https://community.cisco.com/t5/network-security/nat-inside-outside-source-dynamic-any-interface/m-p/2323393#M345618 <P>Hi Everyone,</P> <P>I have the same problem of configuring PAT on the new Cisco firewall so addition to <SPAN>ASA1(config)# nat (inside,outside)&nbsp; source&nbsp; dynamic&nbsp; any&nbsp; interface command is any ACL&nbsp;statement is required to allow inside network?</SPAN></P> <P><SPAN>Best Regards! </SPAN></P> Wed, 13 Jul 2016 08:13:49 GMT rodi.wondu 2016-07-13T08:13:49Z https://community.cisco.com/t5/network-security/nat-inside-outside-source-dynamic-any-interface/m-p/2323390#M345615 <P>Hi Everyone,</P><P></P><P>Does config below </P><P></P><P>ASA1(config)# nat (inside,outside)&nbsp; source&nbsp; dynamic&nbsp; any&nbsp; interface</P><P></P><P>Will do the PAT&nbsp; when source is any IP&nbsp; from inside interface of ASA&nbsp; and going to any destination IP&nbsp;&nbsp; address?</P><P></P><P>Regards</P><P></P><P>MAhesh</P> Tue, 12 Mar 2019 02:18:43 GMT https://community.cisco.com/t5/network-security/nat-inside-outside-source-dynamic-any-interface/m-p/2323390#M345615 mahesh18 2019-03-12T02:18:43Z https://community.cisco.com/t5/network-security/nat-inside-outside-source-dynamic-any-interface/m-p/2323391#M345616 <HTML><HEAD></HEAD><BODY><P>Hi Mahesh,</P><P></P><P>Yes, that NAT configuration would essentially do Dynamic PAT for any host behind the <STRONG>"inside"</STRONG> interface towards any destination address routed behind <STRONG>"outside"</STRONG> interface using the PAT IP address of <STRONG>"outside"</STRONG> interface.</P><P></P><P>I would however suggest configuring the same NAT configuration by adding the "after-auto" parameter</P><P></P><P><STRONG>nat (inside,outside) after-auto source dynamic any interface</STRONG></P><P></P><P>What the <STRONG>"after-auto"</STRONG> parameter does is that it moves the NAT rule to the very end of the NAT rules. It will be one of the last NAT rules matched against a new connection coming from behind <STRONG>"inside"</STRONG>.</P><P></P><P>If we configured the Dynamic PAT the way you mentioned, there might be a possibility that it would override other NAT rules either now or in the future because it is at such a high priority.</P><P></P><P>- Jouni</P></BODY></HTML> Tue, 30 Jul 2013 00:44:44 GMT https://community.cisco.com/t5/network-security/nat-inside-outside-source-dynamic-any-interface/m-p/2323391#M345616 Jouni Forss 2013-07-30T00:44:44Z https://community.cisco.com/t5/network-security/nat-inside-outside-source-dynamic-any-interface/m-p/2323392#M345617 <HTML><HEAD></HEAD><BODY><P>Best Regards</P><P></P><P>Mahesh</P></BODY></HTML> Tue, 30 Jul 2013 00:46:41 GMT https://community.cisco.com/t5/network-security/nat-inside-outside-source-dynamic-any-interface/m-p/2323392#M345617 mahesh18 2013-07-30T00:46:41Z https://community.cisco.com/t5/network-security/nat-inside-outside-source-dynamic-any-interface/m-p/2323393#M345618 <P>Hi Everyone,</P> <P>I have the same problem of configuring PAT on the new Cisco firewall so addition to <SPAN>ASA1(config)# nat (inside,outside)&nbsp; source&nbsp; dynamic&nbsp; any&nbsp; interface command is any ACL&nbsp;statement is required to allow inside network?</SPAN></P> <P><SPAN>Best Regards! </SPAN></P> Wed, 13 Jul 2016 08:13:49 GMT https://community.cisco.com/t5/network-security/nat-inside-outside-source-dynamic-any-interface/m-p/2323393#M345618 rodi.wondu 2016-07-13T08:13:49Z https://community.cisco.com/t5/network-security/nat-inside-outside-source-dynamic-any-interface/m-p/3817769#M345620 Yes. Interface of Higher security level (inside) is allowed to go out an interface of lower secirity level (outside) but not vice versa. You must apply acl allowing what traffic you want to allow in on outside interface. Tue, 12 Mar 2019 03:37:36 GMT https://community.cisco.com/t5/network-security/nat-inside-outside-source-dynamic-any-interface/m-p/3817769#M345620 CiscoBrownBelt 2019-03-12T03:37:36Z