Thanks for your reply. You

yangfrank · ‎03-15-2015

Dear All

I notice a command listed in a document. There is a nat command in there. Can you tell me the meaning of keyword "interface" Please see below:

The "interface" is usually used as outside ip address for outbound packets in nat, but now we already use the outside range, why does the nat still use it ? Thank you

Dynamic NAT with Interface Overload

nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
global (outside) 1 209.165.201.1-209.165.201.2

object network NAT_Pool
range 209.165.201.2 209.165.201.50
object network internal_net
subnet 10.1.1.0 255.255.255.0

!

object network internal_net
nat (inside,outside) dynamic NAT_Pool interface

Karsten Iwen · ‎03-16-2015

The keyword "interface" is typically used when you only have one dynamic public IP address.

When this address changes from time to time, there is no IP that you could configure. With the "interface" keyword, the ASA just uses the IP that is actually on the interface.

yangfrank · ‎03-16-2015

Thanks for your reply. You mean when the range of ip is not available, the interface ip could be used as backup ? Why did you said "When this address changes from time to time" since i get a little confused about it?

Jon Marshall · ‎03-16-2015

If the ASA is using DHCP for it's outside interface IP then it could change so you can't refer to the actual IP, instead you use the "interface" keyword.

The configuration you posted will use a one to one mapping for the two IPs in the NAT pool and if other clients need to connect and those two IPs are use then it will use the outside interface IP and overload the clients with that IP address ie. multiple clients can be translated using that single outside interface IP.

Jon

Regarding ASA nat issue