Cisco Support Community
New Member

difference between nat

Newbie question....

What is the difference between these two NAT commands (ASA v8.3)?

nat (inside,outside) source static 10.10.10.5 88.234.23.2

object network obj-10.10.10.5
nat (inside,outside) static 88.234.23.2

The first is a NAT rule and the second is a network-object NAT rule, right? And what is the big difference?

Accepted Solutions
Cisco Employee

Re: difference between nat

nat (inside,outside) source static 10.10.10.5 88.234.23.2  ---------> manual nat - processed before auto nat

object network obj-10.10.10.5
nat (inside,outside) static 88.234.23.2  -------------> auto nat

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/nat_overview.html

Check NAT Rule Order in the above link.

You can find some samples here: https://supportforums.cisco.com/docs/DOC-9129

-KS

New Member

Re: difference between nat

And when would you prefer manual NAT and when auto NAT? At the moment for me it's the same *confused*

Cisco Employee

Re: difference between nat

Say for example you have inside n/w 192.168.2.0/24 that you want to talk to 192.168.1.0 on the other side of the tunnel.

You have auto nat configured for any in the 192.168.2.0/24 to go to the internet.

Now, when the remote end tries to connect to your end, your response may look like the interface address and go out to the internet and not across the tunnel. In this case you need a manual nat to identity translate 192.168.2.0 to look like itself when it goes to talk to 192.168.1.0.

Does it make sense? There are other occasions too when you can't remove the auto nat but you want another translation to take effect before that - then go with manual nat.

-KS
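
The scenario from the reply above, written out as ASA 8.3 configuration. This is an added example, not part of the original thread; the object names, the /24 mask on the remote network, the use of interface PAT for internet traffic and the sample addresses in the checks are assumptions.

```cisco
! Auto NAT (section 2): inside hosts are PATed to the outside interface
! address for internet-bound traffic.
object network obj-inside-pat
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Objects referenced by the manual rule (names are assumptions).
object network obj-local-lan
 subnet 192.168.2.0 255.255.255.0
object network obj-remote-lan
 subnet 192.168.1.0 255.255.255.0
!
! Manual NAT (section 1), evaluated before the auto NAT rule above:
! identity-translate 192.168.2.0/24 to itself only when the destination
! is 192.168.1.0/24, so tunnel traffic keeps its real source address.
nat (inside,outside) source static obj-local-lan obj-local-lan destination static obj-remote-lan obj-remote-lan
!
! Checks to run from privileged EXEC after applying the configuration:
!   show nat
!     (the identity rule should appear under Section 1, the PAT rule
!      under Section 2)
!   packet-tracer input inside tcp 192.168.2.10 12345 192.168.1.10 80
!     (the NAT phase should match the identity rule, not the PAT rule)
```

Without the manual rule, traffic from 192.168.2.0/24 to 192.168.1.0/24 matches the PAT rule, leaves with the interface address as its source, and no longer matches the tunnel's interesting-traffic definition.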
