https://community.cisco.com/t5/network-security/dynamic-nat-for-internet-access-best-practice-to-use-outside/m-p/4401211#M1080693 <P>Understood, thank you. The main issue appeared to be with IPSec. A device on the inside was trying to make a IPSec connection out and couldn’t due conflict, I think it was related to ISAKMP 500...?Ended up creating a static NAT with an different public IP for that device which resolved the issue. I think it was&nbsp;</P> Tue, 11 May 2021 14:57:07 GMT Jack G 2021-05-11T14:57:07Z https://community.cisco.com/t5/network-security/dynamic-nat-for-internet-access-best-practice-to-use-outside/m-p/4401177#M1080689 <P>I generally I see the outside interface IP used for the dynamic NAT, though after enabling RAVPN, etc. there appears to be a warning in FMC about possible conflict, etc. Is it a best practice to use a different IP than the outside interface for dynamic NAT assuming you have more than 1 public IP to work with?</P> Tue, 11 May 2021 14:31:04 GMT https://community.cisco.com/t5/network-security/dynamic-nat-for-internet-access-best-practice-to-use-outside/m-p/4401177#M1080689 Jack G 2021-05-11T14:31:04Z https://community.cisco.com/t5/network-security/dynamic-nat-for-internet-access-best-practice-to-use-outside/m-p/4401183#M1080690 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/175212">@Jack G</a>&nbsp;General practice, yes use a unique IP address or pool of IP addresses for outbound Dynamic PAT.</P> <P>Obviously if you don't have spare IP addresses you won't have that luxury.</P> Tue, 11 May 2021 14:36:34 GMT https://community.cisco.com/t5/network-security/dynamic-nat-for-internet-access-best-practice-to-use-outside/m-p/4401183#M1080690 Rob Ingram 2021-05-11T14:36:34Z https://community.cisco.com/t5/network-security/dynamic-nat-for-internet-access-best-practice-to-use-outside/m-p/4401184#M1080691 <P>Neither way is more or less secure than the other.</P> <P>As far as best practices, from an engineering point of view you want to make sure the dynamic NAT/PAT has enough resources for the potential clients. If you have more than a couple hundred devices that will be using the NAT, then it's advised to use a larger address pool.</P> Tue, 11 May 2021 14:38:05 GMT https://community.cisco.com/t5/network-security/dynamic-nat-for-internet-access-best-practice-to-use-outside/m-p/4401184#M1080691 Marvin Rhoads 2021-05-11T14:38:05Z https://community.cisco.com/t5/network-security/dynamic-nat-for-internet-access-best-practice-to-use-outside/m-p/4401211#M1080693 <P>Understood, thank you. The main issue appeared to be with IPSec. A device on the inside was trying to make a IPSec connection out and couldn’t due conflict, I think it was related to ISAKMP 500...?Ended up creating a static NAT with an different public IP for that device which resolved the issue. I think it was&nbsp;</P> Tue, 11 May 2021 14:57:07 GMT https://community.cisco.com/t5/network-security/dynamic-nat-for-internet-access-best-practice-to-use-outside/m-p/4401211#M1080693 Jack G 2021-05-11T14:57:07Z https://community.cisco.com/t5/network-security/dynamic-nat-for-internet-access-best-practice-to-use-outside/m-p/4401216#M1080694 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/175212">@Jack G</a> If the outbound IPSec connection from the inside was translated behind the ASA interface IP address and the ASA's outside interface itself was listening on udp/500, then yes I can imagine why that would not have worked. Your static NAT using a different public IP address was the correct way to resolve it.</P> Tue, 11 May 2021 15:02:28 GMT https://community.cisco.com/t5/network-security/dynamic-nat-for-internet-access-best-practice-to-use-outside/m-p/4401216#M1080694 Rob Ingram 2021-05-11T15:02:28Z