nat (inside,outside) dynamic interface
Configures dynamic NAT to translate inside private IP addresses to the outside interface's IP address using Port Address Translation (PAT).
Overview
The 'nat (inside,outside) dynamic interface' command is a fundamental configuration on Cisco ASA firewalls for enabling Network Address Translation (NAT) overload, also known as Port Address Translation (PAT). This command allows multiple internal hosts with private IP addresses to share the public IP address assigned to the outside interface when accessing external networks. The underlying concept is that the ASA maintains a translation table (xlate) that maps each internal IP:port combination to a unique source port on the outside interface IP. This conserves public IP addresses and provides a basic level of security by hiding internal addressing.

This command is typically used in scenarios where an organization has a limited number of public IPs (often just one) and needs to provide internet access to many internal users. It is configured in global configuration mode and applies to traffic flowing from the specified real interface (inside) to the mapped interface (outside). The command is straightforward but must be combined with proper interface security levels and access rules to permit traffic.

In troubleshooting workflows, verifying this command involves checking that NAT rules are active with 'show nat' and that translations are being created with 'show xlate'. Common issues include missing ACLs to permit traffic, incorrect interface naming, or the outside interface not having a routable IP. Platform-specific behavior on ASA includes support for DNS rewrite (dns keyword) to fix DNS replies, and options like no-proxy-arp to disable proxy ARP for the mapped IP. This command is a staple in ASA configurations and is often one of the first NAT rules implemented.

nat (real_ifc,mapped_ifc) dynamic interface [ipv6] [dns] [no-proxy-arp] [route-lookup]

When to Use This Command
- Allowing internal hosts to access the internet using a single public IP address assigned to the outside interface.
- Hiding the internal private IP addressing scheme from external networks.
- Conserving public IP addresses by sharing one interface IP among multiple internal hosts via PAT.
- Providing internet access for a branch office with a single public IP address.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| real_ifc | interface_name | The name of the real (inside) interface where traffic originates. Must be configured on the ASA. |
| mapped_ifc | interface_name | The name of the mapped (outside) interface where traffic exits. The interface's IP address will be used as the translated source. |
| dynamic | keyword | Specifies that the translation is dynamic (many-to-one) rather than static. |
| interface | keyword | Indicates that the mapped address is the IP address of the mapped interface. |
| ipv6 | keyword | Enables NAT for IPv6 traffic. Rarely used with dynamic interface PAT. |
| dns | keyword | Enables DNS rewrite so that DNS replies containing the mapped IP are rewritten to the real IP. |
| no-proxy-arp | keyword | Disables proxy ARP for the mapped IP address on the mapped interface. |
| route-lookup | keyword | Forces the ASA to perform a route lookup for the real host before translation. |
Command Examples
Basic Dynamic PAT to Outside Interface
nat (inside,outside) dynamic interface

This command enables dynamic PAT for traffic from the inside interface to the outside interface, using the outside interface's IP address as the translated source.
Dynamic PAT with DNS Rewrite
nat (inside,outside) dynamic interface dns

Adds DNS rewrite so that DNS replies containing the outside interface IP are rewritten to the inside host's real IP.
Understanding the Output
The 'nat (inside,outside) dynamic interface' command does not produce immediate output when entered. To verify the configuration, use 'show nat' or 'show xlate'. The 'show nat' output lists all NAT rules with details like interface pair, type (dynamic), and translation (interface). For example: 'nat (inside,outside) source dynamic any interface' indicates that any source from inside is translated to the outside interface IP. The 'show xlate' command shows active translations: 'PAT Global 203.0.113.1(1024) Local 10.0.0.10(34567)' means the inside host 10.0.0.10 using port 34567 is translated to outside IP 203.0.113.1 with PAT port 1024. Healthy values show many translations for active connections; problem values include no translations (indicating misconfiguration) or high port usage (potential exhaustion).
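As an added example (not code from the original page), a small Python parser for the 'show xlate' PAT lines quoted above that reports, per mapped IP, how many PAT ports are in use, how many inside hosts share that IP, and whether usage is approaching exhaustion. The sample output lines are constructed; the second, per-line 'TCP PAT from ... to ...' format and the 65535-port space used for the percentage are assumptions.

```python
import re
from collections import defaultdict

# Classic 'show xlate' PAT line as quoted on this page, plus the per-line form
# newer ASA releases print (assumed format; sample lines below are constructed).
CLASSIC = re.compile(
    r"PAT Global (?P<gip>[\d.]+)\((?P<gport>\d+)\) Local (?P<lip>[\d.]+)\((?P<lport>\d+)\)")
MODERN = re.compile(
    r"(?:TCP|UDP) PAT from \S+?:(?P<lip>[\d.]+)/(?P<lport>\d+) "
    r"to \S+?:(?P<gip>[\d.]+)/(?P<gport>\d+)")

# Assumption: usage is measured against the full 16-bit port space of one mapped IP.
PORT_SPACE = 65535

def parse_xlate(text):
    """Return (global_ip, global_port, local_ip, local_port) for each PAT entry."""
    entries = []
    for line in text.splitlines():
        m = CLASSIC.search(line) or MODERN.search(line)
        if m:
            entries.append((m["gip"], int(m["gport"]), m["lip"], int(m["lport"])))
    return entries

def pat_usage(entries, warn_pct=80.0):
    """Per mapped IP: PAT ports in use, inside hosts behind it, and an exhaustion flag."""
    ports, hosts = defaultdict(set), defaultdict(set)
    for gip, gport, lip, _lport in entries:
        ports[gip].add(gport)
        hosts[gip].add(lip)
    report = {}
    for gip, used in ports.items():
        pct = 100.0 * len(used) / PORT_SPACE
        report[gip] = {"ports": len(used), "hosts": len(hosts[gip]),
                       "pct": round(pct, 2), "warn": pct >= warn_pct}
    return report

# Constructed sample: three classic-format lines and two newer-format lines.
SAMPLE = """\
PAT Global 203.0.113.1(1024) Local 10.0.0.10(34567)
PAT Global 203.0.113.1(1025) Local 10.0.0.11(40001)
PAT Global 203.0.113.1(1026) Local 10.0.0.10(34568)
TCP PAT from inside:10.0.0.12/51000 to outside:203.0.113.1/1027 flags ri idle 0:00:02 timeout 0:00:30
UDP PAT from inside:10.0.0.13/53001 to outside:203.0.113.1/1028 flags ri idle 0:00:09 timeout 0:00:30
"""

if __name__ == "__main__":
    print(pat_usage(parse_xlate(SAMPLE)))
```

Feed it the saved output of 'show xlate' and lower warn_pct to the threshold at which you want to be alerted before port exhaustion.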
Configuration Scenarios
Basic Internet Access for Internal Network
A small office with a single public IP on the outside interface needs to provide internet access to 50 internal hosts on the 10.0.0.0/24 network.
Topology
Internet --- [Outside: 203.0.113.1] ASA [Inside: 10.0.0.1] --- Internal Hosts (10.0.0.0/24)

Steps
1. Configure inside and outside interfaces with IP addresses and security levels.
2. Create an ACL to permit inside traffic to any destination (optional, but often needed).
3. Apply the NAT rule: nat (inside,outside) dynamic interface
4. Verify with 'show nat' and 'show xlate'.
```
! Interface configuration
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! NAT rule
nat (inside,outside) dynamic interface
!
! Optional ACL to permit all inside traffic
access-list inside_nat0 extended permit ip any any
access-group inside_nat0 in interface inside
```
Verify: Use 'show nat' to see the NAT rule. Use 'show xlate' to see active translations after traffic flows.
Watch out: If the outside interface IP changes (e.g., DHCP), the NAT rule automatically uses the new IP. Ensure the interface has a routable IP.
Troubleshooting with This Command
When troubleshooting 'nat (inside,outside) dynamic interface', start by verifying that the NAT rule is present with 'show nat'. The output should list the rule with 'dynamic' and 'interface'. If the rule is missing, check that the command was entered correctly in global config mode. Next, check active translations with 'show xlate'. If no translations appear, ensure traffic is actually flowing from inside to outside. Use 'packet-tracer' to simulate traffic: 'packet-tracer input inside tcp 10.0.0.10 12345 8.8.8.8 80'. The output should show NAT translation applied.

Common issues include: the inside interface not having a security level higher than outside (required for outbound traffic by default), missing ACLs to permit traffic, or the outside interface being down. Also verify that the outside interface has an IP address; if it's DHCP, ensure it has obtained an address.

If translations are not being created, check for NAT exhaustion: 'show xlate count' shows the number of translations; if it's at maximum, increase the PAT pool or use additional public IPs. Use 'debug nat 255' with caution to see NAT events. Another common problem is asymmetric routing; ensure that return traffic is routed back through the ASA. The 'route-lookup' option can help in some scenarios. Finally, verify that DNS rewrite is working if using the 'dns' keyword; check DNS replies with packet captures.
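As an added example (not from the original page), a Python check that reads an ASA configuration text and reports the conditions the troubleshooting notes above call out: the NAT rule present, both names in the interface pair defined with 'nameif', the mapped interface holding an IP address, and the real interface's security level higher than the mapped one. The sample configuration is constructed from the scenario above; the parser only understands the interface and nat lines shown there.

```python
import re
NAT_RE = re.compile(r"^nat \((?P<real>[\w-]+),(?P<mapped>[\w-]+)\) dynamic interface\b")

def parse_interfaces(config):
    """Map each nameif to its security-level and IP, read from 'interface' blocks."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = {"security": None, "ip": None}
        elif cur is not None and line.startswith("nameif "):
            ifaces[line.split()[1]] = cur
        elif cur is not None and line.startswith("security-level "):
            cur["security"] = int(line.split()[1])
        elif cur is not None and line.startswith("ip address "):
            cur["ip"] = line.split()[2]  # a static address, or the word 'dhcp'
    return ifaces

def check_dynamic_pat(config):
    """Return findings for the misconfigurations listed above; an empty list means OK."""
    ifaces = parse_interfaces(config)
    rules = [m for m in (NAT_RE.match(ln.strip()) for ln in config.splitlines()) if m]
    if not rules:
        return ["no 'nat (real,mapped) dynamic interface' rule present"]
    findings = []
    for m in rules:
        real, mapped = m["real"], m["mapped"]
        if any(n not in ifaces for n in (real, mapped)):
            findings.append(f"NAT rule ({real},{mapped}) names an interface with no nameif")
            continue
        r, mp = ifaces[real], ifaces[mapped]
        if mp["ip"] is None:
            findings.append(f"mapped interface '{mapped}' has no ip address to translate to")
        if None not in (r["security"], mp["security"]) and r["security"] <= mp["security"]:
            findings.append(f"'{real}' security-level {r['security']} is not higher than "
                            f"'{mapped}' security-level {mp['security']}")
    return findings

# Constructed sample: the interface and NAT lines from the scenario above.
GOOD = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
nat (inside,outside) dynamic interface
"""
```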
CCNA Exam Tips
- Remember that 'dynamic interface' uses PAT by default, translating many inside hosts to a single outside IP.
- In CCNP Security exams, know that 'nat' commands are configured in global config mode, not under an object.
- Be aware that 'nat' (object config) is different from 'object network' NAT; the command shown is a global NAT rule.
Common Mistakes
- Forgetting to specify the interface pair (inside,outside) correctly, causing NAT to apply to the wrong interfaces.
- Confusing 'nat' with 'static nat'; dynamic interface is for PAT, not one-to-one mapping.
- Omitting the 'dynamic' keyword, which makes the command invalid.
Platform Notes
On Cisco ASA, the 'nat' command in global config mode is the traditional method for configuring NAT. In newer ASA versions (9.x+), there is also object NAT using 'object network' and 'nat' under the object. The command 'nat (inside,outside) dynamic interface' is a global NAT rule and is simpler for basic PAT. On Cisco IOS routers, the equivalent is 'ip nat inside source list <acl> interface <interface> overload'.

On ASA, there is no need for an ACL if you want to translate all traffic; the rule applies to all traffic from the real interface. However, an ACL may be needed to permit traffic. The ASA also supports 'nat (inside,outside) dynamic interface' with additional options like 'dns' and 'no-proxy-arp' that are not available in IOS. In ASA version 8.3 and later, NAT rules are evaluated in order, and the 'nat' command is part of the NAT configuration. The 'show nat' output differs from IOS; it shows the rule details. For IPv6, the 'ipv6' keyword is used.

Note that the ASA does not support the 'overload' keyword; it is implicit with 'dynamic interface'. When migrating from ASA to other platforms, be aware of these differences.