Cisco ASA Dynamic NAT with DMZ

Maybe I am misunderstanding:
Should the key words OUTSIDE and INSIDE be swapped in both examples
and the IP addresses swapped in the text below the examples?

Thanks You

I was following the Cisco ASA Dynamic NAT with DMZ, however a bit confused in regard to:

ASA1(config)# object network PUBLIC_POOL -> What does it refer, shouldn’t be the public IP address on ASA (
ASA1(config-network-object)# range

I have tried to implement similar, however i have the following error:

[ok] object network dmz
    object network dmz
[ok] host
[ERROR] nat stactic outside net-to-net
            Address overlaps with outside interface address.
ERROR: NAT Policy is not downloaded

Hello Bruno

The object network PUBLIC_POOL command is used to define the range of outside IP addresses to be used for NAT. This doesn’t have to be the actual physical address on the outside interface, and actually must be a range of addresses since we are configuring dynamic NAT. Actually, the IP addresses specified here don’t even have to be in the same subnet as the address of the outside interface, as long as there is routing to the configured outside NAT interfaces to reach them.

I’m not sure I understand the syntax of the commands here, but I do understand the error that states that the address overlaps with the outside interface address. It seems that you have another NAT rule (without the object NAT configuration) somewhere that already uses the outside interface address and that is why you have a conflict. A similar such situation can be found at the following Cisco community forum that might help you in your troubleshooting:

In any case, if you would like to duplicate the lesson, follow the configurations and explanations there and let us know your results.

I hope this has been helpful!


Hello Donald

Yes you are right, that seems to be a typo in Rene’s post. I’ve corrected it. Thanks for pointing that out!