Cisco Support Community

ASA 9.1 Difference between nat object sub command & standalone nat



This document describes the difference between two methods of configuring NAT on the ASA, as asked by a user.


A user is configuring a couple of new 5515-X ASAs. He wishes to know:

  • What are the major differences between the following two NAT syntax methods?
  • Do they both work (tested in a lab environment)?

Method 1:

object network Test-DMZ-Server_EXT 
object network LOCAL-RANGE_EXT 
object network LOCAL-RANGE 
 nat (inside,outside) static LOCAL-RANGE_EXT
object network Test-DMZ-Server 
 nat (DMZ,any) static Test-DMZ-Server_EXT
object network ANY
 nat (any,outside) dynamic interface

Method 2:

object network LOCAL-RANGE 
object network Test-DMZ-Server 
object network Test-DMZ-Server_EXT 
object network LOCAL-RANGE_EXT 
nat (DMZ,any) source static Test-DMZ-Server Test-DMZ-Server_EXT
nat (inside,outside) source static LOCAL-RANGE LOCAL-RANGE_EXT
nat (any,outside) source dynamic any interface


a.) The first set of configuration is Auto NAT, also called Network Object NAT: the whole "nat" statement is configured under the network object that holds the real address, so the object's own address is implicitly the real address of the rule. This form is used to configure dynamic PAT, dynamic NAT, static NAT and static PAT.

The second set of configuration is Manual NAT, also called Twice NAT or Double NAT. The real and mapped addresses are listed in the "nat" statement itself by referencing separately created "object" and "object-group" definitions; the "nat" line is not located under any object but rather uses them. This format is typically used for identity NAT (NAT0 / NAT exemption) and for policy NAT, where the translation must depend on the destination as well as the source.

Another major difference is the way the rules are ordered post 8.3. The NAT table is divided into three sections, evaluated top to bottom with the first matching rule winning:
Section 1 = Manual NAT / Twice NAT, in the order configured
Section 2 = Auto NAT / Network Object NAT, ordered automatically (static rules before dynamic rules, then the rule with the fewest real addresses first, then the lowest real address, then object name)
Section 3 = Manual NAT / Twice NAT entered with the "after-auto" keyword, in the order configured

The order in which Auto NAT rules are typed is therefore irrelevant, but the order of Manual NAT lines matters: a broad dynamic rule placed above a more specific static rule shadows it.

Another big difference between Auto NAT and Manual NAT is that Auto NAT only translates the source address (which address counts as the "source" depends on the direction you are looking at the flow from), while Manual NAT can translate both the source and the destination IP address in a single rule.

b.) Both configurations, when implemented, achieve the same thing in this case. In Method 2 that holds because the two static rules are listed before the catch-all dynamic PAT rule; in Method 1 the automatic ordering of Section 2 guarantees it regardless of the order in which the objects were entered.
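The section ordering described above, as an added example that is not part of the original document: a small Python model of the ASA NAT table (Sections 1 to 3, with the automatic ordering of Section 2) fed with both methods. The object contents (LOCAL-RANGE = 10.1.1.0/24, LOCAL-RANGE_EXT = 203.0.113.0/24, Test-DMZ-Server = 192.168.10.10, Test-DMZ-Server_EXT = 203.0.113.250) are assumed, because the page does not show the host/subnet lines of the objects; destination translation and interface addresses are not modelled.

```python
"""Model of ASA (8.3+) NAT rule precedence: Section 1 manual, Section 2 auto,
Section 3 manual after-auto. Added example, not from the original page; the
object addresses below are assumptions (RFC 5737 documentation ranges)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    section: int          # 1 = manual NAT, 2 = auto/object NAT, 3 = manual after-auto
    real_if: str          # real (ingress) interface, or "any"
    mapped_if: str        # mapped (egress) interface, or "any"
    kind: str             # "static" or "dynamic"
    real: ipaddress.IPv4Network
    mapped: object        # IPv4Network for static, "interface" for dynamic PAT
    order: int = 0        # configured line order; only meaningful in Sections 1 and 3
    name: str = ""        # object name; last tie-breaker for auto NAT


def auto_nat_key(r: NatRule):
    """Section 2 ordering: static before dynamic, fewest real addresses first,
    then lowest real address, then object name (alphabetical)."""
    return (0 if r.kind == "static" else 1, r.real.num_addresses,
            int(r.real.network_address), r.name)


def ordered(rules):
    """Return the rules in the order the ASA evaluates them (first match wins)."""
    by_section = {s: [r for r in rules if r.section == s] for s in (1, 2, 3)}
    return (sorted(by_section[1], key=lambda r: r.order)
            + sorted(by_section[2], key=auto_nat_key)
            + sorted(by_section[3], key=lambda r: r.order))


def translate(rules, ingress, egress, src):
    """Mapped source address for a packet from `src` entering `ingress` and
    leaving `egress`. Destination translation is deliberately not modelled."""
    addr = ipaddress.ip_address(src)
    for r in ordered(rules):
        if r.real_if not in ("any", ingress) or r.mapped_if not in ("any", egress):
            continue
        if addr not in r.real:
            continue
        if r.kind == "dynamic":
            return "interface"          # PAT to the egress interface address
        offset = int(addr) - int(r.real.network_address)   # one-to-one static mapping
        return str(ipaddress.ip_address(int(r.mapped.network_address) + offset))
    return src                          # no rule matched: no translation


# Assumed object contents (not shown on the page).
N = ipaddress.ip_network
LOCAL_RANGE, LOCAL_RANGE_EXT = N("10.1.1.0/24"), N("203.0.113.0/24")
DMZ_SERVER, DMZ_SERVER_EXT = N("192.168.10.10/32"), N("203.0.113.250/32")
ANY = N("0.0.0.0/0")

# Method 1: every "nat" line sits under an object, so all rules land in Section 2.
METHOD1 = [
    NatRule(2, "inside", "outside", "static", LOCAL_RANGE, LOCAL_RANGE_EXT, name="LOCAL-RANGE"),
    NatRule(2, "DMZ", "any", "static", DMZ_SERVER, DMZ_SERVER_EXT, name="Test-DMZ-Server"),
    NatRule(2, "any", "outside", "dynamic", ANY, "interface", name="ANY"),
]

# Method 2: manual NAT lines in Section 1, evaluated in the order written.
METHOD2 = [
    NatRule(1, "DMZ", "any", "static", DMZ_SERVER, DMZ_SERVER_EXT, order=1),
    NatRule(1, "inside", "outside", "static", LOCAL_RANGE, LOCAL_RANGE_EXT, order=2),
    NatRule(1, "any", "outside", "dynamic", ANY, "interface", order=3),
]

# The same three manual lines with the catch-all PAT written first: it shadows the statics.
METHOD2_PAT_FIRST = [
    NatRule(1, "any", "outside", "dynamic", ANY, "interface", order=1),
    NatRule(1, "DMZ", "any", "static", DMZ_SERVER, DMZ_SERVER_EXT, order=2),
    NatRule(1, "inside", "outside", "static", LOCAL_RANGE, LOCAL_RANGE_EXT, order=3),
]

# Constructed sample flows: (ingress interface, egress interface, real source address).
SAMPLES = [("inside", "outside", "10.1.1.5"),
           ("DMZ", "outside", "192.168.10.10"),
           ("inside", "outside", "172.16.0.7")]


def results(rules):
    """Mapped source for each sample flow under the given rule set."""
    return {src: translate(rules, i, e, src) for i, e, src in SAMPLES}


if __name__ == "__main__":
    for label, rules in (("Method 1", METHOD1), ("Method 2", METHOD2),
                         ("Method 2, PAT first", METHOD2_PAT_FIRST)):
        print(label, results(rules))
```

Running the block shows Method 1 and Method 2 producing identical mappings, that reversing the configured order of the Method 1 objects changes nothing (Section 2 sorts them itself), and that the same Method 2 lines with the dynamic PAT rule on top send the LOCAL-RANGE and DMZ hosts to interface PAT instead of their static addresses.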

Source Discussion

CSC Discussion