https://community.cisco.com/t5/network-security/asa-nat-question/m-p/3798749#M7084 <P>I'm still figuring out NAT in the post 8.2 world. This question is a two parter. First. I have configured SSL VPN and and have the no nat setup like this.....</P> <P>&nbsp;</P> <PRE>nat (inside,outside) source static INTERNAL INTERNAL destination static VPN VPN no-proxy-arp route-lookup</PRE> <P>Since INTERNAL and VPN are object groups is static correct here? Or should it be dynamic?</P> <P>Second part is along the same lines. I have other firewalls behind my ASA. For those networks I need to NAT the public IP's to themselves and let them pass to their destination firewall. I THINK I would configure it like this?</P> <P>&nbsp;</P> <PRE>object network SUB1 range 1.1.1.1 1.1.1.250 ! object network SUB2 range 2.2.2.1 2.2.2.250 ! object-group network ONE-ONE network-object object SUB1 network-object object SUB2 ! nat (inside,outside) source static ONE-ONE destination static ONE-ONE</PRE> <P>or would it be like the no nat for vpn and be like this?</P> <PRE>nat (inside,outside) source static ONE-ONE ONE-ONE destination static ONE-ONE ONE-ONE</PRE> <P>or am i over thinking this and it really just needs to be?</P> <PRE>object-group network ONE-ONE nat static ONE-ONE</PRE> Fri, 21 Feb 2020 16:47:48 GMT cyoung1981 2020-02-21T16:47:48Z https://community.cisco.com/t5/network-security/asa-nat-question/m-p/3798749#M7084 <P>I'm still figuring out NAT in the post 8.2 world. This question is a two parter. First. I have configured SSL VPN and and have the no nat setup like this.....</P> <P>&nbsp;</P> <PRE>nat (inside,outside) source static INTERNAL INTERNAL destination static VPN VPN no-proxy-arp route-lookup</PRE> <P>Since INTERNAL and VPN are object groups is static correct here? Or should it be dynamic?</P> <P>Second part is along the same lines. I have other firewalls behind my ASA. For those networks I need to NAT the public IP's to themselves and let them pass to their destination firewall. I THINK I would configure it like this?</P> <P>&nbsp;</P> <PRE>object network SUB1 range 1.1.1.1 1.1.1.250 ! object network SUB2 range 2.2.2.1 2.2.2.250 ! object-group network ONE-ONE network-object object SUB1 network-object object SUB2 ! nat (inside,outside) source static ONE-ONE destination static ONE-ONE</PRE> <P>or would it be like the no nat for vpn and be like this?</P> <PRE>nat (inside,outside) source static ONE-ONE ONE-ONE destination static ONE-ONE ONE-ONE</PRE> <P>or am i over thinking this and it really just needs to be?</P> <PRE>object-group network ONE-ONE nat static ONE-ONE</PRE> Fri, 21 Feb 2020 16:47:48 GMT https://community.cisco.com/t5/network-security/asa-nat-question/m-p/3798749#M7084 cyoung1981 2020-02-21T16:47:48Z https://community.cisco.com/t5/network-security/asa-nat-question/m-p/3798902#M7087 You first statement is correct and for 2nd use the same vpn nat<BR /> Mon, 11 Feb 2019 05:36:18 GMT https://community.cisco.com/t5/network-security/asa-nat-question/m-p/3798902#M7087 Mohammed al Baqari 2019-02-11T05:36:18Z https://community.cisco.com/t5/network-security/asa-nat-question/m-p/3799309#M7089 <P>Your identity NAT statement (aka no NAT) is correct.</P> <P>&nbsp;</P> <P><STRONG><EM>Second part is along the same lines. I have other firewalls behind my ASA. For those networks I need to NAT the public IP's to themselves and let them pass to their destination firewall. I THINK I would configure it like this?</EM></STRONG></P> <P>&nbsp;</P> <P><SPAN>I am not sure I understand what you are trying to achieve here. Are these public IPs configured on the ASAs themselves and are just to be routed through this internet firewall?</SPAN></P> Mon, 11 Feb 2019 15:59:32 GMT https://community.cisco.com/t5/network-security/asa-nat-question/m-p/3799309#M7089 Marius Gunnerud 2019-02-11T15:59:32Z