https://community.cisco.com/t5/network-security/8-3-policy-nat/m-p/1451768#M654953 <HTML><HEAD></HEAD><BODY><P>How does the ASA know how to nat the public IP to the real address, 10.21.5.13, of the AXA-Citrix-A10 host?&nbsp; Wouldn't I have to create the object and add the real IP somewhere?</P></BODY></HTML> Fri, 02 Jul 2010 13:55:53 GMT WILLIAM STEGMAN 2010-07-02T13:55:53Z https://community.cisco.com/t5/network-security/8-3-policy-nat/m-p/1451766#M654951 <P>Hi, I'm trying to convert a policy nat entry from 8.0.x to 8.3</P><P> and am hoping someone can check my config. </P><P></P><P>My old config:</P><P></P><P>access-list PNAT-A10 remark any Internet hosts to DMZ A10 hosted servers<BR />access-list PNAT-A10 extended permit ip any host 23.23.25.25 (Public IP)</P><P></P><P>nat (outside) 2 access-list PNAT-A10 outside</P><P></P><P>global (CustDMZ_1) 2 10.21.5.5 netmask 255.255.255.255</P><P></P><P>New config:</P><P></P><P>object network AXA-Citrix-A10_10.21.5.13</P><P> host 10.21.5.13<BR /> nat (CustDMZ_1,outside) static 23.23.25.25</P><P></P><P>object network obj-10.21.5.5 <BR /> host 10.21.5.5</P><P></P><P>nat (CustDMZ_1,outside) source dynamic any obj-10.21.5.5 destination static AXA-Citrix-A10_10.21.5.13 AXA-Citrix-A10_10.21.5.13</P><P></P><P>Is this right?&nbsp; I want to make Internet clients appear as 10.21.5.5 when they hit the public address 23.23.25.25. </P><P></P><P>thank you,</P><P></P><P>Bill</P> Mon, 11 Mar 2019 18:06:27 GMT https://community.cisco.com/t5/network-security/8-3-policy-nat/m-p/1451766#M654951 WILLIAM STEGMAN 2019-03-11T18:06:27Z https://community.cisco.com/t5/network-security/8-3-policy-nat/m-p/1451767#M654952 <HTML><HEAD></HEAD><BODY><P>You are almost right, the interfaces on the NAT statement is the other way round and the destination should be the public ip address instead of the real ip address. It should be as follows:</P><P></P><P>object network AXA-Citrix-A10_23.23.25.25</P><P>host 23.23.25.25</P><P></P><P>nat (outside,CustDMZ_1) source dynamic any obj-10.21.5.5 destination&nbsp; static AXA-Citrix-A10_23.23.25.25 AXA-Citrix-A10_23.23.25.25</P><P></P><P>Hope that helps.</P></BODY></HTML> Thu, 01 Jul 2010 23:35:22 GMT https://community.cisco.com/t5/network-security/8-3-policy-nat/m-p/1451767#M654952 Jennifer Halim 2010-07-01T23:35:22Z https://community.cisco.com/t5/network-security/8-3-policy-nat/m-p/1451768#M654953 <HTML><HEAD></HEAD><BODY><P>How does the ASA know how to nat the public IP to the real address, 10.21.5.13, of the AXA-Citrix-A10 host?&nbsp; Wouldn't I have to create the object and add the real IP somewhere?</P></BODY></HTML> Fri, 02 Jul 2010 13:55:53 GMT https://community.cisco.com/t5/network-security/8-3-policy-nat/m-p/1451768#M654953 WILLIAM STEGMAN 2010-07-02T13:55:53Z https://community.cisco.com/t5/network-security/8-3-policy-nat/m-p/1451769#M654955 <HTML><HEAD></HEAD><BODY><P>Could I also ask how disabled split tunneling traffic is now handled so VPN users use the Corporate Internet link?</P><P></P><P>Old config:</P><P></P><P>nat (outside) 1 192.168.1.0 255.255.255.0</P><P>global (outside) 1 interface</P><P></P><P></P><P>New config:</P><P></P><P>object network RAVPN_192.168.1.0</P><P>subnet 192.168.1.0 255.255.255.0</P><P>nat (outside,outside) dynamic interface</P><P></P><P></P><P>thanks again</P></BODY></HTML> Fri, 02 Jul 2010 15:26:50 GMT https://community.cisco.com/t5/network-security/8-3-policy-nat/m-p/1451769#M654955 WILLIAM STEGMAN 2010-07-02T15:26:50Z https://community.cisco.com/t5/network-security/8-3-policy-nat/m-p/1451770#M654957 <HTML><HEAD></HEAD><BODY><P>Yes, you already have the configuration to statically translate the server to a public ip address.</P><P></P><P>Here is the config:</P><P></P><P><STRONG>object network AXA-Citrix-A10_10.21.5.13</STRONG></P><P><STRONG>&nbsp;&nbsp;&nbsp;&nbsp; host 10.21.5.13<BR />&nbsp;&nbsp;&nbsp;&nbsp; nat (CustDMZ_1,outside) static 23.23.25.25</STRONG></P></BODY></HTML> Fri, 02 Jul 2010 23:08:02 GMT https://community.cisco.com/t5/network-security/8-3-policy-nat/m-p/1451770#M654957 Jennifer Halim 2010-07-02T23:08:02Z https://community.cisco.com/t5/network-security/8-3-policy-nat/m-p/1451771#M654958 <HTML><HEAD></HEAD><BODY><P>Yes, the following config posted is correct:</P><P></P><P>object network RAVPN_192.168.1.0</P><P>&nbsp;&nbsp;&nbsp;&nbsp; subnet 192.168.1.0&nbsp; 255.255.255.0</P><P>&nbsp;&nbsp;&nbsp;&nbsp; nat (outside,outside) dynamic interface</P></BODY></HTML> Fri, 02 Jul 2010 23:09:12 GMT https://community.cisco.com/t5/network-security/8-3-policy-nat/m-p/1451771#M654958 Jennifer Halim 2010-07-02T23:09:12Z https://community.cisco.com/t5/network-security/8-3-policy-nat/m-p/1451772#M654959 <HTML><HEAD></HEAD><BODY><P>thank you for your help.</P></BODY></HTML> Sat, 03 Jul 2010 01:39:20 GMT https://community.cisco.com/t5/network-security/8-3-policy-nat/m-p/1451772#M654959 WILLIAM STEGMAN 2010-07-03T01:39:20Z https://community.cisco.com/t5/network-security/8-3-policy-nat/m-p/1451773#M654960 <HTML><HEAD></HEAD><BODY><P>Also you can check this document as a reference:</P><P></P><H2 class="title-page">Cisco ASA 5500 Migration Guide for Version 8.3</H2><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html">http://www.cisco.com/en/US/docs/security/asa/asa83/upgrading/migrating.html</A></P></BODY></HTML> Sat, 03 Jul 2010 04:23:51 GMT https://community.cisco.com/t5/network-security/8-3-policy-nat/m-p/1451773#M654960 Jorge Salas 2010-07-03T04:23:51Z