https://community.cisco.com/t5/network-security/asa-8-4-2-nat-problem/m-p/2324542#M344491 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>ASA1(config)# object network MY-RANGE-OBJ</P><P>ASA1(config-network-object)#</P><P>ASA1(config-network-object)# range 172.16.1.100 172.16.1.120</P><P>ASA1(config-network-object)#</P><P>ASA1(config-network-object)# object network MY-INSIDE-NET</P><P>ASA1(config-network-object)#</P><P>ASA1(config-network-object)# subnet 10.0.0.0 255.255.255.0</P><P>ASA1(config-network-object)# nat</P><P>ASA1(config-network-object)# nat (is</P><P>ASA1(config-network-object)# nat (ins</P><P>ASA1(config-network-object)# nat (inside,o</P><P>ASA1(config-network-object)# nat (inside,outside) d</P><P>ASA1(config-network-object)# nat (inside,outside) dynamic&nbsp; MY-RANGE-OBJ</P><P>ASA1(config-network-object)# sh run nat</P><P>ASA1(config-network-object)# end</P><P>ASA1# sh run nat</P><P>ASA1#</P><P>ASA1#</P><P></P><P></P><P>ASA1# sh run | b obje</P><P>object network MY-RANGE-OBJ</P><P> range 172.16.1.100 172.16.1.120</P><P>object network MY-INSIDE-NET</P><P> subnet 10.0.0.0 255.255.255.0</P><P>access-list OUT extended permit icmp host 172.16.1.2 host 10.0.0.10</P><P>pager lines 24</P><P>mtu inside 1500</P><P>mtu outside 1500</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>icmp permit any outside</P><P></P><P></P><P>Any idea ?</P><P></P><P>You're right, below command works fine:</P><P></P><P>ASA1(config)# nat (inside,outside) after-auto source dynamic MY-INSIDE-NET MY-RANGE-OBJ</P><P></P><P>ASA1(config)# sh run nat</P><P>!</P><P>nat (inside,outside) after-auto source dynamic MY-INSIDE-NET MY-RANGE-OBJ</P><P>ASA1(config)#</P><P></P><P></P><P>By cisco doc the first version should work as well (</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_objects.html#wp1106144" rel="nofollow">http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_objects.html#wp1106144</A></P><P>), is it bug ?</P><P></P><P>Thanks!</P></BODY></HTML> Sat, 17 Aug 2013 21:20:27 GMT Hubert Wisniewski 2013-08-17T21:20:27Z https://community.cisco.com/t5/network-security/asa-8-4-2-nat-problem/m-p/2324540#M344489 <P>Hi,</P><P>I'm trying to implement NAT on ASA and I found very strange behavior.</P><P></P><P>a) I started with dynamic NAT:</P><P></P><P>object network MY-RANGE-OBJ</P><P> range 172.16.1.100 172.16.1.120</P><P>object network MY-INSIDE-NET</P><P> subnet 10.0.0.0 255.255.255.0</P><P></P><P></P><P></P><P>ASA1(config)# object network MY-INSIDE-NET</P><P>ASA1(config-network-object)# nat (inside,outside) dynamic MY-RANGE-OBJ</P><P>ASA1(config-network-object)# sh ru | i nat</P><P><SPAN> destination address http </SPAN><A class="jive-link-external-small" href="https://tools.cisco.com/its/service/oddce/services/DDCEService" target="_blank">https://tools.cisco.com/its/service/oddce/services/DDCEService</A></P><P><SPAN> destination address email </SPAN><A class="jive-link-email-small" href="mailto:callhome@cisco.com" target="_blank">callhome@cisco.com</A></P><P> destination transport-method http</P><P>ASA1(config-network-object)# nat (inside,outside) dynamic MY-RANGE-OBJ interfa</P><P>ASA1(config-network-object)# sh ru | i nat</P><P><SPAN> destination address http </SPAN><A class="jive-link-external-small" href="https://tools.cisco.com/its/service/oddce/services/DDCEService" target="_blank">https://tools.cisco.com/its/service/oddce/services/DDCEService</A></P><P><SPAN> destination address email </SPAN><A class="jive-link-email-small" href="mailto:callhome@cisco.com" target="_blank">callhome@cisco.com</A></P><P> destination transport-method http</P><P>ASA1(config-network-object)# nat (inside,outside) static interface</P><P>WARNING: All traffic destined to the IP address of the outside interface is being redirected.