Skip to content
Related Articles
Open in App
Not now

Related Articles

Port Address Translation (PAT) on Adaptive Security Appliance (ASA)

Improve Article
Save Article
Like Article
  • Last Updated : 24 Nov, 2022
Improve Article
Save Article
Like Article

Port Address Translation (PAT) is a type of Network address translation (NAT) used when there is a shortage of public IP addresses .One of the public IP address of the same subnet or the interface address is used for translation. Port Address Translation (PAT): This is also known as NAT overload. In this, many local (private) IP addresses get translated to single public IP address .Sometimes, the private addresses are translated into the interface address (single). In this, Port numbers are used to distinguish the traffic i.e which traffic belongs to which IP address. Procedure: The procedure is almost same as done in Dynamic NAT but remember in PAT, more than one Private IP address is translated into a single public IP address.

  • Step-1: Configure the access-list Build the access-list stating the permit condition i.e who should be permit and what protocol should be permit.
  • Step-2: Apply the access-list to an interface The access-group command will be used to state the direction (out or in) in which the action (specified above) should be taken place.
  • Step-3: Create network group or network object Network group will state the subnet or different subnets on which PAT will be applied. While the network object states a single subnet which can be further used in the PAT process for translation. It can be said that network group contains more than one network object.
  • Step-4: PAT statement This step will specify the direction in which PAT should takes place and on what IP address (Public IP address) the private IP address should be translated.

Configuration: Three routers namely Router1 (IP address –, Router2 (IP address – and Router3 (IP address – are connected to ASA (IP address-, name – INSIDE and security level – 100 on Gi0/0, IP address –, name – DMZ and security level – 50 on Gi0/1, IP address –, name-OUTSIDE and security level – 0 on Gi0/2) as shown in the above figure. In this task, we will enable PAT for the traffic generating from INSIDE to OUTSIDE and for the traffic going from DMZ to OUTSIDE. Configuring IP addresses on all routers and ASA. Configure IP address on Router1:

Router1(config)#int fa0/0
Router1(config-if)#ip address
Router1(config-if)#no shut 

Configuring IP address on Router2:

Router2(config)#int fa0/0
Router2(config-if)#ip address
Router2(config-if)#no shut 

Configuring IP address on Router3:

Router3(config)#int fa0/0
Router3(config-if)#ip address
Router3(config-if)#no shut 

Configuring IP address, name and security level on the interface of ASA:

asa(config)#int Gi0/0
asa(config-if)#no shut
asa(config-if)#ip address
asa(config-if)#nameif INSIDE 
asa(config-if)#security level 100
asa(config)#int Gi0/1
asa(config-if)#no shut
asa(config-if)#ip address
asa(config-if)#nameif DMZ
asa(config-if)#security level 50
asa(config)#int Gi0/2
asa(config-if)#no shut
asa(config-if)#ip address
asa(config-if)#nameif OUTSIDE
asa(config-if)#security level 0

Now giving static routes to the routers. Configuring static route to Router1:

Router1(config)#ip route 

Configuring static route to Router2:

Router2(config)#ip route 

Configuring static route to Router3:

Router3(config)#ip route 

At last configuring static route to ASA:

asa(config)#route INSIDE
asa(config)#route OUTSIDE
asa(config)#route DMZ

For ICMP, either inspect or use ACL to allow the ICMP echo reply from the lower security level to higher security level (This is to be done because by default, no traffic is allowed from lower security level to higher security level). Configuring access-list:

asa(config)#access-list traffic_out permit icmp any any 
asa(config)#access-list traffic_dmz permit icmp any any 

Here, two access-list has been made. First access-list name is traffic_out which will allow ICMP traffic from OUTSIDE to INSIDE (having any IP address any mask). Second access-list has been made named as traffic_dmz which will allow ICMP traffic from OUTSIDE to DMZ (having any IP address any mask) . Apply these access-list to the ASA interfaces:

asa(config)#access-group traffic_out in interface OUTSIDE 
asa(config)#access-group traffic_dmz in interface DMZ

First statement states that the access-list traffic_out is applied in the inwards direction to the OUTSIDE interface Second statement states that the access-list traffic_dmz is applied in the inwards direction to the DMZ interface. INSIDE devices will be able to ping OUTSIDE and DMZ devices. The task is to enable PAT on ASA whenever the whole subnet ( traffic goes out from INSIDE to OUTSIDE and traffic of network ( from DMZ to OUTSIDE, it should get translated into OUTSIDE interface address.

asa(config)#object network inside_nat

First, specify that which subnet should get translated. Direction of NAT translation will be specified:

asa(config)#nat (INSIDE, OUTSIDE) source dynamic INSIDE interface

Applying NAT for traffic going out from DMZ to OUTSIDE:

asa(config)#object network dmz_nat

Creating NAT pool for this traffic:

asa(config)#object network dmz_nat_pool

Direction for nat translation is specified.

asa(config)#nat (DMZ, OUTSIDE) source dynamic DMZ interface 

The above command specifies that the subnet in dmz_nat should get translated into the IP address of the DMZ interface using PAT. By this, the process of configuring PAT is almost similar to dynamic NAT. The main difference is that to configure the outside interface IP address instead of a NAT pool from which one of the IP address will get translated. Advantages: This is most frequently used as it is cost effective as thousands of users can be connected to the Internet by using only one real global (public) IP address.

My Personal Notes arrow_drop_up
Like Article
Save Article
Related Articles

Start Your Coding Journey Now!