https://community.cisco.com/t5/network-security/asa-outside-interface-and-static-identity-nat/m-p/2962082#M144597 <P>You can use any interface for any "role" in the network. The ASA doesn't care which interface in inside, outside and so on. Also the names are not relevant any more. Very long time ago (when we used the PIX) there were some restrictions, but these are not relevant any more.&nbsp;The only restriction is that the management-port can't be used for through-traffic on&nbsp;some of the ASAs.</P> <P>For your second question: Yes, that can be done. But be careful that you get the right order of operation. For NATs like these, it's likely that you better place them in section one with "manual/twice NAT" instead to place them in section two (auto/object NAT).</P> Sun, 27 Nov 2016 10:10:43 GMT Karsten Iwen 2016-11-27T10:10:43Z https://community.cisco.com/t5/network-security/asa-outside-interface-and-static-identity-nat/m-p/2962081#M144596 <P>hi all,</P> <P>sorry i feel like a noob again. it's been a while since i designed/configured from scratch.</P> <P>a client wants to use an 'outside' interface on an ASA5516-X other than g0/0. is it possible to use g0/1 or other ports as outside interface?</P> <P>i remember configuring another outside interface other than e0/0 on a 5505 and i think it didn't work.</P> <P>also is below identity NAT possible?</P> <P><EM>object network NETWORK-1</EM></P> <P><EM>&nbsp;subnet 192.168.100.0 255.255.255.0</EM></P> <P><EM>&nbsp;nat (inside,outside) static NETWORK-1</EM></P> Tue, 12 Mar 2019 08:35:34 GMT https://community.cisco.com/t5/network-security/asa-outside-interface-and-static-identity-nat/m-p/2962081#M144596 johnlloyd_13 2019-03-12T08:35:34Z https://community.cisco.com/t5/network-security/asa-outside-interface-and-static-identity-nat/m-p/2962082#M144597 <P>You can use any interface for any "role" in the network. The ASA doesn't care which interface in inside, outside and so on. Also the names are not relevant any more. Very long time ago (when we used the PIX) there were some restrictions, but these are not relevant any more.&nbsp;The only restriction is that the management-port can't be used for through-traffic on&nbsp;some of the ASAs.</P> <P>For your second question: Yes, that can be done. But be careful that you get the right order of operation. For NATs like these, it's likely that you better place them in section one with "manual/twice NAT" instead to place them in section two (auto/object NAT).</P> Sun, 27 Nov 2016 10:10:43 GMT https://community.cisco.com/t5/network-security/asa-outside-interface-and-static-identity-nat/m-p/2962082#M144597 Karsten Iwen 2016-11-27T10:10:43Z https://community.cisco.com/t5/network-security/asa-outside-interface-and-static-identity-nat/m-p/2962083#M144598 <P>hi karsten,</P> <P>thanks! so i reviewed again NAT from this link:</P> <P>https://supportforums.cisco.com/document/132066/asa-nat-83-nat-operation-and-configuration-format-cli#TWICE-TYPE</P> <P>so the NAT on my original post would fall under 'section 1' correct?</P> <P>coz i have several PAT statements after this one. should i put the keyword 'after-auto' on my PAT?</P> <P>originally i wrote:</P> <P></P> <P><EM>object network NETWORK-1</EM></P> <P><EM>&nbsp;subnet 192.168.100.0 255.255.255.0</EM></P> <P><EM>&nbsp;nat (inside,outside) static NETWORK-1</EM></P> <P><EM></EM></P> <P><EM>object network NETWORK-192.168.180.0-24</EM><BR /><EM>&nbsp;description GUEST-WIFI</EM><BR /><EM>&nbsp;subnet 192.168.180.0 255.255.255.0</EM><BR /><EM>&nbsp;nat (GUEST-WIFI,outside) dynamic interface</EM></P> <P></P> <P>should i do below instead?</P> <P><EM>object network NETWORK-1</EM></P> <P><EM>&nbsp;subnet 192.168.100.0 255.255.255.0</EM></P> <P><EM> nat (inside,outside) <SPAN style="color: #ff0000;">1 source</SPAN> static NETWORK-1</EM></P> <P><EM></EM></P> <P><EM>object network NETWORK-10.100.180.0-24<BR />&nbsp;description LAN<BR />&nbsp;subnet 10.100.180.0 255.255.255.0<BR />&nbsp;nat (inside,outside) <SPAN style="color: #ff0000;">after-auto 1 </SPAN>dynamic interface<BR /></EM></P> <P><EM></EM></P> <P><EM>object network NETWORK-192.168.180.0-24</EM><BR /><EM>&nbsp;description GUEST-WIFI</EM><BR /><EM>&nbsp;subnet 192.168.180.0 255.255.255.0</EM><BR /><EM>&nbsp;nat (GUEST-WIFI,outside)&nbsp;<SPAN style="color: #ff0000;">after-auto 2</SPAN> dynamic interface</EM></P> Sun, 27 Nov 2016 10:36:55 GMT https://community.cisco.com/t5/network-security/asa-outside-interface-and-static-identity-nat/m-p/2962083#M144598 johnlloyd_13 2016-11-27T10:36:55Z