8.2 to 8.3 static nat question

grobinson23
Level 1

So, in 8.2, if I had an inside interface at 10.10.10.1 and an mpls interface (sec-100) at 10.20.20.1, and I wanted traffic to traverse between the two interfaces, I could write the following statement:

static (inside,mpls) 10.10.10.0 10.10.10.0 netmask 255.255.255.0

What would this look like in 8.3?

Thanks!

Accepted Solutions

In version 8.3, the nat statement depends on objects. You need to create an object for the source IP as well as the NAT IP and call the object in the nat statement.
object network
 host/range/subnet IP Address

object network obj-10.10.10.0
 subnet 10.10.10.0 255.255.255.0
exit

nat (inside,mpls) source static obj-10.10.10.0 obj-10.10.10.0

This statement will work in a similar way to what you expect. You can mention NAT with respect to a specific destination (similar to policy NAT):

nat (inside,mpls) source static obj-10.10.10.0 obj-10.10.10.0 destination static obj-4.4.4.4 obj-4.4.4.4

Regards
Gk
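
The 8.2-to-8.3 translation described in the answer above, as an added Python example that is not part of the original thread or any Cisco tooling. It generalizes the thread's identity-NAT case to host entries and to mappings where the real and mapped addresses differ. Assumptions: the function names are hypothetical, the `obj-<ip>` object naming follows the answer, and only the plain `static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask` form is handled; every other form is rejected for manual review.

```python
import ipaddress
import re

# 8.2 plain form: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_82 = re.compile(
    r"^static\s+\((?P<real_if>[^,\s]+),(?P<mapped_if>[^)\s]+)\)\s+"
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+)\s+(?P<real>\d+\.\d+\.\d+\.\d+)"
    r"\s+netmask\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s*$",
    re.IGNORECASE,
)


def _object_lines(ip, mask):
    """Return (object name, config lines); the obj-<ip> naming is an assumption."""
    # strict=True raises ValueError if the address has host bits set for the mask
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=True)
    name = f"obj-{ip}"
    if net.prefixlen == 32:
        body = f" host {ip}"
    else:
        body = f" subnet {net.network_address} {net.netmask}"
    return name, [f"object network {name}", body]


def convert_static(line):
    """Translate one plain 8.2 static NAT line into 8.3+ object and nat lines."""
    m = STATIC_82.match(line.strip())
    if m is None:
        # Port redirection, "interface" and access-list forms are not handled here.
        raise ValueError(f"unsupported static form, review manually: {line!r}")
    real_name, out = _object_lines(m["real"], m["mask"])
    mapped_name = real_name
    if m["mapped"] != m["real"]:
        # Real and mapped addresses differ, so the mapped side needs its own object.
        mapped_name, mapped_lines = _object_lines(m["mapped"], m["mask"])
        out += mapped_lines
    out.append(
        f"nat ({m['real_if']},{m['mapped_if']}) source static {real_name} {mapped_name}"
    )
    return out


if __name__ == "__main__":
    # First line is the statement from the question; the second is constructed.
    for old in (
        "static (inside,mpls) 10.10.10.0 10.10.10.0 netmask 255.255.255.0",
        "static (inside,outside) 192.0.2.10 10.10.10.5 netmask 255.255.255.255",
    ):
        print("\n".join(convert_static(old)), end="\n\n")
```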

That did it!  That should allow for communication to take place both ways, right?

Thanks!

Hi,

The above NAT rule should enable bidirectional connection establishment. (Provided that the interface ACL allows the traffic.)

Though usually if you don't want to NAT the source or destination network then you should not need any NAT configuration in the new software.

But this depends on the rest of the NAT configuration which we have not seen.

- Jouni

Jouni Forss
VIP Alumni

Hi,

In the 8.3+ software levels you don't need any NAT configuration between 2 interfaces if you don't need to specifically NAT something.

If you have a Dynamic PAT configuration from "inside" to "mpls" that contains the networks behind "inside" as the source address then in this situation you would need another NAT configuration to enable communication from the "mpls" to "inside". (to enable bidirectional connection forming that is)

If there is no NAT configuration between "inside" and "mpls" at the moment then you won't need any NAT configuration. You will just have to make sure the traffic is allowed in the interface ACL. If you have equal "security-level" between the interfaces then you will have to make sure you have "same-security-traffic permit inter-interface" also configured.

- Jouni