nat (inside,outside) dynamic interface
Configures dynamic NAT to translate inside source addresses to the outside interface IP address.
Overview
The 'nat (inside,outside) dynamic interface' command configures dynamic Port Address Translation (PAT) on a Cisco ASA firewall running version 8.3 or later. Entered under a network object, it translates the source address of packets from that object that leave through the 'outside' interface to the IP address of the 'outside' interface, using the source port to keep the sessions apart. This is commonly used to let internal hosts with private addresses reach the internet through the firewall's single public IP. Translations are created on demand when traffic matches the rule and are recorded in the xlate table; a PAT translation is removed after its last connection closes plus a short hold-down (the 'timeout pat-xlate' default is 30 seconds), while the connections themselves age out under the 'timeout conn' and 'timeout udp' defaults of 1 hour and 2 minutes. The command is the workhorse for small and medium networks where one public IP is shared by many internal hosts. In troubleshooting it is the rule to verify when internal hosts lose internet access: a missing, shadowed or unmatched rule means no translation and therefore no return traffic. The ASA supports several NAT types (static, dynamic pool, PAT pool, identity), and dynamic interface PAT is the simplest of them.
Syntax (object NAT, entered under 'object network <name>' on ASA 8.3 and later):
nat (real_ifc,mapped_ifc) dynamic [mapped_obj | mapped_ip] [pat-pool mapped_obj [round-robin] [extended] [flat [include-reserve]] [block-allocation]] [interface [ipv6]] [dns]
Equivalent twice NAT form, entered in global configuration:
nat (real_ifc,mapped_ifc) [line | after-auto [line]] source dynamic {real_obj | any} interface [ipv6] [dns] [inactive] [description <text>]
When to Use This Command
- Allowing internal hosts to access the internet using the firewall's outside interface IP.
- Hiding internal private IP addresses behind a single public IP.
- Enabling outbound connectivity for a small office with a single public IP.
- Providing internet access to internal servers without public IPs.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| real_ifc | interface_name | The nameif of the interface where the traffic enters (the real side). Typically 'inside'. |
| mapped_ifc | interface_name | The nameif of the interface the traffic leaves through and whose address is used for the translation. Typically 'outside'. |
| dynamic | keyword | Creates translations on demand when traffic matches. The rule is unidirectional: outside hosts cannot initiate connections to the mapped address. |
| mapped_obj / mapped_ip | object or address | Optional pool of mapped addresses used one-to-one before falling back to the interface address. Omit it for plain interface PAT. |
| pat-pool mapped_obj | object | Optional pool of PAT addresses; with 'interface' appended, the interface address is used once the pool is exhausted. |
| interface | keyword | Use the IP address of mapped_ifc as the translated address (PAT). The interface must have an address; one assigned by DHCP or PPPoE is fine. |
| ipv6 | keyword | Use the IPv6 address of mapped_ifc instead of its IPv4 address. |
| dns | keyword | Rewrite the A record in DNS replies that match this rule so that the reply carries the real address. Cisco documents DNS rewrite as not applicable to PAT, so it does not rewrite replies for an interface PAT rule; use it with a dynamic NAT pool or a static rule. |
| inactive | keyword | Twice NAT only. Keep the rule in the configuration without applying it. |
| description | text | Twice NAT only. Free-text description of the rule for documentation purposes. |
Command Examples
Basic Dynamic NAT to Outside Interface
object network inside-net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
No output is generated on successful configuration. Use 'show nat' to verify; the rule appears under 'Auto NAT Policies (Section 2)'. 'inside-net' is a placeholder object name. The command belongs under a network object: a bare 'nat (inside,outside) dynamic interface' in global configuration is not accepted, because the global form is twice NAT and requires 'source dynamic <object> interface'.
Dynamic NAT with DNS Rewrite
object network inside-net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface dns
The 'dns' keyword asks the ASA to rewrite A records in DNS replies that match the rule, so an inside host that resolves the name of another inside host through an outside DNS server receives the real (inside) address instead of the mapped one. Cisco documents DNS rewrite as not applicable to PAT, because several PAT translations share one mapped address and the reply is ambiguous; on an interface PAT rule such as this one the keyword therefore does not rewrite replies. Use 'dns' on a dynamic NAT pool rule or on the static rule of the server being resolved.
Understanding the Output
On ASA 8.3 and later, 'show nat' lists the rules in the order the ASA evaluates them: 'Manual NAT Policies (Section 1)' for twice NAT, 'Auto NAT Policies (Section 2)' for object NAT, and 'Manual NAT Policies (Section 3)' for twice NAT entered with 'after-auto'. Each rule line shows the interface pair, the real object and the mapped address, for example '1 (inside) to (outside) source dynamic inside-net interface', followed by 'translate_hits' (packets translated in the real-to-mapped direction) and 'untranslate_hits' (the reverse direction); 'show nat detail' adds the expanded 'Origin' and 'Translated' address ranges. Healthy: translate_hits increments as inside hosts send traffic. Problem: translate_hits stays at zero, which means no traffic is matching the rule, either because the source address lies outside the object, because the traffic arrives on another interface, or because an earlier rule (Section 1, or a more specific object NAT rule in Section 2) is taking it first. The 'match ... / dynamic translation to pool' layout belongs to pre-8.3 'show nat' output, and a 'hitcnt' field is shown by 'show access-list', not by this command.
Configuration Scenarios
Basic Internet Access for Internal Network
A small office with a single public IP on the outside interface. Internal hosts (192.168.1.0/24) need internet access.
Topology
Internet --- [Outside: 203.0.113.1] ASA [Inside: 192.168.1.1] --- Internal Hosts (192.168.1.0/24)
Steps
1. Configure interface IPs and security levels, and a default route toward the ISP ('route outside 0.0.0.0 0.0.0.0 <next-hop>').
2. Define a network object for the internal subnet and add the NAT rule under it: nat (inside,outside) dynamic interface
3. Configure an ACL to permit outbound traffic only if one is applied to the inside interface; with no inbound ACL on 'inside', the higher security level allows the traffic by default.
! Basic configuration (ASA 8.3 and later)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
object network inside-net
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
Verify: 'show nat' should list the rule under Auto NAT Policies (Section 2); 'show xlate' shows active translations as 'TCP PAT from inside:192.168.1.x/port to outside:203.0.113.1/port'. Test from an inside host with a TCP connection (for example fetching a web page). A ping succeeds only if ICMP inspection is enabled ('inspect icmp' in the global policy) or an ACL on 'outside' permits the echo reply, because without inspection the reply is an unsolicited lower-to-higher security flow.
Watch out: Ensure that the inside interface has a security level higher than outside (default 100 vs 0) to allow outbound traffic without ACL.
Troubleshooting with This Command
When troubleshooting dynamic NAT to an interface, start by confirming the rule exists with 'show nat' and note which section it landed in: twice NAT rules in Section 1 are evaluated before object NAT rules in Section 2, and within Section 2 static rules come before dynamic ones and more specific objects before broader ones, so an earlier rule for the same traffic takes precedence even if it was configured later. Check 'translate_hits' on the rule; a counter that never increments means the traffic is not matching. Use 'show xlate' to see active translations (interface PAT entries read 'TCP PAT from inside:<real ip>/<port> to outside:<interface ip>/<port> flags ri') and 'show conn' to see the connections using them; if no translation appears for expected traffic, the source address is outside the network object, the traffic enters on a different interface, or an earlier rule claimed it. Make sure the mapped interface has an IP address; if it is down or unaddressed, translations cannot be built. Simulate the flow with 'packet-tracer', for example 'packet-tracer input inside tcp 192.168.1.100 12345 8.8.8.8 80 detailed', and look for a NAT phase that quotes your rule and reports 'Dynamic translate 192.168.1.100/12345 to <interface ip>/12345'; if no NAT phase appears, or it quotes a different rule, the match is the problem, and if a later phase reports DROP, the cause is routing, an ACL or inspection rather than NAT. Verify that interface security levels allow the traffic (higher to lower is permitted by default) and that any ACL applied to the inside interface permits it. If you changed the rule while connections were open, 'clear xlate' removes stale translations so that they do not mask the test, at the cost of dropping existing connections. Common causes: no IP address or no default route on the outside interface, wrong interface names in the nat command, and entering the command outside 'object network' configuration.
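The checks from the output and troubleshooting sections (rule present for the interface pair, which section it sits in, whether translate_hits moves, and whether the xlate entries really map to the interface address) can be scripted over saved CLI output. The following Python is an added example and not code from the page or from Cisco; it parses ASA 8.3+ 'show nat' and 'show xlate' output in the formats described above. The sample output is constructed by hand, and the object names (inside-net, dmz-net, partner-net) and addresses are assumptions.

```python
"""Audit ASA 8.3+ 'show nat' / 'show xlate' output for an interface PAT rule.

Added example, not code from the page or from Cisco. The CLI output below is
constructed by hand in the ASA 8.3+ format; object names and addresses are
assumptions chosen for the illustration.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed 'show nat' sample: one Section 1 (twice NAT) identity rule and
# two Section 2 (object NAT) dynamic interface rules, one of which is never hit.
SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static inside-net inside-net   destination static partner-net partner-net
    translate_hits = 42, untranslate_hits = 42

Auto NAT Policies (Section 2)
1 (inside) to (outside) source dynamic inside-net interface
    translate_hits = 1523, untranslate_hits = 0
2 (dmz) to (outside) source dynamic dmz-net interface
    translate_hits = 0, untranslate_hits = 0
"""

# Constructed 'show xlate' sample: two PAT entries built by the inside rule and
# one static identity entry, which is not a PAT entry and is skipped.
SHOW_XLATE = """\
3 in use, 12 most used
Flags: D - DNS, e - extended, I - identity, i - dynamic, r - portmap,
       s - static, T - twice, N - net-to-net
NAT from inside:192.168.1.0/24 to outside:192.168.1.0/24 flags sIT idle 0:00:15 timeout 0:00:00
TCP PAT from inside:192.168.1.100/49152 to outside:203.0.113.1/49152 flags ri idle 0:00:03 timeout 0:00:30
UDP PAT from inside:192.168.1.101/53222 to outside:203.0.113.1/53222 flags ri idle 0:00:10 timeout 0:00:30
"""

SECTION_RE = re.compile(r"\(Section (\d)\)")
RULE_RE = re.compile(r"^(?P<idx>\d+) \((?P<real>[^)]+)\) to \((?P<mapped>[^)]+)\) "
                     r"source (?P<kind>static|dynamic) (?P<spec>.+?)\s*$")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")
XLATE_RE = re.compile(r"^(?P<proto>TCP|UDP|ICMP) PAT from (?P<real_ifc>[^:]+):(?P<real_ip>[\d.]+)/(?P<real_port>\d+) "
                      r"to (?P<map_ifc>[^:]+):(?P<map_ip>[\d.]+)/(?P<map_port>\d+) flags (?P<flags>\S+)")


@dataclass
class NatRule:
    section: int
    index: int
    real_ifc: str
    mapped_ifc: str
    kind: str        # "static" or "dynamic"
    spec: str        # rest of the rule line: real object, mapped object/interface, ...
    translate_hits: int = 0
    untranslate_hits: int = 0

    def uses_interface_pat(self) -> bool:
        """True for 'dynamic <obj> interface' and 'dynamic <obj> pat-pool <obj> interface'."""
        tokens = self.spec.split()
        if "destination" in tokens:          # only inspect the source half of a twice NAT rule
            tokens = tokens[: tokens.index("destination")]
        return self.kind == "dynamic" and "interface" in tokens


def parse_show_nat(text: str) -> list[NatRule]:
    """Collect rules with their section number and hit counters."""
    rules, section, current = [], 0, None
    for line in text.splitlines():
        if m := SECTION_RE.search(line):
            section = int(m.group(1))
        elif m := RULE_RE.match(line):
            current = NatRule(section, int(m["idx"]), m["real"], m["mapped"], m["kind"], m["spec"])
            rules.append(current)
        elif (m := HITS_RE.search(line)) and current is not None:
            current.translate_hits, current.untranslate_hits = int(m[1]), int(m[2])
    return rules


def parse_show_xlate(text: str) -> list[dict]:
    """Return only the PAT entries; static/identity 'NAT from' lines are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := XLATE_RE.match(line))]


def audit(rules, xlates, real_ifc, mapped_ifc, mapped_ifc_ip) -> list[str]:
    """Apply the troubleshooting checks to parsed output for one interface pair."""
    findings = []
    pat_rules = [r for r in rules if (r.real_ifc, r.mapped_ifc) == (real_ifc, mapped_ifc) and r.uses_interface_pat()]
    if not pat_rules:
        findings.append(f"no 'dynamic ... interface' rule from {real_ifc} to {mapped_ifc}")
    for r in pat_rules:
        if r.translate_hits == 0:
            findings.append(f"section {r.section} rule {r.index} ({real_ifc}->{mapped_ifc}) has 0 translate_hits: nothing is matching it")
    for r in rules:  # Section 1 is evaluated before object NAT, so it can take traffic away from the PAT rule
        if r.section == 1 and (r.real_ifc, r.mapped_ifc) == (real_ifc, mapped_ifc):
            findings.append(f"section 1 rule {r.index} ('{r.spec}') is evaluated first; confirm it is meant to bypass PAT")
    for x in xlates:
        if (x["real_ifc"], x["map_ifc"]) == (real_ifc, mapped_ifc) and x["map_ip"] != mapped_ifc_ip:
            findings.append(f"{x['proto']} xlate for {x['real_ip']}/{x['real_port']} maps to {x['map_ip']}, not the {mapped_ifc} IP {mapped_ifc_ip}")
    return findings


if __name__ == "__main__":
    rules, xlates = parse_show_nat(SHOW_NAT), parse_show_xlate(SHOW_XLATE)
    for pair in (("inside", "outside"), ("dmz", "outside")):
        print(pair, audit(rules, xlates, *pair, "203.0.113.1") or ["ok"])
```

Paste the real output of 'show nat' and 'show xlate' into the two strings (or read them from files) and call audit() with the interface pair and the current outside address from 'show interface outside'; the dmz pair in the sample is the zero-hit case, and the inside pair only warns about the Section 1 rule that is evaluated ahead of the PAT rule.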
CCNA Exam Tips
Remember that 'dynamic interface' uses the IP of the mapped interface as the translated address.
The 'dns' keyword rewrites A records in DNS replies that match a NAT rule; it applies to dynamic NAT pools and static rules, and Cisco documents it as not applicable to PAT, so it does not help hosts behind an interface PAT rule.
Understand the evaluation order: twice NAT (Section 1) first, then object NAT (Section 2, ordered automatically with static before dynamic and more specific before less specific), then after-auto twice NAT (Section 3). The first matching rule wins, and only the Section 1 and Section 3 rules are matched in the order you entered them.
Common Mistakes
Forgetting to specify the correct interface names (e.g., inside, outside).
Using 'static' instead of 'dynamic', which creates a one-to-one bidirectional translation; omitting the keyword altogether is a syntax error, since object NAT requires either 'static' or 'dynamic'.
Not considering that 'interface' keyword requires the mapped interface to have a routable IP.
Platform Notes
On Cisco ASA the 'nat' command syntax differs from IOS. In IOS, the equivalent overload NAT is 'ip nat inside source list <acl> interface <interface> overload' together with 'ip nat inside' and 'ip nat outside' on the interfaces; the ASA uses interface pairs and the 'dynamic interface' keyword, and relies on security levels rather than inside/outside interface roles. The ASA supports both object NAT ('nat (real,mapped) dynamic interface' entered under a network object) and twice NAT ('nat (real,mapped) source dynamic <object> interface' in global configuration). The ASA model is more flexible but also more confusing, largely because the NAT configuration changed completely in version 8.3: the command shown here is the 8.3+ form, while 8.2 and earlier used 'nat (inside) 1 0 0' paired with 'global (outside) 1 interface', and the 'show nat' output differs accordingly. Always check the ASA version with 'show version'. The per-rule 'dns' keyword is an ASA feature; IOS rewrites addresses inside DNS payloads through its NAT application-layer gateway, which is enabled by default and controlled with 'ip nat service dns {tcp | udp}', rather than per rule. Translation idle timers are not set on the nat command on either platform: the ASA uses the global 'timeout xlate' and 'timeout pat-xlate' commands, while IOS uses 'ip nat translation timeout'.