Network Address Translation on the Cisco ASA is the single most common source of "why does this not work" tickets. The reason is not that NAT is hard; it is that the ASA syntax changed substantially in software 8.3, and a lot of older documentation, blog posts, and training material still teaches the pre-8.3 model. This article covers the modern model: Auto NAT (object NAT) and Manual NAT (twice NAT), how they differ, the order they are evaluated in, and when to reach for each one.
This is part of the Cisco ASA Complete Guide on PingLabz. After this read, the deeper articles cover Dynamic PAT, Static NAT, Twice NAT, Identity NAT for VPN, and the must-know NAT Order of Operations.
The Two NAT Types: Auto and Manual
Modern ASA software has exactly two NAT configuration models. Every NAT rule on a current ASA is one or the other.
| Type | Also called | Configured under | What it can match | What it can do |
|---|---|---|---|---|
| Auto NAT | Object NAT, network-object NAT | Inside an object network definition | One source object only (the network-object itself) | Static, dynamic, PAT, dynamic-with-fallback |
| Manual NAT | Twice NAT | Global config under nat (real-int,mapped-int) ... | Source AND destination, optional service ports | Same as auto, plus destination-dependent (conditional) translation, which is how NAT exemption for VPN traffic is written |
The simple mental model: use Auto NAT for unconditional translations (one source, always translate this way) and Manual NAT when the translation depends on what the destination is.
Auto NAT Syntax
Auto NAT is configured inside the network-object that represents the source. The translation is attached to the object, not declared globally. Example - dynamic PAT for the inside subnet going to outside:
```
object network INSIDE-NET
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
```

That single object does three things: defines a source network, declares the NAT rule, and references the egress interface PAT pool (interface means "use the outside interface IP"). Static NAT has the same shape, with static instead of dynamic and a target address instead of interface:
```
object network DMZ-WEB
 host 192.168.50.10
 nat (dmz,outside) static 198.51.100.10
```

This publishes the DMZ web server at 192.168.50.10 as the public IP 198.51.100.10. Static NAT is bidirectional: outbound, the server's traffic appears to come from 198.51.100.10; inbound, anyone on the outside hitting 198.51.100.10 has the destination untranslated to 192.168.50.10 by the ASA.
That is essentially the entire Auto NAT model. One object, one NAT rule, one source-only translation.
Manual NAT Syntax
Manual NAT (twice NAT) is declared at global config level outside any object, and it can match both source AND destination. Example - exempt traffic going from the inside subnet to a remote VPN subnet from being PATted (NAT exemption / identity NAT):
```
object network INSIDE-NET
 subnet 10.10.10.0 255.255.255.0
object network REMOTE-VPN-NET
 subnet 10.20.0.0 255.255.255.0
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static REMOTE-VPN-NET REMOTE-VPN-NET no-proxy-arp route-lookup
```

Read the nat line as: "On a packet ingressing inside and egressing outside, if the source matches INSIDE-NET and the destination matches REMOTE-VPN-NET, translate the source from INSIDE-NET to itself (no change) and the destination from REMOTE-VPN-NET to itself." Both translations are identity (no actual change), so the effect is to bypass any other NAT rule that would otherwise PAT the source. The two trailing keywords matter: no-proxy-arp stops the ASA answering ARP for the mapped addresses (which here are the real ones), and route-lookup makes the ASA pick the egress interface from the routing table instead of from the interface pair in the rule.
Manual NAT is also the syntax for any conditional translation - "translate the source to X only when the destination is Y." That kind of rule is impossible in Auto NAT and is the reason Manual NAT exists. We cover it in Twice NAT Explained with Real Examples.
The Evaluation Order: Three Sections, First Match Wins
This is the part that surprises every engineer who learned pre-8.3 NAT. Modern ASA evaluates NAT rules in three sections in this fixed order:
| Section | Contents | Order within section |
|---|---|---|
| 1. Manual NAT | All nat (real,mapped) source ... commands declared without the after-auto keyword | Configuration order. First match wins. |
| 2. Auto NAT | All NAT rules declared inside object network ... blocks | Automatic, ignoring configuration order: static rules before dynamic, then fewest real addresses first, then lowest real address, then object name alphabetically |
| 3. Manual NAT (after-auto) | All nat (real,mapped) source ... after-auto commands | Configuration order. First match wins. |
The first NAT rule that matches the packet wins; the remaining rules are not evaluated. Auto NAT (Section 2) ignores configuration order entirely: static rules are placed before dynamic ones, and within each type the rule with fewer real addresses comes first, so a host object always sorts ahead of a subnet object of the same type that contains it and you never order Section 2 by hand. Manual NAT (Sections 1 and 3) is evaluated strictly in configuration order, so you must place the most specific rule first (or insert it at a position with a line number: nat (inside,outside) 1 source ...).
You can see the compiled NAT rule order with show nat detail:
```
ASA-PERIM# show nat detail
Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static DMZ-WEB 198.51.100.10
    translate_hits = 87, untranslate_hits = 134
    Source - Origin: 192.168.50.10/32, Translated: 198.51.100.10/32
2 (inside) to (outside) source dynamic INSIDE-TRANSIT interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.10.0.0/24, Translated: 203.0.113.2/30
3 (inside) to (outside) source dynamic INSIDE-NET interface
    translate_hits = 4521, untranslate_hits = 0
    Source - Origin: 10.10.10.0/24, Translated: 203.0.113.2/30
```

This output is from our ASAv 9.23 lab. Section 2 (Auto NAT) is auto-ordered: DMZ-WEB is a static rule, so it is rule 1 even though we configured it last; INSIDE-TRANSIT and INSIDE-NET are both dynamic /24 rules with the same number of real addresses, so the lower real network (10.10.0.0) sorts ahead of 10.10.10.0. The same sort puts a /32 host object ahead of a /24 subnet of the same type that contains it, which is the ordering Auto NAT does for you. The hit counters tell you which rules are actually firing: in this snapshot, INSIDE-NET has 4521 forward translations to the outside interface IP (PAT), DMZ-WEB has 87 forward and 134 reverse hits (a public-facing web server gets more inbound than outbound traffic), and INSIDE-TRANSIT has not fired at all.
If you also have Manual NAT rules, show nat detail would print them under Manual NAT Policies (Section 1) first, before the Auto NAT block, and any after-auto manual rules under Manual NAT Policies (Section 3) at the end. The order of the sections in the output mirrors the evaluation order.
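To make the hit-counter check repeatable, here is an added Python example (not from the article and not a Cisco tool) that parses `show nat detail` text into per-rule records, preserves the section and print order the ASA uses, and flags rules with zero hits together with the rules evaluated ahead of them on the same interface pair. The Section 2 entries in SAMPLE are the lab output above; the Section 1 entry is constructed to show how a manual NAT line prints.

```python
"""Parse `show nat detail` output and flag rules that are not firing.

Added example, not part of the article or of any Cisco tooling. It recognises
the layout shown above (section headers, numbered rule lines, the
translate_hits/untranslate_hits line and the Source - Origin/Translated line).
"""
import re
from dataclasses import dataclass
from typing import Optional

SECTION_RE = re.compile(r"^(?:Manual|Auto) NAT Policies \(Section (\d)\)")
RULE_RE = re.compile(r"^(\d+) \((\S+)\) to \((\S+)\) source (static|dynamic) (\S+) (\S+)")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")
ORIGIN_RE = re.compile(r"^Source - Origin: (\S+), Translated: (\S+)")

# Section 2 is the article's lab output; the Section 1 entry is constructed.
SAMPLE = """\
ASA-PERIM# show nat detail
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static INSIDE-NET INSIDE-NET   destination static REMOTE-VPN-NET REMOTE-VPN-NET no-proxy-arp route-lookup
    translate_hits = 212, untranslate_hits = 198
    Source - Origin: 10.10.10.0/24, Translated: 10.10.10.0/24
    Destination - Origin: 10.20.0.0/24, Translated: 10.20.0.0/24

Auto NAT Policies (Section 2)
1 (dmz) to (outside) source static DMZ-WEB 198.51.100.10
    translate_hits = 87, untranslate_hits = 134
    Source - Origin: 192.168.50.10/32, Translated: 198.51.100.10/32
2 (inside) to (outside) source dynamic INSIDE-TRANSIT interface
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.10.0.0/24, Translated: 203.0.113.2/30
3 (inside) to (outside) source dynamic INSIDE-NET interface
    translate_hits = 4521, untranslate_hits = 0
    Source - Origin: 10.10.10.0/24, Translated: 203.0.113.2/30
"""


@dataclass
class NatEntry:
    section: int          # 1 manual, 2 auto, 3 manual after-auto
    number: int           # position within the section (= evaluation order there)
    real_if: str
    mapped_if: str
    kind: str             # "static" or "dynamic"
    real_obj: str
    mapped: str           # object, address or "interface"
    matches_dest: bool    # True only for manual (twice) NAT lines
    translate_hits: int = 0
    untranslate_hits: int = 0
    origin: str = ""
    translated: str = ""

    @property
    def total_hits(self) -> int:
        return self.translate_hits + self.untranslate_hits


def parse_show_nat_detail(text: str) -> list[NatEntry]:
    """Return entries in the order the ASA printed them, which is its evaluation order."""
    entries: list[NatEntry] = []
    section = 0
    current: Optional[NatEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section = int(m.group(1))
        elif m := RULE_RE.match(line):
            current = NatEntry(section, int(m.group(1)), m.group(2), m.group(3),
                               m.group(4), m.group(5), m.group(6),
                               matches_dest=" destination " in line)
            entries.append(current)
        elif current is not None and (m := HITS_RE.search(line)):
            current.translate_hits = int(m.group(1))
            current.untranslate_hits = int(m.group(2))
        elif current is not None and (m := ORIGIN_RE.match(line)):
            current.origin, current.translated = m.group(1), m.group(2)
    return entries


def idle_rules(entries: list[NatEntry]) -> list[NatEntry]:
    """Rules with zero hits in both directions: misordered, shadowed, or simply unused."""
    return [e for e in entries if e.total_hits == 0]


def shadowed_by(entries: list[NatEntry], target: NatEntry) -> list[NatEntry]:
    """Rules evaluated before `target` on the same interface pair: the suspects if it is idle."""
    return [e for e in entries[: entries.index(target)]
            if (e.real_if, e.mapped_if) == (target.real_if, target.mapped_if)]


if __name__ == "__main__":
    rules = parse_show_nat_detail(SAMPLE)
    for e in rules:
        print(f"S{e.section}#{e.number} {e.kind:7} {e.real_obj:15} -> {e.mapped:15} "
              f"hits={e.translate_hits}/{e.untranslate_hits}")
    for e in idle_rules(rules):
        earlier = ", ".join(f"S{x.section}#{x.number} {x.real_obj}" for x in shadowed_by(rules, e)) or "none"
        print(f"zero hits: {e.real_obj} (evaluated earlier on {e.real_if}->{e.mapped_if}: {earlier})")
```

Paste the real output in place of SAMPLE, or feed the script from a saved `show nat detail` capture; a zero-hit rule whose shadowed_by list contains a broader rule is the misordering case from the Common NAT Mistakes section, while a zero-hit rule with no earlier rule on its interface pair usually just means that subnet is not sending traffic yet.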
Auto NAT vs Manual NAT: How to Choose
| Scenario | Use | Why |
|---|---|---|
| PAT inside hosts going to internet | Auto NAT | Unconditional source-only translation |
| Publish a DMZ web server publicly | Auto NAT (static) | Unconditional, simple source-to-translated-source mapping |
| VPN traffic must skip NAT | Manual NAT, Section 1 | Translation depends on destination (the VPN subnet) |
| Different translation depending on which destination | Manual NAT | Auto NAT cannot match destination |
| Twice NAT (translate both source and destination differently) | Manual NAT | Only Manual NAT supports this |
| "Translate everything that does not match a more specific rule" | Manual NAT, Section 3 (after-auto) | Catches packets after Auto NAT, useful as a default-PAT fallback in complex deployments |
The 90% answer is Auto NAT. Reach for Manual NAT when you need to match destination, or when you need a rule to win before Auto NAT (Section 1) or after Auto NAT (Section 3).
Real IP vs Mapped IP: The ACL Catch
One critical detail that touches every ACL on the ASA: ACLs reference real IPs, not mapped IPs. If your DMZ web server is published as 198.51.100.10 (mapped) but lives at 192.168.50.10 (real), the ACL on the outside interface should permit traffic to 192.168.50.10, not 198.51.100.10. The ASA untranslates the destination first (UN-NAT phase) and then evaluates the ACL against the real IP.
This catches engineers who came from older ASA software (pre-8.3) where ACLs used the mapped IP. Modern ASA documentation calls this "the real IP rule" and it applies everywhere. Confirm it for any flow with packet-tracer - the UN-NAT phase prints both the mapped and real IPs, then the ACCESS-LIST phase shows what was actually compared.
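The three-section lookup described under "The Evaluation Order" and the real-IP rule described here can be modelled in a few dozen lines. The following is an added Python example, not ASA code or anything from the article's lab; it reproduces the ordering Cisco documents for NAT rules (Sections 1 and 3 in configuration order; Section 2 static before dynamic, then fewest real addresses, then lowest real address, then object name), applies first-match-wins, and performs the inbound UN-NAT step before an ACL comparison. The objects are the ones used in this article; the VPN-EXEMPT label and the ACL entries are this example's own.

```python
"""Model of the ASA 8.3+ NAT lookup plus the real-IP ACL rule (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass
class NatRule:
    name: str                   # object name (auto) or a label (manual)
    section: int                # 1 manual, 2 auto (object NAT), 3 manual after-auto
    real_src: IPv4Network
    mapped_src: str             # "interface", a mapped address/net, or the real net (identity)
    static: bool
    real_dst: Optional[IPv4Network] = None   # only manual NAT may match a destination
    order: int = 0              # configuration order, set by NatTable.add

    def matches(self, src: str, dst: str) -> bool:
        if ip_address(src) not in self.real_src:
            return False
        return self.real_dst is None or ip_address(dst) in self.real_dst


class NatTable:
    def __init__(self) -> None:
        self.rules: list[NatRule] = []

    def add(self, rule: NatRule) -> None:
        if rule.section == 2 and rule.real_dst is not None:
            raise ValueError("Auto NAT cannot match a destination")
        rule.order = len(self.rules)
        self.rules.append(rule)

    def compiled(self) -> list[NatRule]:
        """Rules in evaluation order: Section 1, auto-ordered Section 2, Section 3."""
        def manual(section: int) -> list[NatRule]:
            return sorted((r for r in self.rules if r.section == section), key=lambda r: r.order)
        auto = sorted(
            (r for r in self.rules if r.section == 2),
            key=lambda r: (0 if r.static else 1,               # static before dynamic
                           r.real_src.num_addresses,           # fewest real addresses first
                           int(r.real_src.network_address),    # then lowest real address
                           r.name),                            # then object name
        )
        return manual(1) + auto + manual(3)

    def lookup(self, src: str, dst: str) -> Optional[NatRule]:
        """Outbound lookup: the first matching rule wins, later rules are never consulted."""
        return next((r for r in self.compiled() if r.matches(src, dst)), None)

    def untranslate(self, mapped_dst: str) -> str:
        """Inbound UN-NAT: map a static mapped destination back to the real address."""
        for r in self.compiled():
            if not r.static or r.mapped_src == "interface":
                continue
            mapped_net = ip_network(r.mapped_src)
            if ip_address(mapped_dst) in mapped_net:
                offset = int(ip_address(mapped_dst)) - int(mapped_net.network_address)
                return str(r.real_src.network_address + offset)
        return mapped_dst           # no static rule: the address on the wire is already real


def acl_permits(acl: set[tuple[str, int]], table: NatTable, mapped_dst: str, port: int) -> bool:
    """ACL check the way the ASA does it since 8.3: UN-NAT first, then compare the real IP."""
    return (table.untranslate(mapped_dst), port) in acl


def build_lab_table(exemption_after_auto: bool = False) -> NatTable:
    """The article's three Auto NAT objects plus a VPN exemption (Section 1 by default).

    exemption_after_auto=True moves the exemption to Section 3 to reproduce the
    classic mistake: the Auto NAT PAT rule is then reached first and wins.
    """
    t = NatTable()
    t.add(NatRule("INSIDE-NET", 2, ip_network("10.10.10.0/24"), "interface", static=False))
    t.add(NatRule("INSIDE-TRANSIT", 2, ip_network("10.10.0.0/24"), "interface", static=False))
    t.add(NatRule("DMZ-WEB", 2, ip_network("192.168.50.10/32"), "198.51.100.10", static=True))
    t.add(NatRule("VPN-EXEMPT", 3 if exemption_after_auto else 1, ip_network("10.10.10.0/24"),
                  "10.10.10.0/24", static=True, real_dst=ip_network("10.20.0.0/24")))
    return t


if __name__ == "__main__":
    t = build_lab_table()
    print([r.name for r in t.compiled()])                   # VPN-EXEMPT, DMZ-WEB, INSIDE-TRANSIT, INSIDE-NET
    print(t.lookup("10.10.10.5", "10.20.0.7").name)         # VPN-EXEMPT: identity NAT, no PAT
    print(build_lab_table(True).lookup("10.10.10.5", "10.20.0.7").name)  # INSIDE-NET: PAT wins
    wrong_acl = {("198.51.100.10", 443)}                     # written against the mapped IP
    right_acl = {("192.168.50.10", 443)}                     # written against the real IP
    print(acl_permits(wrong_acl, t, "198.51.100.10", 443))  # False: the ACL never sees the mapped IP
    print(acl_permits(right_acl, t, "198.51.100.10", 443))  # True
```

The model deliberately ignores ports and interface pairs when matching, so it is a tool for reasoning about precedence, not a substitute for packet-tracer; its value is that you can move a rule between sections and see immediately which rule a given source/destination pair lands on.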
Verifying NAT in Real Time: show xlate
show xlate shows the live NAT translation table - every active translation right now, including the source mapping, destination mapping, and timeout.
```
ASA-PERIM# show xlate
1 in use, 1 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from dmz:192.168.50.10 to outside:198.51.100.10
    flags s idle 0:00:30 timeout 0:00:00
```

This is real output from our ASAv 9.23 lab right after configuration with no live traffic. There is one static NAT entry, the DMZ web server (flag s = static; timeout 0:00:00 because a static xlate is installed as soon as the rule exists and never ages out, regardless of traffic). When inside hosts start passing traffic, dynamic PAT entries appear with flags ri (r = portmap, i = dynamic) and the default 30-second PAT idle timeout. For incident triage, show xlate tells you whether the ASA actually translated the flow you expected, and to which mapped address and port.
Common NAT Mistakes
- Writing the ACL against the mapped (public) IP. Use the real IP. Always. The ASA untranslates first.
- Putting NAT exemption in the wrong section. NAT exemption for VPN must be in Section 1 (manual NAT, before auto), otherwise the auto PAT rule wins first.
- Forgetting `no-proxy-arp` on identity NAT. Without it, the ASA answers ARP for the mapped addresses (which for identity NAT are the real ones), which can cause traffic loops or IP conflicts.
- Mixing pre-8.3 syntax with modern syntax. If you see `global (outside) 1 interface` and `nat (inside) 1 ...` in the config, you are looking at pre-8.3. Modern config never uses NAT IDs.
- Assuming order does not matter. In Manual NAT, configuration order is the evaluation order. The most specific rule must be configured first.
- Not checking hit counters. `show nat detail` includes per-rule hit counters. Zero hits on a rule that should be firing is a strong signal something is misordered.
Related Articles
- Cisco ASA Dynamic PAT Configuration for Internet Access - the most common Auto NAT pattern.
- Cisco ASA Static NAT for Publishing a Server in the DMZ - the second-most-common Auto NAT pattern.
- Cisco ASA Twice NAT Explained with Real Examples - Manual NAT walkthrough.
- Cisco ASA Identity NAT / NAT Exemption for VPNs - the Section 1 manual NAT pattern that keeps VPN tunnels working.
- Cisco ASA NAT Order of Operations Cheat Sheet - the three-section model in one printable page.
- Cisco ASA packet-tracer Command: Complete Troubleshooting Guide - the troubleshooting tool that walks every NAT decision.
Key Takeaways
Modern ASA NAT is two types (Auto and Manual) evaluated in three sections (Manual-before-auto, Auto, Manual-after-auto), first match wins. Auto NAT covers the 90% case: unconditional source-only translation tied to a network object. Manual NAT exists for the 10% case where translation depends on destination, where you need NAT exemption for VPN, or where the auto-ordering does not give you the precedence you want. ACLs always reference real IPs - the ASA untranslates before evaluating the ACL. Use show nat detail for compiled rule order and show xlate for live translations, and use packet-tracer to confirm a specific flow takes the rule you expected.