!! NAT order: nat 0 -> Statics -> globals + nats (version 6 - 8.2)
!! nat-control - When enabled, NAT is required from low to high security level

!! NONAT - Pix 6 - 8.2
access-list nonat permit ip 192.168.0.0 255.255.0.0 172.16.0.0 255.255.0.0
nat (inside) 0 access-list nonat

!! NONAT - Pix 8.3+
!! For each encryption network, create a "nat" statement like the one below
object network Local_LAN
  subnet 192.168.0.0 255.255.0.0
object network Remote_LAN
  subnet 172.16.0.0 255.255.0.0
nat (inside,outside) source static Local_LAN Local_LAN destination static Remote_LAN Remote_LAN

!! Dynamic NAT - Pix 8.3+
object network HideNATRange
  range 2.2.2.1 2.2.2.10
object network Local_LAN
  subnet 192.168.0.0 255.255.255.0
  nat (inside,outside) dynamic HideNATRange

!! Hide NAT (Dynamic PAT) - Pix 6 - 8.2
nat (inside) 1 192.168.0.0 255.255.0.0
global (outside) 1 interface

!! Hide NAT (Dynamic PAT) - Pix 8.3+
object network Local_LAN
  subnet 192.168.0.0 255.255.0.0
  nat (inside,outside) dynamic interface

!! Hide NAT Alternative - Pix 8.3+
object network inside-ANY
  subnet 0.0.0.0 0.0.0.0
  nat (inside,outside) dynamic outside

!! Static NAT - Pix 6 - 8.2
static (inside,outside) 2.2.2.2 192.168.0.1 netmask 255.255.255.255
access-list outside permit ip any host 2.2.2.2

!! Static NAT - Pix 8.3+
object network 192.168.0.1
  host 192.168.0.1
  nat (inside,outside) static 2.2.2.2
access-list outside permit ip any host 192.168.0.1

!! Static NAT with Port Translation - Pix 6 - 8.2
static (inside,outside) tcp interface 8080 192.168.0.1 80 netmask 255.255.255.255

!! Static NAT with Port Translation - Pix 8.3+ (ACL should reflect real ip and real port)
object network http-server
  host 192.168.0.1
  nat (inside,outside) static interface service tcp 80 8080
access-list outside permit tcp any host 192.168.0.1 eq 80

Notes:

  • Regarding 8.3+ NATs: Auto NAT
      • Specified within the object
      • Cannot specify NAT conditions based on source and destination together

  • Regarding 8.3+ NATs: Manual NAT
      • Specified outside the object
      • Allows translating the source and destination based on the source/destination pair (i.e. the equivalent of an ACL-based NAT with nat/global on pre-8.3)
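
The Static NAT sections above differ in more than syntax: pre-8.3 ACLs match the mapped address and port, while 8.3+ ACLs match the real ones. The sketch below is an added example, not part of the original page. It converts host statics and their ACL entries accordingly; the `obj-<ip>` object names and the sample input are constructed for illustration, and only /32 statics are handled.

```python
import re

# Pre-8.3 host static: static (real_if,mapped_if) [tcp|udp] MAPPED [mport] REAL [rport] netmask /32
STATIC_RE = re.compile(
    r"static \((\w+),(\w+)\) (?:(tcp|udp) )?(\S+) (?:(\d+) )?"
    r"(\d+\.\d+\.\d+\.\d+)(?: (\d+))? netmask 255\.255\.255\.255$")

def convert(old_config):
    """Translate host statics and their ACL entries to 8.3+ syntax (returns a list of lines)."""
    lines = [l.strip() for l in old_config.splitlines() if l.strip()]
    statics = [m.groups() for m in map(STATIC_RE.match, lines) if m]
    out = []
    for rif, mif, proto, mapped, mport, real, rport in statics:
        # Object naming (obj-<real>...) is a convention chosen for this example.
        name = f"obj-{real}" + (f"-{proto}{rport}" if proto else "")
        svc = f" service {proto} {rport} {mport}" if proto else ""  # real port, then mapped port
        out += [f"object network {name}", f"  host {real}",
                f"  nat ({rif},{mif}) static {mapped}{svc}"]
    for line in lines:
        if not line.startswith("access-list "):
            continue
        for rif, mif, proto, mapped, mport, real, rport in statics:
            dst = f"interface {mif}" if mapped == "interface" else f"host {mapped}"
            if proto:  # port static: rewrite mapped address AND mapped port
                old, new = f"{dst} eq {mport}", f"host {real} eq {rport}"
            else:      # plain static: rewrite the mapped address only
                old, new = dst, f"host {real}"
            line, hits = re.subn(rf"(?<!\S){re.escape(old)}(?!\S)", new, line)
            if hits:
                break
        out.append(line)
    return out

# Constructed sample input using the page's addresses (second host is hypothetical).
OLD = """
static (inside,outside) 2.2.2.2 192.168.0.1 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.0.2 80 netmask 255.255.255.255
access-list outside permit ip any host 2.2.2.2
access-list outside permit tcp any interface outside eq 8080
"""

if __name__ == "__main__":
    print("\n".join(convert(OLD)))
```

An ACL entry that still names a mapped address after an 8.3+ upgrade no longer matches the published host, so review converted rules before deployment.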
