topic yes, the syntax a bit in Network Security

AutoNAT and ManualNAT question

networkwise — Tue, 12 Mar 2019 05:59:20 GMT

Hello,

Ive been trying to get a better understanding of Auto NAT (objectNAT) and Manual NAT by configuring it on an ASA.

I noticed that if I configure AutoNAT (object NAT) as below the NAT rule appears in section 2 Auto NAT.

ciscoasa(config-network-object)# sh run object

object network pat-pool-100-110*******PAT Pool config******

range 10.10.10.100 10.10.10.110

object network 10-10-3-0*******Source Subnet config******

subnet 10.10.3.0 255.255.255.0

ciscoasa(config)# object network 10-10-3-0

ciscoasa(config-network-object)#

ciscoasa(config-network-object)# nat dynamic pat-pool-100-110

ciscoasa(config-network-object)# sh nat

Auto NAT Policies (Section 2)

1 (any) to (any) source dynamic 10-10-3-0 pat-pool-100-110

translate_hits = 0, untranslate_hits = 0

ciscoasa(config-network-object)#

The above result is what Id expect from the applied configuration.

However if I try and configure Auto NAT (objectNAT) as below and specify the interfaces the NAT rule is placed in

section 1 (manual NAT). Just wondering if this is expected behavior or if Im not configuring something correctly?

I was thinking this should show up in section 2 also.

ciscoasa(config)# object network 10-10-3-0

ciscoasa(config-network-object)#nat (inside,outside) source dynamic 10-10-3-0 pat-pool-100-110

ciscoasa(config-network-object)# sh nat

Manual NAT Policies (Section 1)

1 (inside) to (outside) source dynamic 10-10-3-0 pat-pool-100-110

translate_hits = 0, untranslate_hits = 0

Any guidance would be appreciated.

Thanks

Andy

yes, the syntax a bit

Karsten Iwen — Sat, 23 May 2015 16:53:32 GMT

Yes, the syntax a bit confusing ...

You configure the nat-rule in object-mode, but use the syntax for manual nat. Because of that, the nat rule is placed into section 1.

If you want it to be an object-nat rule, you can't use the keyword "source" as object-nat is always source-nat:

object network 10-10-3-0
  nat (inside,outside) dynamic ...

You can see the difference with the interactive help:

asa(config-network-object)# nat (inside,outside) ?

network-object mode commands/options:
  dynamic  Specify NAT type as dynamic
  static   Specify NAT type as static

configure mode commands/options:
  <1-2147483647>  Position of NAT rule within before auto section
  after-auto      Insert NAT rule after auto section
  source          Source NAT parameters
asa(config-network-object)# nat (inside,outside)

Only if you use the "network-object" keywords, you configure object-nat. If you use the "configure mode" keywords, it will be a manual nat-rule.

Thanks Karsten,That was it.

networkwise — Sat, 23 May 2015 17:46:04 GMT

Thanks Karsten,

That was it. When I added the word dynamic after the(inside,outside) then the nat rule was added to section 2.

Thanks for your help.

Andy