Version 4.1 - 5.1.d NAT Part 1
This section is also straightforward, and I can just about guarantee that something about NAT will be on the exam. So let's start with the general information and move to specifics. Also, the syntax for NAT and PAT changes between versions, so each type is shown with the version it applies to.
GENERAL CONCEPTS
Check out Cisco's page on NAT. Know these four definitions:
Inside local address—The (real) IP address assigned to a host on the inside network. [Usually RFC 1918]
Inside global address—A legitimate (routable) IP address that represents one or more inside local IP addresses to the outside world.
Outside global address—The (routable) IP address assigned to a host on the outside network by the host owner.
Outside local address—The IP address of an outside host as it appears to the inside network. [Usually RFC 1918]
The "local" addresses normally come from the RFC 1918 private address space, and the "global" addresses are normally external addresses that are routable on the Internet. Questions on this usually give you either a NAT statement or a diagram and ask you to identify an address as one of the four above.
Below are examples of CLI NAT configuration for 8.2 and 8.4 onwards. Rather than list them together under each version (like in the documentation), I am listing each type with both versions shown. For me it's easier to see this way. YMMV.
STATIC NAT
Version 8.2
static (inside,outside) 209.165.200.232 192.168.10.22 netmask 255.255.255.255
Version 8.4 onwards (using an object and then a mapped object)
! Option 1: mapped address written inline
object network MYNAT1
 host 192.168.10.22
 nat (inside,outside) static 209.165.200.232
! Option 2: mapped address held in its own object
object network MYMAPOBJ1
 host 209.165.200.232
object network MYHOST1
 host 192.168.10.22
 nat (inside,outside) static MYMAPOBJ1
DYNAMIC NAT
Version 8.2
nat (inside) 3 192.168.10.0 255.255.255.0
global (outside) 3 209.165.200.232-209.165.200.240
Version 8.4 onwards
object network MYNATOBJ
 range 209.165.200.232 209.165.200.240
object network MYINSIDESUB
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic MYNATOBJ
STATIC PAT
Version 8.2
static (inside,outside) tcp 209.165.200.232 80 192.168.100.100 8080 netmask 255.255.255.255
Version 8.4 onwards
object network obj-192.168.100.100
 host 192.168.100.100
 nat (inside,outside) static 209.165.200.232 service tcp 8080 www
DYNAMIC PAT
Version 8.2
hostname(config)# nat (inside) 1 0.0.0.0 0.0.0.0 0 0
hostname(config)# global (outside) 1 209.165.201.15
Version 8.4 onwards
The following example configures dynamic PAT that hides the 192.168.2.0 network behind address 10.2.2.2:
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic 10.2.2.2
The following example configures dynamic PAT that hides the 192.168.2.0 network behind the outside interface address:
hostname(config)# object network my-inside-net
hostname(config-network-object)# subnet 192.168.2.0 255.255.255.0
hostname(config-network-object)# nat (inside,outside) dynamic interface
Those are the main ones. For a more complete listing of the differences see ASA Pre-8.3 to 8.3 NAT configuration examples on the Cisco Support Community page.
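The version differences above can be checked mechanically. The following Python is an added example, not from the original post or from Cisco: it rewrites the 8.2 static, nat and global forms shown on this page as 8.4-style network object NAT. The function names and the object names (obj-..., pool-...) are invented for the illustration, and it handles only the forms shown here.

```python
# Added example: pre-8.3 NAT lines -> 8.3+ object NAT. obj-*/pool-* names are invented.

def addr(ip, mask):
    return f" host {ip}" if mask == "255.255.255.255" else f" subnet {ip} {mask}"

def convert_static(line):
    # 8.2: static (real_if,mapped_if) [proto] MAPPED [port] REAL [port] netmask M
    tok = line.split()
    real_if, mapped_if = tok[1].strip("()").split(",")
    service = ""
    if tok[2] in ("tcp", "udp"):  # static PAT
        proto, mapped_ip, mapped_port, real_ip, real_port = tok[2:7]
        # 8.3+ flips the order: service <proto> REAL_port MAPPED_port
        service = f" service {proto} {real_port} {mapped_port}"
    else:  # static NAT
        mapped_ip, real_ip = tok[2:4]
    mask = tok[tok.index("netmask") + 1] if "netmask" in tok else "255.255.255.255"
    return [f"object network obj-{real_ip}", addr(real_ip, mask),
            f" nat ({real_if},{mapped_if}) static {mapped_ip}{service}"]

def convert_dynamic(lines):
    # 8.2 ties "nat" (real side) to "global" (mapped side) through a shared NAT ID.
    toks = [l.split() for l in lines]
    pools = {t[2]: (t[1].strip("()"), t[3]) for t in toks if t[0] == "global"}
    out = []
    for t in (t for t in toks if t[0] == "nat"):
        real_if, nat_id, net, mask = t[1].strip("()"), t[2], t[3], t[4]
        if nat_id not in pools:
            raise ValueError(f"no global statement for NAT ID {nat_id}")
        mapped_if, pool = pools[nat_id]
        if "-" in pool:  # address range: dynamic NAT, needs a mapped object
            out += [f"object network pool-{nat_id}", " range " + pool.replace("-", " ")]
            pool = f"pool-{nat_id}"
        # otherwise a single address or the keyword "interface": dynamic PAT
        out += [f"object network obj-{net}", addr(net, mask),
                f" nat ({real_if},{mapped_if}) dynamic {pool}"]
    return out

def convert(lines):
    out = [x for l in lines if l.startswith("static ") for x in convert_static(l)]
    return out + convert_dynamic([l for l in lines if l.split()[0] in ("nat", "global")])

# Sample input: 8.2 statements taken from this page.
SAMPLE = [
    "static (inside,outside) tcp 209.165.200.232 80 192.168.100.100 8080 netmask 255.255.255.255",
    "nat (inside) 3 192.168.10.0 255.255.255.0",
    "global (outside) 3 209.165.200.232-209.165.200.240",
]
if __name__ == "__main__":
    print("\n".join(convert(SAMPLE)))
```

The static PAT line comes out as service tcp 8080 80; www in the hand-written version above is the ASA's name for port 80. Review any generated configuration before applying it, since a reversed port pair publishes the wrong service.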
There are a number of pages on NAT in the documentation.
Static NAT 8.2
Static PAT 8.2
Dynamic NAT and PAT 8.2
Network Object NAT 8.4 and 8.6
ASA version 9.x Port Forwarding with NAT
Information About NAT CLI 9.1
Network Object NAT CLI 9.2
And of course, you should know how to do this with the ASDM also:
NAT 8.2 using ASDM
NAT using ASDM (newer)
But knowing how to configure NAT is only part of what may be on the exam. There are still a lot of concepts that may also be relevant to the exam, so I'm going to move on to Part 2.