topic Regarding ASA nat issue in Network Security

Regarding ASA nat issue

yangfrank — Tue, 12 Mar 2019 05:38:40 GMT

Dear All

I notice a command listed in a document. There is a nat command in there. Can you tell me the meaning of keyword "interface" Please see below:

The "interface" is usually used as outside ip address for outbound packets in nat, but now we already use the outside range, why does the nat still use it ? Thank you

Dynamic NAT with Interface Overload

nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
global (outside) 1 209.165.201.1-209.165.201.2

object network NAT_Pool
range 209.165.201.2 209.165.201.50
object network internal_net
subnet 10.1.1.0 255.255.255.0

object network internal_net
nat (inside,outside) dynamic NAT_Pool interface

The keyword "interface" is

Karsten Iwen — Mon, 16 Mar 2015 09:20:33 GMT

The keyword "interface" is typically used when you only have one dynamic public IP address.

When this address changes from time to time, there is no IP that you could configure. With the "interface" keyword, the ASA just uses the IP that is actually on the interface.

Thanks for your reply. You

yangfrank — Mon, 16 Mar 2015 21:07:29 GMT

Thanks for your reply. You mean when the range of ip is not available, the interface ip could be used as backup ? Why did you said "When this address changes from time to time" since i get a little confused about it?

If the ASA is using DHCP for

Jon Marshall — Mon, 16 Mar 2015 21:33:56 GMT

If the ASA is using DHCP for it's outside interface IP then it could change so you can't refer to the actual IP, instead you use the "interface" keyword.

The configuration you posted will use a one to one mapping for the two IPs in the NAT pool and if other clients need to connect and those two IPs are use then it will use the outside interface IP and overload the clients with that IP address ie. multiple clients can be translated using that single outside interface IP.

Jon