NAT options and when to use them

dbakopanos · ‎10-19-2016

Good day,

I was hoping that something would provide some insight into Cisco NAT to help clear the air. Now there are a bunch of new NAT options that we have available since 8.3 and above. now can anyone explain how and when we use the following NAT statements; is there a difference in referencing the object once or twice in the source and destination fields.

1 - nat (inside,hr) source dynamic obj-src interface destination static obj-dst obj-dst

2 - nat (inside,hr) source static obj-src interface destination static obj-dst obj-dst

3 - nat (inside,hr) source static obj-src obj-src destination static obj-dst obj-dst

4 - nat (inside,hr) source static obj-src obj-src destination static obj-dst obj-dst

5 - nat (inside,hr) source static obj-src destination static obj-dst

why use after-auto ?

6 - nat (Inside,outside) after-auto source dynamic OBJECT-GROUP-NAME interface

miras · ‎10-19-2016

NATs are grouped on three different sections, Section1, Section2, and Section3. The NAT rules get checked in that order, from 1 to 3.

Section1 -> Policy/Twice NAT

Section2 -> Auto NAT

Section3 -> Policy/Twice NAT and this is the same as Section1, but is after auto NAT.

Now if you want a Policy/Twice NAT to be checked after the 'auto NAT', then you have to specify after-auto so that NAT rule is checked after 'Auto NAT'