needed if you want to control that traffic explicitly; as soon as one is applied to an interface, only what it permits passes. The rule below permits everything; a tighter rule would restrict the source to the internal subnet (192.168.1.0 255.255.255.0) and, where possible, the destination ports.

access-list inside_access_out extended permit ip any any

6. Apply Access Rules:

Apply the access list to the inside interface in the "in" direction. Packets from internal hosts enter the firewall on the inside interface, so "in" is the direction that filters them; "out" on the inside interface would instead filter traffic leaving the firewall towards the internal hosts.

access-group inside_access_out in interface inside

7. Save Configuration:

Save your configuration changes using write memory or wr mem.


write memory

Testing:

Verify that internal hosts can access the internet using the shared public IP address with different source ports. You should see the translated IP address and port number when viewing outbound traffic logs. On the ASA itself, show xlate lists the active translations (inside address and port to the outside interface address and translated port), show nat shows the NAT rule and its hit counts, and show conn shows the connections that are using those translations.

Remember to adapt the configurations to your specific network setup and Cisco ASA software version. Always follow best security practices and refer to Cisco's documentation for the most accurate and up-to-date information.


Comments (1)

sanchit thareja Student
12 Oct 2023 | 11:42 pm

Good, short and crispy.