Different NAT Types

There are three types of NAT on the ASA which have different processing orders and functions.  To understand the different ASA NAT types, we should first go over the the different types of NAT in general.

General Types of NAT

  • Static NAT—A consistent mapping between a real and mapped IP address. Allows bidirectional traffic initiation.
  • Dynamic NAT—Maps a group of IP addresses to another group of IP addresses (possibly smaller). This is done based on which ever IP initiates traffic first. Only the ‘real’ hosts can initiate traffic.
  • Dynamic Port Address Translation (PAT)—Maps a group of IP addresses to a single IP address with a unique source port of that IP address. Only the ‘real’ hosts can initiate traffic.
  • Identity NAT—Lets you translate a real address to itself, essentially bypassing NAT. You might want to configure NAT this way when you want to translate a large group of addresses, but then want to exempt a smaller subset of addresses.
  • Twice NAT—A NAT which can perform all the functions of the other NATs but NATs both the Source and Destination IP addresses. Sometimes called Selective NAT if you NAT the Source but NAT the Destination to itself. Selective NAT is useful when you need to NAT the Source to a different Mapped Address based on Destination.


  • Manual NAT—A NAT on the ASA to perform all of the NAT types mentioned above. Manual NATs are processed first and executed on the ASA in the order in which they are configured. These are often used in conjunction with VPNs as Identity NATs to exclude VPN traffic from being NAT’d
  • Auto NAT—Auto NAT can be used as any NAT type above except for Twice NAT or Selective NAT since the Destination IP address can not be specified. These are generally used for Static NATs and are processed after Manual NATs. These do not necessarily perform in their configured order on the ASA, but rather, perform in Alphabetical order. This can be troublesome if you plan on performing PATs within Auto Nats. You can see the processing order of Auto NATs if you do a ‘show xlate’ on the ASA.
  • After Auto Nat—After Auto NATs are processed last but are written and performed similar to Manual NATs. These can have both Source and Destination IP Address but this type of NAT is generally used for PATs.


Not every scenario will be covered, nor every possible type of NAT, but NAT is a powerful tool on the ASA if one understands the way it functions. You can do something as simple as allowing a LAN out to the Internet by using a PAT or do something more complicated. For example, allow your Local LAN to communicate to many Remote LANs (VPNs for example) which have the exact same Local LAN as the Local environment. With NAT, we can fully control everything on the ASA without requesting the Remote side to make complicated NAT changes on their end or requesting that someone play rock paper scissors on who gets to re-IP their networks.

Manual Nat(Source only):

Here, we will use Manual NAT as a Static NAT. We will NAT our local internal IP to the External IP of

object network Web1-

object network Web1-External-

     nat (inside,outside) source static Web1- Web1-External-

With Manual NATs, the IPs are referenced using objects or object-groups. You are not able to just type the IP addresses with these types of NATs so we need an object for every IP or IP network.

Notice the coloring of the text as this will help you identify which IP is for which segment. If the IP comes into the inside segment and its traffic is destined for the outside segment, then it will NAT as The same is true in the reverse if traffic is destined for the on the outside interface. Note that the first segment in the (), in this case is the inside segment, is the sourcing interface. The next interface, in this case outside, is used as the destination so this will NAT anything Destined for  to the in the inside segment.

Manual NAT(Source and Destination):

Manual NAT is best used when you need to NAT your traffic differently for a specific Destination. In this example, I will be doing Selective NAT (Twice NAT). We want to NAT to only when our destination is To do this, we will reuse our NAT from earlier but add a destination.

object network Web1-

object network Web1-External-

object network Destination-

     nat (inside,outside) source static Web1- Web1-External- destination static Destination- Destination-

Notice that I have colored the Destination both light blue and blueThis is because of how this NAT functions and which IP in the NAT talks to which IP. In this case, the inside address is using the first object (IP) referenced in the Destination portion of the NAT. The same is true for the outside portion of the NAT which talks to the second object (IP) referenced in the Destination. Always understand this order as it helps if we need to do a full Twice NAT where we map our Destination as a different IP.

Let’c complicate the same NAT a bit and NAT our Destination to a different remote host. We will state that when our address is destined to that we want to map this to googles DNS Server

object network Google-

     nat (inside,outside) source static Web1- Web1-External- destination static Destination- Google-

With this addition to our NAT, when our is destined for, it will NAT to At the same time, it will NAT to using this type of NAT, will see our Web1 Server as but our Web1 Server sourcing as will think it is talking to

Auto NAT:

Auto NAT is simpler to configure then Manual NAT and is mainly used for static NATs. We can perform PATs and other NAT types with Auto NAT but I would recommend that Auto NAT is only used for static NATs. As I stated before, these are processed in alphabetical order so if you try to make more specific port forwarding NATs etc with these, you may not get the outcome you want if you name your objects in the wrong alphabetical order.

Lets configure the same Static NAT we did earlier but with Auto NAT.

object network Web1-
     nat (inside,outside) static

You will notice it took less configuration to get the same desired outcome for the Static NAT. This NAT is configured within your object that you specify your host or subnet that you wish to be NAT’d. I will only cover Static NAT for Auto NAT as this is really the only time we should use Auto NAT.

After-Auto NAT:

After Auto NAT is the last NAT to be processed on the ASA. Since this is the last NAT to be processed, these are generally used as a catch all PAT type of NAT. Lets configure a PAT where we take our entire Subnet and NAT (PAT) it to

object network Inside-Subnet
object network Default-PAT-Outbound

     nat (inside,outside) after-auto source dynamic Inside-Subnet Default-PAT-Outbound

Notice that this NAT looks a lot like the Manual NAT we did earlier except now we see the after-auto keyword. This is what makes a Manual NAT into an After-Auto NAT. I also changed the keyword static to dynamic which is what makes a NAT act as a PAT on the ASA. As with Auto-NAT, I will only cover PATs with After-Auto NATs as this is really the only time these should be used. Try to keep all of your more complicated NATs within Manual NATs since those are processed first and processed in configured order.

If you would like to know more or see more articles on NAT please let me know. You can contact me and I will do what I can to help.


karthikeyan boopathy · December 19, 2017 at 2:25 pm

thank you so much thinknetsec group. This article is the best when it comes to understanding nat.

    John Finnegan · January 4, 2018 at 1:53 pm

    You are very welcome! I apologize for not responding right away. This was a project I started and got pulled away from for a while. I want to start writing more articles so if you have anything in mind that you would like more information on please let me know. I will do my best to provide content that everyone is interested in so that we can all learn together.

Victor Alvarado · April 15, 2018 at 4:46 pm

Please could send topology

    John Finnegan · April 15, 2018 at 4:54 pm

    Are you asking for me to send a Topology or are you asking if you could send me a Topology?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Close Bitnami banner
Close Bitnami banner