ASA Manual NAT and Auto NAT
- Auto NAT is always configured within an object definition.
- Auto NAT is used whenever a NAT decision must be made based only on the source address.
- Static and Dynamic NAT, and Static and Dynamic PAT, can all be configured with Auto NAT.
The syntax for Auto NAT is as follows:
nat (<REAL-INTERFACE>,<MAPPED-INTERFACE>) <static|dynamic> <MAPPED-IP>
Notice that none of the elements of the syntax include a real IP address. The real IP address is inherited from the object’s definition.
Now let’s take a look at Manual NAT and see the differences:
- Auto NAT can only make a NAT decision based upon the Source of traffic.
- Auto NAT can only translate the Source of traffic.
- Manual NAT can make a NAT decision based upon the Source, or upon both the Source and Destination.
- Manual NAT can translate the Source, the Destination, or even both the Source and Destination at the same time.
Manual NAT can do everything that Auto NAT can do, plus Policy NAT and Twice NAT, which both require the destination address to be involved in the process.
What is the best practice? Use Auto NAT whenever possible, because it is much simpler to configure. Also, Auto NAT places NAT statements automatically into a sensible order, while Manual NAT statement order must be manually considered.
The syntax of Manual NAT requires using an object for every reference to IP addresses and ports. Here is an example of Manual NAT configuration where only the source address is considered:
nat (<REAL-INTF>,<MAPPED-INTF>) source <static|dynamic> <REAL-SRC> <MAPPED-SRC>
Notice that it is similar to Auto NAT except for the fact that Manual NAT is not configured within an object. It is configured directly in global configuration mode.
Here is an example of Manual NAT syntax where both source and destination are considered (Twice NAT). Note that the destination pair is written in the opposite order from the source pair: the mapped destination object comes first, followed by the real destination object:
nat (<REAL-INTF>,<MAPPED-INTF>) source <static|dynamic> <REAL-SRC> <MAPPED-SRC> destination static <MAPPED-DST> <REAL-DST>
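A worked ASA configuration that exercises both forms described above: Auto NAT inside objects, then Manual NAT for policy NAT and for identity (NAT exemption) of VPN traffic. This is an added example, not configuration from the original page; the object names, interface names and RFC 1918 / RFC 5737 addresses are all constructed.

```cisco
! --- Auto NAT: configured inside the object, real IP inherited from the object ---
! Static one-to-one for an internal web server.
object network WEB-SERVER
 host 10.1.1.10
 nat (inside,outside) static 203.0.113.10

! Dynamic PAT for the whole inside subnet behind the outside interface address.
object network INSIDE-NET
 subnet 10.1.0.0 255.255.0.0
 nat (inside,outside) dynamic interface

! --- Manual NAT: every address reference must be an object ---
object network INSIDE-NET-REAL
 subnet 10.1.0.0 255.255.0.0
object network PARTNER-NET
 subnet 198.51.100.0 255.255.255.0
object network PARTNER-FACING-IP
 host 192.0.2.5
object network REMOTE-VPN-NET
 subnet 172.16.0.0 255.255.0.0

! Policy NAT: translate the source ONLY when the destination is the partner network.
! The destination is an identity pair (PARTNER-NET to itself), so the rule matches on
! destination without changing it. With identity pairs the mapped/real order is moot.
nat (inside,outside) source dynamic INSIDE-NET-REAL PARTNER-FACING-IP destination static PARTNER-NET PARTNER-NET

! Identity NAT (NAT exemption): traffic to the site-to-site VPN peer's network must keep
! both its real source and real destination, otherwise it never matches the crypto map.
nat (inside,outside) source static INSIDE-NET-REAL INSIDE-NET-REAL destination static REMOTE-VPN-NET REMOTE-VPN-NET no-proxy-arp route-lookup
```

Because Manual NAT rules (Section 1 of `show nat`) are evaluated before Auto NAT rules (Section 2) in the order they were entered, verify with `show nat` and `packet-tracer` that a broad Manual NAT line does not shadow the intended Auto NAT translation.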