Here I’ve listed all the different types of Cisco ASA NAT configuration, each shown in both the old syntax (before version 8.3) and the new syntax (version 8.3 and later):

Type 1 : Static NAT

Statically translate DMZ-SERVER-PRIVATE (172.16.1.10) to DMZ-SERVER-PUBLIC (200.1.1.1)

Diagram 1

Old:
static (DMZ,OUTSIDE) 200.1.1.1 172.16.1.10 netmask 255.255.255.255

New:
object network DMZ-SERVER-PUBLIC
host 200.1.1.1
!
object network DMZ-SERVER-PRIVATE
host 172.16.1.10
nat (DMZ,OUTSIDE) static DMZ-SERVER-PUBLIC

 

Type 2 : Static PAT

Statically translate DMZ-SERVER-PRIVATE (172.16.1.10:8443) to DMZ-SERVER-PUBLIC (200.1.1.1:443)

Diagram 2

Old:
static (DMZ,OUTSIDE) tcp 200.1.1.1 443 172.16.1.10 8443 netmask 255.255.255.255

New:
object network DMZ-SERVER-PUBLIC
host 200.1.1.1
!
object network DMZ-SERVER-PRIVATE
host 172.16.1.10
nat (DMZ,OUTSIDE) static DMZ-SERVER-PUBLIC service tcp 8443 443
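
The argument order is the easy thing to get wrong when migrating Types 1 and 2: the old static command lists the mapped address and port first, while the new service keyword lists the real port first. The following converter is an added example, not part of the original post; the function name convert_static and its default object names are hypothetical, and it only handles host (/32) statics with literal IPv4 addresses.

```python
import ipaddress
import re

# Pre-8.3 form (mapped side first, then real side):
#   static (real_ifc,mapped_ifc) [tcp|udp] mapped_ip [mapped_port]
#          real_ip [real_port] netmask mask
OLD_STATIC = re.compile(
    r"^static\s*\((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\)\s+"
    r"(?:(?P<proto>tcp|udp)\s+(?P<mapped_ip>\S+)\s+(?P<mapped_port>\S+)\s+"
    r"(?P<real_ip>\S+)\s+(?P<real_port>\S+)"
    r"|(?P<mapped_ip2>\S+)\s+(?P<real_ip2>\S+))"
    r"\s+netmask\s+(?P<mask>\S+)$"
)


def convert_static(line, real_name="REAL-HOST", mapped_name="MAPPED-HOST"):
    """Return the 8.3+ object NAT lines for one pre-8.3 host static."""
    m = OLD_STATIC.match(line.strip())
    if not m:
        raise ValueError(f"not a pre-8.3 static command: {line!r}")
    if m["mask"] != "255.255.255.255":
        raise ValueError("only host (/32) statics are handled here")
    # IPv4Address() rejects anything that is not a literal address.
    mapped = ipaddress.IPv4Address(m["mapped_ip"] or m["mapped_ip2"])
    real = ipaddress.IPv4Address(m["real_ip"] or m["real_ip2"])
    nat = f"nat ({m['real_if']},{m['mapped_if']}) static {mapped_name}"
    if m["proto"]:
        # Old order: mapped port, then real port. The 8.3+ "service"
        # keyword takes the real port first, then the mapped port.
        nat += f" service {m['proto']} {m['real_port']} {m['mapped_port']}"
    return [
        f"object network {mapped_name}", f"host {mapped}", "!",
        f"object network {real_name}", f"host {real}", nat,
    ]


if __name__ == "__main__":
    # The Type 1 and Type 2 "Old" commands from this page.
    for old in (
        "static (DMZ,OUTSIDE) 200.1.1.1 172.16.1.10 netmask 255.255.255.255",
        "static (DMZ,OUTSIDE) tcp 200.1.1.1 443 172.16.1.10 8443 "
        "netmask 255.255.255.255",
    ):
        print("\n".join(convert_static(
            old, "DMZ-SERVER-PRIVATE", "DMZ-SERVER-PUBLIC")), end="\n\n")
```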

 

Type 3 : Dynamic NAT

Dynamically translate a range of addresses, INTERNAL-LAN (10.1.1.0/24), to another range of addresses, OUTSIDE-WAN (200.1.1.1 – 200.1.1.100 / 24)

Diagram 3

Old:
nat (INSIDE) 1 10.1.1.0 255.255.255.0
global (OUTSIDE) 1 200.1.1.1-200.1.1.100 netmask 255.255.255.0

New:
object network OUTSIDE-WAN
range 200.1.1.1 200.1.1.100
!
object network INTERNAL-LAN
subnet 10.1.1.0 255.255.255.0
nat (INSIDE,OUTSIDE) dynamic OUTSIDE-WAN

 

Type 4 : Dynamic PAT

Dynamically translate a range of addresses, INTERNAL-LAN (10.1.1.0/24), to a single IP address, OUTSIDE-WAN (200.1.1.1/32)

Diagram 4

Old:
nat (INSIDE) 1 10.1.1.0 255.255.255.0
global (OUTSIDE) 1 200.1.1.1

New:
object network OUTSIDE-WAN
host 200.1.1.1
!
object network INTERNAL-LAN
subnet 10.1.1.0 255.255.255.0
nat (INSIDE,OUTSIDE) dynamic OUTSIDE-WAN

You could even do this without defining the object, OUTSIDE-WAN, as follows:

object network INTERNAL-LAN
subnet 10.1.1.0 255.255.255.0
nat (INSIDE,OUTSIDE) dynamic 200.1.1.1

 

Type 5 : Dynamic NAT with PAT

Dynamically translate a range of addresses, INTERNAL-LAN (10.1.1.0/24), to another range of IP addresses, OUTSIDE-WAN (200.1.1.1 – 200.1.1.100 / 24), and then fall back to the interface IP address (65.10.20.50 / 24)

Diagram 5

Old:
nat (INSIDE) 1 10.1.1.0 255.255.255.0
global (OUTSIDE) 1 200.1.1.1-200.1.1.100 netmask 255.255.255.0
global (OUTSIDE) 1 interface

New:
object network OUTSIDE-WAN
  range 200.1.1.1 200.1.1.100
!
object network INTERNAL-LAN
  subnet 10.1.1.0 255.255.255.0
  nat (INSIDE,OUTSIDE) dynamic OUTSIDE-WAN interface

 

Another example: Dynamically translate a range of addresses, INTERNAL-LAN (10.1.1.0/24), to two different ranges of IP addresses, OUTSIDE-WAN-1 (200.1.1.10 – 200.1.1.20 / 24) and OUTSIDE-WAN-2 (200.1.1.40 – 200.1.1.50), and then fall back to the interface IP address (65.10.20.50 / 24)

Diagram 6

Old:
nat (INSIDE) 1 10.1.1.0 255.255.255.0
global (OUTSIDE) 1 200.1.1.10-200.1.1.20 netmask 255.255.255.0
global (OUTSIDE) 1 200.1.1.40-200.1.1.50 netmask 255.255.255.0
global (OUTSIDE) 1 interface

New:
object network OUTSIDE-WAN-1
  range 200.1.1.10 200.1.1.20
!
object network OUTSIDE-WAN-2
  range 200.1.1.40 200.1.1.50
!
object-group network OUTSIDE-WAN-NAT-GROUP
  network-object object OUTSIDE-WAN-1
  network-object object OUTSIDE-WAN-2
!
object network INTERNAL-LAN
  subnet 10.1.1.0 255.255.255.0
  nat (INSIDE,OUTSIDE) dynamic OUTSIDE-WAN-NAT-GROUP interface

 

Type 6 : NAT Exemption

Exempt (do not translate) traffic from INTERNAL-LAN (10.1.1.0/24) when it accesses DMZ-SERVERS (172.16.1.0/28)

Diagram 7

Old:
access-list NO-NAT extended permit ip 10.1.1.0 255.255.255.0 172.16.1.0 255.255.255.240
nat (INSIDE) 0 access-list NO-NAT

New:
object network INTERNAL-LAN
  subnet 10.1.1.0 255.255.255.0
!
object network DMZ-SERVERS
  subnet 172.16.1.0 255.255.255.240
!
nat (INSIDE,DMZ) source static INTERNAL-LAN INTERNAL-LAN destination static DMZ-SERVERS DMZ-SERVERS