We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is Why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You've Ever Spent on Your Cisco Career!
  • Full Access to our 537 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)


323 New Members signed up the last 30 days!


100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!


Notable Replies

  1. Hello,

    I do not understand the difference of the object nat and the regular nat, can you explain that to me?

  2. Rene

    I was not able to ping between interfaces after adding the policy map on a ASA 5505

    1    inside                           up        Et0/0, Et0/3, Et0/4, Et0/5
    Et0/6, Et0/7
    2    outside                          up        Et0/1
    3    DMZ                              up        Et0/2

    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    message-length maximum client auto
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
    service-policy global_policy global
  3. Hi Donald,

    Try the "packet-tracer" command from the CLI, it will show you why it is dropping the packet.


  4. Hi Rene,
    What is the difference or when do you use one or the other? on this example I am using PAT with a dynamic ip address on the outside interface.

    nat (INSIDE,OUTSIDE) dynamic interface


    nat (INSIDE,OUTSIDE) after-auto 1 source dynamic any interface.

    Please advise

  5. Hi Alfredo,

    The ASA (since 8.3) has different NAT "sections":

    • 1:Manual

    • 2: Auto

    • 3: "after auto" Manual
    • The ASA will first process NAT rules in section 1, then 2 and finally 3.

      Here's an example of manual NAT:

    ASA(config)# object network INTERNAL_SERVER
    ASA(config-network-object)# host
    ASA(config)# object network PUBLIC_IP
    ASA(config-network-object)# host
    ASA(config)# nat (INSIDE,OUTSIDE) source static INTERNAL_SERVER PUBLIC_IP

    The NAT rule has been configured globally, this section 1 rule is preferred over 2 and 3.

    Here's an example for Auto NAT:

    ASA(config)# object network LAN
    ASA(config-network-object)# subnet
    ASA(config-network-object)# nat (INSIDE,OUTSIDE) static PUBLIC_IP

    Above we configured NAT in the network object, this is a section 2 rule.

    Last but not least, we have your rule:

    ASA(config)# nat (INSIDE,OUTSIDE) after-auto 1 source dynamic any interface

    This section 3 rule will be processed after 1 and 2.

    The rule above is a general rule to translate all source addresses on the inside to the IP address of your outside interface. It might be a good idea to process this NAT rule last since it allows you to put more specific NAT rules in section 1 or 2.

    Both options will get you the same result (if you don't have any other NAT rules). The first one is processed in section 2, the other one in section 3.

    Hope this helps.


Continue the discussion forum.networklessons.com

12 more replies