Cisco ASA: Introduction to Network Address Translation (NAT)

What is NAT and Why do we use it?
In this article, we will be discussing Network Address Translation (NAT) in general and then specifically, NAT on the Cisco Adaptive Security Appliance (ASA).  As you are probably aware, devices on an IP network require unique IP addresses to communicate. Considering IP version 4 (IPv4), IP addresses can be largely divided into two:

  • Private IP address
  • Public IP address

Note: This classification does not account for special-use IP addresses, Multicast addresses and so on.

The Private IP addresses are what you will assign to devices on your internal network (e.g. Local Area Network, LAN). These IP addresses should never be seen on the Internet because they are “non-routable” on the Internet. To communicate on the Internet, devices need Public IP addresses.

Why did we go through this introduction on IP addresses? It is because one of the main uses of NAT is to convert (translate) private IP addresses to public IP addresses so that devices with private IP addresses can have access to public networks, like the Internet.

Note: We wouldn’t need NAT at all for this purpose if every device that needs Internet access could have a routable address on the Internet. However, IPv4 addresses are just not enough for all the devices that need Internet access – and this problem existed even before the Internet of Things (IoT) era!

Apart from translating private IP addresses to public IP addresses, NAT also has other uses/benefits like:

  • Providing security by hiding the real IP address of a device
  • Overcoming problems in networks that have overlapping IP addresses
  • Translating between IPv4 and IPv6 domains

Types of NAT
While still on the general discussion of NAT, let’s talk about the different types of NAT that can be implemented including:

  • Dynamic NAT
  • Dynamic PAT
  • Static NAT
  • Identity NAT

Dynamic NAT
With Dynamic NAT, a group of real addresses are translated into a pool of mapped addresses on a destination network. The pool of mapped addresses is usually smaller (in quantity) than the number of real addresses being translated meaning that there is the risk of running out of IP addresses if there are more simultaneous connections from real addresses than available mapped addresses.

Tip: Real address means the IP address assigned to/configured on a device. Mapped address means the translated IP address.

In a dynamic NAT configuration, traffic can only be initiated from one side of the translation – only the device with the real address can initiate a connection to the destination network (and will be seen as coming from the mapped address). Devices on the destination network cannot reliably initiate connections to the internal host through the mapped address.

Note: “Reliably” is the keyword here because it is possible (but improbable) for the destination network to initiate connection to the real host.

Dynamic PAT
Dynamic Port Address Translation (PAT) is similar to Dynamic NAT except that you don’t have a pool of mapped addresses; you have only one mapped address. The way it works is the real address and source port is translated to the mapped address and a unique port. This means (theoretically) that one mapped address can be used for approximately 64,000 connections. Dynamic PAT also supports only unidirectional initiation of traffic.

If I were to guess, I’ll say Dynamic PAT is probably the most common type of NAT because you can use it to translate many (private) IP addresses to a single (public) IP address. Remember that public IP addresses cost money and most small companies can only afford a single public IP address.

Static NAT
In the most common form of Static NAT, there is a one-to-one translation of a real address to a mapped address. Since it is one-to-one, Static NAT allows bidirectional initiation of traffic i.e. the host with the real address can initiate traffic to the destination network and the destination network can initiate traffic to the mapped address of the host (if allowed by an access rule).

Note: There are other forms of Static NAT including one-to-many, many-to-one, few-to-many and many-to-few, some of which are not recommended.

The best use case for Static NAT is giving public access to a private server. For example, if an organization has its own Web server on its internal network, how will Internet users access that web server (that hosts the organization’s website)? By using Static NAT to translate the internal IP address of the Web server to a public IP address. Since Static NAT allows bidirectional initiation of traffic, users on the Internet can initiate traffic to that Web server.

Identity NAT
Identity NAT translates a real address to itself. You may wonder why this is even necessary. Let me give you an example. Imagine you have created a dynamic NAT/PAT rule to translate all IP addresses on the network. However, a server with IP address should not be translated. You could configure an Identity NAT rule for this server, to translate its IP address to the same address.

Implementation of NAT on the Cisco ASA
Let’s now come to the specifics of NAT on the Cisco ASA. NAT on the Cisco ASA can be implemented/configured using two methods:

  • Network Object NAT
  • Twice NAT

With Network Object NAT, you configure a network object containing the real address(es) and then create a NAT rule inside that network object for what you want to achieve.

For example, if we wanted to create a dynamic PAT rule that translated inside hosts in the network to when going to the outside network, our Network Object NAT configuration will look something like:

object network inside_real
nat (inside,outside) dynamic

Note: inside and outside are interface names configured on this imaginary Cisco ASA.

On the other hand, with Twice NAT, the NAT rule is standalone – it is not part of the network objects. Instead, the network objects are part of the NAT rule.

If we wanted to achieve the same configuration as we did with Network Object NAT above, the Twice NAT configuration will be something like:

object network inside_real
object network inside_mapped
nat (inside,outside) source dynamic inside_real inside_mapped

Network Object NAT versus Twice NAT
Having seen the two implementations of NAT on the Cisco ASA, why will you use one over the other? Consider the following:

  • Network Object NAT is simpler to configure. If you are not doing any complex configuration, use Network Object NAT – also recommended by Cisco.
  • Network Object NAT cannot be used for some types of configuration. For example, if you want to translate a source address to mapped address A when going to destination A but translate that same source address to mapped address B when going to destination B, you have to use Twice NAT.
  • There is also a difference in the way rules are ordered. The Cisco ASA divides the NAT table into three sections – Section 1, 2 and 3. Section 1 rules are applied first, then Section 2 rules and finally Section 3 rules. Network Object NAT rules are always placed in Section 2 and are automatically ordered. Twice NAT rules are applied in the order they are configured and can either be placed on Section 1 or Section 3. This means if you have traffic that matches both a rule in Section 1 (Twice NAT) and another rule in Section 2 (Network Object NAT), the Section 1 rule will take precedence.

In this article, we have discussed Network Address Translation (NAT). We looked at what NAT is and gave some reasons why we need NAT. We then talked about the different types of NAT including Dynamic NAT, Dynamic PAT and Static NAT. Finally, we focused on the two methods by which NAT can be implemented on the Cisco ASA including Network Object NAT and Twice NAT.

In the next article, we will focus on the technical implementation of NAT on the Cisco ASA by using Network Object NAT to configure different NAT types.

Reference and Further Reading