nat (inside,outside) source dynamic any interface

mahesh18
Level 6

Hi Everyone,

Does the config below

ASA1(config)# nat (inside,outside) source dynamic any interface

do PAT when the source is any IP from the inside interface of the ASA and going to any destination IP address?

Regards

Mahesh

Accepted Solutions

Jouni Forss
VIP Alumni

Hi Mahesh,

Yes, that NAT configuration would essentially do Dynamic PAT for any host behind the "inside" interface towards any destination address routed behind "outside" interface using the PAT IP address of "outside" interface.

I would, however, suggest configuring the same NAT configuration by adding the "after-auto" parameter:

nat (inside,outside) after-auto source dynamic any interface

What the "after-auto" parameter does is that it moves the NAT rule to the very end of the NAT rules. It will be one of the last NAT rules matched against a new connection coming from behind "inside".

If we configured the Dynamic PAT the way you mentioned, there might be a possibility that it would override other NAT rules either now or in the future because it is at such a high priority.

- Jouni
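
Added example (not part of the original thread and not Cisco code): a small Python check that sorts the nat lines of a running-config into the ASA's three NAT sections (manual NAT, auto/object NAT, manual NAT with after-auto) and lists the rules that would be evaluated after a catch-all "source dynamic any interface" rule. The sample config, the object names (WEB-SRV, LAN, VPN-POOL) and the function names are constructed for illustration.

```python
import re

# Constructed running-config excerpt (not from the thread); object names are placeholders.
SAMPLE_CONFIG = """\
object network WEB-SRV
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static LAN LAN destination static VPN-POOL VPN-POOL
"""

NAT_RE = re.compile(r"^(\s*)nat \((\S+?),(\S+?)\)\s+(.*)$")

def parse_nat_rules(config):
    """Return each nat line with the ASA NAT section (1, 2 or 3) it is evaluated in."""
    rules = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = NAT_RE.match(line)
        if not m:
            continue
        indent, real_if, mapped_if, rest = m.groups()
        tokens = rest.split()
        # Indented under "object network" = auto NAT (2); after-auto = 3; else manual NAT (1).
        section = 2 if indent else 3 if "after-auto" in tokens else 1
        rules.append({"line": lineno, "section": section, "tokens": tokens,
                      "ifaces": (real_if, mapped_if), "text": line.strip()})
    return rules

def is_catch_all_pat(rule):
    """True for 'source dynamic any interface', with or without after-auto."""
    core = [t for t in rule["tokens"] if t != "after-auto" and not t.isdigit()]
    return core == ["source", "dynamic", "any", "interface"]

def rules_behind_catch_all(config):
    """List (catch_all, later_rules) pairs; only section and config order are modelled."""
    ordered = sorted(parse_nat_rules(config), key=lambda r: (r["section"], r["line"]))
    findings = []
    for i, rule in enumerate(ordered):
        if is_catch_all_pat(rule):
            later = [r["text"] for r in ordered[i + 1:] if r["ifaces"] == rule["ifaces"]]
            if later:
                findings.append((rule["text"], later))
    return findings

if __name__ == "__main__":
    for catch_all, later in rules_behind_catch_all(SAMPLE_CONFIG):
        print(f"{catch_all!r} is evaluated before: {later}")
```

With the after-auto keyword added to the catch-all rule in the sample, the function returns an empty list, because the rule then sorts into section 3 behind every other rule.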

Best Regards

Mahesh

Hi Everyone,

I have the same problem of configuring PAT on the new Cisco firewall, so in addition to the ASA1(config)# nat (inside,outside) source dynamic any interface command, is any ACL statement required to allow the inside network?

Best Regards!

Yes. An interface of higher security level (inside) is allowed to go out an interface of lower security level (outside), but not vice versa. You must apply an ACL allowing the traffic you want to allow in on the outside interface.