https://community.cisco.com/t5/network-security/adding-new-subnet-to-asa5512-issues/m-p/4039451#M1067243 <P>Hi,</P><P>What exactly did you configure?</P><P>Below is an example of what I assume you require, this will NAT the local network behind the outside interface.</P><P>&nbsp;</P><PRE>object network NET1<BR /> subnet 192.168.10.0 255.255.255.0<BR /> nat (inside,outside) dynamic interface</PRE><P>&nbsp;</P><P>Which should appear as below:-</P><P>&nbsp;</P><PRE>ASA-DC-1/pri/act(config-network-object)# <STRONG>show nat detail</STRONG><BR />Manual NAT Policies (Section 1)<BR /><BR />Auto NAT Policies (Section 2)<BR /><STRONG>1 (INSIDE) to (OUTSIDE) source dynamic NET1 interface</STRONG><BR /><STRONG>translate_hits = 0, untranslate_hits = 0</STRONG><BR /><STRONG>Source - Origin: 192.168.10.0/24, Translated: 1.1.1.1/24</STRONG></PRE><P>HTH</P><P>&nbsp;</P> Tue, 03 Mar 2020 17:03:37 GMT Rob Ingram 2020-03-03T17:03:37Z https://community.cisco.com/t5/network-security/adding-new-subnet-to-asa5512-issues/m-p/4039444#M1067242 <P>Hello,</P><P>&nbsp;</P><P>Im trying to get a new subnet setup on my ASA5512. I've created the object group and put in the subnet. But when sitting up the NAT rule- nat (inside,outside) dynamic NAT+PAT -&nbsp; its not showing up on the new objects I created.</P><P>Is there something missing? Any help would be great.</P><P>&nbsp;</P><P>Thank you,</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 03 Mar 2020 16:57:05 GMT https://community.cisco.com/t5/network-security/adding-new-subnet-to-asa5512-issues/m-p/4039444#M1067242 KCMM14457 2020-03-03T16:57:05Z https://community.cisco.com/t5/network-security/adding-new-subnet-to-asa5512-issues/m-p/4039451#M1067243 <P>Hi,</P><P>What exactly did you configure?</P><P>Below is an example of what I assume you require, this will NAT the local network behind the outside interface.</P><P>&nbsp;</P><PRE>object network NET1<BR /> subnet 192.168.10.0 255.255.255.0<BR /> nat (inside,outside) dynamic interface</PRE><P>&nbsp;</P><P>Which should appear as below:-</P><P>&nbsp;</P><PRE>ASA-DC-1/pri/act(config-network-object)# <STRONG>show nat detail</STRONG><BR />Manual NAT Policies (Section 1)<BR /><BR />Auto NAT Policies (Section 2)<BR /><STRONG>1 (INSIDE) to (OUTSIDE) source dynamic NET1 interface</STRONG><BR /><STRONG>translate_hits = 0, untranslate_hits = 0</STRONG><BR /><STRONG>Source - Origin: 192.168.10.0/24, Translated: 1.1.1.1/24</STRONG></PRE><P>HTH</P><P>&nbsp;</P> Tue, 03 Mar 2020 17:03:37 GMT https://community.cisco.com/t5/network-security/adding-new-subnet-to-asa5512-issues/m-p/4039451#M1067243 Rob Ingram 2020-03-03T17:03:37Z https://community.cisco.com/t5/network-security/adding-new-subnet-to-asa5512-issues/m-p/4039462#M1067244 Yes I have something like that already:<BR />object network NET1<BR />subnet 192.168.10.0 255.255.255.0<BR />nat (inside,outside) dynamic NAT+PAT<BR /><BR />when I try to add:<BR />object network NET5<BR />subnet 10.10.130.0 255.255.254.0<BR />nat (inside,outside) dynamic NAT+PAT<BR /><BR />the nat rule doesnt work. It just not there for the Obj NET5 Tue, 03 Mar 2020 17:16:18 GMT https://community.cisco.com/t5/network-security/adding-new-subnet-to-asa5512-issues/m-p/4039462#M1067244 KCMM14457 2020-03-03T17:16:18Z https://community.cisco.com/t5/network-security/adding-new-subnet-to-asa5512-issues/m-p/4039463#M1067245 Ok, so what is the configuration of NAT+PAT?