topic Re: NAT Interface Outside in Cisco ASA 8.3 above in Network Security https://community.cisco.com/t5/network-security/nat-interface-outside-in-cisco-asa-8-3-above/m-p/2193444#M360752 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If you want to PAT the traffic from the 2 source hosts behind 2 different interfaces to the "outside" interface IP address then you can use the following configurations</P><P></P><P></P><P><STRONG>object-group network PAT-SOURCE-ADDRESS</STRONG></P><P><STRONG> network-object host y.y.2.14</STRONG></P><P><STRONG> network-object host x.x.2.11</STRONG></P><P></P><P><STRONG>nat (any,outside) after-auto source dynamic PAT-SOURCE-ADDRESS interface</STRONG></P><P></P><P></P><P>The above configurations is meant to</P><UL><LI>Allow the 2 source hosts to access Internet using the public IP address of the "outside" interface of the ASA</LI><LI>If you want to add a whole network or more hosts to be NATed to the same public IP address you can simply add those under the "object-group" we created.</LI></UL><P></P><P></P><P>The reason why you have problems with access to ASA is that you statictly bind the whole public IP address to be used by a single LAN host</P><P></P><P><STRONG>EDIT: </STRONG>Notice that you have to remove the NAT configuration you made and mentioned in your original post.</P><P></P><P>- Jouni</P></BODY></HTML> Tue, 05 Mar 2013 13:53:30 GMT Jouni Forss 2013-03-05T13:53:30Z NAT Interface Outside in Cisco ASA 8.3 above https://community.cisco.com/t5/network-security/nat-interface-outside-in-cisco-asa-8-3-above/m-p/2193443#M360750 <P>Guys,</P><P></P><P></P><P>Do you have any experience with "NAT outside interface" in Cisco ASA 8.3 above ?</P><P></P><P>I have a problem</P><P></P><P>I want to do NAt-ing like this :</P><P></P><TABLE border="0" cellpadding="0" cellspacing="0" style="width: 249px;"><TBODY><TR style="height: 15.0pt;"><TD height="20" style="height: 15.0pt; width: 48pt;" width="64">Inside</TD><TD style="width: 62pt;" width="82">Y.Y.2.14</TD><TD style="border-left: none; width: 77pt;" width="103">X.X.2.66 </TD></TR><TR style="height: 15.0pt;"><TD height="20" style="height: 15.0pt;">DMZ-10</TD><TD style="border-top: none;">X.X.2.11</TD><TD style="border-top: none; border-left: none;">X.X.2.66</TD></TR></TBODY></TABLE><P></P><P>I have interface outside with ip address X.X.2.66, i want to do NAT in traffic from Zone inside with ip address Y.Y.2.14 to ANY, i want to change that traffic to X.X.2.66 and i want to do NAT traffic from Zone DMZ-10 ip address X.X.2.11 to ANY i want to change that traffc to X.X.2.66.</P><P></P><P>I do this configuration :</P><P></P><P></P><P>nat (DMZ-10,outside) source static X.X.2.11 interface</P><P></P><P>&amp;</P><P></P><P>nat (inside,outside) source static X.X.2.11 interface</P><P></P><P>this configuration work, the traffic from Zone inside (X.X.2.11) and Zone DMZ-10 (X.X.2.14) will be NAT to X.X.2.66 with warning message like this :</P><P></P><P>WARNING: All traffic destined to the IP address of the outside interface is being redirected.</P><P>WARNING: Users may not be able to access any service enabled on the outside interface.</P><P></P><P>But now i can't access ip X.X.2.66 from outside.</P><P></P><P>Is there any correct configuration to do NAT in interface ? Because i want to access interface outside from outside network ?</P><P></P><P>BR</P><P>Fara</P> Tue, 12 Mar 2019 01:10:02 GMT https://community.cisco.com/t5/network-security/nat-interface-outside-in-cisco-asa-8-3-above/m-p/2193443#M360750 fara.rhea 2019-03-12T01:10:02Z Re: NAT Interface Outside in Cisco ASA 8.3 above https://community.cisco.com/t5/network-security/nat-interface-outside-in-cisco-asa-8-3-above/m-p/2193444#M360752 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If you want to PAT the traffic from the 2 source hosts behind 2 different interfaces to the "outside" interface IP address then you can use the following configurations</P><P></P><P></P><P><STRONG>object-group network PAT-SOURCE-ADDRESS</STRONG></P><P><STRONG> network-object host y.y.2.14</STRONG></P><P><STRONG> network-object host x.x.2.11</STRONG></P><P></P><P><STRONG>nat (any,outside) after-auto source dynamic PAT-SOURCE-ADDRESS interface</STRONG></P><P></P><P></P><P>The above configurations is meant to</P><UL><LI>Allow the 2 source hosts to access Internet using the public IP address of the "outside" interface of the ASA</LI><LI>If you want to add a whole network or more hosts to be NATed to the same public IP address you can simply add those under the "object-group" we created.</LI></UL><P></P><P></P><P>The reason why you have problems with access to ASA is that you statictly bind the whole public IP address to be used by a single LAN host</P><P></P><P><STRONG>EDIT: </STRONG>Notice that you have to remove the NAT configuration you made and mentioned in your original post.</P><P></P><P>- Jouni</P></BODY></HTML> Tue, 05 Mar 2013 13:53:30 GMT https://community.cisco.com/t5/network-security/nat-interface-outside-in-cisco-asa-8-3-above/m-p/2193444#M360752 Jouni Forss 2013-03-05T13:53:30Z