NAT (Global Config)

nat (inside,outside) dynamic interface

Configures dynamic NAT to translate inside source addresses to the outside interface IP address.

Overview

The 'nat (inside,outside) dynamic interface' command configures dynamic Network Address Translation (NAT) on a Cisco ASA firewall. It translates source IP addresses of packets coming from the 'inside' interface to the IP address of the 'outside' interface when they exit the firewall. This is commonly used to allow internal hosts with private IP addresses to access the internet using the firewall's public IP. The command creates a dynamic translation entry in the NAT table, which is created on demand when traffic matches the rule. The translation is temporary and times out after a period of inactivity (default 30 seconds for TCP, 1 minute for UDP). This command is essential for small to medium networks where a single public IP is shared among multiple internal hosts. It fits into troubleshooting workflows by verifying that outbound traffic is being translated correctly; issues often manifest as no internet access for internal hosts. The ASA supports multiple NAT types, but dynamic interface NAT is the simplest form of Port Address Translation (PAT).
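The mechanism the overview describes, one public address shared by many inside hosts with entries created on demand and dropped after an idle period, modelled in Python as an added example. This is not code from the page or from Cisco; it is a toy model whose outside IP, inside network and port-allocation rule are assumptions stated in the comments, and the idle timeouts are the defaults the page gives.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: the outside interface IP and inside network follow the
# page's topology; the idle timeouts are the defaults the page states
# (30 s TCP, 1 min UDP). None of this is ASA code.
OUTSIDE_IP = "203.0.113.1"
INSIDE_NET = "192.168.1.0/24"
IDLE_TIMEOUT = {"tcp": 30, "udp": 60}   # seconds


@dataclass
class Xlate:
    """One dynamic translation entry, created on demand, kept while in use."""
    proto: str
    real_ip: str
    real_port: int
    mapped_port: int
    last_seen: float


class InterfacePAT:
    """Toy model of 'nat (inside,outside) dynamic interface' (PAT).

    Every inside source is rewritten to the single outside interface IP; the
    mapped port is what lets replies be steered back to the right inside host.
    Assumption of this model (not a statement about ASA's allocator): the
    original source port is kept when free, otherwise a fresh port is taken
    from a counter starting at 1024.
    """

    def __init__(self, outside_ip=OUTSIDE_IP, inside_net=INSIDE_NET,
                 timeouts=IDLE_TIMEOUT):
        self.outside_ip = outside_ip
        self.inside_net = ipaddress.ip_network(inside_net)
        self.timeouts = dict(timeouts)
        self.table = {}      # (proto, real_ip, real_port) -> Xlate
        self.reverse = {}    # (proto, mapped_port) -> key into self.table
        self.next_port = 1024

    def _expire(self, now):
        """Remove entries idle longer than the per-protocol timeout."""
        for key, x in list(self.table.items()):
            if now - x.last_seen > self.timeouts[x.proto]:
                del self.table[key]
                del self.reverse[(x.proto, x.mapped_port)]

    def _alloc(self, proto):
        """Hand out the next mapped port not already in use for this protocol."""
        while (proto, self.next_port) in self.reverse:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, proto, src_ip, src_port, now):
        """Translate an inside->outside packet; returns (mapped_ip, mapped_port),
        or None when the source is outside the rule's real network (no xlate)."""
        self._expire(now)
        if ipaddress.ip_address(src_ip) not in self.inside_net:
            return None
        key = (proto, src_ip, src_port)
        x = self.table.get(key)
        if x is None:
            free = (proto, src_port) not in self.reverse
            mapped = src_port if free else self._alloc(proto)
            x = Xlate(proto, src_ip, src_port, mapped, now)
            self.table[key] = x
            self.reverse[(proto, mapped)] = key
        x.last_seen = now
        return self.outside_ip, x.mapped_port

    def inbound(self, proto, dst_port, now):
        """Untranslate a reply hitting the outside IP; returns (real_ip, real_port),
        or None when no live translation exists (the reply would be dropped)."""
        self._expire(now)
        key = self.reverse.get((proto, dst_port))
        if key is None:
            return None
        x = self.table[key]
        x.last_seen = now
        return x.real_ip, x.real_port


def demo():
    """Two inside hosts using the same source port, a reply, and an expired entry."""
    pat = InterfacePAT()
    a = pat.outbound("tcp", "192.168.1.100", 12345, now=0)    # keeps port 12345
    b = pat.outbound("tcp", "192.168.1.101", 12345, now=1)    # collides: gets 1024
    reply = pat.inbound("tcp", b[1], now=2)                   # back to .101:12345
    late = pat.inbound("tcp", a[1], now=40)                   # idle > 30 s: gone
    return a, b, reply, late


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three things the overview states: both hosts leave with the same mapped address 203.0.113.1 and are told apart only by mapped port, a reply to a mapped port is steered back to the inside host that opened it, and an entry that has been idle longer than its timeout is gone, so a late reply has nothing to match and is dropped. A source outside 192.168.1.0/24 gets no translation at all, which is the "traffic not matching the rule" case the troubleshooting section later describes.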

Syntax (Global Config)
nat (real_ifc,mapped_ifc) dynamic interface [dns] [norandomseq] [timeout <seconds>] [backup] [description <text>]

When to Use This Command

  • Allowing internal hosts to access the internet using the firewall's outside interface IP.
  • Hiding internal private IP addresses behind a single public IP.
  • Enabling outbound connectivity for a small office with a single public IP.
  • Providing internet access to internal servers without public IPs.

Parameters

Parameter     Syntax          Description
real_ifc      interface_name  The name of the real (inside) interface where traffic originates. Typically 'inside'.
mapped_ifc    interface_name  The name of the mapped (outside) interface where traffic exits. Typically 'outside'.
dynamic       keyword         Specifies that this is a dynamic NAT rule, creating translations on demand.
interface     keyword         Indicates that the translated address is the IP address of the mapped interface.
dns           keyword         Enables DNS rewrite so that DNS replies with the mapped IP are translated back to the real IP.
norandomseq   keyword         Disables random TCP sequence number generation for this NAT rule.
timeout       seconds         Specifies the timeout in seconds for idle translations (default 30 for TCP, 1 for UDP).
backup        keyword         Marks this NAT rule as a backup rule, used only if primary rules fail.
description   text            Adds a description to the NAT rule for documentation purposes.

Command Examples

Basic Dynamic NAT to Outside Interface

nat (inside,outside) dynamic interface

No output is generated on successful configuration. Use 'show nat' to verify.

Dynamic NAT with DNS Rewrite

nat (inside,outside) dynamic interface dns

Enables DNS rewrite so that internal DNS replies with the mapped IP are translated back to the real IP.

Understanding the Output

The 'show nat' command displays the configured NAT rules. Key fields: 'match' shows the real interface and source IP; 'dynamic translation' shows the mapped interface and IP ('interface' means the outside interface IP); 'hitcnt' shows the number of translations; 'id' is the NAT rule ID. Healthy values: hitcnt increments as traffic flows. Problem: a hitcnt of zero indicates that no traffic is matching the rule.

Configuration Scenarios

Basic Internet Access for Internal Network

A small office with a single public IP on the outside interface. Internal hosts (192.168.1.0/24) need internet access.

Topology

Internet --- [Outside: 203.0.113.1] ASA [Inside: 192.168.1.1] --- Internal Hosts (192.168.1.0/24)

Steps

  1. Configure interface IPs and security levels.
  2. Configure the NAT rule: nat (inside,outside) dynamic interface
  3. Configure an ACL to permit outbound traffic if needed (or use global policy).

Configuration

! Basic configuration
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
nat (inside,outside) dynamic interface

Verify: Use 'show nat' to see the NAT rule. Use 'show xlate' to see active translations. Ping an external IP from an internal host and verify translation.

Watch out: Ensure that the inside interface has a security level higher than outside (default 100 vs 0) to allow outbound traffic without ACL.

Troubleshooting with This Command

When troubleshooting dynamic NAT to interface, start by verifying the NAT rule exists with 'show nat'. Check that the rule is not being overridden by a more specific rule (NAT rules are processed in order). Use 'show xlate' to see active translations; if no translations appear for expected traffic, the traffic may not be matching the rule. Ensure the source IP of the traffic is in the range that the NAT rule applies to (if a network object is used, verify the object). Check that the mapped interface has an IP address; if the interface is down or has no IP, translations will fail. Use 'packet-tracer' to simulate traffic and see if NAT is applied. For example: 'packet-tracer input inside tcp 192.168.1.100 12345 8.8.8.8 80 detailed'. Look for the NAT phase; if it says 'no translation', the rule may not match. Also verify that the interface security levels allow the traffic; by default, outbound traffic from higher to lower security is allowed. If using ACLs, ensure an ACL permits the traffic. Common issues: forgetting to configure the outside interface IP, or using the wrong interface names.
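The 'show xlate' check from the paragraph above, turned into a small Python checker as an added example (not code from the page or from Cisco). It parses the per-entry lines and reports which expected inside hosts have no live translation, which entries were mapped to something other than the outside interface IP (a sign that a more specific rule matched first), and which entries are about to idle out. The sample output is constructed, modelled on the line format of 'show xlate' for PAT entries on ASA 8.3+, and the addresses follow the page's topology; the 90% near-expiry threshold is an arbitrary choice of this example.

```python
import ipaddress
import re

# Constructed sample, modelled on the line format of 'show xlate' on ASA 8.3+
# for PAT entries; it is not output captured from a real device. The addresses
# match the page's topology (inside 192.168.1.0/24, outside 203.0.113.1).
SAMPLE_SHOW_XLATE = """\
2 in use, 7 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
TCP PAT from inside:192.168.1.100/52144 to outside:203.0.113.1/52144 flags ri idle 0:00:04 timeout 0:00:30
UDP PAT from inside:192.168.1.101/40001 to outside:203.0.113.1/40001 flags ri idle 0:00:55 timeout 0:01:00
"""

# One PAT entry line: protocol, real ifc:ip/port, mapped ifc:ip/port, flags, idle, timeout.
XLATE_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP) PAT from (?P<real_ifc>\w+):(?P<real_ip>[\d.]+)/(?P<real_port>\d+) "
    r"to (?P<mapped_ifc>\w+):(?P<mapped_ip>[\d.]+)/(?P<mapped_port>\d+) "
    r"flags (?P<flags>\S+) idle (?P<idle>\d+:\d+:\d+) timeout (?P<timeout>\d+:\d+:\d+)$"
)


def hms_to_seconds(hms):
    """'0:01:00' -> 60."""
    h, m, s = (int(part) for part in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_show_xlate(text):
    """Return one dict per PAT entry; the header and flag-legend lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = XLATE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["idle_s"] = hms_to_seconds(e["idle"])
            e["timeout_s"] = hms_to_seconds(e["timeout"])
            entries.append(e)
    return entries


def check_xlates(entries, expected_hosts, inside_net, outside_ip, near=0.9):
    """Summarise what the troubleshooting steps on the page look for:
    expected inside hosts with no live translation at all, entries whose
    mapped address is not the outside interface IP (another rule matched
    first), and entries about to time out (idle >= `near` of their timeout)."""
    net = ipaddress.ip_network(inside_net)
    seen = {e["real_ip"] for e in entries
            if ipaddress.ip_address(e["real_ip"]) in net}
    return {
        "hosts_with_xlate": sorted(seen),
        "hosts_without_xlate": sorted(set(expected_hosts) - seen),
        "not_interface_ip": [e["real_ip"] for e in entries
                             if e["mapped_ip"] != outside_ip],
        "near_expiry": [f'{e["proto"]} {e["real_ip"]}/{e["real_port"]}'
                        for e in entries
                        if e["idle_s"] >= near * e["timeout_s"]],
    }


def demo():
    """Run the checker over the constructed sample; .102 is expected but absent."""
    entries = parse_show_xlate(SAMPLE_SHOW_XLATE)
    return check_xlates(entries,
                        expected_hosts=["192.168.1.100", "192.168.1.102"],
                        inside_net="192.168.1.0/24",
                        outside_ip="203.0.113.1")


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice you would paste the real 'show xlate' output into `parse_show_xlate` and list the inside hosts that should be talking; a host in `hosts_without_xlate` is the cue to run 'packet-tracer' from that source, exactly as the paragraph above describes, and a non-empty `not_interface_ip` list points at rule ordering rather than at this rule.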

CCNA Exam Tips

  1. Remember that 'dynamic interface' uses the IP of the mapped interface as the translated address.
  2. The 'dns' keyword is important for scenarios where internal servers are accessed by name from outside.
  3. Understand that 'nat' commands are processed in order; the first match wins.

Common Mistakes

  • Forgetting to specify the correct interface names (e.g., inside, outside).
  • Omitting the 'dynamic' keyword, which would create a static NAT instead.
  • Not considering that the 'interface' keyword requires the mapped interface to have a routable IP.

Platform Notes

On Cisco ASA, the 'nat' command syntax differs from IOS. In IOS, dynamic NAT is configured with 'ip nat inside source list <acl> interface <interface> overload'. The ASA uses interface pairs and the 'dynamic interface' keyword. ASA also supports object-based NAT with 'nat (real,mapped) dynamic interface' inside a network object. The ASA's NAT is more flexible but can be confusing. In ASA version 8.3+, the NAT configuration changed significantly; the command shown is for 8.3+ code. For older versions, the command was 'nat (inside) 1 0 0' and 'global (outside) 1 interface'. Always check the ASA version. The 'dns' keyword is specific to ASA and not available in IOS. The 'timeout' parameter allows tuning translation idle timeouts, which is not directly available in IOS dynamic NAT.
