Just a question on after-auto NAT, as I do not get its purpose. What is the purpose of that line if its format is just the same as manual NAT?
If I have a configuration like this:
object network spoke_site_a
subnet 192.168.0.0 255.255.255.0
nat (inside,outside) source static any any destination static spoke_site_a spoke_site_a
From what I read, the configuration I did above is called manual NAT. Assuming all inside hosts are within the 10.0.0.0/8 network, if the destination is 192.168.0.0/24, no translation will take place. I think this is something like nat (inside) 0 acl123 prior to 8.3 and can be useful for VPN setup.
But if I do something like this next (I read this one is called object NAT):
object network inside_net
subnet 10.0.0.0 255.0.0.0
nat (inside,outside) dynamic interface
All traffic from 10.0.0.0/8 network will be translated to the outside interface IP address. Let's say this is towards the internet.
But isn't it the same if I configure something like this?
nat (inside,outside) after-auto source dynamic any interface
I can also put this below the first manual NAT and achieve the same result.
nat (inside,outside) 2 source dynamic any interface
It appeared to me that object NAT is the method to use if you are not to think of the destination network but just want to do a translation based on the source subnet/network plus the exit interface of the firewall. And it would of course be easier to add entries in manual NAT without having to worry about the sequence number.
If that's the case, then what's a good reason to use the after-auto command?
To be honest I have not read completely what Cisco's intentions were with all these sections, but I have partially used the sections to separate different types of NAT even though I could use pretty much any section for some types of NAT configurations.
With regards to Section 3 Manual NAT (after-auto), I tend to use it for the basic dynamic PAT configurations to which users should fall if they have absolutely no other NAT configuration that applies to them. It seems to me to be a natural place to put these types of NAT configurations.
Section 2 Auto NAT I personally use for Static NAT and Static PAT purposes only.
Section 1 Manual NAT I use for NAT0 / NAT Exempt type NAT configurations or any special type of NAT configurations that you could consider Policy NAT/PAT.
By utilizing each section of the new NAT format, I find that configuring the ASA through the CLI is a lot easier and clearer when you have set a purpose for each section and utilize all of them. Instead of following what I have mentioned above, you might be using only Section 1 Manual NAT and end up with a long continuous list of NAT configurations whose purpose you know nothing about at first glance.
So as you have said yourself, you can do the same NAT configuration in multiple different ways and achieve the same things. I just find dividing certain types of NAT configurations into their own sections the best solution to keep the configuration clear and avoid situations where the order of NAT rules inside one section becomes too much of a chore to handle.
I have written a document about the new NAT configuration format here on the CSC if you want to take a look. I still have to add a lot more to it. As I have said multiple times to others, I am just waiting for the next time I get some inspiration.
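The point both posts turn on is lookup order: the ASA walks Section 1 (manual NAT, in configuration order), then Section 2 (object NAT, ordered by the ASA itself), then Section 3 (manual NAT entered with after-auto), and the first matching rule wins. The script below is an added example written for this thread, not code from Cisco or from either poster; it models that order in a simplified way so you can see why an identity (NAT-exempt) rule in Section 1 plus a catch-all PAT in Section 3 behaves differently from the same two lines placed in Section 1 in the wrong order. The outside interface address 203.0.113.1 and the host addresses are constructed test values, and the Section 2 ordering key is a simplification of the ASA's documented object-NAT ordering (static before dynamic, longest prefix first, then lowest address, then object name).

```python
"""Simplified model of ASA NAT section lookup order (added example, not Cisco code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed outside interface address used for 'dynamic interface' PAT.
OUTSIDE_INTERFACE_IP = "203.0.113.1"


@dataclass
class NatRule:
    name: str
    section: int        # 1 = manual NAT, 2 = object NAT, 3 = manual NAT after-auto
    seq: int            # line position inside a manual NAT section (unused for section 2)
    src: str            # original source network; "any" means 0.0.0.0/0
    dst: str            # destination network; "any" means 0.0.0.0/0
    action: str         # "identity" (no translation) or "pat-interface"
    static: bool = False


def _contains(network: str, addr: str) -> bool:
    net = ip_network("0.0.0.0/0" if network == "any" else network, strict=False)
    return ip_address(addr) in net


def _order_key(rule: NatRule):
    """Sections 1 and 3 keep configuration order; section 2 is ordered by the ASA."""
    if rule.section != 2:
        return (rule.section, rule.seq, 0, 0, rule.name)
    net = ip_network(rule.src, strict=False)
    return (2, 0 if rule.static else 1, -net.prefixlen, int(net.network_address), rule.name)


def first_match(rules, src: str, dst: str):
    """Return the first rule, in section order, whose source and destination match."""
    for rule in sorted(rules, key=_order_key):
        if _contains(rule.src, src) and _contains(rule.dst, dst):
            return rule
    return None


def translated_source(rules, src: str, dst: str) -> str:
    """Source address seen on the outside after NAT (unchanged if exempt or unmatched)."""
    rule = first_match(rules, src, dst)
    if rule is None or rule.action == "identity":
        return src
    return OUTSIDE_INTERFACE_IP


# Layout discussed in the thread: NAT exempt in Section 1, dynamic PAT via after-auto.
AFTER_AUTO_LAYOUT = [
    NatRule("vpn-exempt", 1, 1, "any", "192.168.0.0/24", "identity", static=True),
    NatRule("internet-pat", 3, 1, "any", "any", "pat-interface"),
]

# Same two rules, both in Section 1, with the catch-all PAT entered first:
# the PAT line shadows the exempt rule, which is the sequence-number problem.
MISORDERED_LAYOUT = [
    NatRule("internet-pat", 1, 1, "any", "any", "pat-interface"),
    NatRule("vpn-exempt", 1, 2, "any", "192.168.0.0/24", "identity", static=True),
]

# Object NAT variant from the question: inside_net lives in Section 2.
OBJECT_NAT_LAYOUT = [
    NatRule("vpn-exempt", 1, 1, "any", "192.168.0.0/24", "identity", static=True),
    NatRule("inside_net", 2, 0, "10.0.0.0/8", "any", "pat-interface"),
]


def demo():
    """Translated source for a VPN peer and an internet host under each layout."""
    host, vpn_peer, web = "10.1.2.3", "192.168.0.10", "198.51.100.7"  # constructed
    layouts = {
        "after-auto": AFTER_AUTO_LAYOUT,
        "misordered": MISORDERED_LAYOUT,
        "object-nat": OBJECT_NAT_LAYOUT,
    }
    return {name: (translated_source(r, host, vpn_peer), translated_source(r, host, web))
            for name, r in layouts.items()}


if __name__ == "__main__":
    for name, (to_vpn, to_web) in demo().items():
        print(f"{name:10s} to VPN peer -> {to_vpn:12s} to internet -> {to_web}")
```

The after-auto and object-NAT layouts give the same answer for both destinations, which matches the observation in the question; the misordered layout shows what you avoid by parking the catch-all PAT in Section 3 instead of managing its line number against every exempt rule in Section 1.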