</P><P>WARNING: Users may not be able to access any service enabled on the outside interface.</P><P>ASA1(config-network-object)# sh ru | i nat</P><P> nat (inside,outside) static interface</P><P><SPAN> destination address http </SPAN><A class="jive-link-external-small" href="https://tools.cisco.com/its/service/oddce/services/DDCEService" target="_blank">https://tools.cisco.com/its/service/oddce/services/DDCEService</A></P><P><SPAN> destination address email </SPAN><A class="jive-link-email-small" href="mailto:callhome@cisco.com" target="_blank">callhome@cisco.com</A></P><P> destination transport-method http</P><P>ASA1(config-network-object)#</P><P></P><P></P><P>Why I can't add 'dynamic MY-RANGE-OBJ' or 'dynamic MY-RANGE-OBJ inter' ? I can't see any errors, the commands are ignored </P><P></P><P></P><P>Thank you </P><P>Hubert</P> Tue, 12 Mar 2019 02:27:00 GMT https://community.cisco.com/t5/network-security/asa-8-4-2-nat-problem/m-p/2324540#M344489 Hubert Wisniewski 2019-03-12T02:27:00Z https://community.cisco.com/t5/network-security/asa-8-4-2-nat-problem/m-p/2324541#M344490 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Can you rather post the output of </P><P></P><P><STRONG>show run nat</STRONG></P><P></P><P>Even though I guess your command should list it also.</P><P></P><P>You can also configure the same in this way (which is the way I prefer doing it)</P><P></P><P>This<STRONG> IS NOT</STRONG> inserted under any <STRONG>"object"</STRONG></P><P></P><P><STRONG>nat (inside,outside) after-auto source dynamic MY-INSIDE-NET MY-RANGE-OBJ</STRONG></P><P></P><P>- Jouni</P></BODY></HTML> Sat, 17 Aug 2013 20:54:27 GMT https://community.cisco.com/t5/network-security/asa-8-4-2-nat-problem/m-p/2324541#M344490 Jouni Forss 2013-08-17T20:54:27Z https://community.cisco.com/t5/network-security/asa-8-4-2-nat-problem/m-p/2324542#M344491 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>ASA1(config)# object network MY-RANGE-OBJ</P><P>ASA1(config-network-object)#</P><P>ASA1(config-network-object)# range 172.16.1.100 172.16.1.120</P><P>ASA1(config-network-object)#</P><P>ASA1(config-network-object)# object network MY-INSIDE-NET</P><P>ASA1(config-network-object)#</P><P>ASA1(config-network-object)# subnet 10.0.0.0 255.255.255.0</P><P>ASA1(config-network-object)# nat</P><P>ASA1(config-network-object)# nat (is</P><P>ASA1(config-network-object)# nat (ins</P><P>ASA1(config-network-object)# nat (inside,o</P><P>ASA1(config-network-object)# nat (inside,outside) d</P><P>ASA1(config-network-object)# nat (inside,outside) dynamic&nbsp; MY-RANGE-OBJ</P><P>ASA1(config-network-object)# sh run nat</P><P>ASA1(config-network-object)# end</P><P>ASA1# sh run nat</P><P>ASA1#</P><P>ASA1#</P><P></P><P></P><P>ASA1# sh run | b obje</P><P>object network MY-RANGE-OBJ</P><P> range 172.16.1.100 172.16.1.120</P><P>object network MY-INSIDE-NET</P><P> subnet 10.0.0.0 255.255.255.0</P><P>access-list OUT extended permit icmp host 172.16.1.2 host 10.0.0.10</P><P>pager lines 24</P><P>mtu inside 1500</P><P>mtu outside 1500</P><P>icmp unreachable rate-limit 1 burst-size 1</P><P>icmp permit any outside</P><P></P><P></P><P>Any idea ?