Cisco ASA Dynamic NAT Configuration

Just like the Cisco IOS routers we can configure NAT / PAT on our Cisco ASA firewall. In this
lesson I will explain how to configure dynamic NAT. If you are unsure of how NAT/PAT exactly
works then I recommend to read my Introduction to NAT/PAT first.
Having said that, lets take a look at dynamic NAT on the ASA. We will use this topology:

In the middle we have our ASA, its E0/0 interface belongs to the inside and the e0/1 interface
belongs to the outside. Im using routers so that I have something to connect to. Lets start with
the interface first.
ASA1(config)# interface e0/0
ASA1(config-if)# nameif INSIDE
ASA1(config-if)# ip address 192.168.1.254 255.255.255.0
ASA1(config-if)# no shutdown
ASA1(config)# interface e0/1
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0
ASA1(config-if)# no shutdown

Now we can focus on configuring dynamic NAT

Dynamic NAT Configuration

The following example is for ASA 8.3 and later. First we will configure a network object that
defines the pool with public IP addresses that we want to use for translation:
ASA1(config)# object network PUBLIC_POOL
ASA1(config-network-object)# range 192.168.2.100 192.168.2.200

As an example Ill use the 192.168.2.100 200 range from the 192.168.2.0 /24 subnet that we
use on the outside interface. The next step is to configure a network object for the hosts that we
want to translate:
ASA1(config)# object network INTERNAL
ASA1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA1(config-network-object)# nat (INSIDE,OUTSIDE) dynamic PUBLIC_POOL

The network object called INTERNAL specifies the subnet that we want to translate (the entire
192.168.1.0 /24) subnet and also has the NAT rule. When traffic from the inside goes to the
outside, we will translate it to the public pool that we created earlier.

When all hosts on the 192.168.1.0 /24 subnet try to access the outside network we will run out of
IP addresses in the public pool, if you want you can enable NAT fallback. This means that when
the public pool runs out of IP addresses, we will use the IP address on the outside interface
(192.168.2.254) for translation. Heres how to do it: