Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

NAT explanation

Hi Guys

need some help what does the follwoing means its been taken from ASA what does 2 and 5 and 4 means how its toed to interfaces can someone explain

global (External) 2 X.X.X.X

global (External) 3

global (External) 5

global (Internal) 4

nat (External) 4 access-list ABC outside

nat (Internal) 0 access-list nonat-out-in

nat (Internal) 2 access-list VPN-NAT-Source

nat (Internal) 3 access-list VVC_nat

nat (Internal) 5 access-list GTT-out

Everyone's tags (1)
Cisco Employee

Re: NAT explanation


I think there are two interfaces on the ASA named as External and internal.

The nat 2 and 5 corresponds to the traffic that originated from hosts behind the internal interface and are destined for the external interface.

An access list has been applied to the internal interface which specifies the source and a destination and an external command is applied with the same number. For ex,

nat (Internal) 5 access-list GTT-out

global (External) 5

Lets says that the access-list GTT-out is:

access-list GTT-out permit ip

Now if this is the configuration, then the host behind the ASA ( when they go to will get natted to

To get exactly what these commands are doing, we need to go through the show run configuration of the ASA.

To understand it more deeply, please go through the link:

Let me know if this helps.


Vishnu Sharma

New Member

Re: NAT explanation

Hi Vishnu

Thanks and very good explanation i need to know one more thing what does

nat (Internal) 0 access-list nonat-out-in means in above....secondly my understanding is that number of rules shd match number of rules for out side....for example 2 to 5 are there in global but there are not same in nat....thirdly what is teh difference between global and nat last question is what is nat-control and if you put this command do i have to do nat for all subnets or??? thanks again