https://community.cisco.com/t5/network-security/asa-static-nat/m-p/3334997#M414986 <P>I’ve created a bridge group interface named inside and I've assigned it an IP (192.168.1.1).<BR />Then I've created two interface inside_3 and inside_4, both assigned to the bridge group inside.</P> <P>Now if I make a nat rule, for example nat (inside,outside) static interface service tcp 80 80,<BR />a error is returned: I have to use nat (inside_3,outside) static interface service tcp 80 80, <BR />but I don’t want apply nat rule to a specific interface, but at every interfaces of the same network (192.168.1.0/24, in my case, the entire bridge group, with interface_3 and interface_4).</P> <P>How I can do this?<BR />Thank, Fabrizio</P> <P>&nbsp;</P> Fri, 21 Feb 2020 15:23:22 GMT RexPr 2020-02-21T15:23:22Z https://community.cisco.com/t5/network-security/asa-static-nat/m-p/3334997#M414986 <P>I’ve created a bridge group interface named inside and I've assigned it an IP (192.168.1.1).<BR />Then I've created two interface inside_3 and inside_4, both assigned to the bridge group inside.</P> <P>Now if I make a nat rule, for example nat (inside,outside) static interface service tcp 80 80,<BR />a error is returned: I have to use nat (inside_3,outside) static interface service tcp 80 80, <BR />but I don’t want apply nat rule to a specific interface, but at every interfaces of the same network (192.168.1.0/24, in my case, the entire bridge group, with interface_3 and interface_4).</P> <P>How I can do this?<BR />Thank, Fabrizio</P> <P>&nbsp;</P> Fri, 21 Feb 2020 15:23:22 GMT https://community.cisco.com/t5/network-security/asa-static-nat/m-p/3334997#M414986 RexPr 2020-02-21T15:23:22Z https://community.cisco.com/t5/network-security/asa-static-nat/m-p/3335740#M414987 <P>option 1:</P> <P>configure 2 nat rules one having&nbsp;<SPAN>inside_3 specified and the other&nbsp;inside_4</SPAN></P> <P><SPAN>option 2:</SPAN></P> <P><SPAN>use any when specifying&nbsp;interface in the nat rule, if applicable</SPAN></P> <P>&nbsp;</P> <P>NAT with BVI interfaces have a couple of restrictions you need to keep in mind:</P> <P>Configuring NAT on bridge group member interfaces (interfaces that are part of a Bridge Group Virtual Interface, or BVI) has the following restrictions:<BR />- When configuring NAT for the members of a bridge group, you specify the member interface. You cannot configure NAT for the bridge group interface (BVI) itself.<BR />- When doing NAT between bridge group member interfaces, you must specify the real and mapped addresses. You cannot specify “any” as the interface.<BR />- You cannot configure interface PAT when the mapped address is a bridge group member interface, because there is no IP address attached to the interface.<BR />- You cannot translate between IPv4 and IPv6 networks (NAT64/46) when the source and destination interfaces are members of the same bridge group. Static NAT/PAT 44/66, dynamic NAT44/66, and dynamic PAT44 are the only allowed methods; dynamic PAT66 is not supported.</P> <P>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/firewall/asa-97-firewall-config/nat-basics.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/firewall/asa-97-firewall-config/nat-basics.html</A></P> <P>&nbsp;</P> <P>HTH</P> <P>Bogdan</P> Thu, 22 Feb 2018 09:47:37 GMT https://community.cisco.com/t5/network-security/asa-static-nat/m-p/3335740#M414987 Bogdan Nita 2018-02-22T09:47:37Z