Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
22820
Views
45
Helpful
2
Replies

NAT After-Auto

Go to solution
sadik.bash
Level 1
Level 1

‎02-08-2013 11:54 AM - edited ‎03-11-2019 05:58 PM

Hello,

Could someone explain to me what this command does  "

nat (INSIDE,OUTSIDE) after-auto source dynamic any interface"?

Much appreciated.

Best, ~sK

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎02-08-2013 11:59 AM

Hi,

This is a pretty typical Default PAT rule

And I say default in the sense that if a single host doesnt have any other translations towards the "OUTSIDE" interface, this will be the NAT rule that will apply to its connections.

To go through the whole NAT configuration

nat (INSIDE,OUTSIDE) after-auto source dynamic any interface

  • INSIDE = Is the source interface for the NAT
  • OUTSIDE = Is the destination interface for the NAT  
    • So its meant to be a NAT for INSIDE users heading to network behind OUTSIDE
  • after-auto = This configuration parameter simply moves this NAT configuration to the very end of the NAT configuration (called Section 3). It basicly says that its one of the last rules to be matched against and connections that is coming to the firewall.
  • source dynamic any = A dynamic translations is done for the source hosts
  • any = The source address behind interface INSIDE can be anything
  • interface = The PAT IP address used is that which belongs to the destination interface which in this case is OUTSIDE

EDIT: Heres a link to the NAT Rule Order on the ASA (8.4 software)

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_overview.html#wp1118157

Hope the information was helpfull

- Jouni

View solution in original post

2 Replies 2

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎02-08-2013 11:59 AM

Hi,

This is a pretty typical Default PAT rule

And I say default in the sense that if a single host doesnt have any other translations towards the "OUTSIDE" interface, this will be the NAT rule that will apply to its connections.

To go through the whole NAT configuration

nat (INSIDE,OUTSIDE) after-auto source dynamic any interface

  • INSIDE = Is the source interface for the NAT
  • OUTSIDE = Is the destination interface for the NAT  
    • So its meant to be a NAT for INSIDE users heading to network behind OUTSIDE
  • after-auto = This configuration parameter simply moves this NAT configuration to the very end of the NAT configuration (called Section 3). It basicly says that its one of the last rules to be matched against and connections that is coming to the firewall.
  • source dynamic any = A dynamic translations is done for the source hosts
  • any = The source address behind interface INSIDE can be anything
  • interface = The PAT IP address used is that which belongs to the destination interface which in this case is OUTSIDE

EDIT: Heres a link to the NAT Rule Order on the ASA (8.4 software)

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_overview.html#wp1118157

Hope the information was helpfull

- Jouni

Go to solution
sadik.bash
Level 1
Level 1

‎02-08-2013 12:07 PM

That was very helpful!

Thank you!

Best, ~sK

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card