Thursday, December 27, 2012

NAT on ASA 8.4 - Dynamic NAT

In the previous post, I talked about how to configure static NAT on ASA 8.4 for publishing an inside server so it can be reached from the Internet. In this post, I'll show you how to configure NAT for the case where you allow users in the LAN to access the Internet. I assume you have a range of public IP addresses. This type of NAT is called Dynamic NAT.

In detail:
- Internal subnet: 192.168.1.0/24
- Public address range: 113.22.14.20 - 113.22.14.30
- Security levels:
   + inside: 100
   + dmz: 50
   + outside: 0

Scenario:

The INSIDE host will serve as an internal host with IP address 192.168.1.2/24.

Step 1: Define network objects, one for the LAN and one for the public IP addresses.
ASA84(config)# show run object
object network PUBLIC-RANGE
 range 113.22.14.20 113.22.14.30
object network LAN-RANGE
 subnet 192.168.1.0 255.255.255.0
ASA84(config)#
Step 2: Create the NAT rule on the LAN-RANGE object, using the dynamic keyword.
ASA84(config)# show run nat
!
object network LAN-RANGE
 nat (inside,outside) dynamic PUBLIC-RANGE

Here, PUBLIC-RANGE is the predefined object that supplies the mapped (translated) addresses for LAN-RANGE.

Step 3: Create an access list and apply it to the relevant interface.
ASA84(config)# show run access-list
access-list ALLOW-LAN-INTERNET extended permit tcp object LAN-RANGE any
access-list ALLOW-LAN-INTERNET extended deny tcp any any log
ASA84(config)#
Test connections from the INSIDE host.

As you can see, the host in the inside zone is translated to 113.22.14.27, an address in the configured range.
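As an added check (not part of the original post), here is a small Python audit that parses the three show run fragments above and flags two things the ASA accepts without complaint: an access-list that has no access-group binding (show run access-list does not display the binding; show run access-group does) and a dynamic NAT pool smaller than the real group without the interface PAT fallback, in which case only as many inside hosts as there are pool addresses can be translated at the same time. The sample configuration is constructed from the post's output.

```python
import ipaddress

# Constructed sample: the post's "show run object", "show run nat" and
# "show run access-list" output pasted together; like the post, it shows no access-group.
ASA_CONFIG = """\
object network PUBLIC-RANGE
 range 113.22.14.20 113.22.14.30
object network LAN-RANGE
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic PUBLIC-RANGE
access-list ALLOW-LAN-INTERNET extended permit tcp object LAN-RANGE any
access-list ALLOW-LAN-INTERNET extended deny tcp any any log
"""

def parse(cfg):
    """Return object sizes, dynamic NAT rules, ACL names and ACL names bound via access-group."""
    objects, nat_rules, acls, applied, cur = {}, [], set(), set(), None
    for line in filter(str.strip, cfg.splitlines()):
        parts = line.split()
        if parts[:2] == ["object", "network"]:
            cur = parts[2]
            objects[cur] = 0
        elif line.startswith(" ") and cur:          # body of the current object
            if parts[0] == "range":
                lo, hi = (int(ipaddress.ip_address(p)) for p in parts[1:3])
                objects[cur] = hi - lo + 1
            elif parts[0] == "subnet":
                objects[cur] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}").num_addresses - 2
            elif parts[0] == "nat" and "dynamic" in parts:   # nat (in,out) dynamic POOL [interface]
                nat_rules.append((cur, parts[parts.index("dynamic") + 1], "interface" in parts))
        else:
            cur = None
            if parts[0] == "access-list":
                acls.add(parts[1])
            elif parts[0] == "access-group":
                applied.add(parts[1])
    return objects, nat_rules, acls, applied

def audit(cfg):
    """Flag ACLs never bound with access-group, and dynamic NAT pools smaller than
    the real group that lack the 'interface' PAT fallback (exhaustion drops new flows)."""
    objects, nat_rules, acls, applied = parse(cfg)
    findings = [f"access-list {a} is never applied with access-group" for a in sorted(acls - applied)]
    for src, pool, fallback in nat_rules:
        hosts, addrs = objects.get(src, 0), objects.get(pool, 0)
        if not fallback and addrs < hosts:
            findings.append(f"pool {pool} ({addrs} addresses) is smaller than {src} "
                            f"({hosts} hosts) and has no PAT fallback")
    return findings
```

Run against the constructed sample it reports both findings; adding `interface` to the nat line and an access-group binding for ALLOW-LAN-INTERNET clears them.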
