
New Member

Upgrading to 9.1: Source NAT migration


We are migrating to 9.1 and need to update our NAT config. I'm a bit confused about how to do source NATing in 8.3+.


Our current setup translates the source IP to the inside interface address of the ASA:

global (inside) 2
nat (outside) 2 outside
nat (outside) 0 access-list 21

access-list 21 extended deny ip any host
access-list 21 extended permit ip any any



I've been at this for a while. Any thoughts?

Super Bronze

So the above NAT configuration basically has a Dynamic PAT from "outside" to "inside", and it also has a NAT0 configuration for all traffic from "outside" to any other destination subnet/interface, though it does have a line that prevents NAT0 when the destination IP address for a connection is


I guess in your situation you would be fine with just a single NAT configuration in the new software. You would configure a type of Dynamic Policy PAT configuration where the Dynamic PAT translation would be performed from "outside" to "inside" only if the destination IP address is


For example:

object network SERVER
nat (outside,inside) after-auto 1 source dynamic any interface destination static SERVER SERVER


The above configuration would match traffic coming from behind "outside" interface from "any" source address and destined to destination address "SERVER" and the source address would be translated to the "interface" IP address which in this case is the IP address of the "inside" interface. You could use a different IP address and in that case you would configure an additional "object" and configure the IP address under that object and use that object in the "nat" configuration instead of the parameter "interface".


Any traffic that did not match the above NAT configuration would go through the firewall (if allowed by all the other configurations) without any NAT, so you don't really require a NAT0 configuration in this case.


Hope I made any sense and hope it helps :)


- Jouni
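The behaviour Jouni describes for the after-auto rule, written up as an added example (not code from the thread or from Cisco): a toy evaluator that parses the suggested nat line and shows which flows get their source PATed to the inside interface address and which pass untranslated. The interface and SERVER addresses are constructed placeholders, since the thread elides the real values.

```python
"""Toy evaluator for the ASA 8.3+ twice-NAT line proposed in the reply.
Added example, not Cisco code. Constructed addresses (the thread elides the
real ones): inside interface 10.0.0.1, outside 203.0.113.1, SERVER 10.0.0.50."""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

INTERFACES = {"inside": IPv4Address("10.0.0.1"), "outside": IPv4Address("203.0.113.1")}
OBJECTS = {"SERVER": IPv4Network("10.0.0.50/32")}

# Jouni's line. "destination static SERVER SERVER" is an identity mapping: it
# only restricts which destinations the source PAT applies to.
PAGE_NAT_LINE = ("nat (outside,inside) after-auto 1 source dynamic any "
                 "interface destination static SERVER SERVER")
NAT_RE = re.compile(
    r"nat \((?P<real>\w+),(?P<mapped>\w+)\) (?P<after>after-auto )?\d+ source dynamic "
    r"(?P<src>\S+) interface destination static (?P<d1>\S+) (?P<d2>\S+)$")

@dataclass(frozen=True)
class TwiceNat:
    real_if: str                     # ingress interface the rule matches on
    mapped_if: str                   # egress interface; "interface" = its address
    real_src: Optional[IPv4Network]  # None means "any"
    dst_obj: str                     # destination object (identity mapping)
    after_auto: bool                 # Section 3 rule, evaluated after object NAT

def parse_nat(line: str) -> TwiceNat:
    """Parse the single dynamic-PAT-with-destination form used on this page."""
    m = NAT_RE.match(line.strip())
    if not m or m["d1"] != m["d2"]:
        raise ValueError("unsupported NAT syntax: " + line)
    src = None if m["src"] == "any" else OBJECTS[m["src"]]
    return TwiceNat(m["real"], m["mapped"], src, m["d1"], bool(m["after"]))

RULES = [parse_nat(PAGE_NAT_LINE)]

def translate(ingress: str, src: str, dst: str):
    """Return (mapped_src, mapped_dst). No matching rule means the packet is
    forwarded untranslated, which is why 8.3+ needs no NAT0 exemption here."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for rule in sorted(RULES, key=lambda r: r.after_auto):  # Section 1 before 3
        if (ingress == rule.real_if and d in OBJECTS[rule.dst_obj]
                and (rule.real_src is None or s in rule.real_src)):
            return str(INTERFACES[rule.mapped_if]), dst  # PAT to inside address
    return src, dst
```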