topic OK, dumb question, but does in Network Security

dynamic NAT for 2 interface with ASA 8.4(2)

Wilco Fong — Tue, 12 Mar 2019 04:12:04 GMT

I have ASA 5510 with 8.4(2) version.

I need help to create 2 dynamic NAT for 2 interface. Here is what I have.

Outside interface

Inside interface

DMZ interface

backup interface

Here is my nat

object network DMZ-10.1.8.0_24
nat (dmz,outside) dynamic interface
object network INSIDE-10.1.7.0_24
nat (inside,outside) dynamic interface

I want to add additional NAT like

"object network INSIDE-10.1.7.0_24
nat (inside,backup) dynamic interface"

But it does not allow me to add, once I add, it removes "nat (inside,outside) dynamic interface". My goal is to achieve inside network and dmz network to translate backup network interface without affecting current outside NAT. backup interface is private network which connect to different network with other untrusted connections connect to that network. Thanks in advance for your advice.

OK, dumb question, but does

Colin Higgins — Wed, 14 May 2014 14:12:47 GMT

OK, dumb question, but does the backup interface have an IP address and security level assigned?

Hi Colin,Thanks for your

Wilco Fong — Wed, 14 May 2014 15:30:54 GMT

Hi Colin,

Thanks for your reply. Yes backup interface has same security level as outside and it has ip assigned.

You need to create another

guibarati — Wed, 14 May 2014 17:28:49 GMT

You need to create another object, with the same IP address and use this new object for nat. Exemple

INSIDE-10.1.7.0_24-2

subnet 10.1.7.0 255.255.255.0

nat (inside,backup) dynamic interface

Also if the backup interface has the same security level of the inside interface you need to allow the traffic explicitly because it's denied by default. Use the command

same-security-traffic permit inter-interface