Cisco ASA Dynamic NAT Configuration

Hi Alfredo,

The ASA (since 8.3) has different NAT “sections”:

  • 1: Manual
  • 2: Auto
  • 3: "after auto" Manual

The ASA will first process NAT rules in section 1, then 2 and finally 3.

Here’s an example of manual NAT:

ASA(config)# object network INTERNAL_SERVER
ASA(config-network-object)# host 192.168.1.1

ASA(config)# object network PUBLIC_IP
ASA(config-network-object)# host 1.1.1.1

ASA(config)# nat (INSIDE,OUTSIDE) source static INTERNAL_SERVER PUBLIC_IP

The NAT rule has been configured globally; this section 1 rule is preferred over 2 and 3.

Here’s an example for Auto NAT:

ASA(config)# object network LAN
ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA(config-network-object)# nat (INSIDE,OUTSIDE) static PUBLIC_IP

Above we configured NAT in the network object; this is a section 2 rule.

Last but not least, we have your rule:

ASA(config)# nat (INSIDE,OUTSIDE) after-auto 1 source dynamic any interface

This section 3 rule will be processed after 1 and 2.

The rule above is a general rule to translate all source addresses on the inside to the IP address of your outside interface. It might be a good idea to process this NAT rule last since it allows you to put more specific NAT rules in section 1 or 2.

Both options will get you the same result (if you don’t have any other NAT rules). The first one is processed in section 2, the other one in section 3.

Hope this helps.

Rene
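
Added example, not part of the post above and not Cisco code: a small Python audit helper that sorts the NAT commands from the post into their sections and flags a catch-all `any` rule that is not evaluated last. The function names and the sample text are constructed for illustration; it assumes NAT matching stops at the first rule that matches.

```python
import re

# Constructed sample: commands from the post above, prompts included, in arbitrary order.
SAMPLE = """\
ASA(config)# object network LAN
ASA(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA(config-network-object)# nat (INSIDE,OUTSIDE) static PUBLIC_IP
ASA(config)# nat (INSIDE,OUTSIDE) after-auto 1 source dynamic any interface
ASA(config)# nat (INSIDE,OUTSIDE) source static INTERNAL_SERVER PUBLIC_IP
"""

PROMPT = re.compile(r"^[^\s(]+\(config[^)]*\)#\s*")   # strips "ASA(config...)# "
NAT = re.compile(r"^nat \((\S+?),(\S+?)\)\s+(.+)$")

def classify(config_text):
    """Return NAT rules as dicts, sorted into processing order by section."""
    rules, current_object = [], None
    for raw in config_text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if line.startswith("object network "):
            current_object = line.split()[2]
            continue
        m = NAT.match(line)
        if not m:
            continue
        rest = m.group(3).split()
        if rest[0] == "after-auto":
            section = 3      # manual NAT placed after auto NAT
        elif rest[0] == "source" or (rest[0].isdigit() and rest[1:2] == ["source"]):
            section = 1      # manual NAT, optional line number before "source"
        else:
            section = 2      # auto NAT, configured inside a network object
        rules.append({"section": section, "order": len(rules),
                      "object": current_object if section == 2 else None,
                      "rule": line})
    # Sections are evaluated 1, 2, 3. Config order is kept inside a section;
    # the ASA's own ordering of section 2 rules is not modelled here.
    return sorted(rules, key=lambda r: (r["section"], r["order"]))

def catch_all_first(rules):
    """Manual rules with real source 'any' that are not last in the order."""
    hits = []
    for r in rules[:-1]:
        words = r["rule"].split()
        if "source" in words and words[words.index("source") + 2:][:1] == ["any"]:
            hits.append(r["rule"])
    return hits
```

With the sample as written the `any` rule lands in section 3 and nothing is flagged; remove `after-auto 1` from it and it becomes a section 1 rule ahead of the more specific ones.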