Dynamic NAT (on ASA)

Prerequisite – Adaptive security appliance (ASA), Network address translation (NAT), Static NAT (on ASA)
Network Address Translation is used for translation of private IP addresses into Public IP address while accessing the internet .NAT generally operates on router or firewall.

Dynamic NAT –
In this type of NAT, multiple private IP address are mapped to a pool of public IP address . It is used when we know the number of fixed users who wants to access the Internet at a given point of time.

Example: If we have 4 public IP address in a pool then at a time, only 4 users private IP address gets translated into public address.
The private IP who have a request for the translation first will get translated first (like First Come First Serve).If all the IP addresses in the pool are busy and a request for translation is recieved then the packets will be dropped.

Procedure (on ASA) – The Procedure is same as static NAT:

  • Step-1: Configure the access-list –
    Build the access-list stating the permit condition i.e who should be permit and what protocol should be permit.

  • Step-2: Apply the access-list to an interface –
    The access-group command will be used to state the direction (out or in) in which the action (specified above) should be taken place.

  • Step-3: Create network object –
    This will state the host or subnet on which Dynamic NAT will be applied.

    Note that here 2 objects are created. One will specify the hosts or subnet (private IP address) on which NAT should be applied and other will the pool of public IP address.

  • Step-4: Create Dynamic NAT statement –
    This step will specify the direction in which NAT should takes place and on what IP address (Public IP address) the private IP address should be translated.

For example NAT (DMZ, OUTSIDE), Dynamic Private_hosts Public_pool: This states that the Dynamic NAT operation will take place when the traffic is going from DMZ to OUTSIDE and will translate the IP address (specified in the network object Private_hosts) to the available IP address of Pool (Public_pool).

Example –

Three routers namely Router1 (IP address –, Router2 (IP address – and Router3 (IP address – are connected to ASA (IP address-, name – INSIDE and security level – 100 on Gi0/0, IP address –, name – DMZ and security level – 50 on Gi0/1, IP address –, name-OUTSIDE and security level – 0 on Gi0/2) as shown in the above figure.

In this task, we will enable Dynamic NAT for the traffic generating from INSIDE to OUTSIDE and for the traffic going from DMZ to OUTSIDE.
Configuring IP addresses on all routers and ASA.
Configure IP address on Router1.

Router1(config)#int fa0/0
Router1(config-if)#ip address
Router1(config-if)#no shut 

Configuring IP address on Router2.

Router2(config)#int fa0/0
Router2(config-if)#ip address
Router2(config-if)#no shut 

Configuring IP address on Router3.

Router3(config)#int fa0/0
Router3(config-if)#ip address
Router3(config-if)#no shut 

Configuring IP address, name and security level on the interface of ASA.

asa(config)#int Gi0/0
asa(config-if)#no shut
asa(config-if)#ip address
asa(config-if)#nameif INSIDE 
asa(config-if)#security level 100
asa(config)#int Gi0/1
asa(config-if)#no shut
asa(config-if)#ip address
asa(config-if)#nameif DMZ
asa(config-if)#security level 50
asa(config)#int Gi0/2
asa(config-if)#no shut
asa(config-if)#ip address
asa(config-if)#nameif OUTSIDE
asa(config-if)#security level 0

Now giving static routes to the routers.Configuring static route to Router1.

Router1(config)#ip route 

Configuring static route to Router2.

Router2(config)#ip route 

Configuring static route to Router3.

Router3(config)#ip route 

Now, at last configuring static route to ASA.

asa(config)#route INSIDE
asa(config)#route OUTSIDE
asa(config)#route DMZ

Now, for ICMP, either we have to inspect or we have to use ACL to allow the ICMP echo reply from the lower security level to higher security level (This is to be done because by default, no traffic is allowed from lower security level to higher security level).

Configuring access-list:

asa(config)#access-list traffic_out permit icmp any any 
asa(config)#access-list traffic_dmz permit icmp any any 

Here, two access-list has been made:

  1. First access-list name is traffic_out which will allow ICMP traffic from OUTSIDE to INSIDE (having any IP address any mask).
  2. Second access-list has been made named as traffic_dmz which will allow ICMP traffic from OUTSIDE to DMZ (having any IP address any mask).

Now, we have to apply these access-list to the ASA interfaces:

asa(config)#access-group traffic_out in interface OUTSIDE 
asa(config)#access-group traffic_dmz in interface DMZ

First statement states that the access-list traffic_out is applied in the inwards direction to the OUTSIDE interface
Second statement states that the access-list traffic_dmz is applied in the inwards direction to the DMZ interface.
Now, INSIDE devices will be able to ping OUTSIDE and DMZ devices.
Now, the task is to enable Dynamic NAT on ASA whenever the whole subnet ( traffic goes out from INSIDE to OUTSIDE and traffic of network ( from DMZ to OUTSIDE.

asa(config)#object network inside_nat

First, we have specified that which subnet should get translated.

asa(config)#object network NAT_pool

Now, NAT pool has been made which contains public IP address (into which private IP address get translated). Now, direction of NAT translation will be specified.

asa(config)#nat (INSIDE, OUTSIDE) source dynamic inside_nat NAT_pool

Now, applying NAT for traffic going out from DMZ to OUTSIDE.

asa(config)#object network dmz_nat

Now, Creating NAT pool for this traffic.

asa(config)#object network dmz_nat_pool

The pool dmz_nat_pool contains 4 public IP address ranging from ( to Now, the direction for NAT translation is specified.

asa(config)#nat (DMZ, OUTSIDE) source dynamic dmz_nat dmz_nat_pool 

The above command specifies that the subnet in dmz_nat should get translated into one of the IP address of the pool dmz_nat_pool using dynamic NAT.

Attention reader! Don’t stop learning now. Get hold of all the important DSA concepts with the DSA Self Paced Course at a student-friendly price and become industry ready.

My Personal Notes arrow_drop_up

Check out this Author's contributed articles.

If you like GeeksforGeeks and would like to contribute, you can also write an article using contribute.geeksforgeeks.org or mail your article to contribute@geeksforgeeks.org. See your article appearing on the GeeksforGeeks main page and help other Geeks.

Please Improve this article if you find anything incorrect by clicking on the "Improve Article" button below.

Article Tags :
Practice Tags :

Be the First to upvote.

Please write to us at contribute@geeksforgeeks.org to report any issue with the above content.