topic Re: NAT for multiple internal subnets in Network Security

NAT for multiple internal subnets

kacper25711 — Fri, 29 Dec 2023 02:19:11 GMT

Hello, would anyone be able to explain me how to configure NAT for multiple internal subnets on a 5505 firewall?
I have 6 subnets 192.168.2.0, .10.0, .20.0, .30.0, .40.0 and .50.0.
It's configured like this for all 6 subnets, but the address translationonly only works for the 192.168.2.0 subnet for some reason:

I don't know why, object-group network doesn't work here.

the topology looks more less like this at the moment, maybe it would be easier to configure if firewall device was connected straight to the internal router? If yes, how should I configure it?

Re: NAT for multiple internal subnets

balaji.bandi — Fri, 29 Dec 2023 08:26:22 GMT

try below example : ( all more subnet to object group)

object-group network all_subnets
network-object 192.168.0.0 255.255.255.0
network-object 10.10.10.0 255.255.255.0
nat (inside,outside) source dynamic interface

Re: NAT for multiple internal subnets

kacper25711 — Fri, 29 Dec 2023 15:32:49 GMT

I get this problem here:

can only set a group of tcp/upd ports/services, not a subnet

Re: NAT for multiple internal subnets

MHM Cisco World — Fri, 29 Dec 2023 15:38:58 GMT

Friend there is

Object-group and object-network

Use object-network

MHM

Re: NAT for multiple internal subnets

kacper25711 — Fri, 29 Dec 2023 15:55:25 GMT

it's an unrecognized command

Re: NAT for multiple internal subnets

MHM Cisco World — Fri, 29 Dec 2023 16:21:08 GMT

Object network

without - inbetween

MHM

Re: NAT for multiple internal subnets

kacper25711 — Fri, 29 Dec 2023 16:41:54 GMT

yes, but there I can only set 1 subnet for 1 object, right?
I created objects for all 6 subnets, but it only works for the 192.168.2.0 subnet.

Re: NAT for multiple internal subnets

MHM Cisco World — Fri, 29 Dec 2023 16:56:09 GMT

Object network vlan1

Subnet x.x.x.x

Object network vlan2

subnet y.y.y.y

Then finally

Object-group allVLAN

Object vlan1

Object vlan2

Then you use this object-group in NAT or ACL

MHM

Re: NAT for multiple internal subnets

kacper25711 — Fri, 29 Dec 2023 17:40:41 GMT

well it still doesn't allow me to create an object-group:

I can only create a object-group service.

Could this be a CPT limitation?

Re: NAT for multiple internal subnets

MHM Cisco World — Fri, 29 Dec 2023 17:42:45 GMT

That can be let me check when I retrun home

MHM

Re: NAT for multiple internal subnets

balaji.bandi — Fri, 29 Dec 2023 19:58:06 GMT

what ASA code running here ? (this could be limitation of PT ASA i guess here ?)

ASA 9.1 code below syntax works :

Re: NAT for multiple internal subnets

MHM Cisco World — Fri, 29 Dec 2023 17:53:03 GMT

Until that time we can use this workaround for dynamic NAT

Object network allVLAN

Subnet 0.0.0.0

Then use it in NAT' this will include all your vlan subnet.

Goodluck

MHM

Re: NAT for multiple internal subnets

kacper25711 — Fri, 29 Dec 2023 19:38:51 GMT

somehow having object network allvlan with subnet 0.0.0.0 doesn't help.
still the address of the other subnets is not translated. Only the address of the devices in 192.168.2.0 is translated.

Re: NAT for multiple internal subnets

MHM Cisco World — Fri, 29 Dec 2023 19:53:55 GMT

How you know the NAT is not working?

MHM

Re: NAT for multiple internal subnets

kacper25711 — Fri, 29 Dec 2023 20:21:22 GMT

The source IP isn't changed from the internal IP address to firewall's public IP.

below as you can see a sent packet from the 192.168.2.0 network and the source address is translated:

Re: NAT for multiple internal subnets

kacper25711 — Fri, 29 Dec 2023 20:20:58 GMT

as you can see below, there is only service option available:

but i think this is just CPT limitation.

Re: NAT for multiple internal subnets

MHM Cisco World — Fri, 29 Dec 2023 21:12:29 GMT

same as My PKT it limitation then

Re: NAT for multiple internal subnets

kacper25711 — Fri, 29 Dec 2023 21:44:06 GMT

thanks a lot for your time