Post 8.3 How to tell what object group manual NAT objects are tied to

allensurface
Level 4

I configured a manual after-auto NAT entry in an ASA that looked like this:

object-group network INTERNAL_SUBNETS
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.0.0 255.255.0.0
 network-object 172.16.0.0 255.240.0.0
nat (inside,outside) after-auto source dynamic any interface

So, obviously the NAT statement above is not inside the object group when looking at the running configuration, as the NAT statement is in a totally different area of the configuration from the object group.

Question: How can a third person tell which NAT statement is tied to which group when they are looking at the configuration?

Thanks,

5 Replies

Julio Carvajal
VIP Alumni

Hello Allen,

If you create an Auto-NAT, also called Network Object NAT, it would look like this when you check the configuration:

object network inside
 nat (inside,outside) dynamic interface

So you are going to see the NAT rule inside the network object.

While if you create the After-Auto NAT, you will see the network objects tied on the line but not inside the network object; it would look like this in the running configuration:

nat (inside,outside) source static Object-192.1680.1.15 Object-162.23.23.23

Hope this helps,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I have never seen the NAT statement actually shown under the network object when viewing the running configuration. It has always been outside the object group area and in the NAT configuration area.

Also, my question is pertaining to creating NAT statements inside of OBJECT-GROUP NETWORK commands and not OBJECT NETWORK. And, the command syntax I gave above is correct.

My question is:

How can a third person tell which NAT statement is tied to which group when they are looking at the configuration?

Hello Allen,

If you do it with an object-group network, when you do a show run you are not going to see the hosts that are attached to the NAT statement; you will need to go into the object-group network and check which IP addresses it has configured. Those will be the ones being NATted.

Hope this helps.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio, thanks for the response. I understand what you are saying, but that is not what I am trying to figure out. I am trying to determine if there is a way to determine which NAT statement is tied to a certain object group, such as the example I gave with my original question. From my observations, there is no way to know which NAT object is tied to a certain object-group.

Example of a configuration below; how would you be able to tell which NAT statement is tied to which object group?

hostname ASA
object-group network PUBLIC DNS
 network-object host 1.1.1.1
object-group network INTERNAL_SUBNETS
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.0.0 255.255.0.0
 network-object 172.16.0.0 255.240.0.0
nat (inside,outside) after-auto source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface

Hi Allen,

In the NAT statement you would only be able to see the object or object-group name, not what IPs are included in it. Let me explain the procedure that I follow.

1. First do a "show run nat".

2. This would show you all the NAT statements that you have.

3. Identify the NAT for which you want to check the object-group included in it.

4. Then do "show object-group | begin

5. This tells you the IPs included in the group.

6. If it's an object, do "show run object | begin

Hope that helps.

Thanks,

Varun

Thanks,
Varun Rao
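The procedure above and the original question can be checked mechanically: a NAT rule is tied to an object or object-group only if it is indented under an "object network" (Network Object NAT) or literally names the object on its own line (manual NAT); a manual rule that says "any" names nothing and so cannot be traced to any group. The script below is an added illustration, not from the thread or from Cisco, and the configuration fragment it parses is constructed sample data.

```python
import re

# Constructed ASA running-config fragment (sample data, not the thread's device).
# It mixes Network Object NAT (nat indented under "object network"), a manual
# NAT that names an object-group, and the thread's "any" manual NAT.
SAMPLE_CONFIG = """\
object network inside
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object-group network INTERNAL_SUBNETS
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.0.0 255.255.0.0
nat (inside,outside) after-auto source dynamic INTERNAL_SUBNETS interface
nat (inside,outside) after-auto source dynamic any interface
"""

OBJECT_HEADER = re.compile(r"^object(?:-group)? network (\S+)\s*$")

def parse_objects(config):
    """Return {name: [indented member lines]} for every object / object-group."""
    objects, current = {}, None
    for line in config.splitlines():
        m = OBJECT_HEADER.match(line)
        if m:
            current = m.group(1)
            objects[current] = []
        elif line.startswith(" ") and current is not None:
            objects[current].append(line.strip())
        else:
            current = None  # any other top-level line ends the object block
    return objects

def nat_bindings(config):
    """Pair each nat line with the object / object-group names it is tied to."""
    objects = parse_objects(config)
    bindings, current = [], None
    for line in config.splitlines():
        m = OBJECT_HEADER.match(line)
        if m:
            current = m.group(1)
            continue
        if not line.startswith(" "):
            current = None
        rule = line.strip()
        if rule.startswith("nat "):
            # indented under an object: Network Object NAT, bound to that object;
            # top-level manual NAT: bound only to object names it literally contains
            refs = [current] if current else [t for t in rule.split() if t in objects]
            bindings.append((rule, refs))
    return bindings
```

Running nat_bindings over a "show run" yields an empty list for a rule like "source dynamic any interface", which is exactly the situation the question describes: nothing in the configuration ties that rule to INTERNAL_SUBNETS or any other group.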