</P><P></P><P>You're right, below command works fine:</P><P></P><P>ASA1(config)# nat (inside,outside) after-auto source dynamic MY-INSIDE-NET MY-RANGE-OBJ</P><P></P><P>ASA1(config)# sh run nat</P><P>!</P><P>nat (inside,outside) after-auto source dynamic MY-INSIDE-NET MY-RANGE-OBJ</P><P>ASA1(config)#</P><P></P><P></P><P>By cisco doc the first version should work as well (</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_objects.html#wp1106144" rel="nofollow">http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/nat_objects.html#wp1106144</A></P><P>), is it bug ?</P><P></P><P>Thanks!</P></BODY></HTML> Sat, 17 Aug 2013 21:20:27 GMT https://community.cisco.com/t5/network-security/asa-8-4-2-nat-problem/m-p/2324542#M344491 Hubert Wisniewski 2013-08-17T21:20:27Z https://community.cisco.com/t5/network-security/asa-8-4-2-nat-problem/m-p/2324543#M344494 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Yes, to my understanding the configuration you mention should work.</P><P></P><P>We have a firewall running that same software version and generally we have not faced any NAT related problems. Though we dont really use the Network Object NAT / Auto NAT to configure it.</P><P></P><P>Here is one Bug that seems to match your problem. Though the listed software refers to the ASASM modules starting software and not this software level. But can't be sure the Bug ID notes contain all the information</P><P></P><P><A class="jive-link-external-small" href="https://tools.cisco.com/bugsearch/bug/" rel="nofollow">https://tools.cisco.com/bugsearch/bug/</A><A href="https://www.cisco.com/cisco/psn/bssprt/bss?searchType=bstbugidsearch&amp;page=bstBugDetail&amp;BugID=CSCty36464" rel="nofollow" target="_blank">CSCty36464</A></P><P></P><P>Picture (click to enlarge)</P><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/3/0/2/151203-CSC-AUTONAT-BUG.jpg" class="jive-image" /></P><P>- Jouni</P></BODY></HTML> Sat, 17 Aug 2013 21:31:33 GMT https://community.cisco.com/t5/network-security/asa-8-4-2-nat-problem/m-p/2324543#M344494 Jouni Forss 2013-08-17T21:31:33Z https://community.cisco.com/t5/network-security/asa-8-4-2-nat-problem/m-p/2324544#M344496 <HTML><HEAD></HEAD><BODY><P>Thanks for the bug details</P><P>cheers!</P></BODY></HTML> Sat, 17 Aug 2013 21:40:13 GMT https://community.cisco.com/t5/network-security/asa-8-4-2-nat-problem/m-p/2324544#M344496 Hubert Wisniewski 2013-08-17T21:40:13Z https://community.cisco.com/t5/network-security/asa-8-4-2-nat-problem/m-p/2324545#M344501 <HTML><HEAD></HEAD><BODY><P>You can naturally try updating the software and see if that takes the problem away. I do remember testing the NAT configuration in the same way you attempted it in your original post and it has worked.</P><P></P><P>You could for example consider newer softwares in the same Major and Minor release. For example 8.4(5) or 8.4(6)</P><P></P><P>Here is a list of software leves and feature additions/changes in them</P><P></P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html">http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html</A></P><P></P><P>- Jouni</P></BODY></HTML> Sat, 17 Aug 2013 21:41:12 GMT https://community.cisco.com/t5/network-security/asa-8-4-2-nat-problem/m-p/2324545#M344501 Jouni Forss 2013-08-17T21:41:12Z