10-07-2011 12:58 PM - last edited on 03-25-2019 05:47 PM by ciscomoderator
I configured a manual after-auto NAT entry in an ASA that looked like this:
object-group network INTERNAL_SUBNETS
network-object 10.0.0.0 255.0.0.0
network-object 192.168.0.0 255.255.0.0
network-object 172.16.0.0 255.240.0.0
nat (inside,outside) after-auto source dynamic any interface
So, obviously, the NAT statement above is not inside the object group when looking at the running configuration, as the NAT statement is in a totally different area of the configuration from the object group.
Question: How can a third person tell which NAT statement is tied to which group when they are looking at the configuration?
Thanks,
10-07-2011 05:24 PM
Hello Allen,
If you create an auto NAT (also called network object NAT), it would look like this when you check the configuration:
object network inside
nat (inside,outside) dynamic interface
So you are going to see the NAT rule inside the network object.
While if you create the after-auto NAT, you will see the network objects tied on the line but not inside the network object; it would look like this in the running configuration:
nat (inside,outside) source static Object-192.1680.1.15 Object-162.23.23.23
Hope this helps,
Julio
10-10-2011 03:41 AM
I have never seen the NAT statement actually shown under the network object when viewing the running configuration. It has always been outside the object group area and in the NAT configuration area.
Also, my question pertains to creating NAT statements inside of OBJECT-GROUP NETWORK commands and not OBJECT NETWORK. And the command syntax I gave above is correct.
My question is:
How can a third person tell which NAT statement is tied to which group when they are looking at the configuration?
10-10-2011 09:58 AM
Hello Allen,
If you do it with an object-group network, when you do the show run you are not going to see the hosts that are attached to the NAT statement; you will need to go into the object-group network and check which IP addresses it has configured. Those will be the ones being NATted.
Hope this helps.
10-10-2011 11:23 AM
Julio, thanks for the response. I understand what you are saying, but that is not what I am trying to figure out. I am trying to determine if there is a way to tell which NAT statement is tied to a certain object group, such as in the example I gave with my original question. From my observations, there is no way to know which NAT object is tied to a certain object-group.
Example of a configuration below, how would you be able to tell which NAT statement is tied to which object group?
hostname ASA
object-group network PUBLIC_DNS
network-object host 1.1.1.1
object-group network INTERNAL_SUBNETS
network-object 10.0.0.0 255.0.0.0
network-object 192.168.0.0 255.255.0.0
network-object 172.16.0.0 255.240.0.0
nat (inside,outside) after-auto source dynamic any interface
nat (inside,outside) after-auto source dynamic any interface
10-11-2011 12:20 AM
Hi Allen,
In the NAT statement you would only be able to see the object or object-group name, not what IPs are included in it. Let me explain the procedure that I follow.
1. First do a "show run nat".
2. This would show you all the NAT statements that you have.
3. Identify the nat for which you want to check the object-group included in it.
4. Then do "show object-group | begin
5. This tells you the ip's included in the group.
6. If its an object, do "show run object | begin
Hope that helps.
Thanks,
Varun
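The two points made in the replies above (auto NAT lives nested under its object network, while manual and after-auto twice NAT lines reference object or object-group names at the top level, so the members have to be looked up separately) can be turned into a small script that does the lookup for you. The following is an added example, not code from the thread or from Cisco: it parses a constructed ASA running-config, records which of the three NAT sections each nat line belongs to (manual, auto, after-auto, which is also the order the ASA evaluates them in), expands every referenced name to its members including nested group-object and network-object object entries, and answers the original question by listing the nat lines that reference a given object-group, directly or through nesting. It assumes the common forms only (no pat-pool, destination or service clauses), and the sample config, names and addresses in it are invented for the demo.

```python
"""Resolve ASA NAT statements to the objects / object-groups they reference.
Added example for this thread; parser assumptions: plain "source {static|dynamic}
REAL MAPPED" twice NAT, and host/subnet/range members only."""
from typing import Dict, List

# Constructed sample running-config for the demo (not a real device's output).
SAMPLE_CONFIG = """\
hostname ASA
object network inside
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network WEB_REAL
 host 192.168.1.15
object network WEB_MAPPED
 host 162.23.23.23
object-group network PUBLIC_DNS
 network-object host 1.1.1.1
object-group network INTERNAL_SUBNETS
 network-object 10.0.0.0 255.0.0.0
 network-object 192.168.0.0 255.255.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object object WEB_REAL
 group-object PUBLIC_DNS
nat (inside,outside) source static WEB_REAL WEB_MAPPED
nat (inside,outside) after-auto source dynamic INTERNAL_SUBNETS interface
nat (inside,outside) after-auto source dynamic any interface
"""

# The ASA walks NAT in three sections: manual (1), auto/object NAT (2), after-auto (3).
SECTION_ORDER = {"manual": 1, "auto": 2, "after-auto": 3}


def mask_to_prefix(mask: str) -> int:
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def parse_config(text: str):
    objects: Dict[str, List[str]] = {}       # object network name -> prefixes
    groups: Dict[str, List[List[str]]] = {}  # object-group name -> member token lists
    nats: List[dict] = []
    current = None                           # ("object"|"group", name) being filled
    for raw in text.splitlines():
        if not raw.strip():
            continue
        toks = raw.split()
        if not raw.startswith(" "):          # top-level command
            current = None
            if toks[:2] == ["object", "network"]:
                current = ("object", toks[2]); objects.setdefault(toks[2], [])
            elif toks[:2] == ["object-group", "network"]:
                current = ("group", toks[2]); groups.setdefault(toks[2], [])
            elif toks[0] == "nat":           # twice NAT: manual unless marked after-auto
                section = "after-auto" if "after-auto" in toks else "manual"
                nats.append({"section": section, "line": raw.strip(), "owner": None})
            continue
        if current is None:
            continue
        kind, name = current
        if kind == "group":
            groups[name].append(toks)
        elif toks[0] == "host":
            objects[name].append(f"{toks[1]}/32")
        elif toks[0] == "subnet":
            objects[name].append(f"{toks[1]}/{mask_to_prefix(toks[2])}")
        elif toks[0] == "range":
            objects[name].append(f"{toks[1]}-{toks[2]}")
        elif toks[0] == "nat":               # auto NAT: nested, real side is the object itself
            nats.append({"section": "auto", "line": raw.strip(), "owner": name})
    return objects, groups, nats


def expand_group(name, objects, groups, seen=None) -> List[str]:
    seen = set() if seen is None else seen
    if name in seen:                         # guard against circular group-object references
        return []
    seen.add(name)
    members: List[str] = []
    for toks in groups.get(name, []):
        if toks[0] == "group-object":
            members += expand_group(toks[1], objects, groups, seen)
        elif toks[0] == "network-object" and toks[1] == "host":
            members.append(f"{toks[2]}/32")
        elif toks[0] == "network-object" and toks[1] == "object":
            members += objects.get(toks[2], [])
        elif toks[0] == "network-object":
            members.append(f"{toks[1]}/{mask_to_prefix(toks[2])}")
    return members


def expand_name(name, objects, groups) -> List[str]:
    if name in ("any", "interface"):
        return [name]
    if name in groups:
        return expand_group(name, objects, groups)
    if name in objects:
        return list(objects[name])
    return [f"<unresolved {name}>"]          # dangling reference: worth flagging in a review


def resolve_nats(text: str) -> List[dict]:
    objects, groups, nats = parse_config(text)
    rules = []
    for nat in nats:
        toks = nat["line"].split()
        if nat["section"] == "auto":         # nat (r,m) {dynamic|static} MAPPED
            real, mapped = nat["owner"], toks[3]
        else:                                # nat (r,m) [after-auto] source {static|dynamic} REAL MAPPED
            i = toks.index("source")
            real, mapped = toks[i + 2], toks[i + 3]
        rules.append({"section": nat["section"], "line": nat["line"],
                      "real": real, "real_members": expand_name(real, objects, groups),
                      "mapped": mapped, "mapped_members": expand_name(mapped, objects, groups)})
    return sorted(rules, key=lambda r: SECTION_ORDER[r["section"]])  # stable: keeps config order


def nested_groups(name, groups, seen=None) -> set:
    seen = set() if seen is None else seen
    for toks in groups.get(name, []):
        if toks[0] == "group-object" and toks[1] not in seen:
            seen.add(toks[1]); nested_groups(toks[1], groups, seen)
    return seen


def rules_referencing(text: str, group_name: str) -> List[str]:
    """The thread's question: which nat lines use this object-group, directly or nested."""
    _, groups, _ = parse_config(text)
    hits = []
    for r in resolve_nats(text):
        if any(r[s] == group_name or group_name in nested_groups(r[s], groups)
               for s in ("real", "mapped")):
            hits.append(r["line"])
    return hits


if __name__ == "__main__":
    for r in resolve_nats(SAMPLE_CONFIG):
        print(f"[{r['section']:<10}] {r['line']}\n    real {r['real']} = {r['real_members']}")
    print("uses PUBLIC_DNS:", rules_referencing(SAMPLE_CONFIG, "PUBLIC_DNS"))
```

Run it as-is to print every rule in evaluation order with its expanded real side; feed it `show running-config` output instead of SAMPLE_CONFIG for a real box. The nested lookup matters for review: a group that reaches a sensitive host only through group-object still gets that host NATted, which a grep for the group name in the nat lines would miss.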