06-13-2019 07:27 PM - edited 02-21-2020 09:13 AM
I am trying to confirm that the following means NAT the object source from any interface to the OUTSIDE interface IP, as I can't find this config in any docs.
object network natted_Subnet
 subnet 10.10.10.0 255.255.255.0
 nat (any,outside) static interface
06-13-2019 07:57 PM
That would not be a recommended configuration since you need to use dynamic (PAT) rather than static NAT when mapping many-to-one.
06-14-2019 05:59 PM - edited 06-14-2019 06:01 PM
This would be correct then on an ASA for, let's say, internal servers that need to be accessed from the outside, right?
nat (inside,outside) dynamic (interface or mapped IP address) service tcp 3389 3389
access-list Outside-IN extended permit tcp any host (real IP) eq 3389
06-13-2019 09:34 PM
06-14-2019 06:01 PM - edited 06-14-2019 06:02 PM
This would be correct then on an ASA for, let's say, internal servers that need to be accessed from the outside but just NATting them to 1 IP or the outside interface, right?
nat (inside,outside) dynamic (interface or mapped IP address) service tcp 3389 3389
access-list Outside-IN extended permit tcp any host (real IP) eq 3389
06-14-2019 08:07 PM
Now that you've added the port 3389 (RDP), your use case changes. You want a static port forwarding NAT rule:
nat (inside,outside) static (interface or mapped IP address) service tcp 3389 3389
06-15-2019 09:24 AM - edited 06-15-2019 09:44 AM
I'm having trouble knowing when I would really use "Static" vs "Dynamic".
06-15-2019 12:16 AM
object network natted_Subnet
 subnet 10.10.10.0 255.255.255.0
 nat (any,outside) static interface
Long ago I read in the Cisco documentation that nat (any,outside) is not a best practice. It would be better if you put tight control on the flow of traffic, either from (inside,outside) or (dmz,outside), instead of (any,outside).
You'd better do a dynamic PAT:
object network natted_Subnet
 subnet 10.10.10.0 255.255.255.0
 nat (any,outside) dynamic interface
06-15-2019 09:25 AM - edited 06-15-2019 09:43 AM
When would I really know to use "Static" vs "Dynamic"?
06-15-2019 11:28 AM
Have a read of this doc: https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/nat_objects.html It will clear up all your concepts.
06-22-2019 08:55 PM
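The three points raised in the replies above (static NAT of a whole subnet to the interface, `any` as the source interface, and `service` on a dynamic rule) can be checked mechanically. The following linter is an added example, not part of any poster's reply or Cisco tooling; it assumes "show run" style indentation, and the object names `rdp_dynamic` and `rdp_forward`, the host 10.10.10.5 and the finding labels are assumptions made for illustration.

```python
import re

# Constructed sample in "show run" layout (sub-commands indented). Object names
# other than natted_Subnet and the host 10.10.10.5 are assumptions.
SAMPLE_CONFIG = """\
object network natted_Subnet
 subnet 10.10.10.0 255.255.255.0
 nat (any,outside) static interface
object network rdp_dynamic
 host 10.10.10.5
 nat (inside,outside) dynamic interface service tcp 3389 3389
object network rdp_forward
 host 10.10.10.5
 nat (inside,outside) static interface service tcp 3389 3389
"""

NAT_RE = re.compile(r"nat \((\S+?),(\S+?)\) (static|dynamic) (\S+)"
                    r"(?: service (tcp|udp) (\d+) (\d+))?")

def parse_objects(config):
    """Map each network object to its kind (host/subnet/range) and NAT match."""
    objects, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:2] == ["object", "network"] and len(words) == 3:
            current = objects.setdefault(words[2], {"kind": None, "nat": None})
        elif not words or not line.startswith(" "):
            current = None                      # left the object block
        elif current is not None and words[0] in ("host", "subnet", "range"):
            current["kind"] = words[0]
        elif current is not None and words[0] == "nat":
            current["nat"] = NAT_RE.match(line.strip())
    return objects

def lint(config):
    """Return (object, finding) pairs; labels are this example's own."""
    findings = []
    for name, obj in parse_objects(config).items():
        if obj["nat"] is None:
            continue
        real_if, _, mode, mapped, proto, _, _ = obj["nat"].groups()
        if real_if == "any":                    # prefer a named source interface
            findings.append((name, "any-source-interface"))
        if (mode, mapped, proto) == ("static", "interface", None) and obj["kind"] != "host":
            findings.append((name, "static-many-to-one"))   # use dynamic PAT
        if mode == "dynamic" and proto is not None:
            findings.append((name, "service-on-dynamic"))   # port forward is static
    return findings

if __name__ == "__main__":
    for name, finding in lint(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```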