<BR />I assume you meant it doesn't show up under "show nat detail"? Tue, 03 Mar 2020 17:18:43 GMT https://community.cisco.com/t5/network-security/adding-new-subnet-to-asa5512-issues/m-p/4039463#M1067245 Rob Ingram 2020-03-03T17:18:43Z https://community.cisco.com/t5/network-security/adding-new-subnet-to-asa5512-issues/m-p/4039472#M1067247 Here is what we have for the NAT+PAT right now:<BR />object network NAT_POOL<BR />range 66.76.8.100 66.76.8.124<BR />object network PAT<BR />host 66.76.8.125<BR />object-group network NAT+PAT<BR />network-object object NAT_POOL<BR />network-object object PAT<BR /><BR />Correct when I enter cmd:<BR />nat (inside,outside) dynamic NAT+PAT<BR />It doesnt show up in the "show nat detail" Tue, 03 Mar 2020 17:25:09 GMT https://community.cisco.com/t5/network-security/adding-new-subnet-to-asa5512-issues/m-p/4039472#M1067247 KCMM14457 2020-03-03T17:25:09Z https://community.cisco.com/t5/network-security/adding-new-subnet-to-asa5512-issues/m-p/4039476#M1067248 <P>Ok, I copied and pasted your configuration, that worked in my lab using ASA 9.12(3).</P><P>&nbsp;</P><PRE>Auto NAT Policies (Section 2)<BR />1 (INSIDE) to (OUTSIDE) source dynamic NET1 NAT+PAT<BR />translate_hits = 0, untranslate_hits = 0<BR />Source - Origin: 192.168.10.0/24, Translated: 66.76.8.100/30, 66.76.8.104/29, 66.76.8.112/29, 66.76.8.120/30<BR />66.76.8.124/32, 66.76.8.125/32</PRE><P>What ASA code are you using? Potentially a bug</P><P><BR />HTH</P> Tue, 03 Mar 2020 17:31:24 GMT https://community.cisco.com/t5/network-security/adding-new-subnet-to-asa5512-issues/m-p/4039476#M1067248 Rob Ingram 2020-03-03T17:31:24Z https://community.cisco.com/t5/network-security/adding-new-subnet-to-asa5512-issues/m-p/4039480#M1067250 Yea im not sure its something im doing wrong on my config or is there a limit to how many subnets I can add to a obj group for nat.<BR /><BR />Where would i find ASA code? Tue, 03 Mar 2020 17:36:47 GMT https://community.cisco.com/t5/network-security/adding-new-subnet-to-asa5512-issues/m-p/4039480#M1067250 KCMM14457 2020-03-03T17:36:47Z https://community.cisco.com/t5/network-security/adding-new-subnet-to-asa5512-issues/m-p/4039483#M1067251 "show version" Tue, 03 Mar 2020 17:40:47 GMT https://community.cisco.com/t5/network-security/adding-new-subnet-to-asa5512-issues/m-p/4039483#M1067251 Rob Ingram 2020-03-03T17:40:47Z https://community.cisco.com/t5/network-security/adding-new-subnet-to-asa5512-issues/m-p/4039490#M1067252 Cisco Adaptive Security Appliance Software Version 8.6(1)2<BR />Device Manager Version 6.6(1)<BR /><BR />Compiled on Fri 01-Jun-12 02:16 by builders<BR />System image file is "disk0:/asa861-2-smp-k8.bin"<BR />Config file at boot was "startup-config"<BR /><BR /><BR />Hardware: ASA5512, 4096 MB RAM, CPU Clarkdale 2793 MHz, 1 CPU (2 cores)<BR />ASA: 2048 MB RAM, 1 CPU (1 core)<BR />Internal ATA Compact Flash, 4096MB<BR />BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB<BR /><BR />Encryption hardware device : Cisco ASA-55xx on-board accelerator (revision 0x1)<BR />Boot microcode : CNPx-MC-BOOT-2.00<BR />SSL/IKE microcode : CNPx-MC-SSL-PLUS-0014<BR />IPSec microcode : CNPx-MC-IPSEC-MAIN-0014<BR />Number of accelerators: 1<BR />Baseboard Management Controller (revision 0x1) Firmware Version: 2.4<BR /><BR /><BR />0: Int: Internal-Data0/0 : address is 4c00.821d.e2aa, irq 11<BR />1: Ext: GigabitEthernet0/0 : address is 4c00.821d.e2ae, irq 10<BR />2: Ext: GigabitEthernet0/1 : address is 4c00.821d.e2ab, irq 10<BR />3: Ext: GigabitEthernet0/2 : address is 4c00.821d.e2af, irq 5<BR />4: Ext: GigabitEthernet0/3 : address is 4c00.821d.e2ac, irq 5<BR />5: Ext: GigabitEthernet0/4 : address is 4c00.821d.e2b0, irq 10<BR />6: Ext: GigabitEthernet0/5 : address is 4c00.821d.e2ad, irq 10<BR />7: Int: Internal-Data0/1 : address is 0000.0001.0002, irq 0<BR />8: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0<BR />9: Int: Internal-Data0/2 : address is 0000.0001.0003, irq 0<BR />10: Ext: Management0/0 : address is 4c00.821d.e2aa, irq 0<BR /><BR />Licensed features for this platform:<BR />Maximum Physical Interfaces : Unlimited perpetual<BR />Maximum VLANs : 50 perpetual<BR />Inside Hosts : Unlimited perpetual<BR />Failover : Disabled perpetual<BR />VPN-DES : Enabled perpetual<BR />VPN-3DES-AES : Enabled perpetual<BR />Security Contexts : 0 perpetual<BR />GTP/GPRS : Disabled perpetual<BR />AnyConnect Premium Peers : 2 perpetual<BR />AnyConnect Essentials : 250 perpetual<BR />Other VPN Peers : 250 perpetual<BR />Total VPN Peers : 250 perpetual<BR />Shared License : Disabled perpetual<BR />AnyConnect for Mobile : Enabled perpetual<BR />AnyConnect for Cisco VPN Phone : Disabled perpetual<BR />Advanced Endpoint Assessment : Disabled perpetual<BR />UC Phone Proxy Sessions : 2 perpetual<BR />Total UC Proxy Sessions : 2 perpetual<BR />Botnet Traffic Filter : Disabled perpetual<BR />Intercompany Media Engine : Disabled perpetual<BR />IPS Module : Disabled perpetual<BR /><BR />This platform has a Base license. Tue, 03 Mar 2020 17:45:34 GMT https://community.cisco.com/t5/network-security/adding-new-subnet-to-asa5512-issues/m-p/4039490#M1067252 KCMM14457 2020-03-03T17:45:34Z https://community.cisco.com/t5/network-security/adding-new-subnet-to-asa5512-issues/m-p/4039494#M1067253 Well you are running a really old version - v8.6(1)2.<BR /><BR />Are you already using this nat+pat configuration? If not it may not support it on such an old version, I'd consider upgrading regardless. Your ASA 5512 hardware will support up to the latest version. Tue, 03 Mar 2020 17:49:45 GMT https://community.cisco.com/t5/network-security/adding-new-subnet-to-asa5512-issues/m-p/4039494#M1067253 Rob Ingram 2020-03-03T17:49:45Z https://community.cisco.com/t5/network-security/adding-new-subnet-to-asa5512-issues/m-p/4039498#M1067254 Yes i am on at least 7 other subnets. The new ones im adding just wont accept the nat rule.<BR /><BR />Im working on upgrading to a new ASA. Tue, 03 Mar 2020 17:52:46 GMT https://community.cisco.com/t5/network-security/adding-new-subnet-to-asa5512-issues/m-p/4039498#M1067254 KCMM14457 2020-03-03T17:52:46Z https://community.cisco.com/t5/network-security/adding-new-subnet-to-asa5512-issues/m-p/4039504#M1067255 Ok, if you are configuring exactly the same as your existing objects, then it should work on that version.<BR />You should consider logging a call with TAC...but they will probably recommend you upgrade to a supported version though. So I suggest you do that.<BR /><BR />In the meantime, consider modifying your nat rule to nat behind a single IP address. Tue, 03 Mar 2020 17:56:49 GMT https://community.cisco.com/t5/network-security/adding-new-subnet-to-asa5512-issues/m-p/4039504#M1067255 Rob Ingram 2020-03-03T17:56:49Z https://community.cisco.com/t5/network-security/adding-new-subnet-to-asa5512-issues/m-p/4039505#M1067256 okay so I deleted one of the nat rules on a obj its working on and adding to the one its not and it took it. So it looks like there is a limit to how many I can add<BR /> Tue, 03 Mar 2020 17:57:35 GMT https://community.cisco.com/t5/network-security/adding-new-subnet-to-asa5512-issues/m-p/4039505#M1067256 KCMM14457 2020-03-03T17:57:35Z