Cisco ASA 5500 – Performing NAT for Two (or More) internal IP’s to a Spare Public IP

KB ID 0001057 


I was in the PIX/ASA area at EE last night, and a poster asked if they could perform NAT on a couple of internal IP addresses to a spare public IP that they had. I had done this for a client some time last year when I performed and upgrade from 8.2. Anyone who has ever done a large upgrade on an ASA to the ‘new’ NAT system, will appreciate this is usually the area where the upgrade has a problem. So at the time ran through all the NAT/PAT rules on their firewall and worked out how to do the same with the new NAT code. That way if the upgrade failed I’d have all the new NAT rules per-written, (time spent on reconnaissance is seldom wasted!) Anyway when this question was asked I could not find the config I’d written so I ran up GNS3 and tested it.

ASA Two to one NAT


In the example (above), I’m going to PAT both the internal servers to a public IP address of The firewall already translates all other outgoing traffic to its external IP of Note: I’m just translating two internal IP addresses, but you can translate as many internal hosts to this rule as you like.

1. Create a ‘group’ for your internal IP addresses;

Petes-ASA(config)# object-group network Obj-Source-Addresses Petes-ASA(config-network-object-group)# network-object host Petes-ASA(config-network-object-group)# network-object host

2. Create an ‘object’ for the spare public IP address;

Petes-ASA(config-network-object-group)# object network Obj-Public-NAT Petes-ASA(config-network-object)# host

3. Finally tie the two together with a NAT rule (that PAT’s the internal IP addresses to the spare public IP address). Remember this is a PAT not a NAT, hence the reason I use the ‘dynamic’ keyword below, and I don’t use ‘static’ as I would have done for a one-to-one NAT.

Note: The reason there’s a number ‘1’ in the command, is to put it at the top of the NAT processing order, so this rule will ‘fire’ before the global PAT rule I already have on the firewall.

Petes-ASA(config-network-object)# nat (inside,outside) 1 source dynamic Obj-Source-Addresses Obj-Public-NAT

4. At this point your internal servers may already have some NAT/PAT information cached on the firewall, before we test it let’s clear that out;

Petes-ASA(config)# clear xlate

5. Now give it a test, you can check your public IP with the tool at the top of our ‘index page’, press the button that says ‘What’s is my IP‘. Once you are happy everything is working, save the changes on the firewall with a ‘write mem‘ command.

Related Articles, References, Credits, or External Links


Author: Migrated

Share This Post On