<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic After Auto-Nat Question in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/after-auto-nat-question/m-p/2321887#M310528</link>
    <pubDate>Tue, 22 Oct 2013 20:04:34 GMT</pubDate>
    <dc:creator>Jouni Forss</dc:creator>
    <dc:date>2013-10-22T20:04:34Z</dc:date>
    <item>
      <title>After Auto-Nat Question</title>
      <link>https://community.cisco.com/t5/network-security/after-auto-nat-question/m-p/2321886#M310525</link>
      <description>&lt;P&gt;&lt;SPAN style="font-family: calibri, verdana, arial, sans-serif;"&gt;Hi Guys,&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-family: calibri, verdana, arial, sans-serif;"&gt;Just a question on after auto-nat as I do not get its purpose. What is the purpose of that line if its format is just the same as manual nat?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-family: calibri, verdana, arial, sans-serif;"&gt;If I have a configuration like this;&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-family: calibri, verdana, arial, sans-serif;"&gt;object network spoke_site_a&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-family: calibri, verdana, arial, sans-serif;"&gt; subnet 192.168.0.0 255.255.255.0&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-family: calibri, verdana, arial, sans-serif;"&gt;nat (inside,outside) source static any any destination static spoke_site_a spoke_site_a&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-family: calibri, verdana, arial, sans-serif;"&gt;From what I read, the configuration I did above is called manual nat. Assuming all inside hosts are within 10.0.0.0/8 network, if the destination is 192.168.0.0/24, no translation will take place. 
I think this is something like nat (inside) 0 acl123 prior to 8.3 and can be useful for VPN setup.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-family: calibri, verdana, arial, sans-serif;"&gt;But if I do something like this next; I read this one is called object nat&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-family: calibri, verdana, arial, sans-serif;"&gt;object network inside_net&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-family: calibri, verdana, arial, sans-serif;"&gt; subnet 10.0.0.0 255.0.0.0&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-family: calibri, verdana, arial, sans-serif;"&gt; nat (inside,outside) dynamic interface&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-family: calibri, verdana, arial, sans-serif;"&gt;All traffic from 10.0.0.0/8 network will be translated to the outside interface IP address. Let's say this is towards the internet.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-family: calibri, verdana, arial, sans-serif;"&gt;But isn't it the same if I configure something like this?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-family: calibri, verdana, arial, sans-serif;"&gt;nat (inside,outside) after-auto source dynamic any interface&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-family: calibri, verdana, arial, sans-serif;"&gt;I can also put this below the first manual NAT and achieve the same result.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-family: calibri, verdana, arial, sans-serif;"&gt;nat (inside,outside) 2 source dynamic any interface&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-family: calibri, verdana, arial, sans-serif;"&gt;It appeared to me that object nat is the method to use if you are not to think of the destination network but if you just want to do a translation based on the source subnet/network plus the
exit interface of the firewall. And it would of course be easier to add entries in manual nat without having to worry about the sequence number.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-family: calibri, verdana, arial, sans-serif;"&gt;If that's the case then what's a good reason to use after-auto command?&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-family: calibri, verdana, arial, sans-serif;"&gt;Thanks in advance.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN style="font-family: calibri, verdana, arial, sans-serif;"&gt;John&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 12 Mar 2019 02:54:54 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/after-auto-nat-question/m-p/2321886#M310525</guid>
      <dc:creator>jpl861</dc:creator>
      <dc:date>2019-03-12T02:54:54Z</dc:date>
    </item>
    <item>
      <title>After Auto-Nat Question</title>
      <link>https://community.cisco.com/t5/network-security/after-auto-nat-question/m-p/2321887#M310528</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I gather that you know that&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;There are Sections 1 - 3 for NAT configurations&lt;/LI&gt;&lt;LI&gt;Manual NAT by default is Section 1&lt;/LI&gt;&lt;LI&gt;Auto NAT is always Section 2&lt;/LI&gt;&lt;LI&gt;Manual NAT with &lt;STRONG&gt;"after-auto"&lt;/STRONG&gt; is Section 3&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;To be honest I have not read completely what Cisco's intentions were with all these sections but I have partially used the Sections to separate different types of NAT even though I could use pretty much any Section for some type of NAT configurations.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;With regards to Section 3 Manual NAT (after-auto), I tend to use it for the basic Dynamic PAT configurations to which users should fall if they have absolutely no other NAT configuration that applies to them. It seems to me to be a natural place where to place these types of NAT configurations.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Section 2 Auto NAT I personally use for Static NAT and Static PAT purposes only.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Section 1 Manual NAT I use for NAT0 / NAT Exempt type NAT configurations or any special type of NAT configurations that you could consider Policy NAT/PAT.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;With utilizing each Section of the new NAT format I find that configuring the ASA through CLI is a lot easier and clearer when you have set a purpose for each Section and utilize all of them. Instead of following what I have mentioned above, you might be using only Section 1 Manual NAT and end up with a long continuous list of NAT configuration of which purpose you know nothing about on first glance.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;So as you have said yourself, you can do the same NAT configuration in multiple different ways and achieve the same things.
I just find dividing certain types of NAT configurations to their own sections the best solution to keep the configuration both clear and avoid situations where NAT rules order inside one Section becomes too much of a chore to handle.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have written a document about the new NAT configuration format here on the CSC if you want to take a look. I have still to add a lot more to it. As I have said multiple times to others, I am just waiting for the next time to get some inspiration&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-wiki-small" href="https://community.cisco.com/docs/DOC-31116"&gt;https://supportforums.cisco.com/docs/DOC-31116&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Hope this helps&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Please do remember to mark a reply as the correct answer if it answered your question.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Naturally feel free to ask more if needed&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;- Jouni&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 22 Oct 2013 20:04:34 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/after-auto-nat-question/m-p/2321887#M310528</guid>
      <dc:creator>Jouni Forss</dc:creator>
      <dc:date>2013-10-22T20:04:34Z</dc:date>
    </item>
  </channel>
</rss>

