Understanding NAT on Cisco Secure Firewall

Cisco Secure Firewall supports the same robust NAT (Network Address Translation) configuration options as classic ASA platforms, making it a flexible and powerful solution for modern network environments. We will walk through the NAT rule types, their behavior, and best practices when working with Cisco Secure Firewall NAT policies.

NAT Rule Types in Secure Firewall

Secure Firewall allows you to define NAT rules in three distinct sections, which correspond closely to how classic ASA NAT sections are structured:

  • NAT Rules Before
    This section is functionally equivalent to Twice NAT Section 1 on ASA. These rules are typically used for high-priority, complex translations and are often referred to as Manual NAT.
  • Auto NAT Rules
    This section matches Section 2 (Object NAT) on ASA. Object NAT is configured directly within the object definition itself and is commonly referred to as Auto NAT.
  • NAT Rules After
    This mirrors Twice NAT Section 3 on ASA and is also used for Manual NAT rules, but applied after Auto NAT rules.

Key Differences Between ASA and Secure Firewall

  • Interface References: On classic ASA, NAT rules require the use of nameif values to refer to interfaces. On Secure Firewall, you must reference Security Zones or Interface Groups instead.
  • Terminology
    • Object NAT and Auto NAT refer to the same concept: NAT defined within an object.
    • Twice NAT is synonymous with Manual NAT, where source and destination translations can be explicitly defined with greater flexibility.

NAT Rule Priority and Behavior

Manual NAT (Twice NAT) in the NAT Rules Before section takes precedence over Auto NAT: a packet is checked against those Manual NAT rules first, and an Auto NAT rule is consulted only if none of them matches, regardless of where the Auto NAT rules appear in the policy display.

Manual NAT rules can also be placed after Auto NAT in the processing order, allowing advanced configuration strategies where manual control is needed only in fallback or post-processing scenarios.

Manual NAT is the most flexible NAT model available. It enables granular control over both source and destination address translations, at the cost of slightly increased complexity. Meanwhile, Auto NAT provides a simpler, object-based approach, ideal for straightforward NAT needs, but with limited flexibility and less control over rule ordering.
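To make the ordering concrete, here is an added Python model (not code from the article or from Cisco) of how a packet is matched against the three sections; the Auto NAT sort order it uses is assumed from documented ASA behaviour, and the object names and the pool name are constructed.

```python
import ipaddress
# Added example (not from the article or Cisco): a model of the Secure
# Firewall NAT lookup order. Sections 1 and 3 are first-match in policy
# order; Section 2 (Auto NAT) is sorted automatically, assumed here from
# ASA behaviour: static before dynamic, fewer real addresses first,
# lowest real IP, then object name.

class NatRule:
    def __init__(self, section, kind, real_src, mapped_src, real_dst=None, name=""):
        self.section = section                          # 1 = Before, 2 = Auto, 3 = After
        self.kind = kind                                # "static" or "dynamic"
        self.real_src = ipaddress.ip_network(real_src)
        self.mapped_src = mapped_src                    # object, pool or "interface"
        # Only Manual NAT (Twice NAT) can also match on the destination
        self.real_dst = ipaddress.ip_network(real_dst) if real_dst else None
        self.name = name

    def matches(self, src, dst):
        if ipaddress.ip_address(src) not in self.real_src:
            return False
        return self.real_dst is None or ipaddress.ip_address(dst) in self.real_dst

def auto_nat_key(rule):
    """Section 2 sort key: static first, most specific first, lowest IP, name."""
    return (rule.kind != "static", rule.real_src.num_addresses,
            int(rule.real_src.network_address), rule.name)

def lookup_order(rules):
    """Rules in the order the firewall evaluates them."""
    before = [r for r in rules if r.section == 1]
    auto = sorted((r for r in rules if r.section == 2), key=auto_nat_key)
    after = [r for r in rules if r.section == 3]
    return before + auto + after

def first_match(rules, src, dst):
    """First rule that matches a packet's real source (and destination), or None."""
    for rule in lookup_order(rules):
        if rule.matches(src, dst):
            return rule
    return None

# The article's use cases as rules (object names constructed); note the /24
# is listed after the /8 yet is evaluated first because Auto NAT sorts it.
POLICY = [
    NatRule(2, "dynamic", "10.0.0.0/8", "pool_192.1.20.101-250", name="obj_10.0.0.0"),
    NatRule(2, "dynamic", "10.11.11.0/24", "interface", name="obj_10.11.11.0"),
    NatRule(2, "static", "192.168.1.11/32", "192.1.20.51", name="InWkst1"),
    NatRule(1, "static", "192.168.1.3/32", "192.1.20.3", real_dst="192.168.1.25/32", name="dmz_twice"),
]
```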

Configuring Dynamic NAT

Dynamic NAT (Network Address Translation) allows internal devices to access external networks—typically the internet—using a dynamically assigned public IP from a preconfigured address pool. This method is ideal when the translated IPs don’t need to remain consistent across sessions.

What is Dynamic NAT?

Dynamic NAT uses a pool of public IP addresses for outgoing traffic initiated by internal devices. These IPs are not permanently assigned; instead, they are leased temporarily. The next time a device initiates a session, it may be translated to a different IP from the pool.

Use Case

You want to allow inside users (e.g., on the 10.0.0.0/8 network) to reach the internet using a pool of public addresses, such as 192.1.20.101 – 192.1.20.250.

Configuration Steps

Follow these steps using the Secure Firewall Management Center (FMC):

Step 1: Create a NAT Policy

  • Navigate to Devices > NAT and click the New Policy button.
  • Name the NAT policy and assign it to the appropriate Secure Firewall device.
  • Click Save to create the NAT policy.

Step 2: Add a Dynamic NAT Rule

  • Inside the policy, click the Add Rule button.

  • Under NAT Rule Type, select:
    • Auto NAT Rule (this is Object NAT)
    • Type: Dynamic

  • Under the Interface Objects tab:
    • Select inside interface as the source interface.
    • Select outside interface as the destination interface.

Step 3: Configure the Translation

  • Switch to the Translation tab.
  • Under Original Source, choose the object representing your internal network (e.g., obj_10.0.0.0).
  • Under Translated Source, choose:
    • Type: Address
    • Object: 1.2.3.4 (representing your public IP pool)

This defines how internal IPs will be dynamically mapped to the pool during outbound traffic.

Step 4: Finalize and Deploy

  • Click OK to save the rule.
  • The rule will now appear under the Auto NAT Rules section.
  • It should be a one-way rule for outbound traffic from Inside to Outside.

Dynamic NAT in Cisco Secure Firewall is an effective way to provide scalable internet access for a large number of internal users without assigning a unique public IP to each device. It’s especially useful when IP persistence isn’t required and efficient address utilization is a priority.

Configuring Static NAT

Static NAT is used when you need a one-to-one mapping between a private IP address and a public IP address. Unlike Dynamic NAT, which assigns public IPs from a pool dynamically, Static NAT ensures the same internal IP always maps to the same public IP—ideal for hosting servers that need consistent external access.

Use Case

You want a device in your DMZ, such as 192.168.1.11, to be reachable from the outside using a specific public IP, such as 192.1.20.51.

Static NAT Configuration Steps

Follow these steps in Cisco Secure Firewall Management Center:

Step 1: Create the NAT Rule

  • Navigate to your existing NAT policy and click Add Rule.
  • Choose:
    • NAT Rule: Auto NAT Rule
    • Type: Static

  • Under the Interface Objects tab:
    • Select your dmz interface as the Source Interface
    • Select outside interface as the Destination Interface

Step 2: Define the Translation

  • Switch to the Translation tab.
  • Under Original Source:
    • Select the object representing the internal host (e.g., InWkst1)
  • Under Translated Source:
    • Set the translation type to Address
    • Select or create an object for the public IP address (e.g., 198.19.30.10)

This ensures the internal server always maps to the same public IP for external access.

Step 3: Save and Apply

  • Click OK to add the rule and click Save.
  • Deploy the configuration to your Secure Firewall device.

Your static NAT rule is now in effect, and external users can reach your internal host using the assigned public IP.

Static NAT in Cisco Secure Firewall is best suited for services like web servers, mail servers, or any device that must always be reachable using a known public IP. It’s easy to configure and guarantees a consistent IP translation every time.

Configuring Dynamic PAT

Dynamic PAT, often referred to as overloaded NAT, enables many internal devices to share a single public IP address by mapping different internal sessions to unique source ports. This is the most commonly used NAT configuration for general internet access.

Use Case

You want users in the Inside network (e.g., 10.11.11.0/24) to access the internet using the outside interface IP address of the Secure Firewall – this is Dynamic PAT to the interface.

Configuration Steps

Follow these steps using the Secure Firewall Management Center (FMC):

Step 1: Create a NAT Rule

  • Navigate to: Devices > NAT > NAT Policy
  • Click Add Rule
  • Choose the following:
    • NAT Rule: Auto NAT Rule
    • Type: Dynamic

Step 2: Define Interfaces

  • Under the Interface Objects tab:
    • Select the inside interface as the source interface
    • Select the outside interface as the destination interface

Step 3: Configure the Translation

  • Switch to the Translation tab.
  • For Original Source, select the internal subnet (e.g., 10.0.0.0/8)
  • For Translated Source, choose:
    • Destination Interface IP – This uses the IP address assigned to the outside interface for translation.

Step 4: Save and Deploy

  • Click OK to close the dialog box and save the policy.
  • Deploy the policy to your Secure Firewall device.

The rule will now NAT all inside traffic to the outside interface IP using different port mappings.

Dynamic PAT is the most scalable NAT configuration for outbound internet traffic. It lets hundreds or thousands of internal hosts share a single external IP, making it perfect for most enterprise internet access use cases.

Configuring Destination NAT (Twice NAT)

Twice NAT (also called Manual NAT) translates both the source and destination addresses within a single rule. This is especially useful when both sides of a connection must be NATed at the same time, for example when devices in a DMZ reach internal systems that must appear under different IPs.

Use Case

A device in the DMZ (192.168.1.3) communicates with a host it addresses as 192.168.1.25; that address is itself a NAT representation of the real address 199.1.1.1. You want both the source and destination IPs to be translated:

  • Source: 192.168.1.3 → 192.1.20.3
  • Destination: 192.168.1.25 → 199.1.1.1

Configuration Steps

Step 1: Create the Manual NAT Rule

  • Navigate to Devices > NAT > NAT Policy
  • Click Add Rule
  • Select:
    • NAT Rule: Manual NAT Rule
    • Type: Static

Step 2: Define Interfaces

  • Under the Interface Objects tab:
    • Choose the dmz interface as the Source Interface
    • Choose the outside as the Destination Interface

Step 3: Configure the Translation

  • Navigate to the Translation tab
  • Configure the following:
    • Original Packet Section:
      • Original Source: obj_192.168.1.3
      • Original Destination: obj_192.168.1.25
    • Translated Packet Section:
      • Translated Source: obj_192.1.20.3
      • Translated Destination: obj_199.1.1.1

With this rule, traffic from the DMZ host leaves with its source rewritten to the public address, and in the same pass the destination it used (192.168.1.25) is rewritten to the actual internal address (199.1.1.1).

Step 4: Save and Deploy

  • Click OK and save the policy.
  • Deploy your configuration to the target Secure Firewall device

Manual NAT (Twice NAT) gives you the highest degree of NAT control on Cisco Secure Firewall. It’s ideal when both source and destination need to be rewritten—something that Object NAT and Dynamic PAT can’t do in one rule.

Configuring NAT64

NAT64 enables communication between IPv6-only clients and IPv4-only servers by translating IPv6 packet headers into IPv4 format and vice versa. On Cisco Secure Firewall, NAT64 is configured using a Manual NAT Rule with type Dynamic, allowing you to define both IPv6 and IPv4 address mappings.

Use Case

You want to allow an IPv6-only host (e.g., 2001:172:16:32::/64) to access an IPv4-only server (e.g., 1.2.3.128) by translating the traffic appropriately at the firewall.

Configuration Steps

Step 1: Add a New Manual NAT Rule

  • Navigate to your NAT policy at Devices > NAT 
  • Click Add Rule
  • Select:
    • NAT Rule Type: Manual NAT Rule
    • Type: Dynamic
  • Under the Interface Objects tab:
    • Assign the inside interface as the Source Interface
    • Assign the outside interface as the Destination Interface

Step 2: Configure the Translation

  • Navigate to the Translation tab
  • Configure the following:
    • Original Source (IPv6)
      • Create a new object for the real IPv6 address (e.g., 2001:172:16:32::/64) and assign it as the Original Source.
    • Translated Source (IPv4)
      • Set Translated Source to an IPv4 address object (e.g., obj_1.2.3.128)

Step 3: Map Destination Addresses

  • Configure the following under the Translation tab:
    • Original Destination (IPv6)
      • Create and assign a new object for the desired mapped IPv6 subnet (e.g., 2001::/96) as the Original Destination.
    • Translated Destination (IPv4)
      • For Translated Destination, use the prebuilt object any to allow all IPv4 destinations.

Step 4: Save and Deploy

  • Click OK and save the policy
  • Deploy the NAT policy to your Secure Firewall device

This completes the NAT64 configuration. IPv6 clients can now reach IPv4-only services through seamless address translation.

Cisco Secure Firewall’s NAT64 support bridges modern IPv6 networks with legacy IPv4 systems using flexible Manual NAT rules. You define both ends of the translation and leverage object-based configuration for clean, scalable design.
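As an added illustration (not part of the original article or of Cisco's code), the following Python shows how the addresses in the NAT64 rule above fit together: the client's IPv6 destination embeds the IPv4 server address under the 2001::/96 Original Destination prefix, and the firewall recovers the IPv4 destination from those low 32 bits while translating the source to the 1.2.3.128 object. The 198.51.100.7 server used in the test traffic is a constructed address.

```python
import ipaddress

# Added example, not from the article or Cisco: the NAT64 rule's objects.
NAT64_PREFIX = ipaddress.IPv6Network("2001::/96")             # Original Destination
REAL_SRC_V6 = ipaddress.IPv6Network("2001:172:16:32::/64")    # Original Source
MAPPED_SRC_V4 = ipaddress.IPv4Address("1.2.3.128")            # Translated Source

def embed_ipv4(v4, prefix=NAT64_PREFIX):
    """IPv6 address an IPv6-only client uses to reach IPv4 host v4."""
    if prefix.prefixlen != 96:
        raise ValueError("NAT64 prefix must be a /96")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))

def extract_ipv4(v6, prefix=NAT64_PREFIX):
    """Recover the IPv4 host from a prefix-embedded IPv6 destination, or None."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)

def translate(src6, dst6):
    """Apply the rule: (mapped_src_v4, mapped_dst_v4) or None if it does not match."""
    if ipaddress.IPv6Address(src6) not in REAL_SRC_V6:
        return None                        # not from the IPv6 network the rule covers
    dst4 = extract_ipv4(dst6)
    if dst4 is None:
        return None                        # destination is not under the NAT64 prefix
    # Translated Destination is "any", so the embedded IPv4 host is kept as-is;
    # Translated Source is a single IPv4 address, so this is dynamic PAT.
    return (str(MAPPED_SRC_V4), str(dst4))
```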