Re: How to view the automatic proxy arps NGX

May I second northlandboy? Manual NAT is sometimes very necessary. Based on my experience with rulebases that are at least 75-100 rules in length, manual NAT is the way to go. In complex environments you need very specific NATing that the auto rules aren't designed for.

I would add that effectively using groups in your NAT rules is a way to simplify the policy. This is a technique that a guy named Rick Centner and I developed at an organization we once worked at together. It looks like this:

1. (Special one way NAT rule here for instance) blah -> blup
2. InternalNetworksGroup (ours had like thirty networks) - VPNnetworksGroup ORIGINAL for all other fields # FOR VPNs
3. VPNnetworksGroup InternalNetworksGroup ORIGINAL for all other fields #2 reversed
4. IntNetwork1 ANY HideIP1 ORIGINAL for all other fields #Internet access
5. IntNetwork2 ANY HideIP2 ORIGINAL for all other fields
. . .
20. IntNetwork17 ANY HideIP17 ORIGINAL for all other fields

This is a brief explanation that makes sense if you can imagine what I'm talking about. If you want more specific information, please post.

Perhaps we can say that in *most* environments, it's best to use auto NAT for the KISS factor. In more complex situations (especially using Provider-1), you want to seriously consider using manual. Also, some of us are just real control freaks who live on UNIX and are used to being able to configure everything from how the CLI prompt looks to which type of clock (analog or digital) is shown on the desktop.
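Added example, not part of the original post: a small Python model of the rule layout above, assuming the manual NAT rulebase is evaluated top-down with the first match winning. The network addresses and hide IPs are constructed sample values, and `translate` and `vpn_traffic_untranslated` are hypothetical helper names; the check shows why the group-based no-NAT rules for VPN traffic sit above the per-network hide rules.

```python
import ipaddress

# Constructed sample objects: names mirror the post, addresses are made up.
GROUPS = {
    "InternalNetworksGroup": ["10.1.0.0/16", "10.2.0.0/16"],
    "VPNnetworksGroup": ["172.16.50.0/24"],
    "IntNetwork1": ["10.1.0.0/16"],
    "IntNetwork2": ["10.2.0.0/16"],
    "ANY": ["0.0.0.0/0"],
}

# (rule no., original source, original destination, translated source)
# None stands for ORIGINAL: the source is left untranslated.
# Rule 1 (the special one-way rule) is omitted from this model.
RULES = [
    (2, "InternalNetworksGroup", "VPNnetworksGroup", None),
    (3, "VPNnetworksGroup", "InternalNetworksGroup", None),
    (4, "IntNetwork1", "ANY", "198.51.100.1"),   # constructed HideIP1
    (5, "IntNetwork2", "ANY", "198.51.100.2"),   # constructed HideIP2
]

def in_object(ip, name):
    """True if the address falls inside any network of the named object."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in GROUPS[name])

def translate(src, dst, rules=RULES):
    """Return (rule number, source after NAT) for the first matching rule."""
    for num, osrc, odst, xsrc in rules:
        if in_object(src, osrc) and in_object(dst, odst):
            return num, xsrc or src
    return None, src  # no rule matched: source stays as it was

def vpn_traffic_untranslated(rules=RULES):
    """Check that internal<->VPN traffic hits a no-NAT rule before a hide rule."""
    pairs = (("InternalNetworksGroup", "VPNnetworksGroup"),
             ("VPNnetworksGroup", "InternalNetworksGroup"))
    for a, b in pairs:
        for s in GROUPS[a]:
            for d in GROUPS[b]:
                # Probe with the first host address of each network.
                src = str(ipaddress.ip_network(s)[1])
                dst = str(ipaddress.ip_network(d)[1])
                if translate(src, dst, rules)[1] != src:
                    return False
    return True
```

Running the same check on a reordered copy of the rules (hide rules first) returns `False`, because internal-to-VPN traffic then matches a hide rule and leaves with the hide address as its source.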