topic Hi in Network Security

Adding Dynamic Policy NAT to ASA

mahesh18 — Tue, 12 Mar 2019 08:55:12 GMT

Hi Everyone,

ASA 8.2 is configured with this

Current config

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 192.x.x.x netmask 255.255.255.255

global (DMZ64) 1 192.x.x.x netmask 255.255.255.255

I need to configure specific 3 subnets for users behind the inside interface and going out to internet via outside interface so that when they access one particular vendor website they get Dynamic PAT to one Public PAT IP

Here is my config for users on subnet 10.10.20.0,10.10.30.0 and 10.10.40.0

New config for users behind the 10.10.20,30 and 40 subnet

access-list Traffic_PAT permit ip 10.10.20.0 255.255.255.0 host 205.x.x.x

access-list Traffic_PAT permit ip 10.10.30.0 255.255.255.0 host 205.x.x.x

access-list Traffic_PAT permit ip 10.10.40.0 255.255.255.0 host 205.x.x.x

nat (inside) 2 access-list Traffic_PAT

global (outside) 2 206.x.x.x netmask 255.255.255.255

If i go this way then all the traffic will hit the nat order 1 and not hit the nat 2.

To make this work I will delete the current nat 1 and global 1 config and make the new subnets as nat 1 and global 1

and make the current nat 1 and global 1 to nat 2 and global 2 right?

Regards

Mahesh

Why don't you change all the

Philip D'Ath — Sun, 12 Feb 2017 02:47:25 GMT

Why don't you change all the references to NAT group "1" to say "10"?

Hi Philip,

mahesh18 — Sun, 12 Feb 2017 03:00:06 GMT

Hi Philip,

So you mean to say for below config

nat (inside) 1 0.0.0.0 0.0.0.0

global (outside) 1 192.x.x.x netmask 255.255.255.255

global (DMZ64) 1 192.x.x.x netmask 255.255.255.255

I should go to ASA and type

nat (inside) 10 0.0.0.0 0.0.0.0

global (outside) 10 192.x.x.x netmask 255.255.255.255

global (DMZ64) 10 192.x.x.x netmask 255.255.255.255 ?

and make new one as nat group 1?

Regards

Mahesh

First remove the old cofig

Philip D'Ath — Sun, 12 Feb 2017 05:01:10 GMT

First remove the old cofig then add the new config above.

So i can remove all the old

mahesh18 — Sun, 12 Feb 2017 05:17:37 GMT

So i can remove all the old config with nat and global group 1

After that I add new config with nat and global group of 1

Then I add the old config which had nat and global group of 1 as group 2 now right?

Hi

Zeeshan Aziz — Mon, 13 Feb 2017 11:13:54 GMT

If you don't want to remove your configs, just follow this.

object-group network LAN-USERS
network-object 10.10.20.0 255.255.255.0
network-object 10.10.30.0 255.255.255.0
network-object 10.10.40.0 255.255.255.0

access-list Traffic_PAT permit ip object-group LAN-USERS host 205.x.x.x

Objective - 1
To NAT all other traffic

global (outside) 1 192.x.x.x netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0

Objective - 2
To NAT three subnets

global (outside) 2 206.x.x.x netmask 255.255.255.255 (Define available public IP which will be used by the LAN subnets when users will access 2)
nat (inside) 2 access-list Traffic_PAT

Try this, if still not working, then share output for the command.

packet-tracer input inside icmp 10.10.20.20 8 0 205.x.x.x