NAT translation - migrating from 8.2 to 9.x

David Niemann · ‎11-21-2013

What is the new 8.3+ "coding" for the NAT translation below from an 8.2 ASA? I'm running 9.1.2 on a 5512X

static (WebTestInside,outside) tcp 172.31.0.14 https 192.168.20.14 https netmask 255.255.255.255 dns

I basically want the translation to be used for htttps only. Otherwise the host should use the interface NAT.

Here's what I've tried, but it doesn't want to let me do the port translation and the dns rewrite. It will let me do one or the other, not both.

nat (any,outside) source dynamic any interface

object network WebInsideNAT-192.168.20.14
host 192.168.20.14

It will let me do this

object network WebInsideNAT-192.168.20.14

nat (WebTestInside,outside) static 172.31.0.14 dns

or

object network WebInsideNAT-192.168.20.14

nat (WebTestInside,outside) static 172.31.0.14 service tcp 443 443

but not both

object network WebInsideNAT-192.168.20.14

nat (WebTestInside,outside) static 172.31.0.14 service tcp 443 443 dns

Marius Gunnerud · ‎11-24-2013

PAT with DNS rewrite is not supported, which is why you can only do dns rewrite when performing NAT and not PAT.

DNS rewrite is not compatible with static Port Address Translation (PAT) because multiple PAT rules are applicable for each A-record, and the PAT rule to use is ambiguous.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807968c8.shtml#prereq

--

Please rate all helpful posts.

--
Please remember to select a correct answer and rate helpful posts

David Niemann · ‎12-11-2013

So it just happened to work on the earlier code? That stinks. Oh well.

Marius Gunnerud · ‎12-11-2013

Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts