Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
550
Views
0
Helpful
2
Replies

How to properly insert a Static NAT via ASDM

tjreeddoc
Level 1
Level 1

‎06-03-2015 01:54 PM - edited ‎03-11-2019 11:02 PM

There has to be a better way to insert a Static NAT into an ASA.  I am hopeful someone can give me options. Our ASA had many Static NATs from inside networks to various other security zones:

 

  1. static (inside,dmz) 1.1.1.0 1.1.1.0 netmask 255.255.255.0

  2. static (inside,dmz1) 1.1.1.0 1.1.1.0 netmask 255.255.255.0

  3. static (inside,dmz2) 1.1.1.0 1.1.1.0 netmask 255.255.255.0

     

    I needed to create a static NAT from a specific host to a brand new security zone.  So, I used Add->Add Static NAT Rule and Insert to place the following Static NAT to the ASA via ASDM above static NAT rule number:

     

    static (inside,dmz3) 1.1.1.1 1.1.1.1 netmask 255.255.255.255

     

    To my shock, when I inserted the static nat rule “static (inside,dmz3) 1.1.1.1 1.1.1.1 netmask 255.255.255.255 “above rule 1, all static nat rules below were deleted.  How do I avoid deleting static nat rules when inserting I insert? 

    I read Poonguzhali Sankar comments from the following post, but I am still confused how to properly insert a static nat without deleting nats below it via ASDM.

     

    https://supportforums.cisco.com/discussion/11078396/insert-nat-statement-asa-5520-80-code

     

     

    Thank you,

     

    T.J.

Labels:
0 Helpful
2 Replies 2

jmattbullen
Level 1
Level 1

‎06-03-2015 05:43 PM

I'm not for sure there is  way to do what you are wanting.  The way I read Poonguzhali comment is not that she is explaining a way to do it without deleting.  She is saying if you wanted to do it via CLI put all the no nat statements up to the point of insertion then put them back in with the new nat added.  This is the same thing ASDM does  I wouldn't blink an eye to add one in during the middle of the day.  Though I do usually add it at the bottom unless it's one of those situations where you have overlapping nats and the order matters.  Running the command through ASDM will only take a spit second and doesn't affect existing connections UNLESS you hit yes after you apply the changes and it prompts you to clear the xlate table.  I sometimes hit No on that prompt if it's middle of day and it would possibly affect a critical process.

Also, what version of code is your ASA?  It looks like all your nats are identity nats and aren't needed in asa version 8.3 and above.  any traffic that doesn't have a nat just flows through with the real IP.

0 Helpful

tjreeddoc
Level 1
Level 1
In response to jmattbullen

‎06-08-2015 08:50 AM

jmattbullen,

 

Thanks for the reply and tip about ASA version 8.3 and above.

 

The ASA Code is 8.0(3)

The ADSDM Version is 7.2(1)

 

T.J.

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card