NAT with bridged virtual interface (BVI)

It’s probable that you have found this out yourself already, but I want to mention a few things about NAT rules when using the BVI on the Cisco ASA firewalls (5506, 5508, etc.).

NAT’ing with the 5505 is a different story, since it uses VLANs and switchports on its interfaces, so one can NAT to a VLAN rather than to a physical port interface. The 5506 and similar series have no VLANs, only physical port interfaces (not including subinterfaces), and the default config includes 7 dynamic PAT rules, one for each interface that is included in the default BVI for the inside network.

If you want to have a static pre-rule before the object NAT rules, you may select the BVI interface in the list as destination or source in ASDM, but you’ll get an error when applying it, since the CLI can’t handle it. There is no BVI interface in the CLI. You have to do one of the following:

  • Give names to all interfaces belonging to the BVI group and make a rule for each one. This is not a good idea, since the packet hits the top rule and doesn’t go any further down the list, even if the host it’s looking for is not found on that first interface it hits.
  • Make a network object for the network used on the BVI interface, NAT to or from the “any” interface, and use the object as source or destination address instead. That will work.


This also works great for dynamic PAT, if you have to hide behind a single public IP. Just make a post-NAT rule after the object rules, and set the source interface to any, the source address to a network object for the BVI network, the destination interface to outside and the destination address to original. And the NAT type to dynamic PAT, of course.

Just bear in mind that the packet tracer tool does not always like this, so it may say that the packet is dropped while the real traffic goes through.

I also found some limitations to this regarding translation of IP networks in static NAT:
I could make an object for e.g. a 10.0.0.0/24 network, and set that as source address for the translated packet, where it says “original” in the screenshot above, so any packet from the inside to the BVI would be translated like this:

inside 192.168.100.10 to BVI 192.168.250.50
would be translated to:
xlate 10.0.0.10 to BVI 192.168.250.50

This is how it should be, and it works great both ways. But I also tested translating the BVI interface network, so in the same example, setting the destination address to the same xlate 10.0.0.0/24 network object, and having the source address as original. In this example, the packet will be dropped because of no adjacency. So if you need to translate the BVI network, you may be out of luck doing it this way.

One solution is to have one interface on the ASA for the network you need, instead of a BVI group, and hook it up to a proper switch that handles the L2 traffic. Then all will work as intended.
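
The two working rules described above (the static pre-rule from the inside network toward the BVI network, and the dynamic PAT post-rule), written as ASA CLI rather than ASDM clicks. This is an added example, not configuration from the original post. The object names, the interface names "inside" and "outside", the /24 masks on 192.168.100.0 and 192.168.250.0, and the use of the outside interface address as the single public IP are assumptions.

```cisco
! Added example. Object and interface names are assumed; the /24 masks on
! 192.168.250.0 and 192.168.100.0 are assumed (only 10.0.0.0/24 is given on the page).
object network BVI-NET
 subnet 192.168.250.0 255.255.255.0
object network INSIDE-NET
 subnet 192.168.100.0 255.255.255.0
object network XLATE-NET
 subnet 10.0.0.0 255.255.255.0
!
! Static pre-rule (placed before the object NAT rules). "any" stands in for the
! BVI, and the BVI network object as destination address scopes the rule.
! inside 192.168.100.10 -> 192.168.250.50 leaves as 10.0.0.10 -> 192.168.250.50
nat (inside,any) source static INSIDE-NET XLATE-NET destination static BVI-NET BVI-NET
!
! Dynamic PAT post-rule (after-auto places it after the object NAT rules).
! Source interface any, source address the BVI network object, destination
! interface outside, destination address left untranslated.
nat (any,outside) after-auto source dynamic BVI-NET interface
!
! Verify with real traffic: rule order, hit counts and live translations.
show nat detail
show xlate
```

Because packet tracer may report a drop for these rules, rising hit counts in `show nat detail` and matching entries in `show xlate` are the more reliable confirmation that the rules are being used.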

I came across this problem when having to go from a 5505, where the switchports and VLANs were used for L2 switching and the NAT rules were applied to the VLAN, and trying to replicate this on a 5506 with no switchports or VLANs, using only a BVI. And since there are not that many articles covering this, I wanted to write a few lines about it.
