topic Re: NAT on 8.3+ question in Network Security

NAT on 8.3+ question

Colin Higgins — Tue, 12 Mar 2019 01:42:50 GMT

I have an ASA running 8.4 code, and I need to do the following:

Dynamic NAT on the outside interface for

1 subnet

2 different hosts on a different network

So will something like this work?

object network obj-192.168.20.10

host 192.168.20.10

nat (inside,outside) dynamic interface

object network obj-172.25.1.10

host 172.25.1.10

nat (inside,outside) dynamic interface

...

Will this work? If it won't, what will?

NAT on 8.3+ question

Jouni Forss — Mon, 13 May 2013 18:46:03 GMT

Hi,

For smaller/simpler configuration I would suggest the following configurations to handle the complete configuration

object-group network DEFAULT-PAT-SOURCE

network-object

network-object host 192.168.20.10

network-object host 172.25.1.10

nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface

Hope this helps

Remember to mark the reply as the correct answer if it answered your question.

Ask more if needed

- Jouni

NAT on 8.3+ question

Colin Higgins — Mon, 13 May 2013 19:15:14 GMT

That worked! Thanks

haven't seen this "after-auto" option before. Is that new with 8.3+?

Re: NAT on 8.3+ question

Jouni Forss — Mon, 13 May 2013 19:23:56 GMT

Hi,

To give you the short story about the NAT of 8.3+ software versions

NAT Configurations are divided in 3 Sections
Section 1 holds Manual NAT / Twice NAT format configurations (the above "nat" command format would be WITHOUT "after-auto")
Section 2 holds Network Object NAT (the above "nat" command format you mentioned)
Section 3 holds Manual NAT / Twice NAT format configuration (the above "nat" command format THAT uses "after-auto")

So Section 1 NAT configurations are configured directly in the global configuration mode with the command "nat"

Section 2 NAT configurations are always under some "object network "

Section 3 NAT configurations are like Section 1 BUT they have been moved at the lowest Section with "after-auto" parameter.

The order of the NAT configurations matched against traffic is gone through from Section 1 to Section 3 until a match is found. In that sense configuring Default PAT in the final Section 3 makes sense since it SHOULDNT be able to override any other NAT configuration.

I would suggest reading a 8.3+ NAT Document I made on the Firewall/Document section. It lists the above and more a lot more clearly described.

https://supportforums.cisco.com/docs/DOC-31116

Than you for marking the reply as the correct answer. Appriciate it

- Jouni